Article: Hackers Using New Malware Packer DTPacker to Avoid Analysis, Detection

h0w1tzr’s Comments: According to security researchers, DT is short for Donald Trump because it uses his name as a part of the XOR encoding of the packed executable.

A previously undocumented malware packer named DTPacker has been observed distributing multiple remote access trojans (RATs) and information stealers such as Agent Tesla, Ave Maria, AsyncRAT, and FormBook to plunder information and facilitate follow-on attacks.

“The malware uses multiple obfuscation techniques to evade antivirus, sandboxing, and analysis,” enterprise security company Proofpoint said in an analysis published Monday. “It is likely distributed on underground forums.”

The .NET-based commodity malware has been associated with dozens of campaigns and multiple threat groups, both advanced persistent threat (APT) and cybercrime actors, since 2020, with the intrusions aimed at hundreds of customers across many sectors.

Attack chains involving the packer rely on phishing emails as an initial infection vector. The messages contain a malicious document or a compressed executable attachment, which, when opened, deploys the packer to launch the malware.

Links

Article: Kali Linux 2021.4 released with 9 new tools, further Apple M1 support

Kali Linux 2021.4 was released yesterday by Offensive Security and includes further Apple M1 support, increased Samba compatibility, nine new tools, and updates for all three main desktops.

Kali Linux is a Linux distribution allowing cybersecurity professionals and ethical hackers to perform penetration testing and security audits against internal and remote networks.

With this release, the Kali Linux Team introduces a bunch of new features, including:

    • Apple M1 support for the VMware Fusion Public Tech Preview
    • Wide compatibility is enabled for Samba
    • Making it easier to switch to Cloudflare’s package manager mirror
    • Kaboxer updated with support for window themes and icon themes
    • Updates to the Xfce, GNOME and KDE desktops
    • Raspberry Pi Zero 2 W + USBArmory MkII ARM images
    • Nine more tools!

Links

Article: Microsoft Exchange servers hacked to deploy BlackByte ransomware

h0w1tzr’s Comments: These CVEs affect all MS Exchange Server versions from 2013-2019.

The BlackByte ransomware gang is now breaching corporate networks by exploiting Microsoft Exchange servers using the ProxyShell vulnerabilities.

ProxyShell is the name for a set of three Microsoft Exchange vulnerabilities that allow unauthenticated, remote code execution on the server when chained together.

These vulnerabilities are listed below and were fixed by security updates released in April and May 2021:

    • CVE-2021-34473 – Pre-auth Path Confusion leads to ACL Bypass (Patched in April by KB5001779)
    • CVE-2021-34523 – Elevation of Privilege on Exchange PowerShell Backend (Patched in April by KB5001779)
    • CVE-2021-31207 – Post-auth Arbitrary-File-Write leads to RCE (Patched in May by KB5003435)

Since researchers disclosed the vulnerabilities, threat actors have begun to exploit them to breach servers and install web shells, coin miners, and ransomware.

Links

*** Found via LinkedIn ***

GitHub Project: Subrake

A subdomain enumeration and validation tool for bug bounty hunters and pentesters.

Key Features

    • OSINT + Subdomain Bruteforcing
    • Capable of handling outputs from multiple tools
    • Handles false positives and filters out subdomains that resolve to the same address
    • Checking for Server Banners and Ports
    • Incredibly Fast
    • Handling domains with larger scopes
    • Port Scanning

Links

GitHub Project: Chisel

Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server. Written in Go (golang). Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network.

Links

GitHub Project: Phantom

Phantom is a multi-platform HTTP(S) Reverse Shell server and client in Python 3. Binaries for Linux and Windows platforms can be built through an embedded script that executes PyInstaller.

Reverse shells can be established through HTTP or HTTPS. The certificates used for HTTPS can be auto-generated by Phantom or supplied by the user.

Phantom includes a helper shell script that enables fast generation of self-signed certificates for use by both servers and clients. After generation, the server and certificate authority certificates required for encrypted connections are bundled into the binaries for portability and ease of execution.

Links

*** Found via Twitter ***

GitHub Project: SillyRAT

A cross-platform RAT written in pure Python. The RAT accepts commands alongside arguments to act either as the server that accepts connections or as the client/target that establishes connections to the server. The generate command uses the pyinstaller module to compile the actual payload code, so in order to generate a payload file for your respective platform, you need to be on that platform while generating the file. Moreover, you can directly obtain the source file as well.

Features

    • Built-in Shell for command execution
    • Dumping system information, including drives and RAM
    • Screenshot module. Captures screenshot of client screen.
    • Connection Loop (Will continue on connecting to server)
    • Currently, it uses BASE64 encoding.
    • Pure Python
    • Cross Platform. (Tested on Linux. Errors are accepted)
    • Source File included for testing
    • Python 3

Links

*** Found via Twitter ***