
Turla Mosquito Hacker Group Shifts to Open Source Malware

Turla, a hacking group that has been active for over ten years and is one of the largest known state-sponsored cyberespionage groups, is shifting its behaviour: instead of relying on its own creations, it now leverages the open source exploitation framework Metasploit as a first stage before dropping the custom Mosquito backdoor.

While this is not the first time Turla has used generic tools, researchers at ESET say it is the first time the group has used Metasploit, an open-source penetration testing project, as a first-stage backdoor.

“In the past, we have seen the group using open-source password dumpers such as Mimikatz,” ESET Research said in a blog post. “However, to our knowledge, this is the first time Turla has used Metasploit as a first stage backdoor, instead of relying on one of its own tools such as Skipper.”

The typical targets of the attacks remain embassies and consulates in Eastern Europe, and the group still uses a fake Flash installer to install both the Turla backdoor and the legitimate Adobe Flash Player.

According to the researchers, the compromise occurs when the user downloads a Flash installer over plain HTTP, which allows Turla operators to replace the legitimate Flash executable with a trojanized version by intercepting traffic on a node between the victim's machine and the Adobe servers.

“We believe the fifth possibility to be excluded, as, to the best of our knowledge, Adobe/Akamai was not compromised,” the post went on to say, making clear that the Adobe website itself does not appear to have been compromised.

At the beginning of March 2018, researchers found changes in the Mosquito campaign. Previously the attack was carried out by dropping a loader and the main backdoor using a fake Flash installer; now the way the final backdoor is dropped has changed.

“Turla’s campaign still relies on a fake Flash installer but, instead of directly dropping the two malicious DLLs, it executes a Metasploit shellcode and drops, or downloads from Google Drive, a legitimate Flash installer,” the post read.

The shellcode then downloads a Meterpreter payload, which gives the attacker control of the compromised machine, and finally the Mosquito backdoor is placed on the system.

Once the attack is executed, the fake Flash installer also downloads a legitimate Flash installer from a Google Drive URL and runs it, so the user is deceived into thinking the installation went smoothly.

Researchers also say that the use of Metasploit suggests an operator is controlling the exploitation manually. More information on Turla can be found in ESET’s whitepaper as well as its recent report on Turla’s change in attacks.
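The infection chain described above (an installer pulled over plain HTTP and swapped in transit, then the fake installer fetching a second file from Google Drive) leaves traces in web-proxy logs. The following Python script is an added example, not code from the article or from ESET: it applies two detection rules to a handful of constructed proxy log lines. The log format, the vendor and file-sharing host lists, and the process names are assumptions made for the example, not fields from any real proxy product.

```python
import re
from dataclasses import dataclass

# Constructed sample proxy log lines (not from the article or ESET's data).
# Fields: timestamp, client IP, process image, method, URL, content type.
SAMPLE_LOG = """\
2018-03-05T10:01:12Z 10.0.0.21 chrome.exe GET http://get.adobe.com/flashplayer/download/install_flash_player.exe application/x-msdownload
2018-03-05T10:01:40Z 10.0.0.21 install_flash_player.exe GET https://drive.google.com/uc?export=download&id=PLACEHOLDER application/octet-stream
2018-03-05T10:02:03Z 10.0.0.22 chrome.exe GET https://get.adobe.com/flashplayer/ text/html
2018-03-05T10:02:15Z 10.0.0.23 outlook.exe GET https://drive.google.com/uc?export=download&id=PLACEHOLDER application/pdf
"""

# Assumed log layout; adjust the pattern to the proxy actually in use.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<process>\S+) (?P<method>\S+) "
    r"(?P<scheme>https?)://(?P<host>[^/\s]+)(?P<path>\S*) (?P<ctype>\S+)$"
)

# Content types that mean a Windows executable came down the wire.
EXE_CTYPES = {"application/x-msdownload", "application/octet-stream", "application/x-dosexec"}
# Vendor domains from which installers should only ever arrive over TLS (assumed list).
VENDOR_HOSTS = ("adobe.com",)
# File-sharing hosts an installer binary has no business contacting (assumed list).
STAGING_HOSTS = ("drive.google.com", "docs.google.com")


@dataclass
class Alert:
    rule: str
    client: str
    process: str
    url: str


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_executable(rec):
    return rec["ctype"] in EXE_CTYPES or rec["path"].lower().endswith(".exe")


def detect(log_text):
    """Run both rules over every parseable line and return the alerts raised."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = f"{rec['scheme']}://{rec['host']}{rec['path']}"
        # Rule 1: an executable fetched from a vendor domain over cleartext HTTP,
        # the condition that lets an on-path node swap the installer.
        if rec["scheme"] == "http" and is_executable(rec) and rec["host"].endswith(VENDOR_HOSTS):
            alerts.append(Alert("cleartext-installer-download", rec["client"], rec["process"], url))
        # Rule 2: a process named like the Flash installer pulling a binary from a
        # file-sharing host, matching the second stage described in the article.
        if "flash" in rec["process"].lower() and rec["host"].endswith(STAGING_HOSTS) and is_executable(rec):
            alerts.append(Alert("installer-fetches-from-file-share", rec["client"], rec["process"], url))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"[{alert.rule}] {alert.client} {alert.process} -> {alert.url}")
```

On the constructed sample, rule 1 fires on the cleartext download from the Adobe host and rule 2 fires on the installer-named process reaching Google Drive; the HTML page and the PDF fetched by Outlook are ignored. Rule 2 is the higher-confidence signal, since a legitimate installer has no reason to stage content from a file-sharing site.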

Metasploit and Rapid7 DNS Hijacked and Defaced by KDMS Team

The domains of Metasploit and its parent company Rapid7 were hijacked and defaced by the KDMS Team, which had previously taken down several other high-profile computer-security targets.

HD Moore (Chief Research Officer of Rapid7 and Chief Architect of Metasploit) told EHN how the domain was hijacked.

When asked whether the domains were back under their control, he said "yes" and explained why some people were still seeing the defacement page.

Please note that a DNS attack does not affect the server of the hacked site in any way: the attacker changes where the domain name points, not the machine behind it. Anybody could fall victim to it. The blame belongs to the registrar, not Rapid7.

This shows that even with the strictest security mechanisms there is always a "weak spot" that can be exploited, and more often than not it is the human element that is weakest.
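A check worth having after reading this: compare the zone's NS and A records against a recorded baseline, because a registrar-level hijack shows up as changed delegation while the web server itself stays untouched. The following Python is an added example, not Rapid7's or Metasploit's code. The domain names, addresses and "observed" answers are constructed placeholders (RFC 5737 test addresses, .test and .invalid names); feeding it live answers requires a resolver that can return NS records, such as dnspython, which is not included here.

```python
# Baseline an operator recorded for their own zone (hypothetical names and
# RFC 5737 addresses; nothing here is a real Rapid7 or Metasploit record).
BASELINE = {
    "example-sec.test": {
        "NS": {"ns1.registrar.example", "ns2.registrar.example"},
        "A": {"192.0.2.10"},
    },
    "www.example-sec.test": {"A": {"192.0.2.10"}},
}

# Constructed answers as they might look after a registrar-level hijack:
# delegation now points at attacker-controlled name servers, so every A record
# they serve is the defacement host, although the real web server is unchanged.
OBSERVED_HIJACKED = {
    "example-sec.test": {
        "NS": {"ns1.attacker-dns.invalid", "ns2.attacker-dns.invalid"},
        "A": {"198.51.100.77"},
    },
    "www.example-sec.test": {"A": {"198.51.100.77"}},
}


def diff_records(baseline, observed):
    """Return (name, rtype, missing, unexpected) for every record set that drifted."""
    findings = []
    for name, expected in baseline.items():
        answers = observed.get(name, {})
        for rtype, want in expected.items():
            got = set(answers.get(rtype, ()))
            missing = want - got          # baseline values no longer served
            unexpected = got - want       # values the baseline never had
            if missing or unexpected:
                findings.append((name, rtype, sorted(missing), sorted(unexpected)))
    return findings


def delegation_changed(findings):
    """True when the NS set itself drifted: the signature of a registrar-level change."""
    return any(rtype == "NS" for _, rtype, _, _ in findings)


def describe(findings):
    return [f"{name} {rtype}: missing={missing} unexpected={unexpected}"
            for name, rtype, missing, unexpected in findings]


if __name__ == "__main__":
    found = diff_records(BASELINE, OBSERVED_HIJACKED)
    for line in describe(found):
        print(line)
    if delegation_changed(found):
        print("NS delegation changed: check the registrar account and domain lock first")
```

An A-record change alone can be a legitimate hosting move; an NS change that the operator did not make is what points straight at the registrar account, which is where the response should start.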

Microsoft Office 2007 Excel .xlb Vulnerable to Buffer Overflow Attack

This Metasploit module exploits a vulnerability found in Excel in Microsoft Office 2007. By supplying a malformed .xlb file, an attacker can control the content (source) of a memcpy routine and the number of bytes to copy, causing a stack-based buffer overflow. This results in arbitrary code execution in the context of the user.
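To make concrete what the module description means by the file controlling a memcpy's source and length, here is a small parser model in Python. It is an added example, not the Metasploit module and not Excel's code: the record layout (2-byte type, 2-byte length, payload) and the 64-byte destination buffer are assumptions standing in for the real .xlb layout, which the post does not describe. It shows the two bounds checks whose absence turns a length field into a stack overflow, and rejects a file whose declared length exceeds either the remaining input or the destination's capacity.

```python
import struct

# Assumed record layout for this model (the real .xlb layout is not on the page):
# a 2-byte record type, a 2-byte length, then `length` bytes of payload.
HEADER = struct.Struct("<HH")
DEST_CAPACITY = 64  # stands in for the fixed-size stack buffer the copy writes into


class MalformedRecord(ValueError):
    pass


def read_record(data, offset, capacity=DEST_CAPACITY):
    """Parse one record at `offset`; return (rtype, payload, next_offset).

    The two checks below are exactly what a memcpy(dst, src, length) driven by
    the file's own length field is missing:
      1. length must not exceed the bytes actually remaining in the file,
         or the copy's source runs past the input;
      2. length must not exceed the destination buffer's capacity,
         or the copy's destination runs past the stack buffer.
    """
    if offset + HEADER.size > len(data):
        raise MalformedRecord("truncated header")
    rtype, length = HEADER.unpack_from(data, offset)
    body_start = offset + HEADER.size
    if length > len(data) - body_start:
        raise MalformedRecord(f"length {length} exceeds remaining input")
    if length > capacity:
        raise MalformedRecord(f"length {length} exceeds destination capacity {capacity}")
    dest = bytearray(capacity)
    dest[:length] = data[body_start:body_start + length]  # bounded copy
    return rtype, bytes(dest[:length]), body_start + length


def parse_file(data, capacity=DEST_CAPACITY):
    """Parse every record in `data`, raising MalformedRecord on the first bad one."""
    records, offset = [], 0
    while offset < len(data):
        rtype, payload, offset = read_record(data, offset, capacity)
        records.append((rtype, payload))
    return records


def validate(data, capacity=DEST_CAPACITY):
    """Return None if the file parses cleanly, else the rejection reason."""
    try:
        parse_file(data, capacity)
    except MalformedRecord as exc:
        return str(exc)
    return None


def build_record(rtype, payload, declared_length=None):
    """Serialize a record; `declared_length` lets a test forge a lying length field."""
    length = len(payload) if declared_length is None else declared_length
    return HEADER.pack(rtype, length) + payload


# Constructed inputs: a well-formed file and two malformed ones.
GOOD_FILE = build_record(1, b"toolbar") + build_record(2, b"\x00" * 16)
OVERSIZED = build_record(1, b"A" * 200)                           # larger than DEST_CAPACITY
LYING_LENGTH = build_record(1, b"short", declared_length=5000)    # claims more than exists


if __name__ == "__main__":
    for name, blob in [("good", GOOD_FILE), ("oversized", OVERSIZED), ("lying", LYING_LENGTH)]:
        print(name, "->", validate(blob) or "ok")
```

The oversized record is the case that matters for the vulnerability described here: the length is consistent with the file, so a parser that only checks the file's size will happily copy 200 bytes into a 64-byte buffer. The capacity check against the destination, not the input, is the one that prevents the overflow.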

Discovered by: Juan Vazquez

References:
CVE-2011-0105
OSVDB-71765
MSB MS11-021

Platform: Windows
Targets:
Windows XP SP3 (Vista and 7 will try to repair the file)
Microsoft Office Excel 2007 on Windows XP
Microsoft Office Excel 2007 SP2 on Windows XP