- Posted in Exploit by

BellaCiao is the most recent advanced trojan host to come from the group APT35/42, otherwise known as Charming Kitten. The malware is built to be highly customizable so it can be pinpointed at specific targets, down to individual companies and even per-target subdomains used for payload delivery. The current attack vector is Microsoft Exchange servers, but without advanced network IDS/IPS systems BellaCiao could infiltrate your network without detection.

There is currently no known initial infection vector, as no public logging of one has yet been reported. The intended targets, as chosen by the malware's authors, are infrastructure and other valuable organizations with higher than average security.

Upon deployment on an Exchange server, the malware is currently designed to run the following in PowerShell:

  powershell.exe -exec bypass -c Set-MpPreference -DisableRealtimeMonitoring $true

It then creates and starts malicious Windows services to maintain persistence, such as:

  sc create "Microsoft Exchange Services Health" binpath= "C:\ProgramData\Microsoft\DRMS\Microsoft Exchange Services Health.exe" start= auto

  sc start "Microsoft Exchange Services Health"

  sc create "Exchange Agent Diagnostic Services" binpath= "C:\ProgramData\Microsoft\Diagnostic\Exchange Agent Diagnostic Services.exe" start= auto

  sc start "Microsoft Exchange Services Health"

Afterwards, it is recorded that the attackers pushed malicious IIS modules to the affected server. One of these was IIS-Raid, an IIS module designed to act as a man-in-the-middle for credential theft, sniffing IIS traffic for passwords according to a keyword list.

The second module was another custom-made module designed to exfiltrate the data found by the IIS-Raid module. It also captures and records HTTP requests containing the keywords “pass”, “pwd”, “password” or “login” for exfiltration.

BellaCiao installs itself as a Windows service executable to avoid detection by users. As it is both a trojan host and a C2 module, its functions are baked in, and it can also carry a payload within, making it even more unpredictable and dangerous. It sends DNS requests every 24 hours to maintain its connection to the internet and to the attacker. These DNS requests go to a DNS server under the attacker's control, and the server's response is how commands are delivered: the last octet of the returned IP address determines the action to take, matched against the IP addresses pre-programmed into the code.

Functions possible by this method include:

Command execution
Execute script
Download file
Upload file
Upload web logs
Report web server start time
Report current time
Stop web server

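An added detection example (not code from the original post) for the DNS-based command channel just described: it scans resolver log lines for a host that resolves one domain roughly every 24 hours with answers that keep the same first three octets and change only the last one. The CSV layout, the domain names and the IP addresses are constructed for the example.

```powershell
# Added example (not part of the original post): hunts a DNS resolver log for the
# BellaCiao beacon pattern described above. Flags any (client, domain) pair that is
# resolved about every 24 hours and whose answers keep the same first three octets
# while the last octet varies, since the post states that last octet carries the
# command. The log lines are constructed samples in a "timestamp,client,query,answer"
# CSV layout; adapt the parser to your resolver's real export format.

$sampleLog = @'
timestamp,client,query,answer
2023-04-01T02:00:11Z,10.0.5.21,updates.example-c2.test,192.0.2.10
2023-04-01T02:00:11Z,10.0.5.21,www.example.com,93.184.216.34
2023-04-02T02:00:14Z,10.0.5.21,updates.example-c2.test,192.0.2.20
2023-04-02T09:15:02Z,10.0.5.21,www.example.com,93.184.216.34
2023-04-03T02:00:09Z,10.0.5.21,updates.example-c2.test,192.0.2.30
2023-04-03T02:00:10Z,10.0.5.40,cdn.example.net,198.51.100.7
'@

function Find-DnsBeacon {
    param(
        [Parameter(Mandatory)] [string] $CsvText,
        [int]    $MinObservations = 3,   # need at least this many lookups to call it periodic
        [double] $IntervalHours   = 24,  # expected beacon period from the write-up
        [double] $ToleranceHours  = 1    # allowed jitter around that period
    )
    $rows = $CsvText | ConvertFrom-Csv
    foreach ($g in ($rows | Group-Object -Property client, query)) {
        if ($g.Count -lt $MinObservations) { continue }

        # Check that consecutive lookups are spaced roughly one interval apart.
        $sorted = @($g.Group | Sort-Object { [datetimeoffset]::Parse($_.timestamp) })
        $times  = @($sorted | ForEach-Object { [datetimeoffset]::Parse($_.timestamp) })
        $periodic = $true
        for ($i = 1; $i -lt $times.Count; $i++) {
            $gapHours = ($times[$i] - $times[$i - 1]).TotalHours
            if ([math]::Abs($gapHours - $IntervalHours) -gt $ToleranceHours) { $periodic = $false; break }
        }
        if (-not $periodic) { continue }

        # Check that answers share a /24 prefix but differ in the last octet.
        $prefixes   = @($sorted | ForEach-Object { ($_.answer -split '\.')[0..2] -join '.' } | Sort-Object -Unique)
        $lastOctets = @($sorted | ForEach-Object { ($_.answer -split '\.')[3] } | Sort-Object -Unique)
        if ($prefixes.Count -eq 1 -and $lastOctets.Count -gt 1) {
            [pscustomobject]@{
                Client     = $sorted[0].client
                Query      = $sorted[0].query
                Prefix     = $prefixes[0]
                LastOctets = ($lastOctets -join ',')
                Lookups    = $sorted.Count
            }
        }
    }
}

Find-DnsBeacon -CsvText $sampleLog | Format-Table -AutoSize
```

On the constructed sample only the 10.0.5.21 lookups of updates.example-c2.test are reported; the ordinary www.example.com traffic is neither periodic nor varied in its last octet.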

Our assessment of this type of attack is that higher-level, automated tools such as modern IDS/IPS are needed as part of a defense-in-depth strategy to monitor network traffic and prevent breaches. This malware platform is attacking Exchange servers today, but it can likely be rebuilt to attack other types of network resources. Combined with its ability to stealthily infiltrate payloads into a network, it could wreak more havoc than described in this article today. If you aren't sure your network security is up to the task, consult a well-known, trusted firm for an assessment of your organization's security and put proper policies in place.

Fivesys rootkit exploits Microsoft certification system

- Posted in Exploit by

Fivesys is a rootkit that was recently discovered in the wild. A rootkit is a type of malware designed to install itself in the background on a target machine and to be hard or impossible to detect with normal malware scanning and remediation processes. Rootkits as a class of malware are not new, but their overall viability has been reduced by countermeasures developed to mitigate the vast majority of rootkits on the internet. The difference with this rootkit is its packaging, which mimics a validly signed driver; it even carries a Microsoft signature.

The purpose of the Fivesys rootkit to date is to redirect HTTP/HTTPS traffic to the attacker's predefined IP addresses. The current package carries a list of 300 different proxy IP addresses, designed to prevent the traffic from being blocked. The package also contains a driver blacklist to prevent it being removed or overwritten by a legitimate package. Bitdefender, the company that made the discovery, believes the primary target of Fivesys is online games, with the intent of stealing game login credentials and hijacking in-game transactions for payment credentials and data. As that assessment cannot be fully verified at this time, we would note that re-programming of the package will likely occur, resulting in Fivesys being weaponized for any number of similar attack vectors.

As I outline in my first paragraph, the major issue with Fivesys is that the creator has managed to pass the package through Microsoft's driver validation program, which we have confirmed is a fully automated signing process with no manual oversight or flag for review. This allows an actor to use the process to bypass all of the inbuilt Windows security features, leaving machines vulnerable until it is discovered.


Our recommendation to prevent Fivesys or any other rootkit from affecting your environment is to be diligent in your downloads by confirming you are on the manufacturer's site. Type the manufacturer's URL manually; do not click on links, and do not use a Google search result link to get to the download. Current exploits in AdSense and other advertising links, as well as links to legitimate sites that host user-uploaded content, all pose a real risk of Fivesys being downloaded instead of the legitimate driver or software you are after (see our posts on the AdSense exploit). Make sure all your teams, staff and users are trained in cyber security.

ZLoader’s Back, Abusing Google AdWords & Disabling Windows Defender

- Posted in Exploit by

A targeted campaign delivering the ZLoader banking trojan is spreading via Google AdWords, and is using a mechanism to disable all Windows Defender modules on victim machines. According to SentinelLabs, hackers are lowering rates of detection by using an infection chain for the campaign that also includes the use of a signed dropper with a backdoored version of the Windows utility wextract.exe to embed the ZLoader payload itself.

ZLoader is not new, but this exploit addition is. It is typically described as a banking trojan that implements web injection to steal cookies, passwords and other sensitive information. It attacks users of financial institutions all over the world and has also been used to deliver ransomware families such as Egregor and Ryuk. It also provides backdoor capabilities and acts as a generic loader to deliver other forms of malware.

ZLoader Infection Chain Starts with Google AdWords

To target victims, the malware is spread from a fake Google advertisement (published through Google AdWords) for various software; the lures include Discord, Java plugins, Microsoft's TeamViewer and Zoom.

For example, when someone Googles “Team Viewer download”, a fake advert appears in AdWords (the advert has since been taken down, but it shows that diligence is needed to make sure the URL and company are correct for any download). This advertisement, shown by Google on the search engine, redirects the clicker to a fake TeamViewer site under the attacker's control. From there, the user can be tricked into downloading a fake installer in signed MSI format. Current versions carry a signing timestamp of Aug. 23, but this is likely to change as the campaign is exposed.

SentinelLabs advise that “It appears that the cybercriminals managed to obtain a valid certificate issued by Flyintellect Inc., a Software company in Brampton, Canada”; “[t]he company was registered on 29 June 2021, suggesting that the threat actor possibly registered the company for the purpose of obtaining those certificates”.

Bypassing and disabling Windows Defender check

The downloaded and legitimately signed .MSI file is of course not an installer for legitimate software, but rather the first-stage dropper for the malware. It runs an installation wizard that creates the directory C:\Program Files (x86)\Sun Technology Network\Oracle Java SE, saves a .BAT file appropriately called “setup.bat”, and then uses the built-in Windows cmd.exe to execute that file. Users are used to seeing a cmd window flash briefly, as Microsoft often does this during Windows updates, so they do not suspect anything. The executed .BAT then begins stage two and downloads a second-stage dropper, which initiates the third stage of infection by executing a script called “updatescript.bat”.

The third-stage dropper contains defense-impairment logic that shuts down the machine's defenses by disabling all Windows Defender modules through the PowerShell cmdlet Set-MpPreference. It then adds exclusions such as regsvr32, *.exe and *.dll with the cmdlet Add-MpPreference to hide all components of the malware from Windows Defender.
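An added host audit (not code from the BellaCiao or ZLoader posts) covering the artefacts both write-ups describe: the Set-MpPreference real-time-monitoring change and the sc create services from the BellaCiao post, and the Defender exclusions and WinDefend service removal from this one. It assumes a host with the Defender PowerShell module and is run from an elevated prompt.

```powershell
# Added audit script (not from either post): checks a Windows host for the
# Defender tampering and service persistence the BellaCiao and ZLoader write-ups
# describe. Run from an elevated PowerShell; findings come back as objects so
# they can be piped to Export-Csv or a SIEM forwarder.

function Get-DefenderTamperFindings {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string] $Check, [string] $Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
    }

    # 1. Set-MpPreference -DisableRealtimeMonitoring $true (BellaCiao, ZLoader stage three)
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    if ($null -eq $pref) {
        Add-Finding 'Defender' 'Get-MpPreference failed: Defender cmdlets or service unavailable'
    } else {
        if ($pref.DisableRealtimeMonitoring) { Add-Finding 'Defender' 'Real-time monitoring is disabled' }

        # 2. Add-MpPreference exclusions named in the ZLoader write-up (regsvr32, *.exe, *.dll)
        $suspectPatterns = @('*regsvr32*', '*.exe', '*.dll', 'exe', 'dll')
        $exclusions = @($pref.ExclusionProcess) + @($pref.ExclusionExtension) + @($pref.ExclusionPath)
        foreach ($ex in $exclusions) {
            if (-not $ex) { continue }
            foreach ($pat in $suspectPatterns) {
                if ($ex -like $pat) { Add-Finding 'Exclusion' "Suspicious Defender exclusion: $ex"; break }
            }
        }
    }

    # 3. WinDefend service deleted or disabled (nsudo.bat in the ZLoader chain)
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Add-Finding 'Service' 'WinDefend service is missing'
    } elseif ($svc.StartType -eq 'Disabled' -or $svc.Status -ne 'Running') {
        Add-Finding 'Service' "WinDefend is $($svc.Status) with start type $($svc.StartType)"
    }

    # 4. Services installed by the BellaCiao "sc create" lines: known names, or any
    #    service whose binary lives under ProgramData\Microsoft\DRMS or \Diagnostic
    $iocNames = @('Microsoft Exchange Services Health', 'Exchange Agent Diagnostic Services')
    foreach ($s in (Get-CimInstance -ClassName Win32_Service)) {
        if ($s.Name -in $iocNames) {
            Add-Finding 'Persistence' "Service name matches BellaCiao IOC: $($s.Name)"
        }
        if ($s.PathName -and $s.PathName -match '(?i)\\ProgramData\\Microsoft\\(DRMS|Diagnostic)\\') {
            Add-Finding 'Persistence' "Service '$($s.Name)' runs from $($s.PathName)"
        }
    }
    return $findings
}

Get-DefenderTamperFindings | Format-Table -AutoSize
```

An empty result means none of the listed artefacts were found; it is not proof the host is clean, since both write-ups note the attackers can rebuild their tooling.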

Once that completes, stage four is executed with the download of an .EXE from the URL hxxxURL://pornofilmspremium.com/tim.exe, which is saved and then executed through the Windows explorer.exe process.

At this point the attacker is able to break the parent/child process correlation often used by endpoint detection and response (EDR) tools. Because tim.exe is actually a backdoored version of the legitimate Windows utility wextract.exe with the attackers' additional code, the attackers can now execute the malicious batch file named “tim.bat” under a legitimate-looking parent; it runs a short script to download the final ZLoader DLL payload, named tim.dll. This final payload is executed using the legitimate Windows utility regsvr32, which lets the attackers proxy execution of the DLL through a Microsoft-signed binary and run the functions that compromise the machine.

Tim.bat also downloads another script, called “nsudo.bat” to perform multiple operations to elevate privileges on the system and impair defenses as follows:

  1. It checks if the current context of execution is privileged by verifying the access to the SYSTEM hive.
  2. It implements an auto elevation VBScript that aims to run an elevated process in order to make system changes.

The snippet of the script in charge of the UACPrompt feature is as follows:

  rem Write a one-line VBScript that asks UAC to relaunch this batch file elevated
  echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
  rem Re-quote the original command-line arguments so they survive the relaunch
  set params = %*:"="
  rem ShellExecute with the "runas" verb is what triggers the UAC consent prompt
  echo UAC.ShellExecute "cmd.exe", "/c %~s0 %params%", "", "runas", 1 >> "%temp%\getadmin.vbs"
  rem Remove the helper script and leave the current (unelevated) instance
  del "%temp%\getadmin.vbs"
  exit /B
  3. Once elevation occurs, the script runs with elevated privileges to disable Windows Defender persistently, ensuring the “WinDefend” service is deleted at the next boot through the NSudo utility, and to completely disable Microsoft's User Account Control (UAC).

The nsudo.bat script also completely disables UAC by setting the following registry key to 0 (zero):


  4. After executing these functions it forces a system restart so that the changes take effect without the user being aware.

The purpose of the exploit is to tie the machine into the botnet for bitcoin mining and other operations, including DDoS attacks, as the extract of DDoS URLs taken from the sample shows.


Google advises that if you come across an advert that redirects you in this way, you should report it via the following:

https://support.google.com/google-ads/contact/vio_other_aw_policy
https://safebrowsing.google.com/safebrowsing/report_phish/


  1. At all times use adblocker software to aid in disrupting this exploit.

I realize Google will not be happy about this, but until the system is fixed against such exploits, it is better to be safe. Google should consider formal verification, not just address location verification, for advertisers. Perhaps verifying and monitoring advertising URLs may also be something they should consider?

  2. Do not click on ads. Manually go to the advertiser's company site rather than clicking on the advert.

Again, Google will be unhappy, as this is their revenue source. But until it's fixed and confirmed safe, AdWords is currently just another tool in the hacker's toolbox.

  3. Verify the domain name and download link before clicking on a URL. Don't assume it is correct.

Spook.js - Attacking Google Chrome's Strict Site Isolation via Speculative Execution and Type Confusion

- Posted in Exploit by

What is it?

Spook.js is a new transient execution side channel attack which targets the Chrome web browser. We show that despite Google's attempts to mitigate Spectre by deploying Strict Site Isolation, information extraction via malicious JavaScript code is still possible in some cases.

In more detail, Spook.js is a new side channel attack that works on modern hardware to overcome the Site Isolation protections of Google Chrome and Chromium-based browsers. The purpose of these protections is to prevent each browser tab from seeing the memory and storage allocated to other tabs.

The reason this is an issue: if, for example, you are doing something sensitive in one tab, such as managing your bank account online, while a separate tab or window has a different site open that carries the Spook.js attack code, the malicious page can potentially read information from the other tab, such as your banking page.

More specifically, an attacker-controlled webpage can learn which other pages from the same website a user is currently browsing, retrieve sensitive information from those pages, and even recover login credentials (e.g. username and password), especially when they are autofilled. Further, the attacker can retrieve data from Chrome extensions (such as credential managers) if a user installs or runs a malicious extension (say, when accessing a website with the exploit active).


The underlying vulnerability that Spook.js exploits is a previously disclosed and currently unresolved hardware issue affecting all modern CPUs dating back at least 10-15 years. All CPUs come with a task scheduler that attempts to predict which tasks to run and when; if manipulated, that scheduler can be exploited with timing attacks to determine what is in memory at the time of the attack.

While this sounds scary, it simply means that when browsing a site of a sensitive nature in any Chromium browser, it should be the only tab open on the PC for as long as the sensitive site is open.

This affects all Chromium-based browsers: MS Edge, Opera, Chrome, and others built on the Chromium code.

Some protection may exist in Firefox; however, great caution should be used, as further testing is ongoing to confirm this and the advanced settings describe a mitigation, not a fix. We therefore recommend that the same recommendations below also be used in Firefox.

Web developers can protect their sites against this exploit, but it is unclear when everyone will update their code, and there is no way to confirm whether it has been done, so it is best to protect rather than risk.

The exploit exists on both desktop and mobile devices, so you are not protected just by using your phone.


Be sure your browser is fully patched. Then follow these rules when using any browser.

  1. Close all browsers for a clean start (as Chrome stays active in the background if not fully closed, this is a must) before using anything that requires login information for your sensitive data (office file systems, banking, etc.).
  2. Do not open any other tab or browser while working in the risk-sensitive environment.
  3. Close the browser when finished and start a fresh browser for research (being sure to close it again if you need to access secure resources).
  4. Disable autofill, and remove all autofilled usernames and passwords.

Are Bitcoin miners really malware for dark web?

- Posted in Exploit by

With the loss of business due to COVID-19, cryptocurrency has had a resurgence in uptake. Offers of better mining and group mining from legitimate organizations have seen small businesses jump on the opportunity to increase revenue through currency mining. Unfortunately, this has also seen an increase in activity for exploits through the mining software.

History to new activity

In the past the threat was confined to crypto hijacking: sending a malware application to an unsuspecting user and then installing, without the user's knowledge, an application that would start mining, commonly called cryptojacking. This prompted increases in malware protection and protection policies, which saw the problem move to more sophisticated means such as social engineering.

However, with the increase in unemployed workers and business losses due to COVID-19, personal computers started to be assigned to the task of crypto mining to try to get people out of difficult spots. This increase in activity did not go unnoticed, and dark web actors turned their minds to exploiting these new users through their own uptake of mining software. This was great news for the hackers, as they no longer needed to force the malware or exploits onto users, who voluntarily downloaded it through legitimate actors.

Industry Knowledge

Before I explain how, it is important to note that the exploit being deployed is known in the core code, and it appears it has been left unfixed because it allows Bitcoin to increase profits, or so some of the actors who exploit the code explain. They claim they do this to raise awareness, as Bitcoin is ignoring their statements about how it exists and what it does.

The exploit

So how does it work? It's very simple really: a user engaging in mining signs up to a group management site and downloads a mining application so they can mine cryptocurrency in the group, or cloud pool, a pool they build from the machines they have, their friends' machines and so on (cudominer is one example). The installed mining application reports to the server and starts the mining process for the group based on the parameters and hardware set in the management site. Simple so far: the miner then goes off and starts mining, and the user can see the hashes being generated and the approximate amount of bitcoin they should earn in the month.

The exploit works in a two-fold manner. First, it allows the dark web to see your miner's IP and add it to the botnet network. An attacker can then inject a set of code that exploits your machine into processing mining for other users who are not in your group but are reported as your group in the form of a fee, which is then recorded to Bitcoin as a legitimate fee. This fee is delivered to the botnet manager application, available for purchase on the dark web, by the actor setting up the exploit.

Exploit purchase

The second issue relates to the code continuing to run even after the application is closed. A user may close the miner and think they can now do something else and leave it be. Unknown to the user, the miner may be turned on remotely by the exploiter to grab bitcoin from the user's machine or pool, and they will never know, as it stays under the radar by not using 100% of the processor. It only becomes noticeable when using another application that needs high resources, such as a game, as it begins to slow down or periodically freeze. It is harder to notice on higher-end gaming hardware, because resources are allocated to the calculations so quickly that the effect appears more as latency than as CPU/GPU load. What's worse, you pay the power bill while they get 100% of the unseen transactions. The management software never sees it occurring, but the bitcoin is credited to the exploited application and sent to the actor exploiting the flaw, and Bitcoin treats it as legitimate because of the pool design.

The software is successful because you, the installer, approved it to bypass your defenses (Windows Defender etc.) at install time, as it reports legitimately as an MS-signed application from a legitimate company, which is also likely to be unaware of the exploit as it is part of the core code working as intended.

Testing

We actively tested the issue above after discovering websites on the dark web that advertised the exploits for use.

In our tests we saw the following:

  1. Active exploitation of a large pool of devices that allowed for the collection of 2.5 bitcoin, undermining the value of the bitcoin currency.
  2. Active exploitation of the miner application in Windows 10 that could not be closed from Task Manager.
  3. On reboot, the exploited miners became active again, meaning the miner code had been lodged into the startup code of the OS.

We also have additional concerns as to whether this exploit could be used for other malicious purposes.

We notified cudominer of our discovery, with no response, and we have confirmed that the calculations are short of the sums we calculated for load and mining allocation compared to the sum reported in the cudominer manager.

Recommendations

Uninstall immediately.

To uninstall

  1. Reconfigure your miner's default settings manually by disconnecting from the pool default, and disable its startup entry. Check that the miner manager is disabled in the Startup tab of Task Manager. Then uninstall the software and check to confirm that its antimalware settings have been removed. Reboot and test again.
  2. Resetting the antimalware software back to its defaults is also recommended; it is easier to re-approve apps than to leave the exploit active.

If you must run

If you must run the code, and we understand why you might need to, place it on a computer that runs only this code, and make sure it is firewalled from your main network. When you have finished mining for the period you allocated, physically shut down and turn off the machine until you need it next.

Remember that the code exploit sends money to the botnet for any form of criminal activity, and to date Anon has advised that over 100 million in bitcoin has been generated, so running these miner managers is not recommended until this exploit is fixed.