CyberSum logo
Back

Cyberattack Campaign Exploits Web Apps with Log Poisoning

Cyber Security News by CyberSum.net
6 sources
Security researchers have uncovered a sophisticated cyberattack campaign where threat actors exploit web applications using log poisoning to deploy web shells and weaponize Nezha, a legitimate server monitoring tool, for malicious command execution. The attack begins with exploiting vulnerable phpMyAdmin panels lacking proper authentication. Threat actors set the language to simplified Chinese upon access, indicating their likely origin. Within 30 seconds, they execute SQL commands to enable logging and deploy their web shell payload. The log poisoning technique involves manipulating MariaDB’s logging functionality to write malicious PHP code into log files with executable extensions. Following web shell deployment, threat actors install Nezha agents on compromised systems. Nezha, marketed as a lightweight open-source server monitoring tool, is repurposed for malicious command execution and persistent access. The campaign demonstrates how threat actors increasingly abuse publicly available tools to achieve their objectives while maintaining plausible deniability.

Also Read

PhantomVAI Loader: New Multi-Stage .NET Loader in Phishing Campaigns

PhantomVAI Loader, a newly renamed multi-stage .NET loader, is being used in widespread phishing campaigns to deliver various information-stealing malware. The loader, initially identified as Katz Stealer Loader, now supports multiple payloads through an evasive infection chain that includes obfuscated scripts, steganography, and virtual-machine detection. Organizations across multiple sectors have been targeted in this global campaign. The loader is available on underground marketplaces, allowing even low-skill actors to launch complex attacks. The infection chain involves phishing emails with themes of sales, payments, or legal actions, sometimes using homograph attacks to trick recipients. The emails contain ZIP archives with obfuscated JavaScript or VBS files that embed a Base64-encoded PowerShell script, which fetches a GIF file with a steganographically hidden DLL payload. The PhantomVAI Loader performs virtual-machine detection checks and establishes persistence through scheduled tasks or Run registry keys before downloading the final payload and injecting it into a legitimate executable.

By Cyber Security News by CyberSum.net