Discover and read the best of Twitter Threads about #malware

Most recents (24)

More on COSMICENERGY. Previously we said that LIGHTWORK had a 98% function overlap with lib60870-c, turns out it's even more than that. Their main code is based on an example from that project, simple_client.c #ICS #malware (1/13)
github.com/mz-automation/…
Going back in the Github history, and looking at various artifacts, like dangling if statements, and some sleep calls, and such, it looks like it's based on the version from March 28, 2019 (2/13):
github.com/mz-automation/…
I'm going to forego a line by line comparison of all the functions, but if you want to take a look, here are screen shots of the handler functions and their corresponding decompilations. First: rawMessageHandler and connectionHandler (3/13) ImageImageImageImage
Read 13 tweets
Y si os digo que hay una #Blockchain cuyo objetivo es robarte y espiarte a ti como usuario. Es decir, en si es un #Malware encubierto. O al menos la billetera principal del proyecto lo es. La blockchain es #ceilingcatcoin Adelante HILO.
Esta historia comienza con varios usuarios afectados que me contactaron por Redes, indicando que les han #robado todos sus fondos #crypto en diferentes blockchain y diferentes billeteras (Claves privadas), yo no me lo creía hasta que lo comprobé.
Todos tenían una cosa en común, habían invertido en un nuevo proyecto nuevo, que se llama #ceilingcatcoin. Como buen analista, con buen pensamiento lateral empiezo por lo que han hecho en común.
Read 27 tweets
Snake malware details. Seems to have been a large operation spanning multiple alphabet agencies! #malware
media.defense.gov/2023/May/09/20… Image
Read 8 tweets
Today's Twitter threads (a Twitter thread).

Inside: KPMG audits the nursing homes it advises on how to beat audits; and more!

Archived at: pluralistic.net/2023/05/09/din…

#Pluralistic

1/ Two business-suited male fi...
Tomorrow (May 10), I'm in #Vancouver for a keynote at the #OSSummit:

events.linuxfoundation.org/open-source-su…

And a book event at #HeritageHall:

eventbrite.ca/e/red-team-blu…

On Thu (May 11), I'm in #Calgary for @WordfestTweets:

wordfest.com/2023/event/wor…

2/ Image
KPMG audits the nursing homes it advises on how to beat audits: Too big to fail, too big to jail, and an existential risk to civilization.



3/  Image: Vectorportal.com (m...
Read 29 tweets
🚨Malware Tips 🚨 - Resolving API Hashes Using Conditional Breakpoints.

By adding breakpoints and log conditions to a function that resolves api hashes, it's possible to quickly resolve api hashes in bulk.

Thread
[1/11] 👇

#Malware #AgentTesla #Ghidra #Debugging ImageImageImage
[1.1/11]
Link to original sample: bazaar.abuse.ch/sample/7512be2…

Link to Full Blog: embee-research.ghost.io/agenttesla-ful…
[2/11] You first need to locate a function that resolves api hashes.

An example can be seen here - A giveaway is the same function is repeatedly called with hash-like values. An extra telltale sign is that each return value is cast as code (code *). Image
Read 12 tweets
⚠️ A browser extension is always a double-edged sword.

In general, there isn't much to disagree with in what @panosmek has written in this fantastic thread, but here are few additional thoughts:

🧵👇 [1/13]
[2/13] Browser extensions in and of themselves can easily be the source of #exploits.

So, rather than securing your #browser session, increasing your #privacy, or acting as a warning tool before signing transactions, it may turn out to be your worst enemy.
[3/13] — Attack Vectors —

🧐 There are merely two malicious concepts that will be exploited by #hackers to harm you while using #browser extensions:

🔸 Supply-Chain attack
🔸 Man-in-the-middle attack
Read 14 tweets
Today's Twitter threads (a Twitter thread).

Inside: The seductive, science fictional power of spreadsheets; and more!

Archived at: pluralistic.net/2023/04/29/ged…

#Pluralistic

1/ A Lotus 1-2-3 spreadsheet w...
Tomorrow (Apr 30) at 2PM, I'll be at the #SanFrancisco Public Library with my new book, *Red Team Blues*, hosted by @annaleen@wandering.shop:

sfpl.org/events/2023/04…

2/ Image
The seductive, science fictional power of spreadsheets: Maybe the map IS the territory?



3/ Image
Read 29 tweets
🐀 AsyncRAT 🐀 - Defeating Obfuscation Using CyberChef

An overview of some advanced CyberChef tricks for decoding malware

[1/12] 🧵

#AsyncRAT #Decoding #CyberChef #Malware Decoding Decimal Values using cyberchefDecoding String Reverse Using CyberchefDecoding Replace Operations Using CyberChefExample of Using Registers and Regex to perform Replace Oper
[2/] First, some links if you wish to follow along.

The Malware File: bazaar.abuse.ch/sample/26c9f29…

Links to CyberChef Recipes:
github.com/embee-research…
[3] Decimal Values:

Some text is converted to decimal to hinder simple text based analysis.

To defeat:
- Subsection - This grabs encoded data without removing the rest of the script
- Regex - Grab the decimal and ignore the "chr" junk
- From Decimal - Decode the decimal Decimal Encoded Values "chr(45)" etc - Prior to De
Read 12 tweets
𝐌𝐚𝐥𝐰𝐚𝐫𝐞 𝐚𝐧𝐝 𝐑𝐞𝐯𝐞𝐫𝐬𝐞 𝐄𝐧𝐠𝐢𝐧𝐞𝐞𝐫𝐢𝐧𝐠 𝐂𝐨𝐧𝐭𝐞𝐧𝐭𝐬 📢

#infosec #Hacking #redteam
#malware #ReverseEngineering
#RE

Awesome Malware and Reverse Engineering
lnkd.in/dZFy_k6d

lnkd.in/dZh9hbpq
Malware API
malapi.io

lnkd.in/djqeN7RS

Malware Analysis and Reverse Engineering
lnkd.in/dXjFkZ7a

Retoolkit
lnkd.in/dwn8bRi3

Malware Bazar
bazaar.abuse.ch

Malware Analysis Journey
lnkd.in/d9B6UGQ8
Read 6 tweets
Ursnif Loader (Javascript) - Manual Decoding Using Cyberchef

[1/13] 👇🧵

#Cyberchef #Decoding #Ursnif #Malware
[1.1] A quick summary/TLDR before we get started

- Remove comments (manually or using regex)
- Remove "split" strings (manually or using regex)
- Remove obfuscated numbers
- (optional) Rename Variables
- Apply beautifier and syntax highlight
[2] First, I downloaded the sample from Malware Bazaar and loaded it into a safe analysis VM.

You can find the same sample here
bazaar.abuse.ch/sample/2a72302…
Read 14 tweets
Potential #DanaBot Loader - De-Obfuscation using CyberChef and Python.

Sample: bazaar.abuse.ch/sample/80aad66…

C2: 0/90 VT
Script: 5/59 VT

[1/5] 👇

#Regex #python #cyberchef #malware ImageImageImageImage
[2/5] Note the initial script contains a large amount of junk comments to mask the "real" code.

These can be removed using #cyberchef and a short #regex.

Find and Replace
^(REM|').*\n ImageImage
[3/5] There are some long junk numbers scattered throughout the code.

Personally, I decoded with Python and an eval inside of a safe VM. ImageImage
Read 5 tweets
Today's quick #malware analysis with #SecurityOnion: FAKEBAT, REDLINE STEALER, and GOZI/ISFB/URSNIF pcap from 2023-02-03!

Thanks to @malware_traffic for sharing this pcap!

More screenshots:
blog.securityonion.net/2023/02/quick-…

#infosec
#infosecurity
#ThreatHunting
#IncidentResponse
@malware_traffic Let's review some of the data that #SecurityOnion generates from this traffic!

When you import the pcap using so-import-pcap, it will generate a hyperlink that will take you to the Overview dashboard:
@malware_traffic Here are the NIDS alerts:
Read 13 tweets
🧠The term Artificial Intelligence is being used as a catch-all for a number of different disciplines but one particular use case may be more important than others: security.

🧐Here's how we use #AI to improve security

🧵👇
First of all, artificial intelligence just means the simulation of human thought by a computer. When you’re using a calculator, you’re already using a computer to “think for you” and do math.

Now you can use a computer to do things like pattern recognition. 🔳🔲🔳🔲🔳🔲
How? The short version is that if you give the computer a step-by-step explanation about how you look at something, you can run it over, and over, and over while correcting its mistakes along the way. 🔁
Read 14 tweets
🎙️Web3 Security Q&A with our CEO Rick Deacon - @rickdeaconx

⚠️Part I: Common #Web3 Threats

(Part II: How Interlock solves this by using #AI - will be published tomorrow!)

🧵👇
Q: What are the top security problems for crypto and Web3 users right now?

A: "The most prevalent security problems are all focused on social engineering:

1⃣Phishing attacks where attackers try to steal personal information by disguising a malicious website as a legitimate one.
2⃣Malware infections which can steal personal information, funds or take control of a device.

3⃣Scams that take advantage of the hype around #cryptocurrency and Web3 technologies to trick users into sending money or personal information.
Read 18 tweets
🧵 While #ChatGPT is grabbing the headlines, pushing @GoogleAI (#LaMDA) and @Baidu_Inc to rush their plans to launch competitors, maybe it’s time to explore the security/privacy concerns generative AIs raise.

Here's a #thread on some of these, brought to you by @InfosecurityMag.
@GoogleAI @Baidu_Inc @InfosecurityMag First, @OpenAI’s #ChatGPT has already been used to develop #malware and other malicious tools, as @a_mascellino reported on January 9, 2023. #encryption #cybercrime cc @SShykevich @_CPResearch_
infosecurity-magazine.com/news/chatgpt-d…
Read 15 tweets
Malware Analysis Tip - Use Process Hacker to watch for suspicious .NET assemblies in newly spawned processes.

Combined with DnSpy - it's possible to locate and extract malicious payloads without needing to manually de-obfuscate.

1/

#Malware #dnspy #analysis #RE
2/ For anyone wanting to try - The initial sample can be in the link below

Once executed (inside of a safe vm!) - You should see the installutil.exe detailed in the screenshots above.

(Make sure to use Dnspy-x86 for attaching to the process) 😄

bazaar.abuse.ch/sample/b24c75d…
3/ Sometimes you'll get lucky and the modules will be named much more suspiciously.

See below for an example of a suspected #redlinestealer loader. Which injected multiple modules into a renamed powershell.exe.

bazaar.abuse.ch/sample/7e09174…
Read 3 tweets
(Possible) AsyncRat loader - Interesting regex to decode the obfuscated C2.

Script was found on host with an active #AsyncRat infection.

#malware #regex #decoding
[1/6] The team at @HuntressLabs are still observing IronPython executables used to load #malware.

In these cases - IronPython (ipyw.exe) file is typically renamed to SupportTool.exe or Ctfmon.exe

Since ipyw.exe is "legitimate", the VT detection rate is very low (0/72).
[2/6] The "update.py" is where the malicious action starts.

This is usually a simple python file containing an additional obfuscated script.

Below you can see this decoded via #CyberChef.
Read 7 tweets
17 herramientas GRATUITAS de #hacking #ciberseguridad #gratis:
Va hilo 🧵
1.Zeek: zeek.org : monitorea y analiza el tráfico de red en tiempo real, captura paquetes, registra eventos y genera alertas de actividad sospechosa. Ampliamente utilizado en la industria y en la investigación académica. #Zeek #seguridad #red
2.ClamAV: clamav.net :detectar y eliminar virus, malware y otras amenazas en archivos y mensajes de correo electrónico. Se utiliza a menudo en servidores de correo y sistemas de red para proteger contra amenazas de seguridad.#ClamAV #virus #seguridad #malware
Read 25 tweets
Setting up an analysis VM for reverse engineering?

Here are a few good tools (with short demos) that I recommend after running the Mandiant/FLARE script, (which installs 99% of tooling for you) 🔥

TLDR:
Garbageman, SpeakEasy, BlobRunner, Dumpulator

#Malware #RE #Analysis
2/ This is the Flare script from Mandiant. Simply running this script will install the majority of tools that you would ever need.

As a beginner RE or malware analyst, you can work comfortably using only the tools included in this script.

github.com/mandiant/flare…
3/ Over time I've picked up some other tooling that isn't installed by default by Flare.

These are relatively lesser-known tools that I have found very useful.
Read 12 tweets
🧵 Everyone’s chatting about 🤖#ChatGPT. Here are 11 things it can do for #malware analysts, #security researchers, and #reverse engineers. A thread >>👇 🧵
1/13
🙋🏻‍♀️ Learn how to use reverse engineering tools more effectively. Use #openAI chat bot to get rapid interactive help on your reversing tools.
2/13
👾 Teach yourself #assembly language. Ask #ChatGPT to convert high-level code into assembly. #arm #intel little endian big endian #nasm #masm. It knows them all.

3/13
Read 13 tweets
📢I recently investigated a campaign targeting the cryptocurrency industry. I wrote a detailed report that includes TTP, IOC and more. Here is a thread about this attack! 🧵👇

@MsftSecIntel @MicrosoftAU #infosec #cryptocurrency #threatintelligence #apt

microsoft.com/en-us/security…
The attack started on Telegram to identify the targets, then they deployed a weaponized Excel document which finally delivered the final backdoor through multiple mechanisms. ☠☠️ #infosec #malware #backdoor
🧐To identify the targets, the threat actor sought out members of cryptocurrency investment groups on Telegram.

👀They created fake profiles using details from employees of the company OKX. #infosec #Cryptocurency
Read 14 tweets
1️⃣ NICCS Federal Virtual Training Environment (FedVTE)

Link: rb.gy/5uai1j
2️⃣ SANS Cyber Aces Free Cyber Security Training Course

Link: rb.gy/qg9on5
Read 7 tweets
1/Αναλυση #υποκλοπες #Ελλαδα: Συνομιλησαμε το προηγουμενο διαστημα με εναν ειδικο στην κυβερνοασφαλεια ο οποιος δεχτηκε να απαντησει σε ερωτησεις μας σχετικα με #malware που προσβαλουν κινητες συσκευες μεταξυ των οποιων και το #Predator.
2/Στο παρων 🧵 θα προσπαθησουμε να ξεδιαλυνουμε καποια σημεια για το σκανδαλο των υποκλοπων. Η συνεντευξη εγινε με την μορφη ερωταπαντησεων πανω σε μεθοδους και εργαλεια που θα μπορουσε να χρησιμοποιησει καποιος για να ξετυλιξει την ακρη του νηματος.Τα στοιχεια του μας ζητηθηκε
3/να μην γινουν γνωστα όπως η ακριβης ιδιοτητητα του για ευνοητους λογους. Για την ευχερεια της παρουσιασης της συνεντευξης θα τον αναφερουμε με τα αρχικα ΖΖ
DG:Αν καποιος εχει λαβει καποιο λινκ (χωρις να το πατησει) μεσα απο malware μπορει με καποια μεθοδο να βρει τον ειβσολεα?
Read 27 tweets
🧵Let's talk about #Telegram - here are ten useful cybersecurity groups and channels we watch:

A thread:
1. Cyber Security News (30k+ members)

Cyber Security News is a feed channel for links to breaking news stories across the internet, everything from #TechCrunch to #Portswigger. It’s a one-stop shop for cyber-related news with your morning coffee.

telegram.me/cyber_security…
2. Cyber Security Experts (23k+ members)
A great channel for exchanging #information about #cyber, #IT, and #security. Mainly used to get answers to questions and help other security experts to enhance their security maturity.

t.me/cybersecuritye…
Read 13 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!