Discover and read the best of Twitter Threads about #Lazarus

Some updates on this suspected #Lazarus #APT: (thread, 1/4)
1) The remote template is VBA stomped, or at least it was able to hide itself from olevba and oledump
2) The remote template drops an obfuscated vbs file and registers it as a scheduled service
3) All the strings in "OneDriveUpdateNew.vbs" are obfuscated and are decoded using the "string_decoder" function with a hardcoded key table.

You can see the decoder and list of the decoded strings used by this vbs file here:
github.com/HHJazi/APT
2/4
4) The vbs file collects the victim info and builds an HTTP request:
"Username-ComputerName_UUID;OSName"
5) Then it encodes the request using a hardcoded key and sends the generated request to the C2
6) It receives a payload from the C2 and writes it to "%APPDATA%/OD_update.exe"
3/4
Diving into the #Lazarus sample that was mentioned in the nice blog tinyurl.com/mdyxr8m3. I recognized it uses 2 custom algorithms for decoding strings.
- 1st is a modified RC4 to decrypt API function names.
- 2nd is a custom algo to decrypt C2 URLs and user agent strings (1/4)
For decrypting API function names, it decodes a base64 string and calls the modified RC4 algo to decrypt the base64-decoded string (2/4).
For decrypting C2 URLs and user agent strings, it also decodes a base64 string and calls the custom algo to decrypt the base64-decoded string (3/4).
296. #SophieJones (2021) A raw and resonant coming-of-age story about dealing with grief and overcoming pain; it feels very personal. The cinematography is gorgeous and visually stunning, with excellent performances by the cast, especially the lead, who is great. Really good. ⭐⭐⭐1/2
296. #Moxie (2021) A fun and entertaining coming-of-age movie that might be a bit flawed, but the performances by the cast are good. It is a bit long; however, it deals with a lot of important issues and it has a really powerful scene at the end, and the direction is strong. ⭐⭐⭐
297. #TheHitchHiker (1953) A swift, thrilling noir film that is visually pleasing with great direction. It is very tense, suspenseful and fast paced (yeah, it's only 70 min), anchored by a trio of great performances by the cast. The story might not be fully fleshed out, but it is still fun. ⭐⭐⭐⭐
1. The more I look at these Trump election contests, the more apparent it is that they're all linked to the criminal conspiracy to impair the @USPS. Question for me: Do the lawyers know the criminal purpose sufficiently to have incurred criminal liability?
2. For Rudy & Sidney Powell, I think it likely. For run-of-the-mill local counsel, absent more proof, I would think not. But Rudy & Powell likely will be seeking pardons that may have been part of their deal. And with them, Trump will dig himself a deeper hole and the ongoing
3. nature of the conspiracy will bring Rudy and Grisham a taste of my #Lazarus Theory that says you cannot successfully pardon an on-going conspiracy because the continued agreement plus a single overt act in furtherance of the unlawful purpose done by any conspirator
#ESETresearch discovered a supply-chain attack performed by #Lazarus APT group against South Korean 🇰🇷 internet users. @cherepanov74 @pkalnai welivesecurity.com/2020/11/16/laz… 1/7
WIZVERA VeraPort software is often used on internet banking and government websites in 🇰🇷 South Korea. The purpose of this software is to install additional security software required by some of these websites. 2/7
The attackers abused a combination of WIZVERA VeraPort software and compromised South Korean websites with VeraPort support, to deploy Lazarus malware. 3/7
#ESETresearch analyzed operation #Interception, a new espionage campaign targeting aerospace & defense companies in Europe and the Middle East. Initial contact was made via #LinkedIn, where attackers approached targets with fake job offers @jiboutin welivesecurity.com/2020/06/17/ope… 1/5
The attackers sent a password protected RAR archive containing a LNK file responsible for showing a decoy PDF and downloading additional malware. In some cases, this archive was sent directly through #LinkedIn instant messenger. #ESETresearch 2/5
While the victim was being deceived by the decoy PDF, a scheduled task was created, launching WMIC to execute a script embedded in a remote XSL file. This enabled the attackers to get their initial foothold inside the targeted company and gain persistence on the computer. 3/5
1. Snippet of pardon law from 2017 in the context of a crime boss in the @WhiteHouse. And I'll add that a dangle, offer and act of pardoning a witness can be bribery, tampering and conspiracy by the official and his/her staff. Sorry Roger. Suck it up. @TheJusticeDept @FBIWFO
2. If Trump pardons him, Roger has to talk. Also, I don't see that a pardon works for an ongoing conspiracy. The defendant who has not withdrawn still agrees to the conspiracy, and agreeing to not testify with one overt act means conspiracy liability comes back to life. #Lazarus.
3. Easy fact pattern: Bob BankRobber plans a bank robbery with Cal Conspirator. Bob gets caught after agreement and overt act and charged with conspiracy. Pres DirtyDon pardons Bob who agrees to refuse to testify against Cal. Assume an overt act in furtherance of conspiracy.
The #IT environment of the Indian #NPP (nuclear power plant) Kudankulam was not only hacked, but also used as a command and control server.

Hopefully the #OT was not also publicly connected to the network!

#KRITIS sector #Energy #nuclear #nuclearsafety #Resilience #Cyber #Security

To distinguish:

IT means information technology systems (#PC #Laptop #Windows #Office, #Accounting...)

OT means operational technology systems (#ICS #SCADA #PLC #HMI #ControlTechnology...)
An appropriate state of the art (#SdT), as required under #KRITIS, was apparently not maintained at the #NPP.

Strict #separation between #OT control systems and #IT is an essential #SecurityMeasure!

You can find further #measures and #demands here.

ag.kritis.info/politische-for…