Discover and read the best of Twitter Threads about #Malware

Most recent (24)

A quick demo of how to identify "real" exported functions from an #obfuscated #IcedID dll file.

I'll also briefly touch on some #Ghidra tips, and how to extract #shellcode using a debugger.

A moderate sized thread😃
[1/13]
[2/13] You can find the relevant files here. Special thanks to @malware_traffic.

First, download the .zip in the screenshot.👇

Then unzip and locate the "rarest.db" file in the "scabs" folder.

(Make sure to do this inside an isolated Virtual Machine)
malware-traffic-analysis.net/2022/09/23/ind…
[3/14] Drag the "rarest.db" file into Pe-Studio and navigate to the exports tab.

There are 11 exported functions here. 🧐

Most of them have junk names to throw off analysis.

One of them is "real", the rest are "decoys" which don't do anything if executed.
Read 14 tweets
Hello @Uber! We know breaches suck. Wanted to reach out and support with some interesting information on the #uberhack. If you need any more details, feel free to contact us.

#FightAgainstCybercrime
On September 16, vx-underground posted screenshots with evidence of access to #Uber internal systems, including #SentinelOne, #Slack and #AWS. The screenshots have been attributed to the threat actor teapots2022.
During Group-IB’s analysis of the screenshots, interesting artifacts were found in the recently downloaded files tray. The first 2 files are zip archives and share the same name format, "LOGID-\d{7}", with the names "LOGID-4952307" and "LOGID-4953756".
Read 9 tweets
Email is still one of the main routes of #malware infection because here, apart from the security solution the company adopts, there is another element: the user.
(thread) 🧵
And this user will, for sure, carry out all the actions you didn't expect. To begin with, clicking on links that are clearly suspicious. But the order of events will be:
1) Click
2) Notice that strange things are happening
3) Notify the IT department
🤷‍♂️
⬇️
I received the email above in one of my business accounts. The subject line shows the name of a former client of mine. The recipient list includes my address and those of other people who are in that client's address book and whom I don't know.
⬇️
Read 29 tweets
Reverse Engineering a #CobaltStrike #malware sample and extracting C2's using three different methods.

We'll touch on #cyberchef, #x64dbg and Speakeasy from fireeye to perform manual analysis and emulation of #shellcode.

A (big) thread ⬇️⬇️
[1/23]
[2/23]
To follow along, download the sample from the link below. Then transfer the .zip into a safe VM environment.

My VM is a mostly default Flare VM with SpeakEasy installed on top.
bazaar.abuse.ch/sample/08ec3f1…
[3/23] Once unzipped (pw:infected), load the file into pe-studio for quick analysis. There isn't a lot of interest here, but take note that the file is a 64-bit .dll with 4 exported functions.
Read 23 tweets
A list of top 10 popular malware reports that every Malware Analyst should check out

Take a look at these excellent Malware analysis reports

#malware #ThreatHunting #threatintelligence #fireye #virus #Talos @TalosSecurity #linux #hacking #networks #rootkits

👇👇
1⃣ CheckPoint - SpeakUp: A New Undetected Backdoor Linux Trojan

🔗
research.checkpoint.com/2019/speakup-a…
2⃣ First Sednit UEFI Rootkit unveiled

🔗
mirror.netcologne.de/CCC/congress/2…
Read 11 tweets
New: #Ukraine bracing for new round of #Russia|n cyber attacks targeting its energy, financial sectors, Deputy Minister of Digital Transformation Georgii Dubynskyi tells reporters
"We saw this scenario before: before the winter they [#Russia] are trying to find a way how to undermine, how to defeat our energy system & how to make circumstances even more severe for Ukrainians" per Dubynskyi
#Russia also trying to employ "precision" #cyberattacks

"Using social engineering & using some traitors...so it's also possible #hybrid attacks as well" per Dubynskyi
Read 12 tweets
Save this list of resources for your future #OSINT Investigations!

intelx.io: Search engine for data breaches
netlas.io: Search & monitor devices connected to the internet
urlscan.io: Scan a website's incoming and outgoing links and assets
prowl.lupovis.io: Free IP search & identifications of IoC and IoA
fullhunt.io: Identify an attack surface
zoomeye.org: Cyberspace search engine, users can search for network devices
leakix.net: Identify public data leaks
greynoise.io: Search for devices connected to the internet
search.censys.io: Get information about devices connected to the internet
hunter.io: Search for email addresses
Read 6 tweets
Raspberry Robin is a malware that has been around for some time now and spreads via infected USB drives.
Here is what we have seen over the last 10 months. 🧵 1/12 #RaspberryRobin #malware

via @lazy_daemon
@sekoia_io and @redcanary have already published excellent technical analyses of this malware, so we won't go into more detail about it.

7095517.fs1.hubspotusercontent-na1.net/hubfs/7095517/…

redcanary.com/blog/raspberry…

🧵 2/12
Since December, 2021, we've seen several cases mostly in Hungary🇭🇺 and Germany🇩🇪 but also a few in Russia🇷🇺 and India🇮🇳.
The user always clicked the malicious link, so no automatic infection when the USB drive was plugged in. 🧵 3/12
Read 12 tweets
A lot of talk about threat modeling lately. Let me give you some idea of why I hate it and think threat modeling is bullshit. I'll also tell you what I think is better. I'm going to use $BIGCO as my example. Here's a long thread.
#infosec #blueteam #malware #skincare
🔜🧵
First, you constantly hear the snarky refrain "my threat model is not your threat model" from people trying to sound important. They don't have a "threat model". They have a superiority complex in their head about potential "threats" 🙄 It's silly. Show me your threat model. 🔜🧵
Oh, you don't actually have it written down and it's not based on data, but based on just general things you're worried about? All in your head? 🆗🆒 Sounds like your idea of a "threat model" and mine really are pretty different.
🔜🧵
Read 16 tweets
Since your malicious cyberattack timelines matched cybersecurity’s research to strengthen security for years and now, you hack alone but with a cooperative goal to damage national security. Which Advanced Persistent Threats group/s #APTs are you in, #Animez_UK?
Converting traditional crime to cyber-enabled crime and becoming a malicious attacker against the UK, for

1- financial income,
2- #sexual desire and #harassment with #pornography sent to #women,
3- attacks for #politics against the UKGOV.

#Animez_UK
1st stage- early life:
-Experienced #exclusion/#discrimination.
-Didn’t learn to communicate with #women.
-favours #authoritarianism.
-enjoys #control over targeted women & others against their will.
- Expresses hidden #hatred & #violence through cyberattacks.

#Animez_UK
Read 214 tweets
NEW: Multiple attackers increase pressure on victims, complicate incident response

Sophos’ latest Active Adversary report explores the issue of organizations being hit multiple times by attackers...

1/17
There’s a well-worn industry phrase about the probability of a cyberattack: “It’s not a matter of if, but when.”

Some of the incidents @Sophos recently investigated may force the industry to consider changing this: The question is not if, or when – but how many times? 2/17
In an issue we highlighted in our Active Adversary Playbook 2022, we’re seeing organizations being hit by multiple attackers. 3/17
Read 17 tweets
TOP Python 🐍Tools 🛠️ & Libraries for Malware &
Binary Analysis.

#Python #malware #infosec

Thread 🧵
❃ Angr: A powerful and user-friendly binary analysis platform!

• Disassembly
• Program instrumentation
• Symbolic exec
• Control-flow analysis
• Data-dependency analysis
• Value-set analysis (VSA)
• Decompilation
🔗
github.com/angr/angr
❃ PEfile: Python module to read and work with PE (Portable Executable) files

• PEfile multi-platform Python module
• Works with Portable Executable (PE) files
• Most of the information contained in the PE Headers, Sections, Details, and Data is accessible

🔗github.com/erocarrera/pef…
Read 5 tweets
Hey, everyone.
We continue our Cybersecurity series with "The Cybersecurity Gee".
Today, we'll be talking briefly about "malware"; its definition, types, and prevention.

I trust it'll be worth your time.

Legggooo!!!
What is Malware?
Intrusive software known as malware is created specifically to harm and incapacitate computers and computer systems. The term "malicious software" is often shortened to "malware."
Malware typically aims to accomplish one of the following:

Give an attacker remote access to a compromised machine.
Send spam from the compromised device to unwitting recipients.
Investigate the local network of the affected user.
Steal sensitive information.
Read 11 tweets
#Russia #cyber as part of war in #Ukraine - "We learned a lot" Deputy National Security Advisor of Cyber & Emerging Technology, Anne Neuberger tells #AspenSecurity

"At 1st we've seen several different variants of destructive #malware used...closely aligned w/its invasion"
#Ukraine - "They expected the incidents & worked closely to prepare for it," per Deputy NSA Neuberger

"We had teams on the ground from various agencies, virtually, & on the ground as well helping out"
#Russia's use of #cyber - "There are any number of theories for what we saw & for what we didn't see" per Deputy NSA Neuberger

Notes they didn't see more attacks vs allies supporting #Ukraine or on their critical infrastructure
Read 6 tweets
#ChromeLoader #malware persists via obfuscated content stored in the registry. Here's how to decode it using #Cyberchef.
1/
2/ First, locate a scheduled task containing content that you suspect to be ChromeLoader malware. Decode the first stage using "From Base64" and "Remove Null Bytes". This will give you the first stage loader in its #decoded form.
3/ Next, check the location of the next stage in the registry. This should be near the beginning of the code.
Read 11 tweets
If you utilise API hashing in your #malware or offensive security tooling, try rotating your API hashes. This can have a significant impact on #detection rates and improve your chances of remaining undetected by AV/EDR. See below for an example with a Bind Shell vs #Virustotal.
Since API hashing can be confusing, most attackers won't rotate their hashes with each iteration of malware. Those same hashes can be a reliable detection mechanism if you can recognize them in code.
Luckily finding these hashes isn't too difficult, just look for random hex values prior to a "call rbp".
If you're unsure whether the value is an API hash, just google it and see if you get any hits. Most of the time, identification can be a simple google search away.
Read 6 tweets
Having fun with cyberstalking #UKGOV, attacking organisations, universities & individuals connected to the justice system, UK #military against #NCSC, treating #intelligence & #GCHQ as jokes to your 15-20 yrs malicious #hacking for #China & #Russia inside #Britain, @Animez_UK? 01
Converting #traditional crime to cyber-enabled crime and becoming a malicious #cyberattacker against the UK, for

1- #financial income,
2- #sexual desire and #harassment with #pornography sent to #women,
3- attacks for #politics against the #UKGOV.

@Animez_UK @NCSC

02
1st stage- early life:
-Experienced #exclusion/#discrimination.
-Didn’t learn to communicate with #women.
-favours #authoritarianism.
-enjoys #control over targeted women & others against their will.
- Expresses hidden #hatred & #violence through cyberattacks.

@Animez_UK @NCSC
Read 188 tweets
1/

With #P2E's popularity, threat actors are leveraging on the fact that excited players are ready to jump on board to test the new game (and earn at the same time).

Here's a 🧵 about a #Redline stealer #malware from a "project" that recently launched a "beta test"
2/

I came across @DheerajShah_'s thread about how he was almost hacked, and one of the commenters caught my eye.

@_Starkcrypto shared that he was compromised by a project claiming to be a "p2e beta testing"


https://t.co/M1daLjbsKU
3/

That project is @rworldp2e (now @R_WorldP2E). As they were called out by Stark, the account changed the username lol. Here's the ID though: 1467094027480625155

It is an impersonation of the original project called @ReptileChronic @R_chronicls

Read 12 tweets
NEW: #Russia waging #cyber war as part of its war in #Ukraine, per new @Microsoft report

"Microsoft has seen the Russian military launch multiple waves of destructive cyberattacks against 48 distinct Ukrainian agencies & enterprises..." per report
Goal of #Russia's #cyberattacks vs #Ukraine has been to "penetrate network domains by initially compromising hundreds of computers & then spreading #malware designed to destroy the software & data on thousands of others" per @Microsoft
#Russia also targeting governments outside #Ukraine

"We’ve detected Russian network intrusion efforts on 128 organizations in 42 countries outside Ukraine" per @Microsoft
Read 11 tweets
At a press conference this morning, #FBI Director Christopher Wray announced new and recent enforcement actions to disrupt and prosecute criminal Russian activity. Read his full remarks, as delivered, at go.usa.gov/xu32c.
To learn more about the court-authorized #cyber operation to disrupt a botnet controlled by the Russian Federation’s Main Intelligence Directorate (GRU), as well as about Cyclops Blink #malware, read this press release from @TheJusticeDept: go.usa.gov/xu3bc
In a press release from the @TheJusticeDept, #FBI Cyber Assistant Director Bryan Vorndran said the disruption showcased "the FBI’s commitment to combatting cyber threats through our unique authorities, capabilities, and coordination with our partners." go.usa.gov/xu3bc
Read 6 tweets
HAPPENING NOW - Senate Intelligence Committee holds open hearing on Worldwide Threats

Testimony coming from:

@ODNIgov Dir Avril Haines

@CIA Dir Bill Burns

@DefenseIntel Dir LtGen Scott Berrier

@NSAGov Dir Gen Paul Nakasone

@FBI Dir Christopher Wray
Senate Intel Comm Chair @MarkWarner starts w/praise for the US intelligence community for being candid w/intel on #Russia, #Putin's plans for #Ukraine & "throwing Putin off-guard"
"Democracy is sometimes messy" per @MarkWarner "I believe with all my heart the ppl of #Ukraine are voting with their lives, embracing the values that we take for granted every day"

"With all our flaws, our system is still the best in the world"
Read 41 tweets
The #ContiLeaks contained some messages consisting of IP:Username:pass combinations for #Conti infrastructure.
This allows us to connect certain #Trickbot activity with the #Conti group:

1/x
The IPs in the image are the following:

2/x
Using @MaltegoHQ together with OTX/Alienvault and
@virustotal integration, we are able to connect several of these IPs to #Trickbot activity:

3/x
Read 8 tweets
#WhisperGate #HermeticWiper, 2 different names but the same purpose: a cyber weapon
🚨TL;DR A video to show the destructive and irreversible impact that has been aimed at Ukraine for some time and that could very quickly spread to other countries in Europe, and in particular to France
➡️Since yesterday, many #cybersécurité teams specialising in #malware analysis and research have given the community evidence of a cyber weapon aimed at #Ukraine. This ransomware strain is a Disk Wiper named #HermeticWiper or #WhisperGate.
It reportedly dates from late December, suggesting premeditation regarding what is currently happening in the #Russie #Ukraine conflict.
Read 8 tweets
Daily Bookmarks to GAVNet 01/22/2022 greeneracresvaluenetwork.wordpress.com/2022/01/22/dai…
Trump Backs Boosters. Clearly, Someone Did the Math for Him. | by Donald G. McNeil Jr. | Jan, 2022 | Medium

donaldgmcneiljr1954.medium.com/trump-backs-bo…

#PartisanPolitics, #VaccinationBoosters, #PoliticalEndorsement, #SwingStates
The Complex Alternative: Complexity Scientists on the COVID-19 Pandemic — SFI Press

sfipress.org/books/the-comp…

#ComplexityScience, #BookReview, #SantaFeInstitute, #COVID19, #SocialCommentary
Read 20 tweets