Discover and read the best of Twitter Threads about #Malware


How to check iOS devices for signs of CVE-2021-30860 / FORCEDENTRY exploitation (for context, see @citizenlab's 13.09.2021 blog). #nso #pegasus #malware #ios
Make an unencrypted iTunes backup, or use MVT (docs.mvt.re/en/latest/inde…) to decrypt an encrypted one. You can also check older backups, if you have them. (it's a good idea to make regular iTunes backups for all your devices, precisely for this reason)
Use DB Browser for SQLite (see sqlitebrowser.org) to open Manifest.db, in the root folder of the iTunes backup. Make sure you open it read-only - "File -> Open Database Read Only".
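The thread above stops at "open Manifest.db read-only". The script below is an added example, not part of the thread and not MVT's code: it opens a backup's Manifest.db strictly read-only (the CLI twin of "Open Database Read Only"), enumerates the iMessage/SMS attachments and flags any whose extension disagrees with its magic bytes. Assumptions not stated in the thread: the standard iTunes backup layout (a Files table with fileID/domain/relativePath/flags, fileID = SHA1("<domain>-<relativePath>"), blobs at <backup>/<fileID[:2]>/<fileID>, flags 1 = regular file), and that an extension/magic mismatch is a useful triage heuristic; it is not Citizen Lab's published indicator list. The two-file backup it scans is constructed inline.

```python
"""Open an iTunes backup's Manifest.db read-only, enumerate SMS attachments, and flag
files whose extension disagrees with their magic bytes. Added example, not MVT.
Assumed (standard backup layout, not stated in the thread): Files(fileID, domain,
relativePath, flags, file); fileID = SHA1("<domain>-<relativePath>");
blobs stored at <backup>/<fileID[:2]>/<fileID>; flags 1 = regular file.
"""
import hashlib
import os
import sqlite3
import tempfile

# First bytes of the formats recognised here; anything else is reported as "unknown".
MAGIC = {b"GIF8": "gif", b"\x89PNG": "png", b"\xff\xd8\xff": "jpg", b"%PDF": "pdf", b"8BPS": "psd"}


def file_id(domain: str, relative_path: str) -> str:
    """Name of the backing file inside the backup directory."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode()).hexdigest()


def sniff(head: bytes) -> str:
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def scan_backup(backup_dir: str):
    """Return [(relativePath, claimed_ext, sniffed_kind)] for SMS attachments whose
    content does not match their extension. mode=ro guarantees the evidence file is
    never written to, even by accident."""
    db = os.path.join(backup_dir, "Manifest.db")
    con = sqlite3.connect(f"file:{db}?mode=ro", uri=True)
    try:
        rows = con.execute(
            "SELECT fileID, relativePath FROM Files "
            "WHERE domain = 'MediaDomain' "
            "AND relativePath LIKE 'Library/SMS/Attachments/%' "
            "AND flags = 1 "              # assumption: 1 = regular file, 2 = directory
            "ORDER BY relativePath"
        ).fetchall()
    finally:
        con.close()
    findings = []
    for fid, rel in rows:
        ext = os.path.splitext(rel)[1].lower().lstrip(".").replace("jpeg", "jpg")
        blob = os.path.join(backup_dir, fid[:2], fid)
        if not os.path.isfile(blob):
            continue                      # listed in the manifest but absent from this backup
        with open(blob, "rb") as fh:
            kind = sniff(fh.read(8))
        if kind != "unknown" and kind != ext:
            findings.append((rel, ext, kind))
    return findings


def build_demo_backup(backup_dir: str = "") -> str:
    """Constructed fixture (not a real backup): a two-row Manifest.db and its blobs.
    One attachment is a genuine GIF; the other is a ".gif" that is really a PDF."""
    backup_dir = backup_dir or tempfile.mkdtemp(prefix="demo-backup-")
    samples = {
        "Library/SMS/Attachments/ab/11/cat.gif": b"GIF89a" + bytes(10),
        "Library/SMS/Attachments/cd/12/meme.gif": b"%PDF-1.3" + bytes(10),
    }
    con = sqlite3.connect(os.path.join(backup_dir, "Manifest.db"))
    con.execute("CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
                "relativePath TEXT, flags INTEGER, file BLOB)")
    for rel, data in samples.items():
        fid = file_id("MediaDomain", rel)
        con.execute("INSERT INTO Files VALUES (?, 'MediaDomain', ?, 1, NULL)", (fid, rel))
        os.makedirs(os.path.join(backup_dir, fid[:2]), exist_ok=True)
        with open(os.path.join(backup_dir, fid[:2], fid), "wb") as fh:
            fh.write(data)
    con.commit()
    con.close()
    return backup_dir


if __name__ == "__main__":
    for rel, ext, kind in scan_backup(build_demo_backup()):
        print(f"SUSPICIOUS: {rel} claims .{ext} but its bytes look like {kind}")
```

Point scan_backup() at a real unencrypted backup directory (or one MVT has decrypted) to run it for real; a hit only says "look at this file", the actual FORCEDENTRY indicators are the ones Citizen Lab published.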
Recently I've been looking into #Pegasus #Malware and found myself in a rather unique threat intelligence position.

To talk about it, here's...
a Thread 🧵
a Blog 📖
and a Video 🎥

👇
In July 2021 @FbdnStories produced an astounding collection of articles highlighting NSO Group's Pegasus malware and its apparent misuse throughout Governments across the globe. @amnesty wrote about Pegasus in 2016 where a prominent human-rights activist was targeted...
Back in 2016 the vehicle to infect an iPhone with Pegasus was the #trident suite of vulnerabilities. In 2021, a vuln known as #megalodon was being used, a zero-day in iMessage which required zero user-interaction...
In light of the recent #SupplyChain attack on @KaseyaCorp by #REvil, it is worth paying attention to decoder[.]re, included within the ransom notes and additionally used as a 'mirror' of the site on the TOR network. #Ransomware #Cybersecurity #ThreatIntel #ThreatHunting #Malware
Similar to decryptor[.]cc and decryptor[.]top in previous #REvil/#Sodinokibi versions, decoder[.]re is used to grant the victims access to the threat actors' website for further negotiations, should their connection via #TOR be limited.
To access the page on the WWW or TOR, the victim needs to provide a valid UID (e.g. "9343467A488841AC")
Daily Bookmarks to GAVNet 05/22/2021 greeneracresvaluenetwork.wordpress.com/2021/05/22/dai…
A Scratched Hint of Ancient Ties Stirs National Furies in Europe

nytimes.com/2021/05/16/wor…

#archaeology #europe #runes #slavic #nativism #nationalism #debate
Zoltan On The Coming QE Endgame: "Banks Have No More Space For Reserves"

zerohedge.com/markets/zoltan…

#banking #reserves #TheFed #FinancialSystem
‘Tricks With a Notorious Russian Spy Group’

‘Security researchers have found links between the attackers and #Turla, a sophisticated team suspected of operating out of Moscow’s #FSB intelligence agency.’

#VenomousBear
#Snake
#malware
#UNC2452
#DarkHalo
wired.com/story/solarwin…
“…believe the SolarWinds #hackers and #Turla aren't one and the same. But … one #hacker group at the very least ‘inspired’ the other, and they may have common members between them or a shared #software developer building their #malware.”

wired.com/story/solarwin…
“… That actually makes the connection more significant … ‘It’s more like handwriting. That handwriting or style propagates to different projects written by the same person.'"

#Turla
wired.com/story/solarwin…
Daily Bookmarks to GAVNet 05/06/2021 greeneracresvaluenetwork.wordpress.com/2021/05/06/dai…
Prior SARS-CoV-2 infection rescues B and T cell responses to variants after first vaccine dose

science.sciencemag.org/content/early/…

#COVID19 #variants #vaccines #immunity
Book Review: The Next Frontier of Warfare Is Online

undark.org/2021/04/30/boo…

#cyberattacks #malware #hacking #DigitalMarkets #StateActors
Swiss blind manufacturer #Griesser hit by Conti #Ransomware

"The company had to shut down IT systems. Conti is used in APT campaigns and also attempts to steal data." /1
inside-it.ch/de/post/schwei…
"According to the communiqué, the production sites (#Produktionsstätten) in Aadorf in the canton of Thurgau as well as in Austria and France are affected. Griesser employs 1,300 people in total. The attackers reportedly targeted key systems such as the #ERP..." /2
"To prevent the #Malware from spreading, an IT task force shut down the systems... a crisis team (#Krisenstab) has also initiated steps to handle the incident and gradually return to normal operations. They aim to be there by 19 April..." /3
Malware clean-up: #BKA uses the #Emotet takedown as a door-opener for more powers and new laws

"The #Bundeskriminalamt (Federal Criminal Police Office) installed a malware update on tens of thousands of Windows PCs worldwide in order to clean them up..." /1

by @andre_meister
netzpolitik.org/2021/schadsoft…
"Experts criticise the contrived legal basis for this sensitive operation. The #BKA president is calling for the law to be adapted to practice." /2
"In the @Bundestag, #BKA president Holger Münch admitted that there is no legal basis (#Rechtsgrundlage) for a complete clean-up of the systems and that the operation took place at the limit of what is legally possible." /3
This thread brings together all my #infographics until today (2years of work).

These are all infographics about #infosec 🔐

Feel free to share this tweet if you think it may be useful for your #community 📚

Follow me ➡ @SecurityGuill for more about #security #hacking #news
How does an #Antivirus work?
Quick presentation of the different #Bluetooth Hacking Techniques
The most terrifying fact about trustless decentralized computing is the emergence of rogue AIs that you can't switch off. (/thread)
#Blockchains are a financial rail for autonomous agents. Rogue agents can self-fund, evolve, and slowly amass unbounded amounts of power.
Viruses and #malware have for decades been evolving sophisticated techniques to hide, spread, mutate, and evade.
#IoC
host: cdn\.discordapp.com
[
"/attachments/780888037466046486/808092382368628736/558d9db9309b918e",
"/attachments/780888037466046486/807766128951689216/Jsom_LINK.exe",
"/attachments/780888037466046486/804309375451398184/b1a0442d05d7960f"
]
#CDN #Malware #attachments #discord
#IoC #CDN #Malware #discord #attachments
sf3q2wrq34\.ddns.net
funado\.ddns.net
canary\.discord.com/api/webhooks/792793041416880160/RpiuGmOviECw7T0Pav7V6fEoFgTfRRw-bwZQN-DGwcAbgnPikG18QUdlkuqAndEFYVjX

//@malwrhunterteam @JAMESWT_MHT @James_inthe_box @1ZRR4H @LixaH_CL
CORONAVIUS.exe xD
Let's walk through #malware de-obfuscation of a REvil PowerShell ransomware script in #CyberChef. The original can be found below if you want to play along at home! hybrid-analysis.com/sample/e1e19d6…
Following my analysis, I realised there is an excellent write-up of the same PowerShell on SANS here, which is worth a read: isc.sans.edu/forums/diary/P… Thanks to @xme for saving me the detonation to learn it's ransomware! 👍
Taking a scan, we can see an AES decrypt function and a blob of Base64, likely what is to be decrypted. Later on we see our IV and Key variables referenced, also in Base64.
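The "taking a scan" step above (spot the AES routine, then work out which Base64 literal is the key, which is the IV and which is the ciphertext) is easy to script. The block below is an added example, not the thread's CyberChef recipe and not the REvil script itself (that is only linked above): it pulls every Base64 literal assigned to a variable, decodes it and says which role each blob can play by size and content, including the UTF-16LE text that -EncodedCommand payloads decode to. SAMPLE_PS1 and the byte values in it are constructed; the final AES-CBC decrypt needs pycryptodome and is only shown, not run by the demo.

```python
"""First-pass triage of an obfuscated PowerShell script: find Base64 literals, decode
them, classify each as key / IV / ciphertext / nested script. Added example; the
sample script and its byte values are constructed, not the REvil sample."""
import base64
import re

ASSIGN_B64 = re.compile(r"""\$(\w+)\s*=\s*[^\r\n]*?["']([A-Za-z0-9+/]{16,}={0,2})["']""")

_KEY, _IV, _CT = bytes(range(32)), bytes(16), bytes(range(200, 248))
_NESTED = "Write-Host 'stage2'".encode("utf-16le")      # shape of an -EncodedCommand payload
SAMPLE_PS1 = f"""
$k = [Convert]::FromBase64String("{base64.b64encode(_KEY).decode()}")
$v = [Convert]::FromBase64String("{base64.b64encode(_IV).decode()}")
$b = "{base64.b64encode(_CT).decode()}"
$e = "{base64.b64encode(_NESTED).decode()}"
$aes = New-Object System.Security.Cryptography.AesManaged; $aes.Key = $k; $aes.IV = $v
"""


def looks_like(data: bytes) -> str:
    """Content sniff for a decoded blob; 'binary' means opaque (ciphertext, key, IV)."""
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if data[:1] == b"\x78" and data[1:2] in (b"\x01", b"\x9c", b"\xda"):
        return "zlib"
    if (len(data) >= 2 and len(data) % 2 == 0
            and data[1::2] == bytes(len(data) // 2)
            and all(32 <= b < 127 for b in data[0::2])):
        return "utf-16le text (EncodedCommand style)"
    if data and all(32 <= b < 127 or b in (9, 10, 13) for b in data):
        return "ascii text"
    return "binary"


def guess_role(data: bytes) -> str:
    kind = looks_like(data)
    if kind != "binary":
        return kind
    n = len(data)
    if n == 16:
        return "16 bytes: AES IV or AES-128 key"
    if n in (24, 32):
        return f"{n} bytes: AES key (or a {n // 16}-block ciphertext)"
    if n % 16 == 0:
        return f"{n} bytes: AES block multiple, likely ciphertext"
    return f"{n} bytes: not an AES-sized blob"


def triage(script: str):
    out = []
    for name, literal in ASSIGN_B64.findall(script):
        try:
            data = base64.b64decode(literal, validate=True)
        except ValueError:            # long but not Base64 (a URL, a regex, ...)
            continue
        out.append({"var": name, "len": len(data), "guess": guess_role(data)})
    return out


def aes_cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """The last step once the roles are known. Needs pycryptodome; imported lazily so
    the triage above runs without it. Strips PKCS#7 padding."""
    from Crypto.Cipher import AES
    plain = AES.new(key, AES.MODE_CBC, iv).decrypt(ciphertext)
    return plain[:-plain[-1]]


if __name__ == "__main__":
    for entry in triage(SAMPLE_PS1):
        print(f"${entry['var']}: {entry['guess']}")
```

A 32-byte blob is ambiguous (AES-256 key or two ciphertext blocks) and a 16-byte one doubly so, which is why the variable names the thread mentions still matter: the size tells you what is possible, the references tell you what it is.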
#Sidewinder #APT

It seems that #Indian APTs have been waging war on #Pakistan with the same payloads over and over again. Meanwhile, the Pakistani #Government and #Military are either helpless or over-occupied. Following is another new sample that goes ages back.
A variant of this sample has been attributed to #Sidewinder #APT by the Govt. of Pak. The #malware is deployed using the shared image in a #phishing email, using a similar methodology to that of
DOCX MD5: 2a6249bc69463921ada1e960e3eea589 Mech 8 ZIRC0N-TSIRK0N.doc
#Exploit: hashcheck[.]xyz/PY8997/yrql/plqs
RTF MD5: 7c11d5125c3fb167cca82ff8b539e3c7 plqs
#C2: sportfunk[.]xyz/topaz/foti
CVE-2017-11882
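Both the Discord-CDN IoC thread earlier on this page and the Sidewinder thread above publish defanged indicators (dots escaped as "\." or bracketed as "[.]"). The block below is an added example, not from either thread: it refangs those indicators and sweeps log lines for them. The indicator values are copied from the tweets; the proxy/DNS/EDR log lines and their field names are constructed for the demonstration. One deliberate choice: cdn.discordapp.com itself is a legitimate host, so only the full attachment URLs from that thread are indicators, while the ddns and .xyz hosts are matched on hostname alone.

```python
"""Refang defanged IoCs and sweep log lines for them. Added example; IoC values are
from the tweets above, log lines and field names are constructed."""
import re

RAW_IOCS = {
    "host": [r"sf3q2wrq34\.ddns.net", r"funado\.ddns.net",
             "hashcheck[.]xyz", "sportfunk[.]xyz"],
    # the CDN host is legitimate: only the full attachment URL is an indicator
    "url": [r"cdn\.discordapp.com/attachments/780888037466046486/808092382368628736/558d9db9309b918e",
            r"cdn\.discordapp.com/attachments/780888037466046486/807766128951689216/Jsom_LINK.exe",
            r"cdn\.discordapp.com/attachments/780888037466046486/804309375451398184/b1a0442d05d7960f",
            "hashcheck[.]xyz/PY8997/yrql/plqs", "sportfunk[.]xyz/topaz/foti"],
    "md5": ["2a6249bc69463921ada1e960e3eea589", "7c11d5125c3fb167cca82ff8b539e3c7"],
}

# Constructed log lines; only the format is invented, the indicators in them are real.
LOGS = [
    "2021-02-07T10:12:01Z proxy src=10.1.2.3 method=GET url=https://cdn.discordapp.com/attachments/780888037466046486/807766128951689216/Jsom_LINK.exe status=200",
    "2021-02-07T10:12:05Z dns src=10.1.2.3 query=funado.ddns.net rcode=NOERROR",
    "2021-02-07T10:13:44Z edr host=WS17 event=process_create image=C:\\Users\\a\\plqs.rtf md5=7c11d5125c3fb167cca82ff8b539e3c7",
    "2021-02-07T10:14:00Z proxy src=10.1.2.9 method=GET url=https://www.example.com/index.html status=200",
]

URL_RE = re.compile(r"https?://([^/\s\"']+)(/[^\s\"']*)?", re.I)
HOST_RE = re.compile(r"\b(?:query|dst_host|host)=([a-z0-9.-]+)", re.I)
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)


def refang(ioc: str) -> str:
    """Undo common defanging and drop any scheme; the hostname is lower-cased, the
    path is kept as-is because URL paths (the Discord file names) can be case-sensitive."""
    ioc = ioc.replace("[.]", ".").replace("(.)", ".").replace("\\.", ".")
    ioc = re.sub(r"^hxxps?://|^https?://", "", ioc, flags=re.I)
    host, sep, path = ioc.partition("/")
    return host.lower() + sep + path


def load_iocs(raw=RAW_IOCS):
    return {kind: {refang(v) for v in values} for kind, values in raw.items()}


def scan_lines(lines, iocs=None):
    """Return [(line_no, kind, value)] for every indicator seen in the lines."""
    iocs = iocs or load_iocs()
    hits = []
    for n, line in enumerate(lines, 1):
        for m in URL_RE.finditer(line):
            host, path = m.group(1).lower(), (m.group(2) or "/")
            if host in iocs["host"]:
                hits.append((n, "host", host))
            if host + path in iocs["url"]:
                hits.append((n, "url", host + path))
        for m in HOST_RE.finditer(line):
            if m.group(1).lower() in iocs["host"]:
                hits.append((n, "host", m.group(1).lower()))
        for m in MD5_RE.finditer(line):
            if m.group(0).lower() in iocs["md5"]:
                hits.append((n, "md5", m.group(0).lower()))
    return hits


if __name__ == "__main__":
    for n, kind, value in scan_lines(LOGS):
        print(f"line {n}: {kind} match on {value}")
```

Hashes and exact URLs are the cheapest indicators for an attacker to rotate; the ddns hostnames and the attachment channel (a Discord channel ID reused across three uploads) survive a rebuild, so they are the better hunting pivots.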
#DataPrivacyDay
Today on #DataPrivacyDay, @SFLCin is bringing you some tips and quick fixes to help protect your privacy online.
#DataPrivacyDay2021 #PrivacyAware #privacy #cybersafety #dataprivacy
We as a generation use #SocialMedia almost obsessively. Most of us have accounts on social media websites like #Facebook, #Instagram & #Twitter.
#SocialSecurity #cybersecuritytips #PrivacyAware
We also keep hearing about various #Hacking, #Phishing attempts and in times like these it is important to understand the basics of social media privacy settings to secure yourself from such attempts.
#PrivacyAware
New backdoor dubbed WizardUpdate, delivered via a .PKG file notarized by @Apple 😟👾 The Apple Developer ID is: Fiona Torok (M9S7M3WX5P). The .PKG hash is: 47fea0cf1eb04b5b0d7aba8c93646d8b63aae11783f629405cb7f93134dd6f86, delivered through ITW browser push notifications
The .PKG has post/pre-install scripts that download & execute a dummy WebView-based app browsing to get[.]adobe[.]com. The app is: ae0fac3473e2d29cc06e425dbe72801504a63fbbd92c0f5546f18304b09fc9b8 DLVPlayer.app/Contents/MacOS… signed by the same developer cert.
The .PKG installer script also downloads the WizardUpdate backdoor, which is executed every 3 hours via a Launch Agent. The archive of this backdoor is downloaded from cdnassets[.]dlvplayer[.]com
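The persistence described above (a per-user Launch Agent re-running a freshly downloaded binary every three hours) has a recognisable shape in the plist. The sweep below is an added example, not the thread's code and not WizardUpdate's actual plist: it reviews every agent in a LaunchAgents directory and reports programs outside the usual locations, hidden path components, RunAtLoad, and short StartInterval values. The label, path and the use of StartInterval=10800 in the demo plist are assumptions about how "every 3 hours" is implemented; a real sample could use StartCalendarInterval instead, which this check would not catch.

```python
"""Sweep a LaunchAgents directory for short-interval agents pointing at unusual
binaries. Added example; the two plists it builds are constructed fixtures."""
import os
import plistlib
import tempfile

COMMON_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")
MAX_INTERVAL = 4 * 3600      # anything re-run at least every 4 h is worth a look


def review_agent(plist_bytes: bytes) -> dict:
    d = plistlib.loads(plist_bytes)
    args = d.get("ProgramArguments") or ([d["Program"]] if "Program" in d else [])
    program = args[0] if args else ""
    reasons = []
    if not program.startswith(COMMON_PREFIXES):
        reasons.append(f"program outside common locations: {program}")
    if any(part.startswith(".") for part in program.split("/")):
        reasons.append("hidden path component")
    interval = d.get("StartInterval")
    if isinstance(interval, int) and 0 < interval <= MAX_INTERVAL:
        reasons.append(f"StartInterval re-runs it every {interval // 60} min")
    if d.get("RunAtLoad"):
        reasons.append("RunAtLoad")
    return {"label": d.get("Label", "<no label>"), "program": program, "reasons": reasons}


def sweep(agents_dir: str):
    """Return the review dict of every .plist in agents_dir that raised a reason."""
    findings = []
    for name in sorted(os.listdir(agents_dir)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(agents_dir, name), "rb") as fh:
            try:
                r = review_agent(fh.read())
            except plistlib.InvalidFileException:
                r = {"label": name, "program": "", "reasons": ["unparseable plist"]}
        if r["reasons"]:
            findings.append(r)
    return findings


def build_demo_dir(agents_dir: str = "") -> str:
    """Constructed fixture: one ordinary agent and one matching the backdoor pattern.
    The label and path of the second are invented, not the real sample's."""
    agents_dir = agents_dir or tempfile.mkdtemp(prefix="LaunchAgents-")
    demo = {
        "com.example.helper.plist": {
            "Label": "com.example.helper",
            "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/helper", "--agent"],
            "KeepAlive": False,
        },
        "com.dlvplayer.update.plist": {
            "Label": "com.dlvplayer.update",
            "ProgramArguments": ["/Users/victim/Library/Application Support/.dlv/WizardUpdate"],
            "StartInterval": 10800,   # assumption: "every 3 hours" as a plain interval
            "RunAtLoad": True,
        },
    }
    for name, content in demo.items():
        with open(os.path.join(agents_dir, name), "wb") as fh:
            fh.write(plistlib.dumps(content))
    return agents_dir


if __name__ == "__main__":
    # on a live host: sweep(os.path.expanduser("~/Library/LaunchAgents"))
    for f in sweep(build_demo_dir()):
        print(f["label"], f["program"], "|", "; ".join(f["reasons"]))
```

Notarization and a valid Developer ID say nothing about what the post-install script does, which is the point of the thread: hunt the persistence the installer leaves behind, not the signature on the installer.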
🔥 #AdventOfReversing 1/24 🔥
Get dirty as soon as possible. Don't fall into thinking you are not ready. Sure, you will be confused by many things at first. That's fine! I used to confuse sections and segments when I started. Keep pushing, and things will become clear naturally.
🔥 #AdventOfReversing 2/24 🔥
Get used to (re)name *everything* in your disassembler. You might be able to mentally track data across registers and memory for small crackmes w/ easy control flow, but this does not scale at all. Unclutter your mind. Make your life easier.
🔥 #AdventOfReversing 3/24 🔥
You really want to have some programming foundations, but which languages? I mostly agree with this post by @MalwareTechBlog:

🐍 Python
🏗️ C
⚙️ ASM (different flavors: x86(-64) desktop, ARM mobile...)

Give it a read! 📰
malwaretech.com/2018/03/best-p…
(THREAD): Did you find a #phishing page or a piece of #malware using @telegram for exfil? Here are some useful techniques to grab additional intel on these artifacts. @JCyberSec_ @sysgoblin @dave_daves @PhishKitTracker @urlscanio @nullcookies @ninoseki
1/9 Look for any strings or traffic that call out to api.telegram.org . If you see something like: 'api.telegram[.]org/bot12345:base64key/endpoint?chat_id=-12345', you're in business
It’s our birthday! #CISAgov was established on November 16, 2018. From elections to COVID-19 to natural disasters and more, year two has been action-packed. Let’s take a trip down memory lane…
Informed by #cyber intelligence and real-world events, we issued several insight products, providing background on #cyber threats, #vulnerabilities, and mitigation activities: cisa.gov/insights #InfoSec
One key insight was in January, when we warned partners about potential Iranian retaliation against U.S. organizations—and advised them on how to assess and strengthen their physical & cyber security. This is the kind of rapid information-sharing we aim for! #InfoSecurity
#Malware #Stealer #FickerStealer

New and interesting MaaS Ficker Stealer, written in Rust with some Assembly.

SUC549.exe:
virustotal.com/gui/file/dc021…
app.any.run/tasks/04c558fa…

Special thanks to @James_inthe_box, @ThreatHive.

Build programming language: Rust + ASM
Panel programming language: Rust + React

Price: $90 (1 week), $200 (1 month), $500 (3 months), $900 (6 months).

Functionality:
- Recursive stealing of passwords, credit cards and forms from Chromium-based and Mozilla browsers (40+ browsers).
- Stealing cryptocurrency wallet sessions
- Stealing from Windows Credential Manager
- Stealing sessions from Pidgin, Steam, Discord, Thunderbird, etc. (optional)
- Stealing from FTP clients (FileZilla, WinSCP)
- Stealing system information
- Taking screenshots
- Universal grabber
Foreign Hackers Cripple #Texas County’s Email System, Raising Election Security Concerns

The #malware attack, which sent fake email replies to voters and businesses, spotlights an overlooked vulnerability 1/2
propublica.org/article/foreig…
in counties that don’t follow best practices for computer security. 2/2
BREAKING!! New SMS phishing campaign pretending to be from the United States Post Office being pushed out to cell phones today. So far the link in the SMS being used is this domain m9sxv[.]info. Here are a couple of sample texts we have collected. #infosec #malware #smish #osint
The m9sxv[.]info domain was just registered today and here are few sample links we have collected so far. @kyleehmke @RiskIQ @ydklijnsma #infosec #malware #smish #osint
There is a fair amount of victim fingerprinting going on based on the device, etc. Here m9sxv[.]info immediately redirects to a jtuzd.rdtk[.]io link. #infosec #malware #smish #osint #phishing
One tactic that needs to be used more often in #malware development is distributed multi-binary components.

Separate each of your components into unique binaries and communicate to them via IPC or something similar.

Each binary is given a single purpose: file IO, registry, etc.
There are several advantages to this:

Sandboxes will score each component separately and are less likely to block a binary that just accesses the file system or registry, because on its own it is essentially harmless

Also components can use LOLBins if they are available as substitutes
Also you can recompile the multi-components individually much more easily than recompiling a whole project.

Also don't forget to write garbage to your padding sections / end of binary to easily change your file hashes.
