Discover and read the best of Twitter Threads about #malware

Most recent (24)

Malware Analysis Tip - Use Process Hacker to watch for suspicious .NET assemblies in newly spawned processes.

Combined with DnSpy - it's possible to locate and extract malicious payloads without needing to manually de-obfuscate.

1/

#Malware #dnspy #analysis #RE
2/ For anyone wanting to try - The initial sample can be found at the link below

Once executed (inside a safe VM!) - you should see the installutil.exe detailed in the screenshots above.

(Make sure to use Dnspy-x86 for attaching to the process) 😄

bazaar.abuse.ch/sample/b24c75d…
3/ Sometimes you'll get lucky and the modules will be named much more suspiciously.

See below for an example of a suspected #redlinestealer loader, which injected multiple modules into a renamed powershell.exe.

bazaar.abuse.ch/sample/7e09174…
Read 3 tweets
(Possible) AsyncRat loader - Interesting regex to decode the obfuscated C2.

Script was found on host with an active #AsyncRat infection.

#malware #regex #decoding
[1/6] The team at @HuntressLabs are still observing IronPython executables used to load #malware.

In these cases - the IronPython (ipyw.exe) file is typically renamed to SupportTool.exe or Ctfmon.exe

Since ipyw.exe is "legitimate", the VT detection rate is very low (0/72).
[2/6] The "update.py" is where the malicious action starts.

This is usually a simple python file containing an additional obfuscated script.

Below you can see this decoded via #CyberChef.
Read 7 tweets
17 FREE #hacking #ciberseguridad #gratis tools:
Thread incoming 🧵
1. Zeek: zeek.org : monitors and analyzes network traffic in real time, captures packets, logs events and generates alerts for suspicious activity. Widely used in industry and in academic research. #Zeek #seguridad #red
2. ClamAV: clamav.net : detects and removes viruses, malware and other threats in files and email messages. Often used on mail servers and network systems to protect against security threats. #ClamAV #virus #seguridad #malware
Read 25 tweets
Setting up an analysis VM for reverse engineering?

Here are a few good tools (with short demos) that I recommend after running the Mandiant/FLARE script (which installs 99% of the tooling for you) 🔥

TLDR:
Garbageman, SpeakEasy, BlobRunner, Dumpulator

#Malware #RE #Analysis
2/ This is the Flare script from Mandiant. Simply running this script will install the majority of tools that you would ever need.

As a beginner RE or malware analyst, you can work comfortably using only the tools included in this script.

github.com/mandiant/flare…
3/ Over time I've picked up some other tooling that isn't installed by default by Flare.

These are relatively lesser-known tools that I have found very useful.
Read 12 tweets
🧵 Everyone’s chatting about 🤖#ChatGPT. Here are 11 things it can do for #malware analysts, #security researchers, and #reverse engineers. A thread >>👇 🧵
1/13
🙋🏻‍♀️ Learn how to use reverse engineering tools more effectively. Use #openAI chat bot to get rapid interactive help on your reversing tools.
2/13
👾 Teach yourself #assembly language. Ask #ChatGPT to convert high-level code into assembly. #arm #intel little endian big endian #nasm #masm. It knows them all.

3/13
Read 13 tweets
📢I recently investigated a campaign targeting the cryptocurrency industry. I wrote a detailed report that includes TTP, IOC and more. Here is a thread about this attack! 🧵👇

@MsftSecIntel @MicrosoftAU #infosec #cryptocurrency #threatintelligence #apt

microsoft.com/en-us/security…
The attack started on Telegram to identify the targets, then they deployed a weaponized Excel document which finally delivered the final backdoor through multiple mechanisms. ☠☠️ #infosec #malware #backdoor
🧐To identify the targets, the threat actor sought out members of cryptocurrency investment groups on Telegram.

👀They created fake profiles using details from employees of the company OKX. #infosec #Cryptocurrency
Read 14 tweets
1️⃣ NICCS Federal Virtual Training Environment (FedVTE)

Link: rb.gy/5uai1j
2️⃣ SANS Cyber Aces Free Cyber Security Training Course

Link: rb.gy/qg9on5
Read 7 tweets
1/ Analysis #υποκλοπες (wiretapping) #Ελλαδα (Greece): Over the past while we spoke with a cybersecurity expert who agreed to answer our questions about #malware that infects mobile devices, among them #Predator.
2/ In this 🧵 we will try to clear up some points about the wiretapping scandal. The interview took the form of questions and answers on the methods and tools someone could use to unravel the end of the thread. We were asked that his details
3/ not be made public, such as his exact capacity, for obvious reasons. For ease of presenting the interview we will refer to him by the initials ZZ
DG: If someone has received a link (without clicking it) delivered through malware, is there a method to find the intruder?
Read 27 tweets
🧵Let's talk about #Telegram - here are ten useful cybersecurity groups and channels we watch:

A thread:
1. Cyber Security News (30k+ members)

Cyber Security News is a feed channel for links to breaking news stories across the internet, everything from #TechCrunch to #Portswigger. It’s a one-stop shop for cyber-related news with your morning coffee.

telegram.me/cyber_security…
2. Cyber Security Experts (23k+ members)
A great channel for exchanging #information about #cyber, #IT, and #security. Mainly used to get answers to questions and help other security experts to enhance their security maturity.

t.me/cybersecuritye…
Read 13 tweets
🐲 Ghidra Tips 🐲- Malware Encryption and Hashing functions often produce byte sequences that are great for #Yara rules.

Using #Ghidra and a Text Editor - You can quickly develop Yara rules to detect common malware families.
(Demonstrated with #Qakbot)

[1/20]
#Malware #RE
[2/20]
Hashing and encryption functions make good targets for #detection as they are reasonably unique to each malware family and often contain lengthy and specific byte sequences due to the mathematical operations involved.

These characteristics make for good Yara rules 😁
[3/20] The biggest challenge is locating the functions responsible for hashing and encryption. I'll leave that for another thread, but for now...

You can typically recognize hashing/encryption through the use of bitwise operators inside a loop. (xor ^ and shift >> etc).
Read 22 tweets
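An added example for the Yara step described in the thread above; this is not the thread author's code and the bytes are not from Qakbot. It takes a byte sequence lifted from a hashing or encryption routine, wildcards the bytes that change between builds (a stack displacement and an absolute address, the kind of thing Ghidra's listing shows as a relocation or operand), emits a Yara rule, and checks the resulting hex string against a second build of the same loop. The sample opcodes, the rule name and the wildcard offsets are all constructed for this illustration.

```python
# Added example, not from the thread: turn bytes lifted from a hashing or
# encryption routine into a Yara hex string, wildcarding the bytes that change
# between builds (stack displacements, immediates, relocated addresses), then
# check the pattern locally. A real rule should still be tested with yara itself;
# the regex here only approximates Yara's hex-string matching.
import re

# Constructed sample: a small x86 rotate-xor hash loop invented for this example,
# not bytes from Qakbot or any other real sample.
SAMPLE = bytes.fromhex(
    "8b4508"        # mov   eax, [ebp+0x08]    ; 0x08 varies with stack layout
    "0fb611"        # movzx edx, byte ptr [ecx]
    "c1c807"        # ror   eax, 7             ; the 7 is part of the algorithm, keep it
    "33c2"          # xor   eax, edx
    "41"            # inc   ecx
    "3b0d44332211"  # cmp   ecx, [0x11223344]  ; absolute address, relocated per build
    "75ef"          # jne   loop
)
WILDCARDS = [(2, 1), (14, 4)]   # (offset, length) of the displacement and the address

def bytes_to_yara_hex(data, wildcard_ranges):
    """Render data as a Yara hex string; bytes inside the given ranges become ??."""
    masked = {i for off, ln in wildcard_ranges for i in range(off, off + ln)}
    parts = ["??" if i in masked else f"{b:02x}" for i, b in enumerate(data)]
    return "{ " + " ".join(parts) + " }"

def make_rule(name, patterns, condition="any of them"):
    """Wrap one or more hex strings in a minimal Yara rule."""
    body = "\n".join(f"        ${ident} = {hexstr}" for ident, hexstr in patterns.items())
    return f"rule {name} {{\n    strings:\n{body}\n    condition:\n        {condition}\n}}"

def hex_to_regex(hexstr):
    """Compile a { aa ?? bb } hex string into a bytes regex for a quick local check."""
    toks = hexstr.strip("{} ").split()
    return re.compile(b"".join(b"." if t == "??" else re.escape(bytes([int(t, 16)]))
                              for t in toks), re.S)

def matches(hexstr, data):
    return hex_to_regex(hexstr).search(data) is not None

PATTERN = bytes_to_yara_hex(SAMPLE, WILDCARDS)
RULE = make_rule("suspected_hash_loop", {"hash_loop": PATTERN})

if __name__ == "__main__":
    print(RULE)
```

The wildcarding is the part that matters: a rule built from the raw bytes, displacement and address included, matches one build and nothing else, while the masked version keeps the rotate/xor/compare skeleton that identifies the algorithm. Keep the rotate count and other immediates that belong to the hash itself unmasked, since those are exactly what distinguishes one family's routine from another's.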
⚠️#Exclusivo: over a supposed "threat", Planalto computers are wiped

🧶Follow the thread to understand! Report by @rodrigo_rangel
A message sent shortly after the 2nd round of #Eleições2022 to IT staff at the Palácio do Planalto says that the antivirus system on the Presidency of the Republic's network "detected a threat" and that, because of this, the computers would have to be formatted
➡️ The notice was received with puzzlement by some recipients, especially since it was sent days after Jair Bolsonaro's electoral defeat...
Read 10 tweets
🧵Thread: 10 underestimated resources about malware techniques.

This is a list of various resources to learn more about malware techniques, how to analyse them and how to improve your detection! 🤓 #infosec #malware #threatintel #malwareanalysis #cybersecurity
#1: The Unprotect Project

Of course, I couldn't start this thread without talking about this project we started in 2015. Unprotect Project is a database about Malware Evasion techniques with code snippets and detection rules. cf: @DarkCoderSc

🌐unprotect.it
#2: The LolBas project

Living off the land refers to the use of dual-use tools, which are either already installed in the victims' environment, or are admin, forensic or system tools used maliciously.

🌐lolbas-project.github.io
Read 13 tweets
BREAKING: There are at least 2 separate hacking campaigns going on & focusing in on the #Twitter blue checkmark verification process. One appears to be #phishing based and another far more nefarious .. and possibly a state actor using Twitter DMs. More shortly. Be alert #infosec
All political candidates running & in office are typically Twitter verified (blue checkmark). Most major journalists are as well. This is a HUGE target 4 a #cyberattack by a nation state actor. This campaign which is still under the radar is very worrisome
Liz @lizthegrey has done great work on this. It's not clear how widespread this is but it has some very concerning network indicators. And it's significantly more sophisticated than the phishing email that is going around. #infosec #phishing #cybersecurity #malware #Election2022
Read 11 tweets
🐲 Ghidra Tips🐲For Beginner/Intermediate analysts interested in RE.

These tips are aimed at making Ghidra more approachable and usable for beginners and intermediate analysts 😄

[1/9] 🧵

#Malware #RE #Ghidra
2/ The sample I'm using can be found here if you'd like to follow along. It is a cobalt strike DLL often found in Gootloader campaigns.

bazaar.abuse.ch/sample/a2513cc…
3/ Enable "Cursor Text Highlighting". 🖱️

This will automatically highlight areas of interest when using the Ghidra decompiler.

This is useful for quickly identifying where a value has or will be used.
Read 9 tweets
NEW: #Russia's war in #Ukraine & #cyber - "We have learned a tremendous amount" @CYBERCOM_DIRNSA Gen. Paul Nakasone tells @CFR_org

Says #Ukraine has hardened its networks & has been a step ahead of the Russians in #cyberspace
"Having 10 folks on the ground that are tied back to our command & our agency, that's power I think is really helpful" per @CYBERCOM_DIRNSA re US #cyber aid to #Ukraine

Says US "surged to well over 30...we flooded the zone" to help #Kyiv in #cyber
#Ukraine's warnings about looming #cyber attacks by #Russia on energy, financial sectors - "They have gone after energy, certainly" @CISAJen tells @CFR_org

"We've been working very closely w/the energy sector ... we are not at a place where we should be putting our shields down"
Read 15 tweets
Beware of links from popular YouTube videos, as they may contain #malware. We found such a video (64K views, 180K subscribers) that has a link to a Tor Browser installer in the description. That installer comes with a previously unknown spyware that we dubbed #OnionPoison. [1/4]
The malicious Tor installation has been configured to be less private (it stores browsing history, login data, etc.), and its freebl3.dll library is infected with malware. When the browser is launched, this library contacts the C2 server to receive a second stage implant. [2/4]
It's interesting that the server sends the second stage implant only if the victim's IP is from #China, so the campaign targets only Chinese-speaking users. Features of the spyware include collecting system information, stealing browser history and executing shell commands. [3/4]
Read 4 tweets
#Qakbot Dumpulator Script has now been added to Github! 😀

This script is capable of dumping decrypted strings from the encrypted string table used by recent Qakbot malware.

1/ (notes and details below)
#malware #qakbot #dumpulator #RE
2/ The script *should* work on the samples that I have provided in the readme, however you may need to change some register values to get it to work on different samples.

In particular, "dp.regs.ecx" and "dp.regs.esp+0x4" may need to be changed. As these ...
3/ cont'd... as these values point to the encrypted string table and key, which will differ between samples. You can re-use the same dump file if you wish, as the code will likely remain the same.
Read 11 tweets
A quick demo of how to identify "real" exported functions from a #obfuscated #IcedID dll file.

I'll also briefly touch on some #Ghidra tips, and how to extract #shellcode using a debugger.

A moderate sized thread😃
[1/13]
[2/13] You can find the relevant files here. Special thanks to @malware_traffic.

First, download the .zip in the screenshot.👇

Then unzip and locate the "rarest.db" file in the "scabs" folder.

(Make sure to do this inside an isolated Virtual Machine)
malware-traffic-analysis.net/2022/09/23/ind…
[3/14] Drag the "rarest.db" file into Pe-Studio and navigate to the exports tab.

There are 11 exported functions here. 🧐

Most of them have junk names to throw off analysis.

One of them is "real", the rest are "decoys" which don't do anything if executed.
Read 14 tweets
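An added example for the exports step above; it is not the thread author's method and was not run against the IcedID sample. It parses a DLL's export directory directly from the PE headers (no pefile dependency), then labels each export as real or decoy using two assumed heuristics: an export whose first bytes are `ret` or `xor eax,eax; ret` does nothing, and an export that shares its address with an earlier-listed export is an alias. The PE32+ DLL it runs on is constructed inline, and its export names are invented.

```python
# Added example, not from the thread: walk a DLL's export directory and flag the
# exports that are probably decoys. Assumptions made here (not verified against the
# thread's IcedID sample): a decoy either returns immediately (ret / xor eax,eax; ret)
# or shares its address with another export. The sample DLL below is constructed.
import struct

def u16(b, o): return struct.unpack_from("<H", b, o)[0]
def u32(b, o): return struct.unpack_from("<I", b, o)[0]

def rva_to_off(sections, rva):
    """Map an RVA to a file offset using the section table (va, vsize, raw, rawsize)."""
    for va, vsize, raw, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} is not inside any section")

def parse_exports(pe):
    """Return [(name, rva, first 8 code bytes)] for every named export."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    nt = u32(pe, 0x3C)
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("bad NT signature")
    nsec, opt = u16(pe, nt + 6), nt + 24
    datadir = opt + (112 if u16(pe, opt) == 0x20B else 96)   # PE32+ vs PE32
    export_rva = u32(pe, datadir)                              # data directory entry 0
    sec_hdr = opt + u16(pe, nt + 20)
    sections = [(u32(pe, s + 12), u32(pe, s + 8), u32(pe, s + 20), u32(pe, s + 16))
                for s in range(sec_hdr, sec_hdr + 40 * nsec, 40)]
    if export_rva == 0:
        return []
    e = rva_to_off(sections, export_rva)
    nnames = u32(pe, e + 24)
    funcs, names, ords = (rva_to_off(sections, u32(pe, e + o)) for o in (28, 32, 36))
    out = []
    for i in range(nnames):
        ordinal = u16(pe, ords + 2 * i)
        func_rva = u32(pe, funcs + 4 * ordinal)
        name_off = rva_to_off(sections, u32(pe, names + 4 * i))
        name = pe[name_off:pe.index(b"\0", name_off)].decode()
        code_off = rva_to_off(sections, func_rva)
        out.append((name, func_rva, pe[code_off:code_off + 8]))
    return out

STUBS = (b"\xc3", b"\x31\xc0\xc3", b"\x33\xc0\xc3")   # ret ; xor eax,eax ; ret

def classify(exports):
    """Label each export 'real' or a decoy reason; aliases follow the first name seen."""
    seen, verdict = {}, {}
    for name, rva, code in exports:
        if any(code.startswith(s) for s in STUBS):
            verdict[name] = "decoy: returns immediately"
        elif rva in seen:
            verdict[name] = f"decoy: alias of {seen[rva]}"
        else:
            verdict[name] = "real"
        seen.setdefault(rva, name)
    return verdict

def build_sample_dll():
    """Constructed PE32+ DLL: one real export, two stub decoys, one alias (invented names)."""
    base = 0x1000                                            # .text RVA; raw data at 0x200
    real = bytes.fromhex("4883ec28e8000000004883c428c3")    # sub rsp,28h; call; add rsp,28h; ret
    code = real + b"\xc3" + b"\x33\xc0\xc3"
    func_rvas = [base, base + len(real), base + len(real) + 1]
    names = [("ReleaseBase", 0), ("qwe", 2), ("sdkf", 1), ("zzz", 0)]   # (name, ordinal)
    exp, afunc, aname, aord, strs = 0x20, 0x48, 0x54, 0x64, 0x6C
    sec = bytearray(0x200)
    sec[:len(code)] = code
    name_rvas = []
    for n, _ in names:
        name_rvas.append(base + strs)
        sec[strs:strs + len(n) + 1] = n.encode() + b"\0"
        strs += len(n) + 1
    sec[strs:strs + 6] = b"x.dll\0"
    struct.pack_into("<IIHHIIIIIII", sec, exp, 0, 0, 0, 0, base + strs, 1,
                     len(func_rvas), len(names), base + afunc, base + aname, base + aord)
    struct.pack_into("<3I", sec, afunc, *func_rvas)
    struct.pack_into("<4I", sec, aname, *name_rvas)
    struct.pack_into("<4H", sec, aord, *(o for _, o in names))
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<II", opt, 112, base + exp, 0x4C)       # export data directory
    sec_hdr = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x200, base, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    hdr = dos + coff + bytes(opt) + sec_hdr
    return hdr + bytes(0x200 - len(hdr)) + bytes(sec)

if __name__ == "__main__":
    for name, verdict in classify(parse_exports(build_sample_dll())).items():
        print(f"{name:12} {verdict}")
```

Two caveats a practitioner should keep in mind: forwarded exports (whose RVA falls inside the export directory itself) are strings rather than code and are not handled here, and a decoy that executes a few junk instructions before returning will defeat the stub check. The thread's approach of opening each export in the decompiler remains the ground truth; this script only narrows down which of the eleven to look at first.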
Hello @Uber! We know breaches suck. Wanted to reach out and support with some interesting information on the #uberhack. If you need any more details, feel free to contact us.

#FightAgainstCybercrime
On September 16, vx-underground posted screenshots with evidence of access to #Uber internal systems, including #SentinelOne, #Slack and #AWS. The screenshots have been attributed to the threat actor teapots2022.
During Group-IB's analysis of the screenshots, interesting artifacts have been found in the recently downloaded files tray. The first 2 files are zip archives and have the same format, "LOGID-\d{7}", with the names "LOGID-4952307" and "LOGID-4953756".
Read 9 tweets
Email remains one of the main transmission routes for #malware infection because here, apart from the security solution the company adopts, there is another element: the user.
(thread) 🧵
And this user will, without a doubt, carry out all the actions you did not expect. To start with, clicking on links that are clearly suspicious. But the order of events will be:
1) Click
2) Notice that strange things are appearing
3) Notify the IT department
🤷‍♂️
⬇️
I received the email above in one of my business accounts. The subject line contains the name of a former client of mine. The recipient list contains my address and those of other people who are in that client's address book and whom I do not know.
⬇️
Read 29 tweets
Reverse Engineering a #CobaltStrike #malware sample and extracting C2's using three different methods.

We'll touch on #cyberchef, #x64dbg and Speakeasy from fireeye to perform manual analysis and emulation of #shellcode.

A (big) thread ⬇️⬇️
[1/23]
[2/23]
To follow along, download the sample from the link below. Then transfer the .zip into a safe VM environment.

My VM is a mostly default Flare VM with SpeakEasy installed on top.
bazaar.abuse.ch/sample/08ec3f1…
[3/23] Once unzipped (pw:infected), load the file into pe-studio for quick analysis. There isn't a lot interesting here, but take note that the file is a 64-bit .dll with 4 exported functions.
Read 23 tweets
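The thread above extracts C2s from a Cobalt Strike sample by hand and by emulation. The following added example (not the thread author's code, and not run against the sample linked there) shows the offline half of that job: finding the beacon configuration in a memory or file dump and reading the C2 host, URI and port out of it. The layout it assumes comes from public write-ups of the beacon format, not from this thread: the configuration is XOR-encoded with a single byte key (0x69 or 0x2e), and once decoded is a table of big-endian index/type/length entries whose well-known indexes include 1 (beacon type), 2 (port), 8 (C2 server) and 9 (user agent). The blob it parses is constructed inline, and the hostname and URI in it are invented.

```python
# Added example, not the thread author's method: locate and decode a Cobalt Strike
# style beacon configuration and pull the C2 host, URI and port from it.
# Assumed (from public write-ups of the beacon format, not from this thread or its
# sample): the config is XOR-encoded with a single byte key, 0x69 or 0x2e, and once
# decoded is a table of big-endian TLV entries: index(2) type(2) length(2) data.
import struct

XOR_KEYS = (0x69, 0x2E)
MAGIC = b"\x00\x01\x00\x01\x00\x02"   # decoded table start: index 1, type 1 (short), length 2
FIELD_NAMES = {1: "BeaconType", 2: "Port", 8: "C2Server", 9: "UserAgent"}

def xor(data, key):
    return bytes(b ^ key for b in data)

def find_config(blob):
    """Search for the XOR-encoded table header; return (key, decoded tail) or None."""
    for key in XOR_KEYS:
        pos = blob.find(xor(MAGIC, key))
        if pos != -1:
            return key, xor(blob[pos:], key)
    return None

def parse_tlv(cfg):
    """Walk index/type/length entries until the zero index that ends the table."""
    fields, off = {}, 0
    while off + 6 <= len(cfg):
        idx, typ, ln = struct.unpack_from(">HHH", cfg, off)
        off += 6
        if idx == 0:
            break
        raw = cfg[off:off + ln]
        off += ln
        if typ == 1:
            val = struct.unpack(">H", raw[:2])[0]      # short
        elif typ == 2:
            val = struct.unpack(">I", raw[:4])[0]      # int
        else:
            val = raw.rstrip(b"\x00")                  # zero-padded data
        fields[FIELD_NAMES.get(idx, f"Field{idx}")] = val
    return fields

def extract_c2(blob):
    """Return the key and the C2-relevant fields, or None if no config is found."""
    found = find_config(blob)
    if found is None:
        return None
    key, cfg = found
    f = parse_tlv(cfg)
    host, _, uri = f.get("C2Server", b"").decode(errors="replace").partition(",")
    return {"key": key, "beacon_type": f.get("BeaconType"), "port": f.get("Port"),
            "host": host, "uri": uri,
            "user_agent": f.get("UserAgent", b"").decode(errors="replace")}

def build_sample():
    """Constructed test blob (not a real beacon): junk, an encoded table, padding."""
    def ent(idx, typ, data):
        return struct.pack(">HHH", idx, typ, len(data)) + data
    table = (ent(1, 1, struct.pack(">H", 8))               # beacon type value is arbitrary here
             + ent(2, 1, struct.pack(">H", 443))
             + ent(8, 3, b"c2.example.invalid,/jquery-3.3.1.min.js".ljust(256, b"\x00"))
             + ent(9, 3, b"Mozilla/5.0".ljust(128, b"\x00"))
             + b"\x00" * 6)                                 # index 0 terminates the table
    return b"JUNK" * 8 + xor(table, 0x2E) + b"\x00" * 16

if __name__ == "__main__":
    print(extract_c2(build_sample()))
```

Searching for the encoded header rather than decoding the whole buffer first is what makes this usable on a raw process dump: the six-byte signature XORed with each candidate key is distinctive enough to land on the table directly. On a real sample the C2Server field may carry several "host,/uri" pairs separated by commas, and a packed or reflectively loaded beacon will only expose the table after the stage the thread extracts with x64dbg or Speakeasy has run.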
A list of top 10 popular malware reports that every Malware Analyst should check out

Take a look at these excellent Malware analysis reports

#malware #ThreatHunting #threatintelligence #fireeye #virus #Talos @TalosSecurity #linux #hacking #networks #rootkits

👇👇
1⃣ CheckPoint - SpeakUp: A New Undetected Backdoor Linux Trojan

🔗
research.checkpoint.com/2019/speakup-a…
2⃣ First Sednit UEFI Rootkit unveiled

🔗
mirror.netcologne.de/CCC/congress/2…
Read 11 tweets
New: #Ukraine bracing for new round of #Russia|n cyber attacks targeting its energy, financial sectors, Deputy Minister of Digital Transformation Georgii Dubynskyi tells reporters
"We saw this scenario before-before the winter they [#Russia] are trying to find a way how to undermine, how to defeat our energy system & how to make circumstances even more severe for Ukrainians" per Dubynskyi
#Russia also trying to employ "precision" #cyberattacks

"Using social engineering & using some traitors...so it's also possible #hybrid attacks as well" per Dubynskyi
Read 12 tweets
Save this list of resources for your future #OSINT Investigations!

intelx.io: Search engine for data breaches
netlas.io: Search & monitor devices connected to the internet
urlscan.io: Scan a website incoming and outgoing links and assets
prowl.lupovis.io: Free IP search & identifications of IoC and IoA
fullhunt.io: Identify an attack surface
zoomeye.org: Cyberspace search engine, users can search for network devices
leakix.net: Identify public data leaks
greynoise.io: Search for devices connected to the internet
search.censys.io: Get information about devices connected to the internet
hunter.io: Search for email addresses
Read 6 tweets
