Discover and read the best of Twitter Threads about #swearengine

Most recents (3)

Sure this doc
C:\Users\zhenmingda\Desktop\application_form.doc
created by "Bil Smith" 🙈
contains an embedded stylesheet (coal.xsl) launched with #squiblytwo
and downloads loprtaf[.]icu/dctch.exe

But it also has some dirty macros. #SwearEngine
VT (14/58): virustotal.com/gui/file/324ac… ImageImageImage
Here's a link to the file on @virusbay_io:
💾beta.virusbay.io/sample/browse/…
Some interesting techniques - including some unique obfuscation. No wonder Bil was working on it for 3 hours...

Here's the extracted MSXSL: beta.virusbay.io/paste/browse/5… Image
@virusbay_io loprtaf[.]icu SSL certificate is not at all suspicious

Issuer: C=US, CN=Let's Encrypt Authority X3, O=Let's Encrypt
Validity
Not Before: 2019-08-03 11:07:50
Not After: 2019-11-01 11:07:50
Subject: CN=pofhssri[.]pw
Read 3 tweets
🆕 🔥 Research on PDB Paths from @stvemillertime: fireeye.com/blog/threat-re…
#DFIR primer & exploration of these wonderful artifacts.
Followed by a survey of malware PDB conventions, PDB anomalies, attacker mistakes. All with attribution, including Western gov.

THREAD (1/n) ImageImageImageImage
Includes considerations for #threatintel shops, red teams/operators, and weaknesses in PDB paths.

Blog also has: the most malware code families and threat groups we've ever published, some spicy groups, and some light swearing (malware devs are potty mouths) #SwearEngine

2/n ImageImage
I love that @stvemillertime surfaced a bunch of strange PDB path anomalies and dug in with @mikesiko's #FLARE team to get to ground truth & replicate the artifact.
fireeye.com/blog/threat-re…
Where my #DFIR followers at?
❓ Curious if you've found other anomalies not listed?
3/n ImageImage
Read 5 tweets
The basis for #SwearEngine is that malware developers are developers too. The catharses in their malware code manifest in a multitude of coarse expressions. Thus we can use the presence of swear words as a "weak signal" to surface interesting files. #threathunting
You may balk at #SwearEngine for being #basic but consider that this rule, looking for PEs with one single "fuck", detects malware samples used by APT5, APT10, APT18, APT22, APT26, Turla, FIN groups, dozens of UNC espionage clusters. Too many to list.
At least one single "fuck" is present in some samples of the following malware families: AGENTBTZ, ASCENTOR, ZXSHELL, SOGU, TRICKBOT, GHOST, VIPER, WANNACRY, WARP, NETWIRE, COREBOT, REMCOS, VIPER, ORCUSRAT, PONY, etc. I can't even name the coolest ones. There are hundreds.
Read 6 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!