cybercdh
I make videos about Cyber Security. I tweet about tools and techniques I use in the industry.
Sep 13, 2021 11 tweets 5 min read
Recently I've been looking into #Pegasus #Malware and found myself in a rather unique threat intelligence position.

To talk about it, here's...
a Thread 🧵
a Blog 📖
and a Video 🎥
👇

In July 2021 @FbdnStories produced an astounding collection of articles highlighting NSO Group's Pegasus malware and its apparent misuse throughout governments across the globe. @amnesty wrote about Pegasus in 2016 where a prominent human-rights activist was targeted...
Jan 25, 2021 8 tweets 3 min read
Here's why you should block and monitor .JNLP files

👉 They're XML files that can Download and Run content from remote locations...

Here, the JNLP file leads to a malicious JAR which in turn downloads an info-stealer malware executable, disguised as a JPG...
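As an added example (my own, not code from the thread), here is a small Python triage script that does for a JNLP what the tweet describes: parse the XML, resolve every jar/nativelib/extension href against the codebase, and report which remote hosts the file would pull code from, the main class it would run, and whether it asks for all-permissions. The sample JNLP, its hostnames, class name and arguments are constructed for the example. For genuinely untrusted files, feed the text through defusedxml rather than the stdlib parser, since the logic is identical.

```python
"""Triage a .JNLP file: report what it would download and run, without running it."""
from urllib.parse import urljoin, urlparse
import xml.etree.ElementTree as ET

# Constructed sample modelled on the thread's description: a JNLP that pulls a
# JAR from a remote host, asks for full permissions, and passes a "JPG" URL as
# an argument. Hostnames, class and file names are made up for this example.
SAMPLE_JNLP = """<jnlp spec="1.0+" codebase="http://updates.example-cdn.test/static/" href="invoice.jnlp">
  <information>
    <title>Invoice Viewer</title>
    <vendor>Accounts</vendor>
  </information>
  <security>
    <all-permissions/>
  </security>
  <resources>
    <j2se version="1.6+"/>
    <jar href="viewer.jar" main="true"/>
    <jar href="https://mirror.example-cdn.test/lib/support.jar"/>
  </resources>
  <application-desc main-class="com.example.Viewer">
    <argument>--fetch</argument>
    <argument>http://updates.example-cdn.test/img/photo.jpg</argument>
  </application-desc>
</jnlp>
"""

# Elements whose href attribute Java Web Start fetches and loads as code.
LOADABLE = {"jar", "nativelib", "extension"}


def _local(tag):
    """Strip an XML namespace prefix from a tag name, if one is present."""
    return tag.rsplit("}", 1)[-1]


def triage_jnlp(xml_text):
    """Return a summary dict of what the JNLP would download and run."""
    root = ET.fromstring(xml_text)
    codebase = root.get("codebase", "")
    summary = {
        "codebase": codebase,
        "all_permissions": False,
        "main_class": None,
        "arguments": [],
        "downloads": [],      # absolute URLs of code the launcher would fetch
        "remote_hosts": set(),  # hosts code is fetched from over http/https
    }
    for el in root.iter():
        name = _local(el.tag)
        if name == "all-permissions":
            summary["all_permissions"] = True
        elif name in LOADABLE and el.get("href"):
            # Relative hrefs resolve against codebase; absolute ones stay as-is.
            url = urljoin(codebase, el.get("href"))
            summary["downloads"].append(url)
            parsed = urlparse(url)
            if parsed.scheme in ("http", "https") and parsed.hostname:
                summary["remote_hosts"].add(parsed.hostname)
        elif name == "application-desc":
            summary["main_class"] = el.get("main-class")
            summary["arguments"] = [a.text or "" for a in el if _local(a.tag) == "argument"]
    return summary


def should_block(summary):
    """Policy for the gateway: anything that loads code from a remote host,
    or requests all-permissions, is blocked and alerted on."""
    return bool(summary["remote_hosts"]) or summary["all_permissions"]


if __name__ == "__main__":
    s = triage_jnlp(SAMPLE_JNLP)
    for url in s["downloads"]:
        print("would fetch:", url)
    print("main class:", s["main_class"], "args:", s["arguments"])
    print("BLOCK" if should_block(s) else "allow")
```

The `arguments` list is worth logging as well: in a chain like the one in the tweet, the second-stage URL (the "JPG") is often handed to the JAR on the command line rather than embedded in it.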
Jan 12, 2021 6 tweets 3 min read
#CrowdStrike have produced fascinating research into #SUNSPOT malware, which was used to implant the SUNBURST / SolarWinds backdoor.

Here are my Threat Hunting tips to:

➡️ Find the malware on disk
➡️ Find the persistence
➡️ Decrypt the log files
➡️ Find if it's running
👇

The malware exists on disk as taskhostsvc.exe

You can use the following commands to look for files on Windows

dir taskhostsvc.exe /S /B
where /r . taskhostsvc.exe
Jan 3, 2021 13 tweets 5 min read
#Zyxel announced CVE-2020-29583 fixing a backdoor admin account which gave attackers root on affected devices via SSH or web interface

If you want to examine the firmware you need to run a #known_plaintext_attack against an encrypted zip

Sounds hard; don't worry I got you... 👇

Zyxel have actually removed the backdoored firmware versions from their portal; but you can still grab the latest version or earlier versions for further inspection.

Example:

portal.myzyxel.com/my/firmwares?f…
Dec 31, 2020 6 tweets 3 min read
#SUPERNOVA #SolarWinds malware is actually pretty boring. So boring in fact, I made a video.

Thread 👇

Adversaries have injected a call to a method called DynamicRun() into the existing LogoImageHandler class. An existing method, ProcessRequest(), has been trojaned to accept 4 GET parameters passed to the Orion web API.
Dec 15, 2020 8 tweets 3 min read
#SolarWinds #SUNBURST malware checks for a long list of security processes and services running on the endpoint to try and evade detection. It does this by hashing the lowercase process name and comparing it against hardcoded values. Thread 👇

The hashing function isn't one I'm familiar with, FNV1A, but seems pretty straightforward to understand.
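As an added example (mine, not code from the thread or from the SUNBURST sample), here is 64-bit FNV-1a applied the way the tweet describes, to lowercased process names, together with the direction a hunter actually needs: brute-forcing a set of hard-coded hashes back to tool names with a wordlist. The watched names are constructed stand-ins, not values taken from the sample. Public analyses describe an extra XOR of the FNV-1a result with a fixed 64-bit constant in the real code; the thread does not mention it and this example leaves it out, so swap in that step before comparing against hashes lifted from a sample.

```python
"""FNV-1a over lowercased process names, as SUNBURST's evasion check does,
plus a wordlist reversal of the hard-coded hashes for threat hunting."""

FNV64_OFFSET = 0xCBF29CE484222325  # standard FNV-1a 64-bit offset basis
FNV64_PRIME = 0x100000001B3        # standard FNV 64-bit prime
MASK64 = (1 << 64) - 1


def fnv1a64(data):
    """64-bit FNV-1a: XOR each byte into the state, then multiply by the prime."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & MASK64
    return h


def name_hash(process_name):
    """Hash a process name the way the tweet describes: lowercase it first,
    so ProcMon.EXE and procmon.exe collide on the same hard-coded value."""
    return fnv1a64(process_name.lower())


# Constructed stand-ins for the malware's hard-coded values. A real sample
# ships only the hashes; the plaintext names here exist so the list can be
# built offline for the example.
WATCHED_NAMES = ["procmon.exe", "windbg.exe", "wireshark.exe"]
WATCHED_HASHES = {name_hash(n) for n in WATCHED_NAMES}


def find_watched(running):
    """The malware's side: which running process names hit the hash list."""
    return [p for p in running if name_hash(p) in WATCHED_HASHES]


def crack_hashes(hashes, wordlist):
    """The hunter's side: map hard-coded hashes back to names by hashing a
    wordlist of likely tool names and looking up each hash. Returns
    {hash: name} for every hash the wordlist explains."""
    table = {name_hash(w): w for w in wordlist}
    return {h: table[h] for h in hashes if h in table}


if __name__ == "__main__":
    sample_processes = ["explorer.exe", "ProcMon.exe", "svchost.exe", "WireShark.exe"]
    print("would trigger evasion:", find_watched(sample_processes))
    for h, name in crack_hashes(WATCHED_HASHES, ["notepad.exe", "windbg.exe", "procmon.exe"]).items():
        print(f"{h:016x} -> {name}")
```

The reversal only works because the input space is tiny: process names are short, drawn from a known set of security tools, and already lowercased, so a few thousand candidates cover the list. That is why the hashes slow analysis down but do not stop it.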