Adversary Hunter at @DragosInc. Lead #Malware Analyst on #TRISIS and #PIPEDREAM. Spend my time searching for and tearing apart #ICS threats. #FUZZYSNUGGLYDUCK
Jun 19, 2023 • 13 tweets • 6 min read
More on COSMICENERGY. Previously we said that LIGHTWORK had a 98% function overlap with lib60870-c, turns out it's even more than that. Their main code is based on an example from that project, simple_client.c #ICS #malware (1/13) github.com/mz-automation/…
Going back in the GitHub history, and looking at various artifacts, like dangling if statements, and some sleep calls, and such, it looks like it's based on the version from March 28, 2019 (2/13): github.com/mz-automation/…
Apr 16, 2022 • 14 tweets • 5 min read
Now that I've had some distance from the analysis of #PIPEDREAM, I've been thinking a lot about knowledge gain, across #CRASHOVERRIDE, #TRISIS, and PIPEDREAM. Here's a quick summary of how I'm seeing the advancement of knowledge by adversaries seeking to impact ICS. (1/13)
2016, #CRASHOVERRIDE impacts a substation in Ukraine. The toolkit encompassed 4 protocols: IEC 101, IEC 104, 61850/MMS, and OPC-DA, capable of targeting breakers and switchgear that use those protocols, along with a custom DoS utility targeting a Siemens SIPROTEC relay. (2/13)
Jun 19, 2019 • 7 tweets • 2 min read
I know I tweet a lot about IDA. That's because I used to be an instructor, and realize how difficult it can be for new reversers to become accustomed to it (and to learn RE generally). But, owning IDA is not a barrier for entry into the RE community. #reverseengineering 1/5
There are tools like Ghidra, Radare, x64dbg, WinDbg, gdb that are all free. Binary Ninja comes in at a much lower price point if you get a personal license. You can also download IDA Free, if you'd like to become more familiar with IDA. 2/5
Nov 21, 2018 • 4 tweets • 2 min read
IDA's remote debugger is my go-to for debugging malware so that I never have to restore my VM and lose. If you're interested in trying it, I've attached some instructions on how to set it up to debug a DLL. (1/4) #malware #reverseengineering
1. Copy the remote debugger for your platform from the "dbgsrv" directory in your IDA installation directory to the debugging target and execute. -h will show you other options for configuring a password, port number etc. (2/4)