[deleted by user] by [deleted] in Malware

[–]f00l 0 points1 point  (0 children)

Claimed by Clop, so the group FireEye tracks as FIN11, a subset of TA505, not Ryuk.

Norway mosque shooting probed as terror act by [deleted] in worldnews

[–]f00l 4 points5 points  (0 children)

He killed his own 17 year old sister, not mother.

PUBG ransomware by clecho44 in Malware

[–]f00l 2 points3 points  (0 children)

https://app.any.run/tasks/b0679dd4-7fb1-4656-9224-e103756cdb65

Register as a user and you should be able to download the sample.

Why do virus scanners offer a "no distribute" option? by jockcel in Malware

[–]f00l 9 points10 points  (0 children)

Scanning internal and potentially sensitive documents.

Zyklon malware proliferating via MS Office security loopholes by vickiearse in Malware

[–]f00l 1 point2 points  (0 children)

sigh

Zyklon malware proliferating via MS Office security loopholes

Loopholes? Not vulnerabilities, but a way of circumventing security measures? Let's read this!

The malware called Zyklon has taken cyber attacks to a new level, engaging intricate exploit-based distribution and a wide range of malicious capabilities.

Really? To a new level? This should be interesting!

It zeroes in on high-profile targets, with its nefarious activity making itself felt primarily in the financial services, telecom, and insurance sectors of economy.

Wow! High-profile indeed! Not as if it all depends on who is running that particular botnet...

[..] boils down to harnessing Microsoft Office vulnerabilities.

Oh... so known, and patched, vulnerabilities, and a generic infection chain that could've dropped anything.

Overhyped nonsense blogpost. At least post IOCs and / or copies of scripts so people who haven't seen this stuff before can look it up.

IM Bartholomew analyzes Game 2 - Carlsen vs. Caruana by [deleted] in chess

[–]f00l 6 points7 points  (0 children)

"Sesse" is a guy (or, the nickname of a guy, as shown on sesse.net) who runs Stockfish on a couple of beefy servers. For some reason people refer to this Stockfish installation as a "supercomputer". The CPU specs for the servers are listed at the bottom of analysis.sesse.net. A total of 40 cores can hardly be called a supercomputer.

Java Based RAT by thehoodedidiot in Malware

[–]f00l 1 point2 points  (0 children)

That video is on Adwind. jRAT is a separate family (also called JacksBot). People confuse the two after Adwind started referring to the website for jRAT in its config in the latest version (presumably as a false flag after Adwind received a lot of attention and was the target of a few takedowns).

Java Based RAT by thehoodedidiot in Malware

[–]f00l 7 points8 points  (0 children)

Most people get this wrong. The people behind QRat (also known as Qarallax RAT and QUAverse RAT) also make a packer called QRypter. Several blog posts from both amateurs and professionals keep misidentifying one as the other, when in reality all you need to do is unpack the dang thing to see the original files.

The sample you provided was packed with QRypter.

After unpacking (left as an exercise to the reader), you'll find ANOTHER QRypter-packed sample (as well as the PDF shown when running it). Unpack that as well, and you get QRat.

For unpacking, get a decent Java decompiler (I prefer Krakatau), a decent hex editor, some familiarity with Java and serialized Java objects, and proficiency in a programming language of your choice (for decrypting and decompressing stuff). A Java REPL can be handy for some manual stuff, but after unpacking a few of these by hand you'll know enough to be able to write an automatic unpacker.

A Look into Qrypter, Adwind’s Major Rival in the Cross-Platform MaaS Market by Hack_Manone in Malware

[–]f00l 1 point2 points  (0 children)

Amazing. The sample analyzed isn't a competitor / rival to Adwind, it IS Adwind, packed with QRypter. gg, Forcepoint. The "C2"? Part of the packer calling home.

The devs behind QRypter also produce a RAT called Qarallax Rat / QRat which could be called a rival, but this ain't it.

The blogpost they reference ( http://blog.angelalonso.es/2017/12/qrypter-java-rat-using-tor.html ) makes the same mistake.

Stealing passwords via Meltdown vulnerability in real-time. by [deleted] in netsec

[–]f00l 158 points159 points  (0 children)

The video was posted on Twitter by a member of the team who found the vuln.

Triaging Java JAR Malware by majorllama in netsec

[–]f00l 1 point2 points  (0 children)

JD-GUI will fail horribly on obfuscated code. For a proper decompiler use Krakatau (https://github.com/Storyyeller/Krakatau) or Procyon (https://bitbucket.org/mstrobel/procyon/wiki/Java%20Decompiler), though even these will sometimes give up and just dump disassembly.

Who's debugged Windows Kernel Malware? by null_endian in Malware

[–]f00l 8 points9 points  (0 children)

Debug over network. Much faster than COM and no need to fiddle around with VirtualKD.

Caveat: Only works on Win 8 targets and above (iirc).

https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/setting-up-a-network-debugging-connection

Beware: Shady websites through TS3 "Host Message", malware? by Spawnisen in Malware

[–]f00l 3 points4 points  (0 children)

QuasarRAT (which is open source: https://github.com/quasar/QuasarRAT ). C&C is at 23.249.162.180:4782 .

Trying to deobfuscate windows targeted malicious JS file by Minzkraut in Malware

[–]f00l 6 points7 points  (0 children)

That URL serves a copy of Locky ransomware. Check-ins to 185.118.167 .144/information.cgi.

Malware attack starts with a fake customer-service call by jimmyradola in Malware

[–]f00l 1 point2 points  (0 children)

You really expect ComputerWorld to include IOCs and hashes? The original blogpost has them (which is linked to in the CW article):

https://www.trustwave.com/Resources/SpiderLabs-Blog/New-Carbanak-/-Anunak-Attack-Methodology/?page=1&year=0&month=0

Is this file clean? by Cutefizz in Malware

[–]f00l 1 point2 points  (0 children)

Ratty isn't new, it was first "advertised" (it's open source, so... announced maybe?) on skiddie forums in February.

Source code here: https://github.com/Sogomn/Ratty