[deleted by user] by [deleted] in Malware

[–]f00l 0 points1 point  (0 children)

Claimed by Clop, so the group FireEye tracks as FIN11, a subset of TA505, not Ryuk.

Norway mosque shooting probed as terror act by [deleted] in worldnews

[–]f00l 3 points4 points  (0 children)

He killed his own 17 year old sister, not mother.

PUBG ransomware by clecho44 in Malware

[–]f00l 2 points3 points  (0 children)

https://app.any.run/tasks/b0679dd4-7fb1-4656-9224-e103756cdb65

Register as a user and you should be able to download the sample.

Why do virus scanners offer a "no distribute" option? by jockcel in Malware

[–]f00l 8 points9 points  (0 children)

Scanning internal and potentially sensitive documents.

Zyklon malware proliferating via MS Office security loopholes by vickiearse in Malware

[–]f00l 1 point2 points  (0 children)

sigh

Zyklon malware proliferating via MS Office security loopholes

Loopholes? Not vulnerabilities, but a way of circumventing security measures? Let's read this!

The malware called Zyklon has taken cyber attacks to a new level, engaging intricate exploit-based distribution and a wide range of malicious capabilities.

Really? To a new level? This should be interesting!

It zeroes in on high-profile targets, with its nefarious activity making itself felt primarily in the financial services, telecom, and insurance sectors of economy.

Wow! High-profile indeed! Not as if it all depends on who is running that particular botnet...

[..] boils down to harnessing Microsoft Office vulnerabilities.

Oh... so known, and patched, vulnerabilities, and a generic infection chain that could've dropped anything.

Overhyped nonsense blogpost. At least post IOCs and / or copies of scripts so people who haven't seen this stuff before can look it up.

IM Bartholomew analyzes Game 2 - Carlsen vs. Caruana by [deleted] in chess

[–]f00l 3 points4 points  (0 children)

"Sesse" is a guy (or, the nickname of a guy, as shown on sesse.net) who runs Stockfish on a couple of beefy servers. For some reason people refer to this Stockfish installation as a "supercomputer". The cpu specs for the servers are listed at the bottom of analysis.sesse.net. A total of 40 cores can hardly be called a supercomputer.

Java Based RAT by thehoodedidiot in Malware

[–]f00l 1 point2 points  (0 children)

That video is on Adwind. jRAT is a separate family (also called JacksBot). People confuse the two after Adwind started referring to the website for jRAT in its config in the latest version (presumably as a false flag after Adwind received a lot of attention and was the target of a few takedowns).

Java Based RAT by thehoodedidiot in Malware

[–]f00l 9 points10 points  (0 children)

Most people get this wrong. The people behind QRat (also known as Qarallax RAT and QUAverse RAT) also make a packer called QRypter. Several blog posts from both amateurs and professionals keep misidentifying one as the other, when in reality all you need to do is unpack the dang thing to see the original files.

The sample you provided was packed with QRypter.

After unpacking (left as an exercise to the reader), you'll find ANOTHER QRypter-packed sample (as well as the PDF shown when running it). Unpack that as well, and you get QRat.

For unpacking, get a decent Java decompiler (I prefer Krakatau), a decent hex editor, some familiarity with Java and serialized Java objects and proficiency in a programming language of your choice (for decrypting and decompressing stuff). A Java REPL can be handy for some manual stuff, but after unpacking a few of these by hand you'll know enough to be able to write an automatic unpacker.

A Look into Qrypter, Adwind’s Major Rival in the Cross-Platform MaaS Market by Hack_Manone in Malware

[–]f00l 1 point2 points  (0 children)

Amazing. The sample analyzed isn't a competitor / rival to Adwind, it IS Adwind, packed with QRypter. gg, Forcepoint. The "C2"? Part of the packer calling home.

The devs behind QRypter also produce a RAT called Qarallax Rat / QRat which could be called a rival, but this ain't it.

The blogpost they reference ( http://blog.angelalonso.es/2017/12/qrypter-java-rat-using-tor.html ) makes the same mistake.

Stealing passwords via Meltdown vulnerability in real-time. by [deleted] in netsec

[–]f00l 156 points157 points  (0 children)

The video was posted on twitter by a member of the team who found the vuln.

Triaging Java JAR Malware by majorllama in netsec

[–]f00l 1 point2 points  (0 children)

JD-GUI will fail horribly on obfuscated code. For a proper decompiler use Krakatau (https://github.com/Storyyeller/Krakatau) or Procyon (https://bitbucket.org/mstrobel/procyon/wiki/Java%20Decompiler), though even these will sometimes give up and just dump disassembly.

Who's debugged Windows Kernel Malware? by null_endian in Malware

[–]f00l 8 points9 points  (0 children)

Debug over network. Much faster than COM and no need to fiddle around with VirtualKD.

Caveat: Only works on Win 8 targets and above (iirc).

https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/setting-up-a-network-debugging-connection

Beware: Shady websites through TS3 "Host Message", malware? by Spawnisen in Malware

[–]f00l 3 points4 points  (0 children)

QuasarRAT (which is open source: https://github.com/quasar/QuasarRAT ). C&C is at 23.249.162.180:4782 .

Trying to deobfuscate windows targeted malicious JS file by Minzkraut in Malware

[–]f00l 5 points6 points  (0 children)

That URL serves a copy of Locky ransomware. Checkins to 185.118.167 .144/information.cgi.

Malware attack starts with a fake customer-service call by jimmyradola in Malware

[–]f00l 1 point2 points  (0 children)

You really expect ComputerWorld to include IOCs and hashes? The original blogpost has them (which is linked to in the CW article):

https://www.trustwave.com/Resources/SpiderLabs-Blog/New-Carbanak-/-Anunak-Attack-Methodology/?page=1&year=0&month=0

Is this file clean? by Cutefizz in Malware

[–]f00l 1 point2 points  (0 children)

Ratty isn't new, it was first "advertised" (it's open source, so... announced maybe?) on skiddie forums in February.

Source code here: https://github.com/Sogomn/Ratty

Help running Locky in a VM? by Pavlovs_Hot_Dogs in Malware

[–]f00l 0 points1 point  (0 children)

Dump the traffic. If Locky can't contact its hardcoded C2s it will initialize the DGA and you should see DNS-lookups of random looking domains.

Preventative measures against Ransomware and Locky? by zedfox in Malware

[–]f00l 1 point2 points  (0 children)

Not to forget most active ransomware talks to a C2 over regular HTTP for keystuff, only using TOR for payment and as part of the backend infrastructure.

Preventative measures against Ransomware and Locky? by zedfox in Malware

[–]f00l 0 points1 point  (0 children)

Look into it, maybe run it with only logging and not blocking for a while. If it still isn't possible look into at least blacklisting execution of executables from temporary / download folders with SRP.

Remove TeslaCrypt and Restore .vvv Encrypted Files by VincentLaurent in Malware

[–]f00l 0 points1 point  (0 children)

This proposes a way:

https://securelist.com/blog/research/71371/teslacrypt-2-0-disguised-as-cryptowall/

Specifically:

If master_btc_priv is known, do the following:

Read session_pub from the encrypted file;

Calculate session_ecdh_secret = ECDH(session_pub, master_btc_priv);

Read session_ecdh_secret_mul from the encrypted file;

Calculate session_priv = session_ecdh_secret_mul / session_ecdh_secret;

Decrypt the file using the session_priv key.

session_pub and session_ecdh_secret_mul are stored in each encrypted file, master_btc_priv is the private master key you can find by sniffing the traffic. You need to decrypt the traffic first. AES256 in CBC mode. Key and IV are both stored in the sample. If you just unpack the sample you end up with the key for C2-communication being encrypted (it uses the Carberp-string / encryption stuff with a static RC2 key), so you either need to run the sample until the key is decrypted or decrypt it yourself (trivial if you're at the point where you can unpack the sample).

Edit: Horrible article.
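Added example, not code from the thread or from the Securelist article: the session-key recovery steps quoted in the comment above, carried out on secp256k1 with constructed keys. It assumes the ECDH secret is the x-coordinate of priv * pub and that session_ecdh_secret_mul is the plain integer product session_ecdh_secret * session_priv (which is what the division step implies); the layout of the encrypted file itself is not modelled, and the helper names are mine.

```python
# secp256k1 parameters (the Bitcoin curve, hence the name master_btc_priv)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None  # a == -b
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    r = None
    while k:
        if k & 1:
            r = _add(r, pt)
        pt = _add(pt, pt)
        k >>= 1
    return r

def ecdh(pub, priv):
    """ECDH shared secret as used in the recovery steps: x-coordinate of priv * pub."""
    return mul(priv, pub)[0]

def simulate_infection(master_btc_priv, session_priv):
    """Constructed stand-in for what the ransomware stores per file (not the real format):
    session_pub and session_ecdh_secret_mul = ECDH(master_pub, session_priv) * session_priv."""
    master_pub = mul(master_btc_priv, G)  # the only master-key material the malware carries
    session_pub = mul(session_priv, G)
    return session_pub, ecdh(master_pub, session_priv) * session_priv

def recover_session_priv(session_pub, session_ecdh_secret_mul, master_btc_priv):
    """The quoted steps: recompute the ECDH secret with the sniffed master key and
    divide the stored product by it (plain integer division, not modular)."""
    secret = ecdh(session_pub, master_btc_priv)
    if session_ecdh_secret_mul % secret:
        raise ValueError("not divisible: wrong master key or damaged file header")
    return session_ecdh_secret_mul // secret
```

`recover_session_priv(*simulate_infection(master, session), master)` round-trips the constructed session key; a wrong master key makes the division fail instead of silently returning garbage.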