Monday, October 18th, 2021 a Turkish individual leaked source code to Cerberus Android Banking Trojan. This appears to be a variant of a previously leaked version we possess.
You can download Android.Cerberus.d here: https://github.com/vxunderground/MalwareSourceCode/tree/main/Leaks/Android
Additions to the VXUG papers collection:
-SmashEx: Smashing SGX Enclaves Using Exceptions by Jinhua Cui, Jason Yu, Shweta Shinde, Prateek Saxena, Zhiping Cai
-Analyzing ransomware negotiations with CONTI: An in-depth analysis by DIFR Research Group
https://vx-underground.org/papers
Groove ransomware group asks ransomware operators to unite to attack the United States. Groove asks operators to stop attacking Chinese organizations and warns of a possible race war in the United States.
Image 1: EN
Image 2: RU
Conti ransomware group has put out a statement regarding the recent REvil activities. We have archived it and placed it on Pastebin.
Title: Announcement. ReviLives.
Subject: Own opinion.
You can read it here: https://pastebin.com/kMQAbcFa
Attachment: Espector.7z (101.6 KB)
I will share something on Telegram before it goes live on vx-underground. Here are samples of APT Espector, a Chinese UEFI Bootkit, and FiveSYS, a Microsoft signed Windows Rootkit. :) Have a good weekend :)
-smelly
Updates to the vx-underground APT collection:
- FiveSYS, Microsoft signed Rootkit
- TinyVNC from Kimsuky Group
- APT Harvester campaign
and more...
Check it out here: https://vx-underground.org/apts
*Samples included.
We've made updates to the vx-underground APT collection:
- FontOnLake, Linux malware
- APT InSideCopy
Samples and papers included.
Check it out here: https://vx-underground.org/apts
We've updated the vx-underground malware source code repository. We have added Android.GhostBot, an Android spyware proof-of-concept capable of surveillance on the target, with functionality similar to Pegasus.
You can check it out here (under Android section): https://github.com/vxunderground/MalwareSourceCode
Grief ransomware group has ransomed the National Rifle Association (NRA).
Link: https://griefcameifmv4hfr3auozmovz5yi6m3h3dwbuqw7baomfxoxz4qteid.onion
We will be releasing the toolkit the Conti ransomware group and the BlackMatter ransomware group use tomorrow on Twitter. However, to thank our supporters, and to thank individuals for following our Telegram, we will be releasing a vx-underground Telegram exclusive.
Background information:
The files we have received are scripts used by the group TeamTNT in their Chimaera campaign. This campaign has been discussed multiple times by various security vendors and researchers.
1. TrendMicro discussed it here: https://www.trendmicro.com/en_us/research/21/c/teamtnt-continues-attack-on-the-cloud--targets-aws-credentials.html
2. PaloAlto Unit42 discussed it here: https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
A security researcher on Twitter named r3dbU7z (https://twitter.com/r3dbU7z) tracked TeamTNT and uploaded a collection of TeamTNT's scripts/toolkits onto VirusTotal. Threat actors became aware of this, pulled the script compilation from a different location (we believe bazaar.abuse.ch), modified them for their personal usage, and are distributing them to ransomware affiliates to aid post-exploitation. The files we are sharing are NOT detected well on VirusTotal (they are bash scripts; we are aware it is difficult to make YARA/SIGMA rules that cover them well).
The password: infected