vx-underground
The largest collection of malware source, samples, and papers on the internet.

Password: infected

https://vx-underground.org/
We've updated the vx-underground Windows malware paper collection. We have a lot more papers in queue.

Read them.

Papers:
- 2024-08-31 - Finding open file handles in PS
- 2024-08-30 - Evil MSI A story about vulnerabilities in MSI Files
- 2024-08-26 - DLL Sideloading with LicenseDiag.exe
- 2024-08-19 - DRMBIN - Prevent binaries from running on other machines
- 2024-08-15 - Offline SAM Editing
- 2024-08-14 - Tricks with Microsoft Word and Sandboxes
- 2024-08-13 - Abusing AV/EDR Exclusions to Evade Detections
- 2024-06-09 - Bypassing EDR NTDS.dit protection using BlueTeam tools
Generally speaking, the ultimate goal of collecting malware is getting malware which offers intelligence in some capacity.

- Novel malware
- Stagers and/or chains (leading to malware)
- Active malware campaigns

There is a metric poop-ton of dead malware floating in cyber space which offers nothing of value. Collecting it simply allows you to add (yet another) SHA256 entry in your DB of known-bad files. It will do (probably) nothing except alter system files and be annoying.

Ideally, you'd like malware you can extract C2 information from, tie to a malware campaign, study for making detection rules, or study to learn new malware development techniques.

Old and dead malware does nothing except take up space. But, some vendors like it just to check it off as 'lol this bad fr'.

As an example: our malware ingestion can take in millions upon millions of "padodor", "berbew", "qukart", "vilsel", "zegost", or "vbclone" samples. Most of these don't even work on modern Windows, drop like, 100+ copies of themselves, and can't connect to anything.

tl;dr it's dead
Today we ingested 1,721,892 suspected malicious binaries.

Non-junk malware: less than 100,000, probably closer to 60,000
lemon > rolex
twitter algorithm ๐Ÿ˜‚๐Ÿ˜‚๐Ÿ˜‚
๐Ÿ˜126๐Ÿคฃ78๐Ÿ’ฏ21๐Ÿซก6๐Ÿ‘5๐Ÿค“5โค3๐Ÿ”ฅ3๐Ÿฅฐ1
This media is not supported in your browser
VIEW IN TELEGRAM
if you cringe you lose
Saw XI: Internet Dweeb Edition:

Jigsaw voice: "Hello, internet pirate, want to play a game? One of these buttons is a real pirated version of Photoshop. The other three deliver Redline information stealer. Make your choice."
Today reports surfaced on a cybersecurity incident impacting the London Transport Department

We can assert with a high degree of confidence that this 'incident' is of extreme severity. The immediate presence of the NCA and NCSC drives this point further.
Updates to vx-underground:

Papers:
- 2024-09-03 - Rundll32 and Phantom DLL lolbins
- 2024-08-17 - HookChain - A new perspective for Bypassing EDR Solutions
- 2024-08-11 - DriverJack
- 2024-08-11 - Blocking EDR drivers with HVCIDisallowedimage
- 2024-08-10 - ShimMe - Manipulating Shim and Office for Code Injection
- 2024-08-09 - Blocking EDR Drivers with WDAC policies
- 2024-08-08 - Abusing Windows Hello without a severed hand

Families:
- Android.BlankBot
- AteraAgent
- AtlantidaStealer
- Azorult
- BruteRatel
- CobaltStrike
- DCRat
- DonutLoader
- GCleaner
- Gh0stRAT
- GuLoader
- Lokibot
- LummaStealer
- Mirai
- Neshta
- NjRat
- Pony
- PureLogStealer
- RhadamanthysLoader
- Sliver
- Vidar
- XWorm
- ArcStealer
- AgentTesla
- Amadey
- Andromeda
- AsyncRAT
- AugustStealer
- CryptBot
- CyberGateRAT
- Danabot
- Formbook
- Latrodectus
- MicroClip
- Rakos
- Redline
- Remcos
- StealC
- XenoRAT

Note: someone said the artwork we use when pushing updates is scary, they requested we post something cute instead.
September 3rd, Lara Trump (daughter-in-law of former U.S. President Donald Trump) and Tiffany Trump (daughter of former U.S. President Donald Trump) had their X accounts compromised.

Their accounts briefly shilled some sort of crypto stuff. X locked the accounts within minutes.
> compromise high profile social media accounts tied to powerful american political figures
> can do catastrophic damage
> shills crypto
pizza topping must be a valid email address
pepperoni_is_ok_i_guess_im_not_picky@gmail
RansomHub ransomware group claims to have ransomed Planned Parenthood
We have performed a colossal oopsie doopsie.

Our malware ingestion system prepended 'file=' to every file being sent to VirusTotal, thus impacting AV vendors downstream. Sent vendors hundreds of thousands of botched malware samples.
We were made aware of the issue when AV companies contacted us regarding our VirusTotal account and the files being corrupted.

tl;dr my bad yall (it's free, so fuck you, but seriously we're sorry, we're fixing it)
Improving the homelab today; decided to run some cables through the wall to be fancy.
Today the United States Department of Justice indicted Russian nationals Elena Afanasyeva and Kostiantyn Kalashnikov for violations of the Foreign Agents Registration Act (FARA), and conspiracy to commit money laundering.

Afanasyeva and Kalashnikov remain at large as of September 4th.

Afanasyeva and Kalashnikov are accused of laundering money to covertly fund as much as $10,000,000 to English-speaking social media companies (listed as U.S. Company-1) to sway content in favor of the Russian government.

Interestingly, the indictment states the company which received the funds is described as, "a network of heterodox commentators that focus on Western political and cultural issues". Journalists and researchers have tied this to Tennessee-based company Tenet Media ... because ... it has the exact same message on their homepage verbatim.

This media company employs conservative media commentators Lauren Southern, Tim Pool, Tayler Hansen, Matt Christiansen, Dave Rubin, and Benny Johnson.

The indictment is interesting; it discusses the money laundering techniques, disinformation campaigns, and their chat communication medium ... on Discord.

Image 1 is U.S. Company-1 per the indictment. Image 2 is Tenet Media.

More information: https://www.justice.gov/opa/pr/two-rt-employees-indicted-covertly-funding-and-directing-us-company-published-thousands