Forwarded from Deadly malware xp
Hello, my rabbits who like to go to tea parties 🐰☕️
While I am writing about bitcoin node search and analysis, I decided to make a collection of rootkit malware on Linux🐧
Reverse💊
Not really about Linux, but still a very cool guide to reverse engineering ;
Article about reverse-engineering the Ebpfkit rootkit ;
Article about dovecat and hy4 malware analysis for Linux ;
A collection of resources for reverse-engineering Linux ;
Article about virus analysis automation on Linux ;
Article about malware analysis for Linux ;
Article about rootkit and its detection ;
Resources🗝
A site with material on viruses and rootkits on Linux, including how to write them ;
A site with resources on reverse engineering ;
A resource site for people who want to write viruses for Linux ;
A site with excellent material and documents about linux malware ;
Examples of malware 🦠
A github thread with cool virus repositories ;
Linux X86_64 ELF virus ;
A simple Linux virus. It can get root rights and destroy your system ;
Linux ransomware ;
Repository of the source code of various Linux malware ;
Combination of shell and rootkit ;
Collection of Linux rootkits ;
A simple Linux kernel rootkit ;
Materials / Collections📖
A collection of Linux virus materials ;
A collection of materials on rootkits and attacks on Linux ;
Article about evading malware analysis by reverse engineering ;
Malware analysis methodology in Linux environment ;
An article for understanding Linux malware ;
Not a bad article about writing rootkits on Linux ;
Malware Scanners 🧲
LMD malware scanner for Linux ;
Linux rootkit scanner ;
A github thread with collections of Linux rootkit scanners ;
Also a good rootkit scanner ;
As you can see, although it is widely accepted that "writing viruses on Linux is difficult, or even an impossible practice", that is far from the truth, and having Linux is not a silver bullet against viruses.
On Linux, viruses (especially rootkits) are written, and written very successfully.
So take care and protect your system.
Thank you for reading ❤️
And Alice, don't forget to read the sign on the back of the bottle you want to drink, in case it says "poison"🧪🎀
#malware #virus #revers #ransomware #attacks #linux #exploit #rootkit
GitHub
GitHub - mytechnotalent/Reverse-Engineering: A FREE comprehensive reverse engineering tutorial covering x86, x64, 32-bit/64-bit…
A FREE comprehensive reverse engineering tutorial covering x86, x64, 32-bit/64-bit ARM, 8-bit AVR and 32-bit RISC-V architectures. - mytechnotalent/Reverse-Engineering
💥Reverse Engineering Tiktok's VM Obfuscation (Part 1)
This article does not delve into the specifics of how these strings are utilized or how TikTok interprets the rest of the bytecode through its custom virtual machine and various opcodes. If that is something you are interested in, keep an eye out for the second part of this series.
🔖Full strings dump
Blindside.zip
22.9 KB
🔥🔥🔥Blindside is a technique for evading the monitoring of EDR and XDR platforms using hardware breakpoints to inject commands and perform unexpected, unwanted, or malicious operations. It involves creating a breakpoint handler and setting a hardware breakpoint that forces the debugged process to load only ntdll into memory. This results in a clean, unhooked ntdll, which can then be copied into our process to unhook the original ntdll.
🔖Technical blog post:
Blindside: A New Technique for EDR Evasion with Hardware Breakpoints
🛡Fix memory leak in set_mempolicy_home_node system call
When encountering any vma in the range with policy other than MPOL_BIND or
MPOL_PREFERRED_MANY, an error is returned without issuing a mpol_put on
the policy just allocated with mpol_dup().
⚠️This allows arbitrary users to leak kernel memory (DoS).
CVE-2022-42046.zip
32.3 KB
🔥🔥🔥PoC of wfshbr64.sys LPE(Windows Kernel Mode Anti-Cheat Driver, CVE-2022-42046)
A specially crafted payload sent to wfshbr64.sys or wfshbr32.sys allows an arbitrary user to perform a bitwise operation with an arbitrary EPROCESS offset and flags value, purposely elevating the game process to CodeGen Full protection by manipulating the EPROCESS.Protection and EPROCESS.SignatureLevel flags (a security hole as a feature).
⚠️The driver is signed by the Microsoft hardware compatibility publisher, having been submitted via the Microsoft Hardware Program.
#Threat_Research
1. Custom-Branded Ransomware: The Vice Society Group and the Threat of Outsourced Development
https://www.sentinelone.com/labs/custom-branded-ransomware-the-vice-society-group-and-the-threat-of-outsourced-development
2. New Ransomware Strains Emerging From Leaked Conti’s Source Code
https://blog.cyble.com/2022/12/22/new-ransomware-strains-emerging-from-leaked-contis-source-code
SentinelOne
Custom-Branded Ransomware: The Vice Society Group and the Threat of Outsourced Development
New PolyVice ransomware is likely in use by multiple threat actors building re-branded payloads with the same custom encryption scheme.
#Red_Team_Tactics
Using Leaking Sentinel Value to Bypass the Latest Chrome v8 HardenProtect
https://medium.com/@numencyberlabs/using-leaking-sentinel-value-to-bypass-the-latest-chrome-v8-hardenprotect-c4ed40e3d34f
Medium
Using Leaking Sentinel Value to Bypass the Latest Chrome v8 HardenProtect
A technical analysis where we use sentinel value to bypass the Latest Chrome v8 HardenProtect
#tools
#Offensive_security
1. Rps_Http ClientInfo IOC search PowerShell script for recent Exchange issue to check for signs of exploitation
https://github.com/CrowdStrike/OWASSRF/blob/main/Rps_Http-IOC.ps1
2. Vultriever - Vulnerability scoring with Nmap with the built-in Vulners snap-in
https://github.com/MalwareHunters/vultriever
GitHub
OWASSRF/Rps_Http-IOC.ps1 at main · CrowdStrike/OWASSRF
#Cloud_Security
Detecting Cloud Account Takeover
https://www.splunk.com/en_us/blog/security/detecting-cloud-account-takeover-attacks-threat-research-release-october-2022.html
Splunk
Detecting Cloud Account Takeover Attacks: Threat Research Release, October 2022 | Splunk
The Splunk Threat Research Team shares a closer look at the telemetry available in Azure, AWS and GCP and the options teams have to ingest this data into Splunk.