Time Travel Debugging IDA plugin, ttddbg, 1.1.0 is out with a new tracing feature! Based on the #IDA database, arguments and return values are pretty-printed!
Enjoy ✔️🛰️🚀
https://github.com/airbus-cert/ttddbg
📣 citronneur
via @malwr
Reactions: 👍 1
📣 Exciting news for all JADX users!
I've just released an official video guide on how to use my new Dynamic Scripting Plugin, JADXecute!
#ReverseEngineering #AndroidDev
https://www.youtube.com/watch?v=g0r3C1iEeBg
📣 lauriewired
via @malwr
YouTube: JADXecute: Dynamic Scripting For JADX
Introducing my new tool JADXecute! JADXecute is a plugin for JADX that enhances its functionality by adding Dynamic Code Execution abilities. With JADXecute, you can dynamically run Java code to modify or print components of the jadx-gui output. JADXecute…
Reactions: 👍 1
Windows kernel drivers for red team tools development
Introduction series by @Idov31
Part 1: https://idov31.github.io/2022/07/14/lord-of-the-ring0-p1.html
Part 2: https://idov31.github.io/2022/08/04/lord-of-the-ring0-p2.html
Part 3: https://idov31.github.io/2022/10/30/lord-of-the-ring0-p3.html
#windows #kernel #redteam #malware #infosec #cybersecurity #learning
📣 0xor0ne
via @malwr
I made a writeup on #Magniber #ransomware (from 2022) demonstrating the capabilities of the latest #TinyTracer: https://hshrzd.wordpress.com/2023/03/30/magniber-ransomware-analysis/
📣 hasherezade
via @malwr
Reactions: 👍 1
Walk through an incident where initial access was obtained through exploitation of CVE-2023-0669 (GoAnywhere MFT) a day after the release of the vuln and 4 days before a patch was released. Also, I have some thoughts on vuln adoption by criminals.
https://securityintelligence.com/posts/x-force-prevents-zero-day-from-going-anywhere/
📣 TactiKoolSec
via @malwr
Reactions: ❤ 1, 👍 1
Supply chain attack in 3CX Windows Electron DesktopApp
📣 qwerty0x41
It should also be noted that the macOS version was also trojaned. If you have installed 3CXDesktopApp-18.12.416.dmg (SHA1 3DC840D32CE86CEBF657B17CEF62814646BA8E98), you have a trojaned version.
Since it had only one C2 domain hard-coded and that is offline, the malware is dormant.
Still, burn it with fire.
👤 CrimsonNorseman
Some IOCs posted by a user on the 3CX forum: ~~https://www.3cx.com/community/threads/3cx-icos.119967/#post-559156~~
EDIT: thread was removed, refer to https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/#heading-5 for what seem to be up-to-date IOCs
👤 qwerty0x41
Supply chain? So what dependency was compromised/exploited? Electron itself or a node.js library?
👤 iliark
via @malwr
Reactions: 🤔 1
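The comment above quotes the SHA1 of the trojaned macOS installer. As an added example (not code from the thread, from 3CX, or from any of the vendors linked), here is a small POSIX shell helper that hashes installer files you still have on disk and flags any whose SHA1 appears in a known-bad list. The list contains only the one hash quoted in the comment; pull current hashes from the vendor advisories linked in the thread before relying on it. The `BAD_SHA1` variable, the function names and the demo file are assumptions made for this example, and `sha1sum` / `shasum -a 1` are the standard coreutils and Perl tools, with `shasum` covering macOS where `sha1sum` is usually absent.

```shell
#!/bin/sh
# Added example: match local files against known-bad SHA1 IOCs.
# The only hash below is the one quoted in the thread for 3CXDesktopApp-18.12.416.dmg.
# (Assumption: you extend this list from the vendor advisories yourself.)
BAD_SHA1="3dc840d32ce86cebf657b17cef62814646ba8e98"

# sha1_of FILE -> prints the lowercase hex SHA1 of FILE.
# Prefers sha1sum (coreutils); falls back to shasum (ships with Perl, present on macOS).
sha1_of() {
    h=$(if command -v sha1sum >/dev/null 2>&1; then sha1sum "$1"; else shasum -a 1 "$1"; fi)
    printf '%s\n' "$h" | awk '{print tolower($1)}'
}

# is_ioc_hash HASH -> exit 0 if HASH (any case) is an exact line in BAD_SHA1, else 1.
is_ioc_hash() {
    printf '%s\n' "$BAD_SHA1" | grep -qix "$1"
}

# check_file FILE -> prints "MATCH <sha1> <file>" or "clean <sha1> <file>".
# Exit status: 0 = matched an IOC, 1 = clean, 2 = file not readable.
check_file() {
    [ -r "$1" ] || { echo "unreadable $1" >&2; return 2; }
    h=$(sha1_of "$1")
    if is_ioc_hash "$h"; then
        echo "MATCH $h $1"
        return 0
    fi
    echo "clean $h $1"
    return 1
}

# Real usage (assumed paths): hash every 3CX installer left in Downloads.
#   for f in "$HOME"/Downloads/3CXDesktopApp*; do check_file "$f"; done

# demo -> constructed throwaway file that is certainly not the trojaned installer;
# returns check_file's status (1 = clean) so callers can branch on it.
demo() {
    tmp=$(mktemp)
    printf 'constructed sample, not the 3CX installer\n' > "$tmp"
    check_file "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

if demo; then echo "IOC hit"; else echo "no IOC hit"; fi
```

A hash match is a strong positive, but a clean result here is not a clean bill of health: it only says that the files you hashed are not the specific build in the list, so keep the list current and treat any 3CX install from the affected versions with the caution the thread suggests.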
Bypassing DEP with gap restrictions
📣 CarelessOne7933
Like it is a new technique... It's basically what everyone has been doing forever to prevent shellcode corruption
👤 Void_Sec
via @malwr
divyanshu-mehta.gitbook.io: Bypassing DEP - Increasing the Gap
This blog talks about how to use the WriteProcessMemory API call to execute shellcode in a scenario where there is very little gap between the shellcode and the WriteProcessMemory call skeleton.
Our team from @Unit42_Intel released a blog related to the 3CXDesktopApp supply chain attack. Enjoy!
https://unit42.paloaltonetworks.com/3cxdesktopapp-supply-chain-attack/
#dfir #supplychainattack #Unit42
📣 r3nzsec
via @malwr
#sslpinning #frida #mitm #android
New video up on YouTube showcasing the concepts of SSL pinning and how to bypass different types of SSL pinning on Android.
@fridadotre @mobilesecurity_
https://youtu.be/iooYH0S2Y3o
📣 SecFatal
via @malwr
YouTube: How to Bypass Multiple SSL Pinning on Android
#android #sslpinning #frida #pentest #mobilesecurity #mitm
Hey guys, in this video I have explained capturing the HTTPS traffic from a very well obfuscated Android application. Since the app is obfuscated and using SSL pinning, even if an attacker tries…
https://github.com/ggerganov/kbd-audio
this tool lets you extract text from an audio recording of keyboard strokes, right now, for free
i am not making this shit up, you can potentially steal a password from an audio recording in an office
📣 f4micom
via @malwr
Reactions: 🤔 2
If you are looking for a comprehensive overview of the current #3CX supply chain attack, I created a diagram that shows the attack flow! 🔥 I'll update as soon as the analysis progresses. Stay tuned for the macOS edition! #cybersecurity #infosec #supplychainattack #3CXpocalypse
📣 fr0gger_
via @malwr
Reactions: 👍 1
Proofpoint researchers have observed recent espionage-related activity by TA473 (Winter Vivern). TA473 has continuously leveraged an unpatched Zimbra vulnerability to target webmail portals of NATO-aligned governments in Europe. https://www.proofpoint.com/us/blog/threat-insight/exploitation-dish-best-served-cold-winter-vivern-uses-known-zimbra-vulnerability
📣 virusbtn
via @malwr
Fortinet researchers have observed several attack bursts targeting Cacti & Realtek vulnerabilities, spreading ShellBot & Moobot malware. In an article they examine the payloads of these two attacks and the resulting malware behaviour. https://www.fortinet.com/blog/threat-research/moobot-strikes-again-targeting-cacti-and-realtek-vulnerabilities
📣 virusbtn
via @malwr
Multiple security vendors have released articles sharing information about an ongoing campaign that trojanizes the #3CX DesktopApp in a supply chain attack:
https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/
https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/
https://www.trendmicro.com/en_us/research/23/c/information-on-attacks-involving-3cx-desktop-app.html
https://news.sophos.com/en-us/2023/03/29/3cx-dll-sideloading-attack/
📣 virusbtn
Continue...
via @malwr
Reactions: 🔥 1