Here is an ETW-based POC to monitor for (some) direct and indirect syscalls. It should find multiple open-source implementations trying to avoid userland hooks.
https://github.com/thefLink/Hunt-Weird-Syscalls
thefLinkk
@malwr
GitHub
GitHub - thefLink/Hunt-Weird-Syscalls: ETW based POC to identify direct and indirect syscalls
ETW based POC to identify direct and indirect syscalls - thefLink/Hunt-Weird-Syscalls
Hey, FIRSTies! After much dedicated work, the #EthicsSIG has published their #CaseStudies to the FIRST website! Check out the encompassing document here: http://ow.ly/rG2S50NNbJt
FIRSTdotOrg
@malwr
FIRST – Forum of Incident Response and Security Teams
Ethics for Incident Response and Security Teams - Case Studies
c2detect: Search for c2 servers by listener outside https://github.com/michael2to3/c2-search-netlas
_r_netsec
@malwr
ESET researchers have discovered a new Lazarus #OperationDreamJob campaign targeting Linux users. As far as we know, this is the first public mention of this major threat actor using Linux malware as part of this operation.
https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/?utm_source=twitter&utm_medium=cpc&utm_campaign=wls&utm_term=lazarus-linux-malware
#ESETresearch #ProgressProtected #Cybersecurity
ESET
@malwr
Welivesecurity
Linux malware strengthens links between Lazarus and the 3CX supply-chain attack
Similarities with newly discovered Linux malware used in Operation DreamJob corroborate the theory that the infamous North Korea-aligned group is behind the 3CX supply-chain attack
If you're interested in the #TradingTechnologies compromise & detections, then follow this thread
You won't find these IOCs/rules anywhere else
Hashes
https://github.com/Neo23x0/signature-base/blob/977ebf90ef01476f8586fbfd7e433cb93189bfa1/iocs/hash-iocs.txt#L10819
Filenames
https://github.com/Neo23x0/signature-base/blob/977ebf90ef01476f8586fbfd7e433cb93189bfa1/iocs/filename-iocs.txt#L4265
YARA
https://github.com/Neo23x0/signature-base/blob/master/yara/apt_nk_tradingtech_apr23.yar
cyb3rops
@malwr
GitHub
signature-base/iocs/hash-iocs.txt at 977ebf90ef01476f8586fbfd7e433cb93189bfa1 · Neo23x0/signature-base
YARA signature and IOC database for my scanners and tools - Neo23x0/signature-base
Exploiting System Mechanic Driver https://voidsec.com/exploiting-system-mechanic-driver/ #Pentesting #Exploit #CyberSecurity #Infosec
ptracesecurity
@malwr
dnstop – Monitor and display DNS server traffic on your network https://www.cyberciti.biz/faq/dnstop-monitor-bind-dns-server-dns-network-traffic-from-a-shell-prompt/ #Linux #Unix #FreeBSD
nixcraft
@malwr
EclecticIQ researchers have identified a spear phishing campaign targeting Ukrainian government entities including the Foreign Intelligence Service of Ukraine (SZRU) and Security Service of Ukraine (SSU), likely conducted by APT group Gamaredon. https://blog.eclecticiq.com/exposed-web-panel-reveals-gamaredon-groups-automated-spear-phishing-campaigns
virusbtn
@malwr
VirusTotal's trompi summarises the latest activity of the APT43 group based on the telemetry of its malware toolset, including geographical distribution, lookups, submissions, file types, detection ratios & efficacy of crowd-sourced YARA rules. https://blog.virustotal.com/2023/04/apt43-investigation-into-north-korean.html
virusbtn
@malwr
I have finished my write-up on reversing the Cobalt Strike implementations of indirect syscalls. With thanks to @0xDISREL for suggesting I look at it and supplying a beacon and to @DuchyRE for tips about unpacking and structures.
https://github.com/dodo-sec/Malware-Analysis/blob/main/Cobalt%20Strike/Indirect%20Syscalls.md
dodo_sec
@malwr
GitHub
Malware-Analysis/Cobalt Strike/Indirect Syscalls.md at main Β· dodo-sec/Malware-Analysis
#VMware released a security update to address a vulnerability in Tools. A remote attacker could likely exploit the vulnerability to take control of an affected system. More at http://cisa.gov/news-events/alerts/2023/04/21/vmware-releases-security-update-aria-operations-logs. #Cybersecurity #InfoSec
CISACyber
@malwr
Awesome @TrustedSec #Sysmon videos by @Carlos_Perez
Part 1
https://youtu.be/kESndPO5Fig
Part 2
https://youtu.be/MlGc44dfFBg
Part 3
https://youtu.be/2JHjRR2Wt4g
Part 4
https://youtu.be/VKVSedPGDgY
Part 5
https://youtu.be/KBsEAaZFcyI
Part 6
https://youtu.be/46-alN2_vlo
Part 7
https://youtu.be/cN714yh7UF4
Part 8
https://youtu.be/y4cpuliY4dk
Part 9
https://youtu.be/Fs7x7PywdzU
Oddvarmoe
@malwr
YouTube
Learning Sysmon - What is Sysmon? (Video 1)
In this video, Research Team Lead Carlos Perez talks about System Monitor (Sysmon) which you can get from Microsoft's Sysinternals Suite. He covers who can get the most out of Sysmon and what its limitations are so that you can decide how much effort your…
Introducing VirusTotal Code Insight: empowering threat analysis with generative AI. This tool is based on Sec-PaLM (LLM) and helps explaining behavior of suspicious scripts. Code Insight is available now for all our users! More details by @bquintero: https://blog.virustotal.com/2023/04/introducing-virustotal-code-insight.html
virustotal
@malwr
The AhnLab ASEC team analyse a recent coin miner distributed to Linux SSH servers that are being improperly managed. https://asec.ahnlab.com/ko/51680/
virusbtn
@malwr
#yaradbg v0.0.3 is out
1. New yara editor: syntax highlighting, showing evaluation res inline, autocomplete, ...
2. You can upload a pass-protected zip containing malware directly (pass must be "infected")
Not sure who uses it but ping if you do, enjoy :)
https://yaradbg.dev/
DissectMalware
@malwr
Trend Micro's Don Ovid Ladores analyses recent updates to information stealer ViperSoftX. The new campaign uses DLL sideloading for its arrival & execution technique, a more sophisticated encryption method of byte remapping, & a monthly change in C2 server https://www.trendmicro.com/en_us/research/23/d/vipersoftx-updates-encryption-steals-data.html
virusbtn
@malwr
The latest podcast from Check Point looks into Operation Silent Watch: several human rights activists in Azerbaijan received the same phishing email that delivered them spyware capable of causing significant harm to their personal and professional lives. https://research.checkpoint.com/2023/operation-silent-watch/
virusbtn
@malwr
So far I've written 559 pages to help the security community:
1. https://exploitreversing.com/2021/12/03/malware-analysis-series-mas-article-1/
2. https://exploitreversing.com/2022/02/03/malware-analysis-series-mas-article-2/
3. https://exploitreversing.com/2022/05/05/malware-analysis-series-mas-article-3/
4. https://exploitreversing.com/2022/05/12/malware-analysis-series-mas-article-4/
5. https://exploitreversing.com/2022/09/14/malware-analysis-series-mas-article-5/
6. https://exploitreversing.com/2022/11/24/malware-analysis-series-mas-article-6/
7. https://exploitreversing.com/2023/01/05/malware-analysis-series-mas-article-7/
8. https://exploitreversing.com/2023/04/11/exploiting-reversing-er-series/
ale_sp_brazil
@malwr
Exploit Reversing
Malware Analysis Series (MAS) – Article 1
The first article of MAS (Malware Analysis Series) is available for reading from: (link): Soon I have enough time, so I'll publish an HTML version of it. Have an excellent day. Alexandre Borg…