Bitdefender's Martin Zugec shares recent insights about the tactics, techniques and procedures of the Charming Kitten group (APT35/APT42, Mint Sandstorm/PHOSPHORUS), including unpacking a new piece of malware used by the group, named BellaCiao. https://www.bitdefender.com/blog/businessinsights/unpacking-bellaciao-a-closer-look-at-irans-latest-malware/
📣 virusbtn
🔁 @malwr
Monitoring Active Directory for Signs of Compromise
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/monitoring-active-directory-for-signs-of-compromise
📣 DirectoryRanger
🔁 @malwr
Docs
Monitoring Active Directory for Signs of Compromise
Learn about event log monitoring in Active Directory to improve security
CloudSEK's Threat Intelligence Research Team looks into the details of the Daam Android malware distributed via trojanized applications. https://cloudsek.com/threatintelligence/copy-of-malware-intelligence-analysis-of-daam-android-malware
📣 virusbtn
🔁 @malwr
A Deep Dive into the Emotet Malware
Emotet is a trojan that is primarily spread through spam emails. During its lifecycle, it has gone through a few iterations. Early versions were delivered as a malicious JavaScript file.
https://www.fortinet.com/blog/threat-research/deep-dive-into-emotet-malware.html
📣 InfosecMonk
🔁 @malwr
Fortinet Blog
A Deep Dive into the Emotet Malware
FortiGuard Labs has been tracking Emotet since it was first discovered. This blog provides a deep analysis of a new Emotet sample found in early May.…
π₯1
Elastic Security Labs' @DanielStepanic analyses the functionality and capabilities of LOBSHOT, an hVNC malware family spreading through Google Ads. https://www.elastic.co/security-labs/elastic-security-labs-discovers-lobshot-malware
📣 virusbtn
🔁 @malwr
Researchers from Palo Alto's Unit42 identified a new variant of the PingPull malware used by Alloy Taurus actors (aka GALLIUM, Softcell) & designed to target Linux systems. They also found Sword2033 backdoor samples linked to the same C2 infrastructure.
https://unit42.paloaltonetworks.com/alloy-taurus/
📣 virusbtn
🔁 @malwr
A keylogger/sniffer for the on-screen keyboard? Sure, ETW is happy to help here with {4F768BE8-9C69-4BBC-87FC-95291D3F9D0C}
Enjoy the C source code, and the compiled exe, as usual - https://github.com/gtworek/PSBits/tree/master/ETW
📣 0gtweet
🔁 @malwr
How to get IDA global information? min and max addresses, entry point, main, other configuration values, etc.
https://youtu.be/2w8LdSCPUQc
📣 allthingsida
🔁 @malwr
YouTube
IDAPython: Retrieving global database information
In this episode, we cover how to retrieve global database information using the idainfo facilities.
We will retrieve things such as:
- Min and max ea, start ea, main ea,
- Input file path, hash, etc.
- Compiler settings, database creation information (type…
NIST Cloud Computing Forensic Reference Architecture
Release Date: February 2023
Direct Download Link (PDF):
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-201.ipd.pdf
For more unique resources and tools for the cyber community, please visit:
https://cyberstartupobservatory.com
#CyberSecurity #InfoSec #InformationSecurity
📣 CyberSecOb
🔁 @malwr
If a website allows you to upload ZIP files it might be vulnerable to a #ZipSlip #vulnerability leading to #RCE.
Watch this explanation video from @gregxsunday on how he got $5.5k #BugBounty from GitHub & built a #CodeQL query to detect this bug:
#AppSec
https://youtu.be/F95U912u7OQ
📣 securestep9
🔁 @malwr
YouTube
CodeQL query to detect RCE via ZipSlip - $5,500 bounty from GitHub Security Lab
Subscribe to BBRE Premium: https://bbre.dev/premium
📰 Article about writing this query and more practical tips: https://members.bugbountyexplained.com/how-to-write-a-new-codeql-query-and-maximise-payout-rce-via-zipslip-query/
✉️ Sign up for the mailing…
Sharing a tool I developed to help Blue Teamers discover Persistence on Windows - please check it out!
📣 panscanner
Hey everyone - thought I would share a tool some of you may find useful. The GitHub readme has most of the information you'd want but basically it scans Windows for possible persistence mechanisms and reports on them in a CSV format (JSON soon).
The difference between this and something like PersistenceSniper is my attempt to add built-in allow-lists, risk assignments and the capability to 'snapshot' a system (such as a golden image) then use that snapshot as a dynamic runtime allow-list. Most functionality also supports 'drive-retargeting' if you are analyzing a mounted image.
Feel free to DM me/reply with any questions/comments/ideas/etc for improving it! This wouldn't exist without the amazing InfoSec community and I'm just trying to give back.
🔁 @malwr
GitHub
GitHub - joeavanzato/Trawler: PowerShell script helping Incident Responders discover potential adversary persistence mechanisms.
PowerShell script helping Incident Responders discover potential adversary persistence mechanisms. - joeavanzato/Trawler
π₯1
Evasive Panda APT group delivers malware via updates for popular Chinese software
📣 montouesto
🔁 @malwr
Welivesecurity
Evasive Panda APT group delivers malware via updates for popular Chinese software
ESET Research uncovers a campaign by the APT group known as Evasive Panda targeting an international NGO in China with malware delivered through updates of popular Chinese software
APC by Schneider Easy UPS Online Monitoring Software vulnerabilities - a Missing Authentication for Critical Function vulnerability exists that could allow changes to administrative credentials, leading to potential remote code execution without requiring prior authentication on the Java RMI interface
📣 digicat
🔁 @malwr
Frida 16.0.19 is out! We're excited to share that @bezjaje and @hsorbo solved two high-impact reliability issues 🔥
https://frida.re/news/2023/04/27/frida-16-0-19-released/
📣 fridadotre
🔁 @malwr
Frida • A world-class dynamic instrumentation toolkit
Frida 16.0.19 Released
Observe and reprogram running programs on Windows, macOS, GNU/Linux, iOS, watchOS, tvOS, Android, FreeBSD, and QNX
Check Point researchers discuss various infection chains and lures used by APT37 in their recent attacks & the resulting payloads of ROKRAT and Amadey. The lures used are largely focused on South Korean foreign and domestic affairs. https://research.checkpoint.com/2023/chain-reaction-rokrats-missing-link/
📣 virusbtn
🔁 @malwr
Debugging with IDA: Understanding how user mode API hooks work and how to detect them in IDA.
https://youtu.be/spsRgAKv6SE
📣 allthingsida
🔁 @malwr
YouTube
Debugging with IDA: Understanding and detecting API hooks
In this episode, we will do a brief introduction into API hooks (how they work), then we will show how to use IDA to detect the hooks in a live process or a crash dump file.
SentinelOne's Phil Stokes (@philofishal) takes a close look at how macOS Atomic Stealer works and describes a previously unreported second variant. https://www.sentinelone.com/blog/atomic-stealer-threat-actor-spawns-second-variant-of-macos-malware-sold-on-telegram/
📣 virusbtn
🔁 @malwr
My colleague Elias Bachaalany (@0xeb) has kept an excellent channel about IDA Pro (@allthingsida) with videos about its advanced features. No doubt, it's worth subscribing to and following.
https://www.youtube.com/@allthingsida
#idapro #reverseengineering
📣 ale_sp_brazil
🔁 @malwr
Binary Ninja 3.4 released. They are getting scary good at C++ decompilation. Can't wait for @vector35 to get scary-good at Go, Rust, and other compiled languages https://binary.ninja/2023/05/03/3.4-finally-freed.html
📣 OpenMalware
🔁 @malwr
Binary Ninja
Binary Ninja - 3.4: Finally Freed
Binary Ninja is a modern reverse engineering platform with a scriptable and extensible decompiler.
Zero Trust Architecture (NIST Special Publication 800-207)
Download Link in PDF:
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf
For more unique resources and tools for the cyber community, please visit:
https://cyberstartupobservatory.com/cyber-startup-observatory-community/
#CyberSecurity #InfoSec #InformationSecurity
📣 CyberSecOb
🔁 @malwr