vx-underground
"HoW CaN yOu bE aN eXpErT iF yoU rAn maLwaRe oN YouR PC???" It's very shrimple. 1. I'm comfortable admitting my mistakes publicly in front of hundreds of thousands of people. If I make a mistake, small or catastrophic, I will admit it. I feel comfortable…
439,000 people on X and 50,000 on Telegram, almost 500,000, whatever. Close enough.
Chat, we are cooking.
Previously on Dragon Ball Z, someone DM'd me a spoopy GitHub they found. They asked if it was malware. It was malware.
The GitHub contained HEAVILY obfuscated Lua. The malware payload is using Prometheus Obfuscator.
Upon review, it was determined this malware is SmartLoader. SmartLoader is a malware campaign heavily associated with Rhadamanthys Stealer and StealC Stealer.
SmartLoader is relatively new and is being tracked by AhnLab, Trend Micro, Hexastrike, McAfee, and the GitHub security team. It first emerged around March 2024.
SmartLoader is pretty sophisticated. It is multi-staged, uses Polygon Smart Contracts for C2 information retrieval, and despite being Lua, it also makes use of NTDLL to make low-level WINAPI function invocations. One interesting attribute is that it programmatically inflates or deflates its file size for pseudo-polymorphism. This is extremely cool.
I mention this, and the whole cookin' thing, because after I made a post complaining about the obfuscated Lua, a very, very, very gifted person in Lua obfuscation and de-obfuscation contacted me and successfully deobfuscated it. I don't know if they want credit or not, because they're so cool and badass, but they're extremely famous in the Roblox hacking scene.
Anyway, the de-obfuscation is so precise it borders on having the actual source code to SmartLoader. I am very happy. I will share it when I am not dealing with my baby.
I've almost reverse engineered the SmartLoader obfuscated code all the way down to a working source code
You can't hide behind Prometheus you little bitch
I'm sorry, SmartLoader malware campaign, I shouldn't have called you a little bitch. That is very rude of me.
I am just passionate and have spent some time working on it, so my emotions are high.
I love you.
My deepest condolences to my colleagues in Venezuela and those impacted by the recent earthquakes.
I wish I had more to offer other than words. I hope you're all doing well and I hope you're all safe.
> be SmartLoader
> big ass fuck off malware campaign
> tracked by dozens of anti malware companies
> heavily obfuscated lua
> bamboozles everyone
> me jimmies rustled
> team up with roblox cheater nerd
> reverse engineer it back to src
> (almost done)
https://gist.github.com/vxunderground/aaa6a88823afc83b4f8a73366694966d
Gist: SmartLoader de-obfuscated and cleaned up (almost done)
> get dm
> "hey smelly, i work for (kind of important place)"
> "vendor sent us weird file, its sus af"
> "what do u think?"
> download file
> look inside
> ultra mega fuck off malware
> pe position independent .code is set to RWX
> multiple extra sections
> extracts .bss segment
> .bss has .exe inside it
> .exe ASPack 2 compressed
> emulate
> has anti-vm features
> pulls .bat from c2 to self-delete
> still bonking
my brother in christ, if your company ran this .exe from this vendor, you better call someone ASAP because your company is COOKED. also, this vendor is either a criminal enterprise or compromised. gl big dawg. happy monday
Okay, I'm going to bed now.
Goodnight people on X
Goodnight people on Telegram
Goodnight FBI
Goodnight NSA
Goodnight CIA
Goodnight Israel spyware
Goodnight ads tracking me
Goodnight AI scrapers
Mwah kisses
xoxo
Oh, I forgot
Goodnight Chinese espionage campaigns residing in United States critical infrastructure believed to be aggregating and collecting intelligence on United States citizens
Mwah
> get dm
> "government ppl in Colombia getting weird file"
> lolwtf
> send link
> look inside
> phishing page (looks good tho tbh)
> image 1
> i dont speak spanish, idk wtf it says
> look inside .html
> .zip hidden inside it as base64
> lol ok
> bonk with stick
> "Oficio 2231" zip file
> idk what that means still
> look inside
> .zip has .js inside of it
> look inside
> big ass fuck off obfuscated bs trying to trick u
> image 2
> utf16 bullshit
> utf16 makes another file
> ???
> extract from tiny little fragments of js
> look inside
> .dll .net file
> wtf lol
> look inside
> heavily obfuscated .net malware
> image 3
> tiny .js fragments contain powershell script
> ???
tl;dr
.html does something that triggers .js which extracts .zip. the .js from .html executes the .js inside the .zip which reads the .ps script from the .js. the .ps then executes a c# .dll which is named taskscheduler (it's malware)
why would someone send government officials in Colombia this file wtf lol
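The chain in the tl;dr above (an HTML page carrying a base64 ZIP, the ZIP carrying a script, the script stored as UTF-16LE text) is the kind of thing a defender can triage statically before anything runs. The following is an added example, not code from the post or from any vendor mentioned on this page: it scans an HTML file for long base64 runs, decodes the ones that start with a known file signature, lists the members of any embedded ZIP, and flags members that are executable script types or UTF-16LE text. The sample HTML, the member name `attachment.js` and the marker string are constructed here for the demo.

```python
import base64
import io
import re
import zipfile

# Extensions Windows will execute directly via wscript/cscript/powershell/cmd.
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".bat", ".cmd")

# File signatures we look for once a base64 run has been decoded.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"MZ": "pe",
    b"%PDF": "pdf",
}

# A run of base64 alphabet characters long enough to be a file rather than a token.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def find_embedded_blobs(html: bytes):
    """Return (kind, decoded_bytes) for every base64 run that decodes to a known signature."""
    found = []
    for m in B64_RUN.finditer(html):
        try:
            data = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        for magic, kind in MAGIC.items():
            if data.startswith(magic):
                found.append((kind, data))
                break
    return found


def looks_utf16le(data: bytes) -> bool:
    """Heuristic: a BOM, or nearly every odd byte is NUL (ASCII text stored as UTF-16LE)."""
    if data.startswith(b"\xff\xfe"):
        return True
    if len(data) < 8:
        return False
    units = len(data) // 2
    nul_high_bytes = sum(1 for b in data[1::2] if b == 0)
    return nul_high_bytes / units > 0.9


def triage_html(html: bytes):
    """Walk the smuggling chain one level: HTML -> base64 blob -> ZIP members."""
    report = []
    for kind, data in find_embedded_blobs(html):
        entry = {"kind": kind, "size": len(data), "members": []}
        if kind == "zip":
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    content = zf.read(info)
                    member = {
                        "name": info.filename,
                        "size": len(content),
                        "script": info.filename.lower().endswith(SCRIPT_EXTS),
                        "utf16le": looks_utf16le(content),
                    }
                    if member["utf16le"]:
                        # Decode so an analyst reads the script, not NUL-padded bytes.
                        member["text"] = content.decode("utf-16-le", errors="replace")
                    entry["members"].append(member)
        report.append(entry)
    return report


# --- Constructed sample (not the file from the post) ---------------------------
# An HTML page that carries a ZIP as base64 inside a <script>; the ZIP holds a
# .js member saved as UTF-16LE text, mirroring the structure described above.
_INNER_JS = "var marker = 'constructed-sample-marker';".encode("utf-16-le")


def build_sample_html() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("attachment.js", _INNER_JS)
    blob = base64.b64encode(buf.getvalue())
    return (b"<html><body><p>Documento adjunto</p><script>var d='"
            + blob + b"';</script></body></html>")


if __name__ == "__main__":
    for entry in triage_html(build_sample_html()):
        print(f"embedded {entry['kind']} ({entry['size']} bytes)")
        for member in entry["members"]:
            flags = [k for k in ("script", "utf16le") if member[k]]
            print(f"  {member['name']}: {member['size']} bytes {flags}")
            if "text" in member:
                print("    " + member["text"])
```

The UTF-16LE check matters because a naive ASCII string scan over the inner script finds nothing: every character is padded with a NUL byte, so keyword-based rules and regexes written for ASCII silently miss it until the bytes are decoded.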
oh sorry
if you're a threat intel nerd, or anti malware nerd, who is designated to track potential state sponsored activity in south america
final payload: 5a979c309aff96456ba4482653fc213997387956c24e376645e4e0cfaa6b878a
obfuscated js payload (fragmented utf16le):
87eac5fa290387bd90d71424f8a65f2b2c7436a415f6e7f033915ef8e833ef86
file sent to colombia ppl i guess idk:
193b98595f44935e79413aeb474cd8d75e8d5ba63caf0d52470cadbeb8139c03
they're all on VT now
> get more dms
> more free malware
> yay
> "smelly someone says this cheat src code is malware"
> download
> look inside
> visual studio prebuild event builds vbs script
> vbs script decrypts .ps1 script
> downloads RAT
> contains link to a YT video
https://www.youtube.com/watch?v=akoxddx6lgc
I tried to do a write-up on X and share some de-obfuscated malware source code
I kept getting notifications on X saying something like, "sorry — something has gone wrong, don't fret", blah blah blah.
If I removed the malcode it worked
I THOUGHT THIS WAS AMERICA
THEYRE PREVENTING THE PEOPLE FROM GETTING MALWARE!!!!!!