Some people want us to start saying 'hackers' instead of Threat Actors. We'll say hackers again when people stop calling toothpaste saving tips 'pro hacks' or 'life hacks'.
It's not 1996 anymore, sorry.
"oTheR cOmpAnieS haVe MorE mAlwArE thAn yOu"
Ted Talk time.
First of all, we're not a company. We're just a bunch of internet nerds wildin' out on a computer.
Secondly, right now vx-underground ingests roughly 120,000 malware samples a month with a budget of a slice of pizza and some weird lookin' lint we found in our pocket.
The reality of the situation is large organizations ingest absurd quantities of malware. Antivirus vendors, (some) Threat Intelligence vendors, and Endpoint Security vendors ingest terabytes of malware a day.
We are aware of some organizations which ingest 500,000 - 1,000,000 malware samples a day. Whereas some AV vendors reportedly ingest over 5,000,000 malware samples a day. These organizations dwarf us.
Part of the reason why is simple: intelligence. Vendors are ingesting malware in large quantities, through various means such as honeypots, sharing between organizations (private exchanges), submissions from VirusTotal, and malware captured from user endpoints.
They use this data to track and monitor malware campaigns, C2 addresses (IPs or domains), look for modification of code bases, and look for any missteps and leaking of PII. They then distribute this data and update security rules, update known-good and known-bad SHA256 collections, and often work with law enforcement agencies to take down Threat Groups. This is work that happens every day, around the clock, 24/7, and these organizations work hard monitoring malware nerds.
Our purpose of collecting malware is historical in nature – people can download the malware, reverse the malware, and study the malware. Our malware is often hand-me-downs (metaphorically speaking) from larger organizations and is rarely cutting edge. It would be difficult to identify a new Threat Group from our malware collection. The advantage of our collection is it is often difficult for people to even get hand-me-down malware without begging someone (or some organization) OR the malware samples are scattered all over the place. Our collection is in 1 singular location making it easier to get the cool stuff nerds wanna study.
Thanks for coming to our Ted Talk.
When the Security Team catches a Threat Actor actively trying to compromise a machine
> wake up
> check news
> yet another ransomware group (brain cipher)
> polyfill supply chain attack infecting 100k websites
> more ransomware attacks
> people mad google is stopping cia / nsa operations
> cdk global ransomware drama continues
> more malware being malware
In the past 30 days vx-underground has had 59,000 unique visitors, served 5,590,000 requests, and delivered 408TB of malware.
It cost you $0 because we have cool sponsors and cool monthly supporters.
Today Lockbit ransomware group's 'timer' on the 'Federal Reserve' hit zero. They did not ransom the Federal Reserve as we expected – they ransomed Evolve Bank & Trust.
We also assume the data is not critical because the facility is still operational.
Today BianLian ransomware group claimed to have ransomed the Better Business Bureau
🧐🧐🧐🧐🧐
No major updates, news, or memes. Right now we're very busy (that's a lie, we're just being lazy)
Facebook is flooded with actual garbage AI bait posts. We don't understand how these images are so popular (and believed to be real)
If you like embedded security, ICS security, automotive security, etc. you can go to RST CON
RST CON is being held this year in Savannah, Georgia, USA September 13th - September 15th
Get 10% off tickets with code vxunderground
*we're not getting paid for this, just a discount
Unless Lockbit ransomware group ransomed something small in the Federal Reserve, like maybe Lockbit took down their coffee machine and they can't watch anime or something (we don't know what the staff at the Federal Reserve actually do)
> write malware
> compile binary
> need to think of sneaky name
> svchost.exe (never been done before)
> (thats a lie, everyone does that)
> tfw av vendors find the svchost.exe
Families that commit state-sponsored-cyber-espionage stay together ❤️
Father: Tim Vakhaevich Stigal, wanted by the United States Secret Service
Son: Amin Timovich Stigal, wanted by the United States Federal Bureau of Investigation
tl;dr exploring executing vbscript and jscript in-memory from a binary in c++. modexp did a c project on it, explored possibilities of it. worked with vbscript, imploded on jscript with hresult 0x80020101
got annoyed
here's the vbscript code that works: https://pastebin.com/raw/dW3w97Bx
When we find the guy who did the documentation for IActiveScript and IActiveScriptParse64 on MSDN
As reference: we expressed extreme skepticism with Lockbit ransomware group's claims. We suspected the affiliate (who probably doesn't know English) saw a document that said "United States Federal Reserve" and thought it was that.
https://x.com/vxunderground/status/1805214817625530613
Never call Bradley – 'Brad'. Might as well spit in his face. -1/10 social engineering attempt.
> check tg
> check dms
> get message from someone saying theyre owner of vx-underground (wtf thats me)
> me tells me im the new ceo (wtf)
> me tells me to check my email
Weird social engineering attempt
June 11th a Microsoft engineer accidentally leaked 4GB of Microsoft PlayReady internal code. It was leaked on the Microsoft Developer Community. The leak includes:
- WarBird configurations
- WarBird libraries for code obfuscation functionality
- Libraries with symbolic information related to PlayReady
Researchers from AG Security Research Lab were able to successfully build the Windows PlayReady dll library from the leaked code. Interestingly, they were assisted because on the Microsoft Developer Community forum a user also provided step-by-step instructions on how to begin the build process.
Also, interestingly, the Microsoft Symbol Server doesn't block requests for PDB files corresponding to Microsoft WarBird libraries, which inadvertently leaks more information.
Adam Gowdiak of AG Security Research Lab reported the issue and Microsoft removed the forum post. However, as of this writing, the download link is still active.
File listing is below. Forum screenshots are attached. All information discovered by AG Security Research Lab.
File listing: https://pastebin.com/raw/i65qfd2z
Apologies – was testing something on Telegram. I'm sorry if that sent out a broadcast message.
Today, Julian Assange made a plea deal with the US government. Assange will plead guilty to a felony charge for his role in a major breach of classified material, receiving a 62-month sentence already served, allowing him to return to Australia. Note: The plea deal must be approved by a federal judge.
You can now have ARM and x64 in the same process. Thank you, Microsoft. You continue to introduce new ways for us to explore malware capabilities.
https://learn.microsoft.com/en-us/windows/arm/arm64ec
Yesterday Lockbit ransomware group claimed to have ransomed the United States Federal Reserve.
1. Doubt
2. If Lockbit ransomware group actually ransomed the United States Federal Reserve it would be DEFCON 2 and the administrators would need to worry about a drone strike
CDK Global outage officially attributed to BlackSuit ransomware group.
That's interesting.
More information: https://www.bleepingcomputer.com/news/security/cdk-global-outage-caused-by-blacksuit-ransomware-attack/