14367
The largest collection of malware source, samples, and papers on the internet. Password: infected Website: https://www.vx-underground.org/ vx-underground Telegram chatroom link: https://t.me/+njfLzUrqos01ZWNh
Lots of updates coming on Monday.
Also, people have begun receiving their giveaway swag. We still have more people to select, but giving away $1,000 worth of merch is actually kind of time consuming.
Anyway, someone said their cat now uses the shirt for naps
At the end of the day every alert looks like this to a SOC Analyst
Читать полностью…
Here is some code that was written about a year for a project for vx-underground. However, due to various reasons, the code is being publicly released.
tl;dr recursive loader, painful to reverse engineer
Explanation of code:
The following code is inspired by APT Linux/Kobalos. Kobalos was malware, suspected to be tied to the Chinese government, which was fully recursive. It was novel malware.
Following this inspiration, an x64 recursive loader was developed for Windows 10 and Windows 11. When compiled the binary has no entries in the IAT. The binary resolves all APIs via NTDLL. Additional libraries are loaded via LdrLoadDll.
The code recursively calls itself to execute functions. It determines which portion of code to execute using a flag (an enum). Each 'function' is encapsulated in a switch statement. All variables are recursively passed using the 'VARIABLE_TABLE' structure. The VARIABLE_TABLE also contains further nested structures for handling API function resolving, initializing COM objects and associated classes, and data structures for some 'switch functions' which may require additional variables for tasks.
To avoid the compiler optimizing code and introducing functions into the IAT, some STDIO functionality such as ZeroMemory have been re-written in more unorthodox methods.
HTTPS requests are handled by COM via the WinHttpRequest Object.
The code basically downloads a binary from vx-underground and executes it. Currently the code will not work because the executable hosted on vx-underground for the proof-of-concept is no longer there – although it was just a copy cmd.exe.
Code may have some bugs. It can be improved upon by introducing pseudo-polymorphism by 'scrambling' the order of switch statements and enum values on each build.
Code written by smelly
You can checkout Win32.RecursiveLoader.b here: https://pastebin.com/HSTS2zwL
Today the NCA UK was discussing Operation Cronos (the takedown of Lockbit ransomware group) at SLEUTHCON – and for a brief moment in time we were on TV.
The cherry on top was the VX-UWU design as the profile picture.
Today an unknown individual got access to Ring footage of the arrest of Conor Brian Fitzpatrick a/k/a Pompompurin.
We will not share the footage of the arrest because we believe it be unnecessarily invasive to the Fitzpatrick family. Although Pompompurin had plead guilty to the crime, and has been sentenced, we do not want to showcase his family members faces and identities.
What the footage shows:
The United States Federal Bureau of Investigation pretending to be a USPS Postal Worker, saying they have a package for Mr. Fitzpatrick.
Once Mr. Fitzpatrick steps outside the door, to sign for the phony USPS package, other FBI agents swarm him with weapons drawn, instructing him to place his hands behind his head.
Mr. Fitzpatrick remains calm, puts his hands behind his head and complies the entire time. A second person, presumably his Mother, exits the home and speaks with the FBI agents. They ask if anyone else is inside the home. She tells them no one else is currently home.
The entire incident was remarkably calm. Mr. Fitzpatrick complied, there was no physical altercation ...or even swearing. The woman (again, presumably his Mother) was also very polite and complied fully. The FBI agents also seemed calm and apologized to the woman for the event that is taking place.
Pompompurin was wearing sweat pants and for a brief second his butt crack is on camera. It wasn't a very eventful raid. ¯\_(ツ)_/¯
Updates to vx-underground
Samples:
- VirusSign.2024.05.15
- VirusSign.2024.05.16
- VirusSign.2024.05.17
- VirusSign.2024.05.18
- VirusSign.2024.05.19
- VirusSign.2024.05.20
- VirusSign.2024.05.21
- VirusSign.2024.05.22
Torrents:
- vxunderground.HD.APTs.WEBRip.torrent
Papers:
- 2024-04-29 - Zloader Learns Old Tricks
- 2024-04-30 - Latrodectus [IceNova] – Technical Analysis of the New IcedID
- 2024-05-01 - Router Roulette - Cybercriminals and Nation-States Sharing Compromised Networks
- 2024-04-30 - Pouring Acid Rain
- 2024-05-05 - Latrodectus "LittleHw"
- 2024-04-17 - Redline Stealer - A Novel Approach
- 2022-04-21 - Criminals provide Ginzo stealer for free, now it is gaining traction
We received our first dick pic today. We don't really have anything else to say – but we felt like sharing that.
Читать полностью…
Thanks to our friends TorGuard and the degenerates from the DEFCON Data Duplication Village (ly7ine) we now allow individuals to torrent vx-underground
Note: Not all torrents are available yet
You can download the torrents here:
https://vx-underground.org/Torrents
We're partnering up with our sponsor TorGuard to offer a torrent (and if you're cool you'll seed) for vx-underground. You can stop sending us e-mails, messages, DMs, and smoke signals.
More information coming soon.
If you go to DEFCON this year you can visit the Data Duplication Village and clone yourself a copy of vx-underground. All it requires is an 8TB drive
Additionally, as a DEFCON exclusive, the drive will contain something secret
And no, we won't be at DEFCON. We don't go outside
Shoutout to the random person who tried to social engineer our staff into getting a free 5 year anniversary shirt. They were convinced this person was a giveaway winner and contacted other staff for verification.
B+ social engineering attempt. Almost got 'em
wElL aPpLE doES iT
Apple shouldn't do it either — but we didn't know Apple did this because we don't use Apple products and we don't focus on Apple products in the cyber security ecosystem.
No one should be doing this. We don't care if it's for AI, we don't care if it's only local, we don't care if it can be enabled or disabled.
Most consumers won't understand what the hell this is, and most consumers won't know how to turn it off.
We're also terrified of the ramifications of this in enterprise environments. It is wildly invasive, and in environments where end users don't have control over what is enabled and disabled, this is yet another potential attack vector for information stealers or ransomware.
Last week we became acquainted with a server administrator for a 'body mutilation' site.
He assisted a group of individuals with hosting, and maintaining, a site where people were mutilating, severing, smashing, and cannibalizing male genitals. Access to videos required paying money – it was essentially a pay-per-view for watching male individuals be maimed, some were even teenage boys.
The individuals he assisted have since been arrested and sentenced to prison. He was not arrested because despite providing hosting and assistance with the site, he did not actively maim anyone.
We are hoping to interview him and get his perspective on things. No idea if he'll agree to an interview, but it's exciting.
Tomorrow our Chief Executive Nerd (DuchyRE) and his faithful side kick (Monster Energy Drink) will be assigned to the case. Additionally, we have enlisted the help of Breach forum nerds who are exceptionally skilled at scraping. If anyone get the comments, these nerds can
Читать полностью…
Okay, we get it. We've received enough emails. We PROMISE we will enable comments this week. You can stop emailing us now.
Читать полностью…
No idea what this even means, we really liked this kitty and just tried to make something work
Читать полностью…
Thank you, Ares, for supporting us by purchasing merchandise.
(we didn't understand the video because we don't speak Ukrainian)
Hello, how are you?
1. Our shipment of harddrives is on the way. We are expecting them sometime next week. Once they are received the cloning process will begin.
2. Bradley is OOO (like a loser), so giveaway winners and selections are briefly delayed
3. I love you
Per request, we will agree to share an image of the butt crack.
Читать полностью…
"O Lord Jesus Christ, our God, who hast commanded us to love one another and to bear each other's burdens, we humbly beseech Thee to protect us from all harm and danger.
Send Thy holy angels to guard and keep us in peace and safety. Preserve us from every evil assault and from those who would seek to do us harm. Grant us the strength and wisdom to trust in Thy divine providence and to remain steadfast in our faith.
For Thou art our God, and we glorify Thee, together with Thy Father, who is from everlasting, and Thine all-holy, good, and life-creating Spirit, now and ever, and unto ages of ages. Amen."
– Russian Orthodox Priest doing a Prayer of Protection for Russian ransomware operator exfil servers, 2024
Good morning, afternoon, or night.
We've given away roughly $500 worth of merch for the 5 year giveaway. Dozens of people have been contacted. The giveaway is still ongoing due to the volume of people who entered.
tl;dr denial-of-service via nerd overflow
A young man, presumably from the COM scene, is beginning to gain traction on Twitter for his calm and collected thoughts. A modern day philosopher
tl;dr some kid with a gun (airsoft, maybe?), talking about beaming people (?), and saying 'fuck da opps' and some Chicago gang stuff despite being .... 11? 12? maybe 13?
https://x.com/sgtmuffon/status/1793319240641950068
Today EA sent out an alert to consumers that they're experiencing technical issues which results in the removal of games from purchasers digital library.
Photos have been grabbed from random tweets. There is thousands of photos flooding in.
We 'randomly' selected the FBI to receive free vx-underground swag. They ignored us and left us on read.
Got ego'd by the FBI 😭😭😭😭
Hello,
Yes we know we still haven't enabled comments. You nerds literally remind us every single day. We promise we'll do it. Give us time, we're busy.
Microsoft May 3rd, 2024: We must prioritize security above all else
Microsoft May 19th, 2024:
tl;dr Microsoft introduces 24/7 surveillance functionality for the NSA and/or CIA but markets it as a feature that you'll like
https://x.com/tsarnick/status/1792680674060832829
We are still having problems with our vx-underground 5 year Twitter giveaway. We have tried a few different methods. Currently we are only able to view approx. 800+- comments.
Читать полностью…
We are experiencing some technical difficulties with our giveaway. Twitter is having a difficult time loading all of the comments people left. We are only able to see approx. 300 replies out of 2,500+
If you have any suggestions please let us know.
Thanks,