vx-underground

23 Apr 2024 19:28

Learning about malware development, reverse engineering, detection, etc. is an entire career field. It is not something you can watch a few YouTube videos on and be set.

Either do it, or don't. The choice is yours.

vx-underground

23 Apr 2024 06:51

Sometimes we think about those "recommended cyber security profiles to follow" posts. We've seen dozens of people recommending others to follow us.

We wonder how disappointed they are when they see Chicken Adventure 2 Mods or Boston Dynamic robots holding severed hands. 😭😭

vx-underground

23 Apr 2024 04:48

Hello.

We've sold 8 vx-underground harddrives. Please buy the remaining 12 because we have way too much packing material.

This isn't a joke.

Thank you,

vx-underground

22 Apr 2024 06:14

POV: The FBI raids you and finds you relaxing on the bed

vx-underground

22 Apr 2024 04:51

Very cool. Version 10 👍

vx-underground

22 Apr 2024 04:03

Hello, how are you?

Today is the day of rest. We hope everyone had a lovely Sunday. If it is not Sunday for you currently, get back to work >:(

Have a nice day, or night, or morning

vx-underground

21 Apr 2024 14:03

You're all degenerates and CANNOT be trusted

https://github.com/NationalSecurityAgency/ghidra/assets/118324883/b8209e95-1bb7-4c1c-875b-8cceed44c3a1

vx-underground

21 Apr 2024 02:04

We are approaching 300,000 followers on Twitter.

This is an astronomically large number that we never expected to reach.

Some thoughts and feelings:

When vx-underground was first created in May, 2019 the initial goal was to 'revive the VX-scene' – with the hopes that with content being added and archived we could act as an accelerant of malware related education. We really wanted to see a lot of people into malware development (because it's fun!).

Initially we celebrated 100 followers, we celebrated 1,000 followers, we celebrated 10,000 followers. We never imagined so many people, from all across the planet, would care about our website, our shitposts, and the things we discuss. It's a surreal experience because all of this was a happy accident and we still have no idea what the hell is going on. Each day is something different and we just kind of go with the flow. ¯\_(ツ)_/¯

Just a few years ago malware development seemed taboo. We had many 'influential' people call us criminals, said we fueled or actively aided criminals. Now nearly 5 years later those same 'influencers' are polite to us and seem to forget the negative things they said about us.

Anyway, there is a lot that could be said, but thank you everyone for the love and support. Thank you to everyone who donates, sponsors us, gifts us things, and sends messages of support. On our side of the fence all we see is a big number of followers – we don't see the real world impact our website has created.

We are sometimes told stories that our website has helped them with their career, helped them improve their knowledge set, or aided their organization in some way. We didn't know this and we're still always amazed by this because on our side of the keyboard we're just kind of vibing out and doing what we think is cool.

We turn 5 years old soon. At our current pace we may hit 300,000 followers soon. Things we never expected. Thank you again for everything. It's been a crazy ride.

Cheers to (almost) 5 years of vx-underground and the many years to come.

vx-underground

20 Apr 2024 19:36

C programmers having a complete personality change the second they see someone mention Rust or Go (it's going to be a 4 hour long debate)

vx-underground

20 Apr 2024 09:35

https://netflix.com/healthcheck

vx-underground

20 Apr 2024 05:06

Today we decided to check in with Lockbit ransomware group. The Lockbit ransomware group administrative staff informed us that they're actively working on several new projects – most notably they have developed a new ransomware payload which targets Nutanix

vx-underground

20 Apr 2024 04:25

We give APT29's recent APT campaign an B+.

APT29 WINELOADER is modular, multi-staged, practices OPSEC by using multiple compromised websites, has custom built HTTP data blobs. It uses a LOLBIN like technique for persistence and uses a previously undocumented DLL Side Load vulnerability to execute payloads. Random DLL injection is a plus. The encryption and decryption of data is also an interesting plus as it improves its stealth factors and making it more difficult to reverse engineer. The precision of targets and masquerading of an wine tasting event is also interesting – demonstrating research of targets prior to attack. This same attack was later used against German politicians as well.

vx-underground

20 Apr 2024 02:00

We are happy to announce we are pregnant, not pregnant, and segfaulting (chemically)

vx-underground

19 Apr 2024 18:48

Note: some binaries were already compiled from the previous leak*

vx-underground

19 Apr 2024 17:21

Someone made us this

vx-underground

23 Apr 2024 19:25

"How can I learn more about malware?"

Our entire website is malware literature. Browse until something seems interesting and read it. If you don't understand it, search online until it makes sense or read a different paper.

There is no easy route. Stop looking for shortcuts.

vx-underground

23 Apr 2024 06:37

There is heavy overlap with malware developers and video game cheat developers. When you follow this family tree you end up with the malware developers distant cousin – the video game modder.

Anytime we visit our "distant cousins" we find the strangest things.

vx-underground

22 Apr 2024 22:16

Malware writing doesn't require programming experience. Just run this random .exe and it'll make any virus you want and it'll be 100% undetected

vx-underground

22 Apr 2024 05:51

Someone used AI to make Lockbit ransomware groups statement regarding the FBI takedown ... into an anime-like EDM ... ?

You're all degenerates 😂😂😂

What happened.

On February 19, 2024 penetration testing of two of my servers took place, at 06:39 UTC I found an error on the site 502 Bad Gateway, restarted nginx - nothing changed, restarted mysql - nothing changed, restarted PHP - the site worked. I didn't pay much attention to it, because for 5 years of swimming in money I became very lazy, and continued to ride on a yacht with titsy girls. At 20:47 I found that the site gives a new error 404 Not Found nginx, tried to enter the server through SSH and could not, the password did not fit, as it turned out later all the information on the disks was erased.

Due to my personal negligence and irresponsibility I relaxed and did not update PHP in time, the servers had PHP 8.1.2 version installed, which was successfully penetration tested most likely by this CVE https://www.cvedetails.com/cve/CVE-2023-3824/ , as a result of which access was gained to the two main servers where this version of PHP was installed.  I realize that it may not have been this CVE, but something else like 0day for PHP, but I can't be 100% sure, because the version installed on my servers was already known to have a known vulnerability, so this is most likely how the victims' admin and chat panel servers and

vx-underground

22 Apr 2024 04:50

asdasd13asbz discovered Kimsuky (state-sponsored North Korean hackers) mailspam tool.

We've added it to vx-underground. It is named after it's SHA256 hash: bb9c0396a61fa16d8c482a4a17e520fae908aa826e54243da6473494fa5f2305

You can download it here: https://vx-underground.org/tmp

vx-underground

21 Apr 2024 14:04

Can't believe you nerds would add this to the NSA's GitHub repo 😡😡😡

vx-underground

21 Apr 2024 02:54

No, we don't get ad revenue from the shitty fuckin' ads Telegram displays on our channel.

vx-underground

20 Apr 2024 23:15

A visual explanation of how malware masquerading works.

In the attached image what you see appears to be corn, but it's actually a cat.

Similarly in malware masquerading, you see a legit binary, but it's actually malware (sometimes a cat)

vx-underground

20 Apr 2024 19:25

Steam users: "Kernel mode anti-cheats are spyware!"

The entire anti-virus industry:

vx-underground

20 Apr 2024 05:08

We asked for a sample of the new payload. The Lockbit representative subsequently told us: "Ask the FBI for the payload"

>:(

We asked for more information on the Nutanix locker. They told us: "TLP:RED, sorry"

>:(

vx-underground

20 Apr 2024 05:00

The Microsoft Fabric community (?) forum is old and allows unchecked HTML on posts.

- Link attached, don't click the silly button
- Thanks to rari_teh for sharing this with us

Behold:
https://ideas.fabric.microsoft.com/ideas/idea/?ideaid=908a0c5d-95fe-ee11-a73c-000d3ae45d44

vx-underground

20 Apr 2024 04:25

Malware review:

2024-02-27- European diplomats targeted by SPIKEDWIRE with WINELOADER

Notes:
*Zscaler on release of this article did not attribute it to any state-sponsored Threat Actor
*Mandiant later attributed this payload to APT29 March, 22nd 2024 in an article titled: "APT29 Uses WINELOADER to Target German Political Parties"

- Targets specific European diplomats via malicious PDF (0 points)
- Targets carefully enumerated, low volume of malicious PDFs sent (+1 points)
- Malicious PDF masquerading as letter from Ambassador of India for wine tasting event (0 points)
- PDF requires registration to event, links to compromised website (+1 points)
- 'Invitation site' requires guest to download .zip file (-1 point)
- .zip file contains wine.hta which masquerades as invitation event details (0 points)
- .hta file contains malicious javascript, obfuscated with opensource tool (-1 points)
- .hta downloads BASE64 encoded .txt from compromised website (0 points)
- .hta uses certutils.exe to BASE64 decode .txt file (+1 point)
- BASE64 decoded text file transfroms into .zip file, extracted to C:\Windows\Tasks (+1 points)
- .zip extracts sqlwrite.exe and vcruntime140.dll (+1 points)
- APT29 uses DLL sideloading vulnerability (unknown at the time) on sqlwrite.exe to load fake vcruntime140.dll (+2 points)
- Side loaded DLL function se_se_translator pulls RSA encrypted .exe out of DLL (+1 point)
- Side loaded DLL encrypts and decrypts .exe when no longer in use (+2 points)
- .exe has different modules (plugins) for different task (+2 points)
- Modules use DLL Hollowing to inject into randomly selected DLLs (+1 point)
- Each module is downloaded individually from remote C2 (compromised websites) (+2 points)
- Connecting to C2 uses GET HTTP. Sent data is custom made data blobs containing information on modules and commands sent and received (+2 points)
- Persistent achieved by Microsoft signed sqlwriter.exe DLL side loading from Windows Task Scheduler (0 points)
- Memory is zero filled when not used (+1 points)

vx-underground

19 Apr 2024 22:59

MITRE was compromised

Shout out Charles Clancy for full disclosure and his transparency.

vx-underground

19 Apr 2024 18:47

Following the return of HelloKitty ransomware group (now HelloGookie), the individuals behind HelloKitty ransomware group released more files from CD Projekt Red – the game studio behind The Witcher and Cyberpunk 2077.

Using the leaks nerds have compiled The Witcher III

vx-underground

19 Apr 2024 17:15

Researcher crocodylii found Hunters International ransomware group left their Tor domain publicly indexable 😭😭😭😭