vx-underground

19 Apr 2024 05:57

Malware review:

2024-03-26 - Malware Disguised as Installer from Korean Public Institution (Kimsuky Group)

- Masquerades as installer (0 points)
- Masqueraded installer is not functional (-1 points)
- Dropper is signed (+1 points)
- Drops src.rar (-1 points)
- Password protected with "1q2w3e4r" (-1 points)
- Execution begins with command "installer" (0 points)
- Copies to %USERPROFILE% (0 points)
- Payload masquerades as svchost.exe (0 points)
- Registers itself in Task Scheduler (0 points)
- Masquerades in Task Scheduler as "Windows Backups" (0 points)
- Developed in Go (+1 points)
- Recycled code from previous malware campaign (-1 points)
- Used same signed certificate from previous malware campaign (-1 points)
- Has generic RAT functionality (0 points)
- TA pushed Mimikatz to infected machine (-2 points)
- Mimikatz masqueraded as cache.exe (0 points)
- TA used free Ngrok domain for C2 (-1 points)

We give Kimsuky Group's recent APT campaign an F.

Unoriginal, generic code, some code dependent on external applications (Winrar) which may not be present on victim machines. Password is hardcoded in payload and easily identifiable. Recycled code and recycled certificate is poor design and lazy. Masqueraded installer not working is lazy. Pushing Mimikatz is also a poor decision, this tool is heavily flagged and is a big red flag.

vx-underground

19 Apr 2024 02:32

17 AVs flag the newly released Team Fortress 2 64bit client as malware 😭

SHA256: 83fb94ef1accdc0071ef6221f8e5acf870a1df31ff26e04a8d58116402793911

vx-underground

19 Apr 2024 01:54

Hello, how are you? We've updated the vx-underground malware collection. We've added 68,000 new malware samples.

Download the malware.

- Virussign.2024.04.09
- Virussign.2024.04.10
- Virussign.2024.04.11
- Virussign.2024.04.12
- Virussign.2024.04.13
- Virussign.2024.04.14
- Virussign.2024.04.15
- Virussign.2024.04.16
- Virussign.2024.04.17
- InTheWild.0118
- InTheWild.0119

Check it out here: https://vx-underground.org/Samples

vx-underground

18 Apr 2024 22:52

feege_ spotted a billboard advertisement on the i-95 in Philadelphia, near the Wells Fargo Center, that says:

"Hackers Suck"
"Protect your business. Cover your assets."

vx-underground

18 Apr 2024 22:41

13-year-old Marco Liberale has created a proof-of-concept PasteBin C2 botnet in Go. Is it fully cross platform working on Windows, Linux, and Mac.

We are very happy to see such a young person contributing to this research space.

Check it out here: https://github.com/marco-liberale/PasteBomb

vx-underground

18 Apr 2024 07:33

hacking is illegal and for nerds

vx-underground

17 Apr 2024 13:07

Today a group named 66slavs claimed to have breached the United States National Energy Research Scientific Computing Center (NERSC).

* We have not reviewed the data
* Yes, they watermarked a data breach

vx-underground

17 Apr 2024 00:45

"Does {book} cover everything I need to know about malware?"

No book ever released has covered 'everything' about malware. If you wanted a book to cover everything on malware it would weigh 500lbs (226kg) and be cartoonishly large.

vx-underground

16 Apr 2024 08:16

Awhile back we heard rumors of a Telegram RCE 0day. We brushed it off as silly memes. Turns out the 0day was 100% real and you're all probably pwned.

It was unveiled on XSS. Nerds celebrated

(joking about pwned part... kind of)

More information: https://www.bleepingcomputer.com/news/security/telegram-fixes-windows-app-zero-day-used-to-launch-python-scripts/

vx-underground

16 Apr 2024 02:14

We have a lot of malware samples and malware papers to add. Unfortunately, due to IRL responsibilities this will not happen immediately.

To compensate for this setback we have drawn a shitty picture in MS-PAINT which could illustrate what could have been added

vx-underground

15 Apr 2024 04:46

The show also features the head of the FBI Cyber Crime division, Bryan Vorndran, and ex NSA Cyber Security director Rob Joyce.

You can watch the video here: https://www.cbsnews.com/news/cybersecurity-investigators-worry-ransomware-attacks-may-worsen-as-young-hackers-in-us-work-with-russians-60-minutes-transcript/

vx-underground

15 Apr 2024 01:00

ok, 1 last schizo meme tech post (stolen from telegram) on the day of rest. sorry

vx-underground

13 Apr 2024 23:38

More information on the Cyb3rAv3ngers

https://twitter.com/aejleslie/status/1753461599715652021

vx-underground

13 Apr 2024 22:18

Here is your daily dose of LOLWTF

- Toyota Brazil ransomed by Hunters International ransomware group
- Department of Insurance, Securities and Banking ransomed by Lockbit ransomware group
- Probably like a dozen or so small businesses ransomed which are unable to afford cybersecurity software
- Hunters International ransomware group and RansomHub ransomware group are the flavor the week
- Lockbit administrative staff yelling at affiliates to not give more than a 50% discount
- Windows 11 will start showing 'recommendations' which look very similar to ads, they don't say they're ads though just recommendations that you can disable if you look hard enough in your settings
- Ubisoft revoking gamers abilities to play The Crew 1 because they shut down servers, nerds rage because digital purchases aren't real purchases anymore

See you space cowboy...

vx-underground

13 Apr 2024 03:01

> login to twitter
> check recommended news
> twitter recommends us to us

vx-underground

19 Apr 2024 04:30

Thank you, Hasherezade for producing these cool and badass hoodies.

PE-BEAR ATE MY MALWAREZ

vx-underground

19 Apr 2024 02:16

Nerds are reporting the new Team Fortress 2 64bit version is being flagged as malware from AV engines.

vx-underground

18 Apr 2024 22:54

tl;dr you're all going to prison forever (and ever)

vx-underground

18 Apr 2024 22:44

Half of the vx-underground roster were still not fully potty trained at 13, so we find this profoundly impressive.

vx-underground

18 Apr 2024 08:29

Yesterday Christopher Ahlberg, the CEO of RecordedFuture, shared information on an unidentified Threat Actor attempting to SMS phish employees at their organization

- This message was not sent to a Nikolas
- Who the hell is Nikolas

vx-underground

17 Apr 2024 17:49

babe wake up mandiant just released artwork for sandworm aka apt44 (officially)

vx-underground

17 Apr 2024 00:54

On the Windows platform there dozens of ways to achieve persistence, shellcode execution, process injection, – hundreds of different ways to abuse system components

There are tons of little caveats, niches, tweaks and tricks you can do that are often over looked

tl;dr big book

vx-underground

16 Apr 2024 08:22

Today we will give all of you a lesson on computer hardware. This comprehensive video will explain the different components of a computer and how it all comes together to make the magic of the world wide web

vx-underground

16 Apr 2024 08:13

The Breach forum .cx has been suspended – as is tradition.

The .onion is still live – as is tradition.

vx-underground

15 Apr 2024 05:35

Believe it or not, this is what a real network administrator looks like

vx-underground

15 Apr 2024 04:33

Today on CBS News 60 minutes – Cyber Threat Intelligence experts went on national television to discuss ransomware. Most interestingly, during the airing of the segment, researchers discuss "the Com".

They highlight "JackIdiot", "Star Chat", "Flawless" and "Fresh"

vx-underground

14 Apr 2024 22:50

Today is a day for rest.

Enjoy your Sunday.

vx-underground

13 Apr 2024 23:36

Yesterday the Cyb3rAv3ngers contacted us – a group tied to the Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC).

Based on the events unfolding right now this message is suddenly very ominous 👀

vx-underground

13 Apr 2024 05:53

Ubisoft has begun revoking the ability for people to play "The Crew" because they're shutting the servers down at the end of April.

The Crew has an offline single player option.

When people try to launch the game they're greeted with "You no longer have access to this game".

vx-underground

13 Apr 2024 01:17

Today we spoke with RansomHub ransomware group.

Their representative immediately wanted to dispel any rumors of them being a potential rebrand of ALPHV ransomware group – they assert they're victims of the ALPHV exit scam. They appear to be hyper-aware of these allegations, suggesting they're (probably) on social media and actively monitoring discussions regarding their group.

Additionally, they shared with us various documents which illustrate possession of sensitive data from the United Healthcare Group breach.

* We are unable to verify the authenticity of these documents. However, we do not question the validity of the documents shown. We believe the data to be real.

* There is currently no concrete evidence to suggest RansomHub is a rebrand of ALPHV. Currently accusations of them being a rebrand primarily revolve around the time of their initial launch and 'gut feelings'. To the best of our knowledge there is not any other publicly available information which proves beyond a reasonable doubt this is ALPHV.

* No RansomHub ransomware group payload has surfaced online. We do believe it exists. They are either undiscovered or labeled TLP:RED and are not shared publicly. Some reports suggest the payload is written in Go, but no IOCs were shared.

* RansomHub would not share a malware sample with us. RansomHub would not provide us with photos or access to their ransomware affiliate panel. RansomHub told us they're currently re-developing (?) their ransomware payload.