14367
The largest collection of malware source, samples, and papers on the internet. Password: infected Website: https://www.vx-underground.org/ vx-underground Telegram chatroom link: https://t.me/+njfLzUrqos01ZWNh
We caused some confusion about our RansomHub interview post because it was worded similarly to our Lockbit ransomware interview post.
It's a new interview – nothing is being cancelled. We'll mentioned it again later on so we don't confuse people.
Lockbit ransomware group administrative staff agreed to go onto a livestream with us (us screensharing a Tox screen) and doing a live Q&A and allow the audience to ask questions.
Questions would be filtered, but maybe it'll be fun.
¯\_(ツ)_/¯
It appears security researchers, not just sim swappers and fraudsters, follow us on Telegram. It's truly a Christmas miracle
(we don't know who did this talk or what it's about)
> yesterday ltt posts about vxug hdd
> cool_beans.jpeg.exe
> go sleep
> wake up
> check emails
> dozens of inquiries on the vxug hdd
> ???
tl;dr video with 1,000,000+ views gets lots of attention
Today Linus Tech Tips released a video about the vx-underground harddrive and our collection.
First, thank you for using an image of a shadowy person with odors radiating off of them to describe smelly. 11/10.
Secondly, Linus and his group did an EXCELLENT job discussing the harddrive and the collection. We believe they accurately describe it, its use case, and the basic reasoning why this entire collection exists.
Some portions of the video are very watered down – but this high-level beginner perspective is perfect for people who are unfamiliar with malware. Additionally, in some places the nomenclature is wrong, but the general idea and principles are still 100% correct.
We also enjoy the enthusiasm Mr. Linus shows with the malware, he reminds us of our first time experimenting with a malware builder.
The end review saying we're the darker side of grey is a little disheartening, but ¯\_(ツ)_/¯
https://www.youtube.com/watch?v=7inhRWxQMFk
Large update to vx-underground:
Samples:
- VirusSign.2024.06.20
- VirusSign.2024.06.21
- VirusSign.2024.06.22
- VirusSign.2024.06.23
- VirusSign.2024.06.24
- VirusSign.2024.06.25
- VirusSign.2024.06.26
- VirusSign.2024.06.27
- VirusSign.2024.06.28
- InTheWild.0127
Papers:
- 2015-01-22 - Malvertising Leading To Flash Zero Day Via Angler Exploit Kit
- 2018-10-22 - Chalubo botnet wants to DDoS from your server or IoT device
- 2022-07-18 - Trident Ursa
- 2023-06-10 - IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
- 2023-06-13 - VMware ESXi Zero-Day Used by Chinese Espionage Actor to Perform Privileged Guest Operations on Compromised Hypervisors
- 2024-01-06 - Understanding Internals of SmokeLoader
- 2024-01-19 - Chinese Espionage Group UNC3886 Found Exploiting CVE-2023-34048 Since Late 2021
- 2024-04-09 - BlueShell: Four Years On, Still A Formidable Threat
- 2024-04-09 - Unpacking the Blackjack Group's Fuxnet Malware
- 2024-04-24 - Analysis of Ongoing FROZENSHADOW Attack Campaign Leveraging SSLoad Malware and RMM Software for Domain Takeover
- 2024-05-06 - HijackLoader Updates
- 2024-05-08 - From OSINT to Disk: Wave Stealer Analysis
- 2024-05-13 - Wavestealer Spotted In The Wild
- 2024-05-23 - Tracking APT SideWinder With DNS Records
- 2024-05-26 - QakBOT v5 Deep Malware Analysis
- 2024-05-28 - BlackSuit Attack Analysis
- 2024-05-30 - The Pumpkin Eclipse
- 2024-06-04 - Muhstik Malware Targets Message Queuing Services Applications
- 2024-06-05 - DarkGate switches up its tactics with new payload, email templates
- 2024-06-05 - ExMatter malware levels up: S-RM observes new variant with simultaneous remote code execution and data targeting
- 2024-06-06 - DarkGate: Make AutoIt Great Again
- 2024-06-06 - EMBERSim: A Large-Scale Databank for Boosting Similarity Search in Malware Analysis
More ransomware, more arrests, more breaches, more malware – same ol' same ol'
Читать полностью…
Some people want us to start saying 'hackers' instead of Threat Actors. We'll say hackers again when people stop calling toothpaste saving tips 'pro hacks' or 'life hacks'.
It's not 1996 anymore, sorry.
"oTheR cOmpAnieS haVe MorE mAlwArE thAn yOu"
Ted Talk time.
First of all, we're not a company. We're just a bunch of internet nerds wildin' out on a computer.
Secondly, right now vx-underground ingests roughly 120,000 malware samples a month with a budget of a slice of pizza and some weird lookin' lint we found in our pocket.
The reality of the situation is large organizations ingest absurd quantities of malware. Antivirus vendors, (some) Threat Intelligence vendors, and Endpoint Security vendors ingest terabytes of malware a day.
We are aware of some organizations which ingest 500,000 - 1,000,000 malware samples a day. Whereas some AV vendors reportedly ingest over 5,000,000 malware samples a day. These organizations dwarf us.
Part of the reason why is simple: intelligence. Vendors are ingesting malware in large quantities, through various means such as honeypots, sharing between organizations (private exchanges), submissions from VirusTotal, and malware captured from user endpoints.
They use this data to track and monitor malware campaigns, C2 addresses (IPs or domains), look for modification of code bases, and look for any missteps and leaking of PII. They then distribute this data and update security rules, update known-good and known-bad SHA256 collections, and often work with law enforcements agencies to takedown Threat Groups. This is work that happens everyday, around the clock, 24/7 and these organizations work hard monitoring malware nerds.
Our purpose of collecting malware is historical in nature – people can download the malware, reverse the malware, and study the malware. Our malware is often hammy downs (metaphorically speaking) from larger organizations and is rarely cutting edge. It would be difficult to identify a new Threat Group from our malware collection. The advantage of our collection is it is often difficult for people to even get hammy down malware without begging someone (or some organization) OR the malware samples are scattered all over the place. Our collection is in 1 singular location making it easier to get the cool stuff nerds wanna study.
Thanks for coming to our Ted Talk.
When the Security Team catches a Threat Actor actively trying to compromise a machine
Читать полностью…
> wake up
> check news
> yet another ransomware group (brain cipher)
> polyfill supply chain attack infecting 100k websites
> more ransomware attacks
> people mad google is stopping cia / nsa operations
> cdk global ransomware drama continues
> more malware being malware
In the past 30 days vx-underground has had 59,000 unique visitors, served 5,590,000 requests, and delivered 408TB of malware.
It cost you $0 because we have cool sponsors and cool monthly supporters.
Today Lockbit ransomware groups 'timer' on the 'Federal Reserve' hit zero. They did not ransom the Federal Reserve as we expected – they ransomed Evolve Bank & Trust.
We also assume the data is not critical because the facility is still operational.
Yes, we're aware of the OpenSSH exploit – "regreSSHion".
Everyone and their grandmother is discussing it, it'd be difficult to miss it. We didn't have anything meaningful to contribute to the conversation, so we didn't mention it.
tl;dr exploit bad, its monday, nerd stuff
Updates to vx-underground:
- 2024-06-10 - Technical Analysis of the Latest Variant of ValleyRAT
- 2024-06-11 - A Brief History of SmokeLoader, Part 1
- 2024-06-12 - Dipping into Danger: The WARMCOOKIE backdoor
- 2024-06-12 - New backdoor BadSpace delivered by high-ranking infected websites
- 2024-06-12 - Nova Stealer, le malware made in France
- 2024-06-12 - Ransomware Attackers May Have Used Privilege Escalation Vulnerability as Zero-day
- 2024-06-13 - DISGOMOJI Malware Used to Target Indian Government
- 2024-06-13 - Inside LATRODECTUS: A Dive into Malware Tactics and Mitigation
- 2024-06-15 - Malware Analysis: FormBook
- 2024-06-17 - From Clipboard to Compromise: A PowerShell Self-Pwn
- 2024-06-17 - Latrodectus, are you coming back?
- 2024-06-17 - Malvertising Campaign Leads to Execution of Oyster Backdoor
- 2024-06-18 - Cloaked and Covert: Uncovering UNC3886 Espionage Operations
- 2024-06-19 - LevelBlue Labs Discovers Highly Evasive, New Loader Targeting Chinese Organizations
- 2024-06-19 - New North Korean based backdoor packs a punch
- 2024-06-19 - Spectre (SPC) v9 Campaigns and Updates
- 2024-06-20 - Caught in the Act: Uncovering SpyNote in Unexpected Places
- 2024-06-20 - Medusa Reborn: A New Compact Variant Discovered
- 2024-06-21 - GrimResource: Microsoft Management Console for initial access and evasion
- 2024-06-24 - Gootloader’s New Hideout Revealed: The Malware Hunt in WordPress’ Shadows
- 2024-06-24 - Latrodectus Affiliate Resumes Operations Using Brute Ratel C4 Post Operation Endgame
- 2024-06-25 - From Dormant to Dangerous: P2Pinfect Evolves to Deploy New Ransomware and Cryptominer
- 2024-06-25 - How to detect the modular RAT CSHARP-STREAMER
"i'm a noob, whats the best language to start maldev?"
Buy a dartboard, put stickie notes on it, write programming languages on them, cover your eyes, spin around 10 times, then throw the dart.
Whatever it lands on, learn that language and get good. If you miss, give up.
Every week nerds ask us "do you know {ransomware_groups} onion?".
Every ransomware group's domains are archived, past and present, as well as their post history by Josh Highet on his website ransomwatch telemetry.
Now stop asking us >:(
Link: https://ransomwatch.telemetry.ltd/
Nerds are reporting Lockbit ransomware group's blog now requires a blog access key to visit it.
The blog access key: NDWZ3NXU66EWUFBMJWQOC2FXIIHFZFKZRULHBGAYFYX4HEIDRF5Q
Have a nice day
Today an unknown individual shared a photo of their new pillow. It is the official Alexandria Sheriff's Office mugshot of ex-Breached administrator Pompompurin
tl;dr don't do crime or you'll end up on a pillow
TeamViewer disclosed a security breach today**
https://www.teamviewer.com/en/resources/trust-center/statement/
> write malware
> compile binary
> need to think of sneaky name
> svchost.exe (never been done before)
> (thats a lie, everyone does that)
> tfw av vendors find the svchost.exe
Families that commit state-sponsored-cyber-espionage stay together ❤️
Father: Tim Vakhaevich Stigal, wanted by the United States Secret Service
Son: Amin Timovich Stigal, wanted by the United States Federal Bureau of Investigation
tl;dr exploring executing vbscript and jscript in-memory from a binary in c++. modexp did a c project on it, explored possibilities of it. worked with vbscript, imploded on jscript with hresult 0x80020101
got annoyed
heres the vbscript code that works: https://pastebin.com/raw/dW3w97Bx
When we find the guy who did the documentation for IActiveScript and IActiveScriptParse64 on MSDN
Читать полностью…
As reference: we expressed extremely skepticism with Lockbit ransomware groups claims. We suspected the affiliate (who probably doesn't know English) saw a document that said "United States Federal Reserve" and thought it was that.
https://x.com/vxunderground/status/1805214817625530613
Never call Bradley – 'Brad'. Might as well spit in his face. -1/10 social engineering attempt.
Читать полностью…
> check tg
> check dms
> get message from someone saying theyre owner of vx-underground (wtf thats me)
> me tells me im the new ceo (wtf)
> me tells me to check my email
Weird social engineering attempt