14367
The largest collection of malware source, samples, and papers on the internet. Password: infected Website: https://www.vx-underground.org/ vx-underground Telegram chatroom link: https://t.me/+njfLzUrqos01ZWNh
Write your local government representatives and demand any company introducing AI into their products be jailed for 15,000 years.
Читать полностью…
Updates to vx-underground:
- 2024-03-13 - RisePro stealer targets Github users in “gitgub” campaign
- 2024-04-09 - Havoc C2 Framework – A Defensive Operator’s Guide
- 2024-04-24 - Pakistani APTs Escalate Attacks on Indian Gov. Seqrite Labs Unveils Threats and Connections
- 2024-05-01 - Ransom-War: Russian Extortion Operations as Hybrid Warfare, Part One
- 2024-05-02 - Dissecting LOCKBIT v3 ransomware
- 2024-05-04 - 191 Australian Organizations affected by ZircoDATA Breach Linked to Russian Ransomware Gang
- 2024-05-06 - Agent Tesla Malware Analysis
- 2024-05-09 - Case Study: Latrodectus - Analyzing and Implementing String Decryption Algorithms
- 2024-05-10 - AA24-131A: Stop Ransomware: Black Basta
- 2024-05-10 - Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware Part IV
Strap yourself in because it's time for this weeks episode of "Microsoft being dedicated to security".
tl;dr wtf bro lol
Previously Microsoft unveiled 'Recall' – which will be deployed on Windows 11. Recall will take screenshots of your computer desktop, in unspecified intervals, and allow users to search through Recall data (aka your Desktop screenshots) using AI to allow users to ... find things they may have forgotten (???).
When Recall was announced numerous security researchers, cybersecurity firms, and privacy advocates called it a nightmare because Microsoft explicitly stated that Recall will make no attempt to perform content moderation. It will take screenshots of plain text passwords, financial data, etc. Users also expressed concerns over Recall recording sexual fetishes (i.e. them watching pornography) and called it a gross invasion of privacy.
Microsoft's retort was that Recall can be disabled in settings and Microsoft does not have access to any of the data. It is all stored locally. Researchers then questioned whether or not end users, who may not be as tech savvy, would even understand or know Recall is present and may not be able to disable it.
Microsoft also stated today to the BBC that because Recall is stored locally, the only way a Threat Actor would be able to access Recall data is if they have physical access to the machine, unlocked it, and then signed in.
This did little to persuade security researchers because, if the data is stored locally, they expressed concern of the possibility of Recall data being harvested by infostealer malware (e.g. Redline, FormBook, Rhad, etc.) or the data being exfiltrated in the event of a ransomware attack. Furthermore, if Recall is deployed on Enterprise environments, this may make Recall an even larger security risk due to the lack of content moderation (i.e. exposing crown jewels).
With Recall present, and if data can be imported or exported, it could essentially allow Threat Groups the ability to visually inspect and review victims machines using AI search.
Will researchers find a way to abuse Recall? Will Threat Actors find a way to abuse Recall? Will there be 'for educational uses only' proof-of-concepts on GitHub? Find out on the next episode of Dragon Ball Z
Torrents:
- vxunderground.HD.Samples.VirusSign.Collection
- vxunderground.HD.Samples.Twitter.IOC.Collection
- vxunderground.HD.Samples.Families
- vxunderground.HD.Samples.Bazaar.Collection
- vxunderground.HD.Samples.ATM.Malware
- vxunderground.HD.Samples.Argus.Collection
- vxunderground.HD.Papers
Samples:
- VirusSign.2024.05.23
- VirusSign.2024.05.24
- VirusSign.2024.05.25
- VirusSign.2024.05.26
- VirusSign.2024.05.27
- InTheWild.0124
Papers:
- 2023-09-21 - Secrets of commercial RATs! NanoCore dissected
- 2023-11-13 - Decrypting the Mystery of MedusaLocker
- 2023-11-26 - From Infection to Encryption- Tracing the Impact of RYUK Ransomware
- 2024-05-07 - Cybercrime's Anatomy Threats to the Healthcare World
- 2024-04-24 - Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware
Someone found a Facebook post from 2006.
In 2006 this setup was insane.
Anyone who is capable of exercising any sort of critical thinking skills is capable of understanding the information displayed from the Google AI is innately false. It does not reflect an intelligent, informed, or well-minded advice to any individual having thoughts of self-harm or thoughts of harm toward others.
If you do not find humor in the absurdity of botched AI learning, while AI continues to be hailed as an omnipotent technology which will solve all problems, displaying wildly inappropriate and inaccurate information funny then ... ¯\_(ツ)_/¯
Not that big of a deal, dawg. If you're genuinely unhappy with it, unfollow us or something, we're just vibin' out trying to find humor in the everyday technological chaos.
It's time for your quarterly, and mandatory, continual education video from your HR department.
You sit down, play the video, and this what you learn about data backups:
Lots of updates coming on Monday.
Also, people have begun receiving their giveaway swag. We still have more people to select, but giving away $1,000 worth of merch is actually kind of time consuming.
Anyway, someone said their cat now uses the shirt for naps
At the end of the day every alert looks like this to a SOC Analyst
Читать полностью…
Here is some code that was written about a year for a project for vx-underground. However, due to various reasons, the code is being publicly released.
tl;dr recursive loader, painful to reverse engineer
Explanation of code:
The following code is inspired by APT Linux/Kobalos. Kobalos was malware, suspected to be tied to the Chinese government, which was fully recursive. It was novel malware.
Following this inspiration, an x64 recursive loader was developed for Windows 10 and Windows 11. When compiled the binary has no entries in the IAT. The binary resolves all APIs via NTDLL. Additional libraries are loaded via LdrLoadDll.
The code recursively calls itself to execute functions. It determines which portion of code to execute using a flag (an enum). Each 'function' is encapsulated in a switch statement. All variables are recursively passed using the 'VARIABLE_TABLE' structure. The VARIABLE_TABLE also contains further nested structures for handling API function resolving, initializing COM objects and associated classes, and data structures for some 'switch functions' which may require additional variables for tasks.
To avoid the compiler optimizing code and introducing functions into the IAT, some STDIO functionality such as ZeroMemory have been re-written in more unorthodox methods.
HTTPS requests are handled by COM via the WinHttpRequest Object.
The code basically downloads a binary from vx-underground and executes it. Currently the code will not work because the executable hosted on vx-underground for the proof-of-concept is no longer there – although it was just a copy cmd.exe.
Code may have some bugs. It can be improved upon by introducing pseudo-polymorphism by 'scrambling' the order of switch statements and enum values on each build.
Code written by smelly
You can checkout Win32.RecursiveLoader.b here: https://pastebin.com/HSTS2zwL
Today the NCA UK was discussing Operation Cronos (the takedown of Lockbit ransomware group) at SLEUTHCON – and for a brief moment in time we were on TV.
The cherry on top was the VX-UWU design as the profile picture.
Today an unknown individual got access to Ring footage of the arrest of Conor Brian Fitzpatrick a/k/a Pompompurin.
We will not share the footage of the arrest because we believe it be unnecessarily invasive to the Fitzpatrick family. Although Pompompurin had plead guilty to the crime, and has been sentenced, we do not want to showcase his family members faces and identities.
What the footage shows:
The United States Federal Bureau of Investigation pretending to be a USPS Postal Worker, saying they have a package for Mr. Fitzpatrick.
Once Mr. Fitzpatrick steps outside the door, to sign for the phony USPS package, other FBI agents swarm him with weapons drawn, instructing him to place his hands behind his head.
Mr. Fitzpatrick remains calm, puts his hands behind his head and complies the entire time. A second person, presumably his Mother, exits the home and speaks with the FBI agents. They ask if anyone else is inside the home. She tells them no one else is currently home.
The entire incident was remarkably calm. Mr. Fitzpatrick complied, there was no physical altercation ...or even swearing. The woman (again, presumably his Mother) was also very polite and complied fully. The FBI agents also seemed calm and apologized to the woman for the event that is taking place.
Pompompurin was wearing sweat pants and for a brief second his butt crack is on camera. It wasn't a very eventful raid. ¯\_(ツ)_/¯
Updates to vx-underground
Samples:
- VirusSign.2024.05.15
- VirusSign.2024.05.16
- VirusSign.2024.05.17
- VirusSign.2024.05.18
- VirusSign.2024.05.19
- VirusSign.2024.05.20
- VirusSign.2024.05.21
- VirusSign.2024.05.22
Torrents:
- vxunderground.HD.APTs.WEBRip.torrent
Papers:
- 2024-04-29 - Zloader Learns Old Tricks
- 2024-04-30 - Latrodectus [IceNova] – Technical Analysis of the New IcedID
- 2024-05-01 - Router Roulette - Cybercriminals and Nation-States Sharing Compromised Networks
- 2024-04-30 - Pouring Acid Rain
- 2024-05-05 - Latrodectus "LittleHw"
- 2024-04-17 - Redline Stealer - A Novel Approach
- 2022-04-21 - Criminals provide Ginzo stealer for free, now it is gaining traction
We received our first dick pic today. We don't really have anything else to say – but we felt like sharing that.
Читать полностью…
From the United States Department of Justice:
911 S5 Botnet Dismantled and Its Administrator Arrested in Coordinated International Operation
Botnet Infected Over 19M IP Addresses to Enable Billions of Dollars in Pandemic and Unemployment Fraud, and Access to Child Exploitation Materials
https://www.justice.gov/opa/pr/911-s5-botnet-dismantled-and-its-administrator-arrested-coordinated-international-operation
May 22nd security research GossiTheDog was able to get Microsoft Recall. His wrote a long thread on Mastodon regarding it. The full thread is linked at the bottom of this if you're interested in the photos he shared.
tl;dr highlights:
- Enabled by default and globally in Microsoft Intune managed users for businesses
- Disabling recording of websites in Control Panel or GPO is still ... enabled (???), disabling recording of websites only stops recording in Microsoft Edge (???)
- Recall uses Core AI Platform service
- Screenshots are titled "Snapshots"
- Images are stored in APPDATA directory, administrative privileges not required to access storage
- Processed data stored in SQLite database, can be viewed programmatically
More information: GossiTheDog/112479974357074203" rel="nofollow">https://cyberplace.social/@GossiTheDog/112479974357074203
In the past couple of days we have received nearly 100 of these types of messages.
When we click the link is just directs us to YouTube. What the hell kind of spam campaign doesn't even deliver malware 😭
They've also got an N64, the CRT monitor on the floor, and the CD collection rack. This guy was ballin' out
Читать полностью…
This took like 10 minutes is ms-paint. This better get 18,446,744,073,709,551,615 likes (2^64 - 1)
Читать полностью…
Someone reported one of our posts as ??? to Xitter which resulted in us receiving this e-mail this morning.
Presumably, our Google AI meme/mock post was reported as imagery which promotes self-harm.
Good morning.
Today is the day of rest. We hope all of you have enjoyed your weekend thus far. We will see you all on Monday.
Love you
Today Donald Trump, former United States President who is seeking re-election, stated he vows to commute the sentence of former SilkRoad founder Ross Ulbricht
More information: https://www.coindesk.com/policy/2024/05/26/trump-pledges-to-free-silk-road-creator-ross-ulbricht-if-re-elected/
No idea what this even means, we really liked this kitty and just tried to make something work
Читать полностью…
Thank you, Ares, for supporting us by purchasing merchandise.
(we didn't understand the video because we don't speak Ukrainian)
Hello, how are you?
1. Our shipment of harddrives is on the way. We are expecting them sometime next week. Once they are received the cloning process will begin.
2. Bradley is OOO (like a loser), so giveaway winners and selections are briefly delayed
3. I love you
Per request, we will agree to share an image of the butt crack.
Читать полностью…
"O Lord Jesus Christ, our God, who hast commanded us to love one another and to bear each other's burdens, we humbly beseech Thee to protect us from all harm and danger.
Send Thy holy angels to guard and keep us in peace and safety. Preserve us from every evil assault and from those who would seek to do us harm. Grant us the strength and wisdom to trust in Thy divine providence and to remain steadfast in our faith.
For Thou art our God, and we glorify Thee, together with Thy Father, who is from everlasting, and Thine all-holy, good, and life-creating Spirit, now and ever, and unto ages of ages. Amen."
– Russian Orthodox Priest doing a Prayer of Protection for Russian ransomware operator exfil servers, 2024
Good morning, afternoon, or night.
We've given away roughly $500 worth of merch for the 5 year giveaway. Dozens of people have been contacted. The giveaway is still ongoing due to the volume of people who entered.
tl;dr denial-of-service via nerd overflow
A young man, presumably from the COM scene, is beginning to gain traction on Twitter for his calm and collected thoughts. A modern day philosopher
tl;dr some kid with a gun (airsoft, maybe?), talking about beaming people (?), and saying 'fuck da opps' and some Chicago gang stuff despite being .... 11? 12? maybe 13?
https://x.com/sgtmuffon/status/1793319240641950068