14367
The largest collection of malware source, samples, and papers on the internet. Password: infected Website: https://www.vx-underground.org/ vx-underground Telegram chatroom link: https://t.me/+njfLzUrqos01ZWNh
There is something oddly amusing about watching LinkedIn cybersecurity executives, managers, suit-non-nerds discuss vx-underground. It is evident they are completely culturally disconnected from the nerds.
Also, shout-out Ryan C. and Florian Bogner for being real 1's.
In 2022 Italian politician Maurizio Gasparri displayed his password on his workplace device on live TV
It was a sticker on his laptop.
"Agta123"
Monthly additions are now live. New additions:
- Virusshare.482 total of 52,807 new samples
- The Old New Thing for October, 2023
- Malware analysis collection - 82 new papers from malpedia
Have a nice day.
https://www.vx-underground.org/
TrustedSec has repeatedly spoken out about the importance of giving back, helping others, and making an impact on the community - whether it be them donating to educational programs to schools, creating cybersecurity conferences designed to make a positive impact on the community, sponsoring local events, or donating to people, giving away items, etc.
We spoke with Dave Kennedy, CEO of TrustedSec - he has offered us invaluable resources to aid us in our growth, given us insight into potential ways we can expand (while remaining free, vx-underground will remain free forever).
TrustedSec is also now our largest sponsor.
Thank you Dave Kennedy and friends at TrustedSec for making an impact and doing everything that you do. It is wholeheartedly appreciated it.
It's been 10 minutes - still trying to understand this e-mail
Читать полностью…
At this moment in time vx-underground is a daily grind - keeping the website updated with new papers, malware samples, the VX-API, the VXDB, etc.
Not entirely sure what else can be done now. Other than continuing the generic updates
Mission accomplished...?
The argument is that this is potentially undefined behavior because of how the pre-increment and post-increment expression will be interpretted (and/or optimized) by the compiler.
tl;dr don't write goofy goober code
tl;dr tl;dr nerds arguing over methods to increment an integer
We've updated the vx-underground Windows malware paper collection
- 2023-09-10 - GIF Steganography from First Principles
- 2023-09-11 - MATLAB Reverse Shell
- 2023-10-09 - Demonstrating Sleep Obfuscation - KrakenMask
Check it out here: https://www.vx-underground.org/
"Sorry, you can't join our ransomware group, you don't have a Bachelors degree in computer science and you don't seem to have any certificates"
Читать полностью…
Insider Threats come in many shapes and sizes and are a major hurdle to any organization.
Читать полностью…
We've updated the vx-underground Windows malware paper collection
- 2023-07-29 - Lord Of The Ring0 - Part 5 Sarumans Manipulation
- 2023-08-13 - LAPS 2.0 Internals
- 2023-08-29 - DevTunnels for C2
- 2023-09-06 - How to Troll an AV
Here is a very poorly written way to do 'whoami' using CreateNamedPipe and Advapi32!NpGetUserName.
This undocumented function will do the generic LookupAccountSidW via GetUserNameExW, but it can act as a proxy function, or something.
https://pastebin.com/raw/ZsReS7k4
Google is introducing more new TLDs =D
.ing and .meme
New phishing links inbound!
52,807 new malware samples queued for upload in our VXDB and the vx-underground website.
*Reminder our VXDB allows you to search through our malware collection and download for free 🫡
https://virus.exchange
6 hours ago Reuters got confirmation from Boeing that they were impacted by 'cyber incident'. Boeing declined to comment on whether Lockbit was responsible for the 'cyber incident'.
More information: https://www.reuters.com/business/aerospace-defense/boeing-investigating-cyber-incident-affecting-parts-business-2023-11-01/
Attempting to close Microsoft OneDrive on Windows 11 triggers a poll asking the user why they want to terminate the process.
*Killing the process via task manager doesn't trigger the poll
Image via tomwarren
It should also be noted that Dave Kennedy asked for nothing in return for sponsoring us - not even a tweet or a logo on vx-underground. He is legitimately just wildin' out and helping nerds for fun
Читать полностью…
Over the weekend we received a series of e-mails from compromised enterprise networks with the message "Я гей" ("I'm gay" in Russian). In a weird twist of fate, we received an e-mail (an uncompromised e-mail....) with the message "I'm gay".
Lots of gay people ¯\_(ツ)_/¯
No, we're not shutting down. We're noting that we are considering exploring other projects for vx-underground (keyword: considering, nothing solid).
Also, we love all of you, especially you
Hello, how are you?
We're now granting permission to individuals who would like to upload malware to our VXDB. We are only granting this to select individuals we know, or individuals we know who can be trusted (or vouched for). We are doing this to prevent our VXDB being flooded with junk data or non-malicious files.
No changes will be made to the VXDB for user registration or downloads. It will always be free.
If you'd like to contribute to the VXDB you can contact us Twitter DMs or via e-mail at staff@vx-underground.org
Additionally, we are still working on refining the VXDB, bulk download (via API) is still not supported yet. It is in our ever-growing todo list.
Thank you everyone for the love, support, donations, and sponsorships you've given us. We would not have been able to create this VXDB, get this much malware, or share it with this many people if it were not for all of you helping us out.
Love you,
Swift removing ++ and -- operators because they can be confusing because of code like this:
int i = 5;
i = ++i + i++;
Swift developers proving they're very not cool
tl;dr says "++" and "--" operators are confusing
Reminder that Threat Actors (probably) haven't paid for a Red Teaming course or any sort of formal education
Читать полностью…
Forgot to link to the website, but whatever. If you don't know the website by now you've got some sort of cognitive damage.
Going back to bed. If you need anything... don't need anything
An image illustrating the current CloudFlare status
https://www.cloudflarestatus.com/
Alternatives to 'whoami.exe'.
COM interface ideas:
- IADsADSystemInfo
- IADsWinNTSystemInfo
- IADsComputer
- WMI COM provider to query 'whoami.exe'
IADsADSystemInfo, IADsWinNTSystemInfo, and IADsComputer are all fundamentally similar in calling syntax and are pretty copy-pasta ish. Windows SDK is kind of a pain though, the GUIDs weren't located easily, so they needed to be manually defined.
Example: https://pastebin.com/raw/S32nYDAp
Advapi32 functionality:
- Advapi32!LookupAccountSidW
- Advapi32!LsaLookupSids
LookupAccountSidW is an internal wrapper that calls LsaOpenPolicy, LsaLookupSids, and subsequently LsaFreeMemory. LsaFreeMemory is a wrapper to RtlFreeHeap.
Example: https://pastebin.com/raw/zJVShnay
Other possibilities:
- NpGetUserName - gets the username from a named pipe. Requires spawning a secondary thread, creating a named pipe, connecting to it, impersonating it, ... it is a long story =D
- Offlinesame.dll - Offline sam has a lot of functionality for enumerating users and domains on the machine. This is undocumented and requires a little more work. However, it has been demonstrated loosely by 0gtweet
Example: https://github.com/gtworek/PSBits/blob/master/OfflineSAM/OfflineAddAdmin.c
tl;dr can't stop thinking about whoami.exe :(
tl;dr 3rd party vendor breached - resulting in Okta employees data exposed
Okta was breached (again). Their last breach was announced October 20th, 2023. They've been compromised 4 times now
- March, 2022
- December, 2022
- October, 2023
- November, 2023
Image via BrettCallow
We've updated the vx-underground malware sample collection
- MedusaLocker
- XLoader
- SystemBC
- MinodoLoader
- ShellBot
- Moqhao
- XMRig
- PlayRansomware
- MoneyRansomware
- PrivateLoader
- AridGopher
- Micropsoa
- IcedId
and more...
Check it out here: vx-underground.org/
We are behind schedule on almost all of our tasks. 1/2 of our staff is sick.
Seasonal changes are illegal and for nerds