vxunderground | Unsorted

Telegram channel vxunderground - vx-underground

The largest collection of malware source, samples, and papers on the internet. Password: infected https://vx-underground.org/

vx-underground

Steam users: "Kernel mode anti-cheats are spyware!"

The entire anti-virus industry:

vx-underground

We asked for a sample of the new payload. The Lockbit representative subsequently told us: "Ask the FBI for the payload"

>:(

We asked for more information on the Nutanix locker. They told us: "TLP:RED, sorry"

>:(

vx-underground

The Microsoft Fabric community (?) forum is old and allows unchecked HTML on posts.

- Link attached, don't click the silly button
- Thanks to rari_teh for sharing this with us

Behold:
https://ideas.fabric.microsoft.com/ideas/idea/?ideaid=908a0c5d-95fe-ee11-a73c-000d3ae45d44

vx-underground

Malware review:

2024-02-27 - European diplomats targeted by SPIKEDWIRE with WINELOADER

Notes:
* Zscaler, on release of this article, did not attribute it to any state-sponsored Threat Actor
* Mandiant later attributed this payload to APT29 on March 22nd, 2024 in an article titled: "APT29 Uses WINELOADER to Target German Political Parties"

- Targets specific European diplomats via malicious PDF (0 points)
- Targets carefully enumerated, low volume of malicious PDFs sent (+1 points)
- Malicious PDF masquerading as letter from Ambassador of India for wine tasting event (0 points)
- PDF requires registration to event, links to compromised website (+1 points)
- 'Invitation site' requires guest to download .zip file (-1 point)
- .zip file contains wine.hta which masquerades as invitation event details (0 points)
- .hta file contains malicious JavaScript, obfuscated with an open-source tool (-1 points)
- .hta downloads BASE64 encoded .txt from compromised website (0 points)
- .hta uses certutils.exe to BASE64 decode .txt file (+1 point)
- BASE64 decoded text file transforms into .zip file, extracted to C:\Windows\Tasks (+1 points)
- .zip extracts sqlwrite.exe and vcruntime140.dll (+1 points)
- APT29 uses DLL sideloading vulnerability (unknown at the time) on sqlwrite.exe to load fake vcruntime140.dll (+2 points)
- Side loaded DLL function se_se_translator pulls RSA encrypted .exe out of DLL (+1 point)
- Side loaded DLL encrypts and decrypts .exe when no longer in use (+2 points)
- .exe has different modules (plugins) for different task (+2 points)
- Modules use DLL Hollowing to inject into randomly selected DLLs (+1 point)
- Each module is downloaded individually from remote C2 (compromised websites) (+2 points)
- Connecting to C2 uses GET HTTP. Sent data is custom made data blobs containing information on modules and commands sent and received (+2 points)
- Persistence achieved by Microsoft signed sqlwriter.exe DLL side loading from Windows Task Scheduler (0 points)
- Memory is zero filled when not used (+1 points)

vx-underground

MITRE was compromised

Shout out Charles Clancy for full disclosure and his transparency.

vx-underground

Following the return of HelloKitty ransomware group (now HelloGookie), the individuals behind HelloKitty ransomware group released more files from CD Projekt Red – the game studio behind The Witcher and Cyberpunk 2077.

Using the leaks, nerds have compiled The Witcher III

vx-underground

Researcher crocodylii found Hunters International ransomware group left their Tor domain publicly indexable 😭😭😭😭

vx-underground

Thank you, Hasherezade for producing these cool and badass hoodies.

PE-BEAR ATE MY MALWAREZ

vx-underground

Nerds are reporting the new Team Fortress 2 64bit version is being flagged as malware by AV engines.

vx-underground

tl;dr you're all going to prison forever (and ever)

vx-underground

Half of the vx-underground roster were still not fully potty trained at 13, so we find this profoundly impressive.

vx-underground

Yesterday Christopher Ahlberg, the CEO of RecordedFuture, shared information on an unidentified Threat Actor attempting to SMS phish employees at their organization

- This message was not sent to a Nikolas
- Who the hell is Nikolas

vx-underground

babe wake up mandiant just released artwork for sandworm aka apt44 (officially)

vx-underground

On the Windows platform there are dozens of ways to achieve persistence, shellcode execution, process injection – hundreds of different ways to abuse system components

There are tons of little caveats, niches, tweaks and tricks you can do that are often overlooked

tl;dr big book

vx-underground

Today we will give all of you a lesson on computer hardware. This comprehensive video will explain the different components of a computer and how it all comes together to make the magic of the world wide web

vx-underground

https://netflix.com/healthcheck

vx-underground

Today we decided to check in with Lockbit ransomware group. The Lockbit ransomware group administrative staff informed us that they're actively working on several new projects – most notably they have developed a new ransomware payload which targets Nutanix

vx-underground

We give APT29's recent APT campaign a B+.

APT29 WINELOADER is modular, multi-staged, practices OPSEC by using multiple compromised websites, and has custom built HTTP data blobs. It uses a LOLBIN-like technique for persistence and uses a previously undocumented DLL Side Load vulnerability to execute payloads. Random DLL injection is a plus. The encryption and decryption of data is also an interesting plus as it improves its stealth factors and makes it more difficult to reverse engineer. The precision of targets and masquerading as a wine tasting event is also interesting – demonstrating research of targets prior to attack. This same attack was later used against German politicians as well.

vx-underground

We are happy to announce we are pregnant, not pregnant, and segfaulting (chemically)

vx-underground

Note: some binaries were already compiled from the previous leak*

vx-underground

Someone made us this

vx-underground

Malware review:

2024-03-26 - Malware Disguised as Installer from Korean Public Institution (Kimsuky Group)

- Masquerades as installer (0 points)
- Masqueraded installer is not functional (-1 points)
- Dropper is signed (+1 points)
- Drops src.rar (-1 points)
- Password protected with "1q2w3e4r" (-1 points)
- Execution begins with command "installer" (0 points)
- Copies to %USERPROFILE% (0 points)
- Payload masquerades as svchost.exe (0 points)
- Registers itself in Task Scheduler (0 points)
- Masquerades in Task Scheduler as "Windows Backups" (0 points)
- Developed in Go (+1 points)
- Recycled code from previous malware campaign (-1 points)
- Used same signed certificate from previous malware campaign (-1 points)
- Has generic RAT functionality (0 points)
- TA pushed Mimikatz to infected machine (-2 points)
- Mimikatz masqueraded as cache.exe (0 points)
- TA used free Ngrok domain for C2 (-1 points)

We give Kimsuky Group's recent APT campaign an F.

Unoriginal, generic code, some code dependent on external applications (WinRAR) which may not be present on victim machines. Password is hardcoded in payload and easily identifiable. Recycled code and recycled certificate are poor design and lazy. Masqueraded installer not working is lazy. Pushing Mimikatz is also a poor decision; this tool is heavily flagged and is a big red flag.

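The two malware reviews above (WINELOADER and the Kimsuky installer) each list observables a defender can key on: certutil used to base64-decode a downloaded file, a PE pair dropped in C:\Windows\Tasks, a payload borrowing the svchost.exe name from a user profile, a scheduled task named "Windows Backups", and a free Ngrok domain as C2. The Python below is an added example, not code from vx-underground or from either vendor report. It runs a small rule pass over constructed endpoint-telemetry events (dicts loosely shaped after Sysmon process, file, task and network records); the field names, the sample events, the hostnames and the ngrok domain suffixes are assumptions made for the example.

```python
"""Added example: rule pass over constructed endpoint-telemetry events.

The events below are constructed for illustration and loosely shaped after
Sysmon process/file/task/network records; nothing here is a captured artifact
from either campaign. Each rule returns a message on a hit, else None.
"""
import re

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Names that malware commonly borrows; a genuine copy lives in System32.
MASQUERADE_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe"}
# Assumption: free ngrok tunnels use these suffixes.
TUNNEL_SUFFIXES = (".ngrok.io", ".ngrok-free.app")
# Writable system directory used in the WINELOADER chain as a drop location.
TASKS_DIR = "c:\\windows\\tasks\\"


def _low(value):
    return (value or "").lower()


def rule_certutil_decode(ev):
    """certutil.exe used as a LOLBIN to base64-decode a downloaded file."""
    if ev["type"] != "process_create":
        return None
    image, cmdline = _low(ev["image"]), _low(ev.get("cmdline"))
    if image.endswith("\\certutil.exe") and re.search(r"-decode(hex)?\b", cmdline):
        return f"certutil decode: {ev['cmdline']}"
    return None


def rule_tasks_dir_payload(ev):
    """Executable or DLL written under C:\\Windows\\Tasks."""
    if ev["type"] != "file_create":
        return None
    path = _low(ev["path"])
    if path.startswith(TASKS_DIR) and path.endswith((".exe", ".dll")):
        return f"PE dropped in Windows\\Tasks: {ev['path']}"
    return None


def rule_name_outside_system32(ev):
    """A core Windows binary name (svchost.exe etc.) running from elsewhere."""
    if ev["type"] != "process_create":
        return None
    image = _low(ev["image"])
    name = image.rsplit("\\", 1)[-1]
    if name in MASQUERADE_NAMES and not image.startswith(SYSTEM_DIRS):
        return f"system binary name outside System32: {ev['image']}"
    return None


def rule_task_masquerade(ev):
    """Scheduled task with a Windows-sounding name whose action is in a user profile."""
    if ev["type"] != "task_create":
        return None
    if ev["name"].lower().startswith("windows ") and "\\users\\" in _low(ev["action"]):
        return f"task {ev['name']!r} runs from a user profile: {ev['action']}"
    return None


def rule_tunnel_c2(ev):
    """Outbound connection to a free tunnelling service used as C2."""
    if ev["type"] != "network":
        return None
    if _low(ev["host"]).endswith(TUNNEL_SUFFIXES):
        return f"outbound to tunnelling service: {ev['host']}"
    return None


RULES = (rule_certutil_decode, rule_tasks_dir_payload, rule_name_outside_system32,
         rule_task_masquerade, rule_tunnel_c2)


def scan(events):
    """Run every rule over every event; return (rule name, message) pairs in order."""
    hits = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((rule.__name__, msg))
    return hits


# Constructed sample telemetry: six suspicious events interleaved with four benign ones.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil.exe -decode C:\\Users\\guest\\Downloads\\text.txt C:\\Windows\\Tasks\\text.zip"},
    {"type": "file_create", "path": "C:\\Windows\\Tasks\\sqlwrite.exe"},
    {"type": "file_create", "path": "C:\\Windows\\Tasks\\vcruntime140.dll"},
    {"type": "process_create", "image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"type": "process_create", "image": "C:\\Users\\guest\\svchost.exe"},
    {"type": "task_create", "name": "Windows Backups", "action": "C:\\Users\\guest\\svchost.exe"},
    {"type": "task_create", "name": "MicrosoftEdgeUpdateTaskMachineCore",
     "action": "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe"},
    {"type": "network", "host": "0tcp.ngrok-free.app"},  # hypothetical tunnel hostname
    {"type": "network", "host": "login.microsoftonline.com"},
    {"type": "file_create", "path": "C:\\Windows\\Tasks\\SA.DAT"},  # legitimate Task Scheduler file
]

if __name__ == "__main__":
    for rule_name, message in scan(SAMPLE_EVENTS):
        print(f"[{rule_name}] {message}")
```

Each rule is deliberately narrow and keyed to one behaviour rather than to a file hash or certificate, which is the point the Kimsuky review makes about recycled code and certificates: the reused artifacts get burned, but the behaviours (decode via certutil, drop into a writable system path, task name that does not match its action path) are what survive a rebuild.
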
vx-underground

17 AVs flag the newly released Team Fortress 2 64bit client as malware 😭

SHA256: 83fb94ef1accdc0071ef6221f8e5acf870a1df31ff26e04a8d58116402793911

vx-underground

Hello, how are you? We've updated the vx-underground malware collection. We've added 68,000 new malware samples.

Download the malware.

- Virussign.2024.04.09
- Virussign.2024.04.10
- Virussign.2024.04.11
- Virussign.2024.04.12
- Virussign.2024.04.13
- Virussign.2024.04.14
- Virussign.2024.04.15
- Virussign.2024.04.16
- Virussign.2024.04.17
- InTheWild.0118
- InTheWild.0119

Check it out here: https://vx-underground.org/Samples

vx-underground

feege_ spotted a billboard advertisement on the i-95 in Philadelphia, near the Wells Fargo Center, that says:

"Hackers Suck"
"Protect your business. Cover your assets."

vx-underground

13-year-old Marco Liberale has created a proof-of-concept PasteBin C2 botnet in Go. It is fully cross platform, working on Windows, Linux, and Mac.

We are very happy to see such a young person contributing to this research space.

Check it out here: https://github.com/marco-liberale/PasteBomb

vx-underground

hacking is illegal and for nerds

vx-underground

Today a group named 66slavs claimed to have breached the United States National Energy Research Scientific Computing Center (NERSC).

* We have not reviewed the data
* Yes, they watermarked a data breach

vx-underground

"Does {book} cover everything I need to know about malware?"

No book ever released has covered 'everything' about malware. If you wanted a book to cover everything on malware it would weigh 500lbs (226kg) and be cartoonishly large.

vx-underground

A while back we heard rumors of a Telegram RCE 0day. We brushed it off as silly memes. Turns out the 0day was 100% real and you're all probably pwned.

It was unveiled on XSS. Nerds celebrated

(joking about pwned part... kind of)

More information: https://www.bleepingcomputer.com/news/security/telegram-fixes-windows-app-zero-day-used-to-launch-python-scripts/
