I've been working on this for 5 years, and it's finally out! I wrote a dark fantasy book (no computers involved), and it's the hardest thing I have ever done. I'm extremely proud of the final result. (But it's in French, for now.)
I wrote an IDA plugin that queries #ChatGPT and explains decompiled functions. It's still very bleeding edge, but you can find the code here and try it out:
(Yes, the video was performed on a very basic case for simplicity's sake.)
Do you know what all lawyers are doing right now? Reading #CrowdStrike EULAs.
Let's have a look, shall we? Such documents are super easy to find online; I put one there for reference:
Let's see what happens when something hits the fan. (It's good.) 🧵
Kaspersky released a new blogpost today, documenting an iOS 0day + zero-click exploit used to target cybersecurity researchers. The scope and full victimology are still unknown.
This is a good time to point out how cybersecurity has become a business of transferring accountability to third parties (you don't buy security, you buy someone to blame when it all goes down). But it's largely symbolic since nobody is liable, and this might even be a feature.
We released two videos for free from our online reverse engineering course. They focus on Go malware (Sunshuttle).
Almost 2 hours of premium IDA Pro entertainment!
We created cheat sheets for IDA Pro and x64dbg for our online course recently, and were authorized to share them with everyone!
The aim was to list all hotkeys that we use on a daily basis, i.e. only those we feel are worth learning.
I hope you find them useful!
Interesting trick used by scammers over DMs. They invite you to click on a link which appears to lead to the calendly website, but if you check the resulting URL, you will end up somewhere else (i.e., hxxps://calindaly[.]com/). How does this work?
This fools Twitter's card generation into displaying a false URL.
Long story short, you can't trust Twitter's previews, don't click on links sent by strangers and if you can't help yourself, double check where you land.
I have written a personal statement about the war in Ukraine and the recent criticism of Kaspersky and its founder.
Those words were written from the heart. I humbly hope they give you pause.
I am staying in GReAT, and here is why.
(FR version coming soon.)
Our online reverse-engineering / malware analysis course (intermediate level) is finally launching!
@legezo and I have been working on it almost exclusively for 6 months now. 50+h of video, 100h of virtual lab time, 10 real-life APT malware cases.
Problem: deep enough home server racks are super expensive and difficult to source.
Solution: introducing the IKEA GhettoRåck™️, made out of:
- 2x BESTÅ cabinets
- 2x MÖRTVIKEN doors
A 10-ish U rack for under 300€, coming to your garages everywhere.
A lot of the value I bring to any company comes in the form of entertainment, specifically through an endless stream of salty emails. AI just made me obsolete.
All hail our new robot overlords.
10: Whatever damages are incurred from your use of the product, they're on you. Even if CrowdStrike could have prevented it.
Never use the product in sensitive environments, such as aircraft navigation systems (you can't make this stuff up), nuclear facilities, etc.
A normal request to the website returns HTML content as you would expect (1st screenshot). But if you change your user-agent to TwitterBot (the one used when generating cards), watch what happens (second screenshot).
The server sends a second redirect to the legitimate site.
An update to my 0day handling ethics mind-map for cybersecurity researchers.
Version 1.0 did not account for the possibility of becoming accessory to murder.
What a silly oversight on my part.
Personal news: I have resigned from my position in @Kaspersky's GReAT team. I'm very grateful for my time there and everything the team accomplished.
I don't have any reason to believe anything I wrote about the company was untrue at the time I wrote it.
I will now take a
New blog post: "The Case for Burning Counterterrorism Operations"
My thoughts on why defenders should always report exploits and operations, even when they originate from "friendly" entities. This follows the recent debate in the community.
Curl is being introduced as a standard Windows command line tool! Malware authors all over the world must be ecstatic; stage 1s are going to get smaller.
So... I guess a lot will hinge on whether CrowdStrike violated 8.2 by failing to meet industry standards with their update. I expect communication on this subject will not be super forthcoming.
Beyond goodwill gestures to protect their image, I don't think they're liable.
RCE in Redis < 7.2.4 (CVE-2023-41056)
I haven't seen a lot of noise about this one. Redis is everywhere (NextCloud, Mastodon, GitLab...) – if you're using it, patch now, but I also expect to see a lot of second-degree exploitation with this one.
Our research on the new(?) mercenary APT DeathStalker is finally out!
Please take a look if you're interested in Evilnum or Janicab!
(cc @securechicken)
I have the pleasure to announce I'm joining @HarfangLab as Lead Cyber Threat Researcher starting tomorrow!
I'll be working on APTs from everywhere, reversing malware, writing FOSS tools and blog posts!
Not to bash on a single individual, which accomplishes nothing - but this is exactly why there is a need for more discussion about ethics in infosec.
Take a minute to think about how your actions have impacted "human and women rights" and "free speech" in 2021.
On March 25, the FBI released an indictment of APT31 hackers. We read it carefully to find new intel, and managed to connect a few dots (including about the RAWDOOR malware family).
Full article and IOCs:
We're very happy that this research is released:
In it, @felixaime, @securechicken and I discuss the connection between the VHD ransomware and the Lazarus group.
This work was made possible with huge help from Kaspersky's GERT (IR) team.
@ActuPolitiqueN Come on guys, calling the left Nazis while using Pétain+Hitler as an example to defend the far right, you really have to have no historical awareness whatsoever.
You should open a book once in a while, you know.
Our team just released a report on #CharmingKitten / #APT35.
We discovered a new malware family called Cyclops, written in Go. It launches a local web server which exposes a REST API used to control the malware. The port is forwarded to the C2 via SSH.
Okay Twitter 😶
Sorry non-French speakers, I can't translate this tweet considering how heinous it is. Imagine a hate bingo combining the N-word, calls for violence and Nazism.
8.6: There is no guarantee that the product will successfully protect against all threats; if something still destroys your system, CrowdStrike is not liable.
8.7: The product may have bugs, not do anything or not work at all and there's nothing you can say about that.
A few days ago, I contributed an IDA Pro script which extracts type information from Go binaries to @juanandres_gs' AlphaGolang repository.
We just released an article that gives background on how this works:
Code:
8.2: CrowdStrike pledges that it operates in a professional manner consistent with industry standards.
8.4: CrowdStrike will do its best to fix problems reported. If they can't, you get a refund for whatever's left of your subscription.
I wrote my first blog post with @harfanglab: a primer on reverse engineering .NET AOT applications.
This will be interesting to people who never created FLAIR signatures in IDA.
I feel like there's a need to clarify what is going on here, it's an interesting anti-sandbox trick.
The SeShutdownPrivilege string is constructed on the stack dynamically, in particular the program uses the first letter of its filename as an index in the string.
If you analyze HermeticWiper (61b25d11392172e587d8da3045812a66c3385451) and you are a beginner at malware RE, be careful with your sample name. Sometimes, it breaks or modifies the behavior of the malware.
#HermeticWiper #malware
Ping to all hash crackers: @trustedsec has just released a great set of scripts at .
- Wordlist deduplication
- Analysis of already cracked hashes
- Launches all the run-of-the-mill attacks from a single command
And a lot of other goodies.
Hidden gem in @DonnchaC's #37C3 talk on Predator spyware: state actors could generate @letsencrypt certificates for any website by using their MitM capabilities at ISP level to complete verification challenges (both HTTP and DNS I expect).
CT may be the only way to detect this.
New research from our team (h/t @securechicken):
Compromised routers leveraged as malicious infrastructure to target government organizations in Europe and Caucasus (possible APT28 activity)
In the interest of supporting the discussion on the ethics of releasing PoCs for critical vulnerabilities, I created the following mind map.
It is merely meant as a listing of the available options and associated consequences. No judgement intended.
If you're using @Zimbra, mass-exploitation of CVE-2024-45519 has begun. Patch yesterday.
Malicious emails are coming from 79.124.49[.]86 and attempting to curl a file from that IP.
I have stumbled onto something interesting while working on PE resource timestamps. It seems that a build chain, somewhere, is using local (non-UTC+0) timestamps for resources, which can help determine where the binary is compiled. Is this something known?
New blog post: "So you want to work in cybersecurity".
Every time I post research here, I get DMs asking how to get into cybersecurity. Instead of repeating myself ad nauseam, I wrote down all my thoughts on the subject here:
Personal opinion obviously.
A few minutes ago at BotConf, I shared a script to import and export Twitter blocklists. I use it to block advertisers on the platform!
Find my code and current list here:
For the record, this is a clear misrepresentation of my teammates' research.
1) We did *not* attribute these samples to any organization.
2) Lambert is *not* an internal name for the CIA.
If you're going to attribute attacks, do it in your own name.
I hear a lot of people are looking for Pegasus samples. Dear @ANSSI_FR, please buy the product, get all 0days patched, leak the tools and infra. Burn them to the ground and I swear I will never ever complain again about how my tax money is spent.
Our reverse-engineering course has been out for a few months now, and the feedback is amazing :)
If you haven't checked it out, there's IDA scripting, mock C2 development, hardcore deobfuscation and even Go. Feel free to DM me with any question!
So after finishing another video from the @kaspersky malware training, I've implemented the commands from the Lazarus sample in the C2 emulator. It was pretty interesting learning about this topic; thanks to @JusticeRage for the extra exercise.
To be fair, anti-cheat usually only has a single process to protect, which its developers fully own.
EDR and endpoint solutions have to defend whole systems that they have zero control over, which is a much more difficult task.
We welcome constructive feedback from game hackers!
Our team has been investigating #LockerGoga and we can assess with medium confidence that it is linked to GrimSpider.
We believe a Cobalt Strike / meterpreter combination is used during the post-exploitation phase. C2s use the default SSL certificate on port 443 ;)
This has to be the dumbest "forgotten password" form that was ever written. There aren't enough facepalm gifs in the whole Internet to convey how I feel.
#100DaysofYARA
I created a web service that allows you to verify on which yara versions your rule compiles.
In the past, shipping rules to customers, I wondered if there were limitations but couldn't find out easily. Now I can.
I just stumbled on to this very interesting Linux post-exploitation talk by @_ta0:
It's full of hidden gems, I'll be watching it again so I can take notes.
Alright. Is it maybe time to talk about using *local* password managers instead of cloud-based ones?
Yes, they're better than no password manager, but come on. Don't trust anyone with such sensitive data as your passwords.
Dear @HexRaysSA, considering that you won't allow me to renew my licence, I'd appreciate it if you either:
a) Granted me an OSS dev license, considering the value I bring to your customers for free
b) Refrained from using my work for PR purposes
Cheers
Our team has been tracking #DoppelGänger activities for over a month, and we've just published our research! In total, we share ~250 URLs to disinformation content and ~800 handles of X accounts part of the dissemination network.
Very unhappy and disappointed by this move from @HexRaysSA. During trainings, how can I justify the investment for newcomers if now they can't use the software after a year?
New research: our team at @harfanglab just published an investigation into possible Arid Viper (but definitely Hamas-related) activity against 🇮🇱 targets, based on a tip from @NicoleFishi19.
We analyzed the malware (including 2 wipers) & IW aspect:
New feature added moments ago: @OpenAI's #ChatGPT now automatically renames variables in the pseudocode view.
(Video slightly edited to cut loading times.)
Keep in mind that this is only the work of a single week-end! This thing is only getting started.
I showed this tip to a friend today, and thought maybe it could be useful to other people.
Problem: how to write Yara rules that match a given ASM snippet? Answer in three steps.
1) Open a random program with x64dbg. Break anywhere, entry point is fine.
@BushidoToken According to CORRECTIV, she's actually Russian, and linked to Evil Empire / DoppelGänger activities.
100% chance this is a front for 🇷🇺 intelligence if the brokering aspect is even legit.
When debugging DLLs, I often need to go back and forth between @x64dbg and IDA. So far, here is the quickest way I have found to convert addresses. Is there a better one?
Pro reverse-engineering tip: don't spend too much time looking at code located in kernel32.dll as this can lead to significant lost time and ridicule on Twitter.