
Malware News

Channel address: @malwr
Categories: Technologies
Language: English
Subscribers: 3.00K
Description from channel

The latest NEWS about malwares, DFIR, hacking, security issues, thoughts and ...
Partner channel: @cveNotify
Contact: @SirMalware

Ratings & Reviews

Average rating: 2.33 (3 reviews)

5 stars: 0
4 stars: 0
3 stars: 2
2 stars: 0
1 star: 1


The latest messages (15)

2022-01-21 20:45:27 [1/n] Today I'm sharing the details of a research done by vaber_b, legezo, Ilya Borisov and myself on a UEFI firmware implant found in the wild, dubbed #MoonBounce. We assess that this formerly unknown threat is the work of the infamous #APT41. A
https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/
_marklech_


@malwr | 101 views (edited) | 17:45
2022-01-21 20:18:17
An old sample of the Lamberts (probably #WhiteLambert) appeared on VirusTotal.
This driver file intel440x.sys is also mentioned by name on the infamous drv_list.txt from The Shadow Brokers' leak. The logic itself is contained inside a compressed resource.
https://www.virustotal.com/gui/file/1eede29007619d207842ddcaadf41b17b47a456004df43189d1f6cf54a3b785b
_CPResearch_


@malwr | 90 views | 17:18
2022-01-21 12:08:00 For those following the news, the WhisperGate campaign (as initially described by Microsoft) has been quite impactful. Today, my blog for corporate has gone live regarding this wiper campaign, with the analysis of all four stages. Additionally, I uploaded the binary of stage 4 to VirusTotal, MalShare, and MalwareBazaar, making it accessible for all. The links are given below.

Link: https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/return-of-pseudo-ransomware.html


Sent from one of our members


@malwr | 59 views | 09:08
2022-01-21 10:40:05 Best search engines for Pentesters and Security Professionals.

→ google .com
→ Shodan .io
→ Censys .io
→ Hunter .io
→ redhuntlabs .com
→ fullhunt .io
→ onyphe .io
→ fofa .so
→ socradar .io
→ synapsint .com
→ binaryedge .io
→ ivre .rocks
→ crt .sh
→ spyse .com
→ vulners .com
→ PublicWWW .com
→ Pulsedive .com
→ ZoomEye .org
→ intelx .io
→ WiGLE .net
→ reposify .com
→ viz. greynoise .io

NandanLohitaksh


@malwr | 87 views (edited) | 07:40
2022-01-21 10:16:13
Are you an admin with EXE blocked by #AppLocker? You can bypass the protection without any execution traces in the AppLocker Log! Load your DLL, steal the token from spooler and create the child process.
C source code and the compiled binary, as usual: https://github.com/gtworek/PSBits/tree/master/AppLockerBypass
0gtweet


@malwr | 87 views | 07:16
2022-01-21 10:15:19
About WhisperGate: it's quite simple to set up IDA Pro + Bochs to examine the MBR, and I showed it step by step in a few slides in an introductory talk at HITB Amsterdam 2019. Just in case you want to check the slides:

https://exploitreversing.files.wordpress.com/2021/12/hitb_ams_2019-1.pdf

#malware #idapro
ale_sp_brazil


@malwr | 75 views | 07:15
2022-01-21 10:14:35 After the Pro version earlier this week, I just released a new version of MacroPack Community!
#infosec #MacroPack
https://github.com/sevagas/macro_pack
EmericNasi


@malwr | 77 views | 07:14
2022-01-21 10:13:41
We do not possess any samples from the Lockbit ransomware group. A new sample from Lockbit has not appeared on @abuse_ch since December 2021.

We asked Lockbit for a new sample - they have provided us with a sample directly from their panel.

Download here: https://samples.vx-underground.org/samples/Families/
vxunderground


@malwr | 80 views | 07:13
2022-01-20 23:47:19 CVE-2022-0173
radare2 is vulnerable to Out-of-bounds Read

@cveNotify | 112 views | 20:47
2022-01-20 17:40:07
Time to chip in for #100DaysofYARA, this rule is a (fun) example that looks for a structure (#Regin VFS) instead of data.
Structures (often config) are useful to validate your understanding of malware functionality and for more resilient rules. But be careful with boundaries :)
Int2e_


@malwr | 87 views | 14:40