Kevin Perlow (@KevinPerlow) - Twitter Profile

Kevin Perlow
@KevinPerlow

RE and CTI. Feel free to take a gander at my past presentations: https://t.co/iWUyecnxC6

ID: 245055616
Joined: 30-01-2011 19:38:30
138 Tweets
1.3K Followers
19 Following

Kevin Perlow (@KevinPerlow):

Some North Korean post infection malware. Nothing groundbreaking, I just always like to see the actual code when vendors gloss over it:

norfolkinfosec.com/north-koreas-p…

I've included hashes where the files were on VT, if you want to grab them to look for yourself.
Stefan Edward Jones 🇺🇦 (@StefanEJones):

Just got the very sad news that Science Fiction great Vernor Vinge has died. He'd been dealing with Parkinson's disease for several years.

Vinge's space opera 'A Fire Upon the Deep' was a wonderful rollick.

He popularized the notion of The Singularity.
Kevin Perlow (@KevinPerlow):

Some notes and testing on (what I think is) a #VIRTUALGATE sample, following Mandiant's ESXI report:

norfolkinfosec.com/some-notes-on-…

MD5 3c7316012cba3bbfa8a95d7277cda873
- Opens VMCI listener on 25736
- Listens
- Runs what it receives via cmd

Post shows RE + how to test it. Cool malware
Cat (@coolestcatiknow):

.ATT&CK v9 is out!!! A big shout out 🙌 to Patrick Wardle, Thomas Reed, Cody Thomas, and Chris [email protected] for helping us update changes to macOS🍎. There is more to come...but let's take a moment to appreciate my new favorite gif, which summarizes this release perfectly!
Kevin Perlow (@KevinPerlow):

Also, my personal favorite talk from the conference was from James Pavur - A fantastic presentation on eavesdropping on satellite internet conversations.

youtu.be/d5Sbwlu6f8o

No technical satellite knowledge required (I barely know how they get up there)
Kevin Perlow (@KevinPerlow):

They put our BlackHat videos up the other day! :)

It's a bit old now, but if you want to see how used ISO-8583 for the malware in past years, here's the URL: youtu.be/zGvQPtejX9w

Feedback is always welcome - presenting to a glowing orb was not the easiest.
Kevin Perlow (@KevinPerlow):

Last #Lazarus #ZINC update: a source gave me the missing registry data (~2mb reg entry). Sorry for the spam... have to do this after hours.

Updated w/ brief analysis of Stage 2:

norfolkinfosec.com/dprk-targeting…

Screengrab, process launching, recon etc.

That's it from me for a while :)
Kevin Perlow (@KevinPerlow):

Part II: Looking at the #DPRK / #Lazarus / #ZINC .sys malware targeting security researchers, with a hunt hypothesis as the highlight:

norfolkinfosec.com/dprk-targeting…

Note that I *don't* have the Stage 2 registry data. Would love to see it if someone has a copy!
Kevin Perlow (@KevinPerlow):

A look at some of the malware mentioned in this Google TAG research.
norfolkinfosec.com/dprk-malware-t…

- Two-stage (payload in ProgramData)
- AV Check (Kasp, Avast)
- Basic Persistence
- Multiple C2s per payload

More to be done re: C2 comm (unless someone does it first) #DPRK
Kevin Perlow (@KevinPerlow):

Interesting possible relationship between #TinyPOS + #ProLocker

norfolkinfosec.com/tinypos-and-pr…

I lean towards, 'would makes sense if it's the same group,' but far from definitive. Was trying to find infrastructure.

Drunk Binary (@DrunkBinary) (for the hashes)
Florian Roth (@cyb3rops) (for code segments and YARA)
Kevin Perlow (@KevinPerlow):

Really awesome to be included in part of the Wired write-up! 🙂 For folks looking for the slides and whitepaper, both are linked here: norfolkinfosec.com/presentations/

Whitepaper has a summary of tool relationships from the adversary + some extra RE.
Kevin Perlow (@KevinPerlow):

My April Fool's present: Incident Response, the 'Bored' Game. Please verb responsibly.

Drunk Binary (@DrunkBinary), Vitali Kremez (@VK_Intel), mark (@magerbomb), Jacob Denne (@jdenne79)

*Might be worth playing with blank squares and a 'dungeon master' who tracks the rolls and reads the squares.
Kevin Perlow (@KevinPerlow):

Golang walkthrough - A look back at some old (2017) #Dragonfly / #DYMALLOY 'Goodor' using newer tools:

norfolkinfosec.com/a-new-look-at-…

Always how Goodor *actually* worked. Redress from Joakim Kennedy (@joakimkennedy) helps answer that question.

CC Drunk Binary (@DrunkBinary)