Repeat after me:

Patching an already compromised system won’t solve the problem

#PaloAlto

🤯 The level of sophistication of the XZ attack is very impressive! I tried to make sense of the analysis in a single page (which was quite complicated)!

I hope it helps to make sense of the information out there. Please treat the information 'as is' while the analysis…

It is important to remember that Lasse is blameless in this. There is no individual, and very very few organisations, able to detect, let alone resist!, the directed interest of an intelligence agency.

Briefly, I want to address the issue of who is to blame. Easy — the people behind the attack. Lasse, the maintainer of xz, was the target of a patient intelligence campaign that invested more resources into subverting him than anyone invested into his project.

When suspecting malicious code in a backdoored executable, running that binary to check the version is not advisable

FAQ on the xz-utils backdoor |  by Sam James

gist.github.com/thesamesam/223…

#XZ #XZ util

The xz backdoor was initially caught by a software engineer at Microsoft. He noticed 500ms lag and thought something was suspicious.

This is the Silver Back Gorilla of nerds. The internet final boss.

MemProcFS 5.9 released!

Fast and easy to use memory forensics in a virtual file system!

Many smaller updates, built-in yara rules causing a detection are now shown directly in FindEvil!

github.com/ufrisk/MemProc…

RE tip of the day: APIs like DebugActiveProcess, DbgUiDebugActiveProcess or NtDebugActiveProcess can be used by malware to attach to its own process. If the debugger is attached, they will fail this way revealing its presence
#infosec #cybersecurity #malware #reverseengineering

Looks like you can debug x86 malware on the Apple M1 Pro using getwhisky.app! 🥳

Meet VenomRAT. It’s just another unimpressive fork of a fork of AsyncRAT / QuasarRAT. 🥱

It’s also the 66th malware variant ScumBots has a config extractor for.

🚨 I'm building a #malware skills path with Pluralsight and already have several courses live! Want to get started on this journey? It begins with the course Initial File Triage 👇

pluralsight.com/courses/initia…

We have partnered with our friend 0verfl0w from Zero2Auto to provide 3 individuals with the Zero2Auto malware reverse engineering course for free 🥰

This course is not designed for complete noobies - it is focused more toward junior reverse engineers

More details coming soon

For my Danish followers: Forhøjet trussel mod danske virksomheder fra #DarkGate MaaS :: Kruse Industries, cybersecurity og cybercrime. Holding selskab. kruse.industries/l/forhojet-tru…

#Pikabot - #TA577 - url > .zip > .lnk > .dll

cmd /c WX.pdf.lnk

rundll32.exe xSa.log, HUF_inc_var

c2's
102.129.139.]65:32999
79.141.175.]96:2078
167.86.96.]3:2222
144.64.204.]81:2078
45.131.108.]250:1194
38.242.240.]28:1194

IOC's
github.com/pr0xylife/Pika…

#DarkGate - #TA577 - url > .zip > lnk > .vbs > .exe

Some updated distro urls 👇

http://84.246.85.]138/xNn/ys
http://162.19.130.]45/Gdt5p3y/vWw
http://84.246.85.]121/nvT4ni/XX

IOC's
github.com/pr0xylife/Dark…

Do you like unpacking malware? We too! During our recent #AgentTesla analysis we wrote unpacker for #DotRunPeX , and decided to share it. Read our blog post for more info: cert.pl/en/posts/2023/…

My talk from SEC-T is already on YouTube check it out! youtu.be/NvCDdhbMQsA?si… thx to the awesome crew, Super honored for the opportunity to present at this great conference!

Now seems like a perfect time to remind you...

IT IS ALWAYS DNS!!

Looks like Boris is having a no good very bad day. Couldn't happen to a nicer person. We wish Boris well in his new occupation becoming a solder to fight for the motherland! Good luck out there in the trenches! youtu.be/mIeUT0QmqfU Greets to LEA and all partners! ❤️Great work!