Johannes Bader (@viql)'s Twitter Profile
Johannes Bader

@viql

Reverse engineer / malware analyst. On the hunt for domain generation algorithms. Currently side project: rosti.bin.re

ID: 1713609325

Link: https://bin.re/ Joined: 30-08-2013 19:47:39

195 Tweets

1,1K Followers

168 Following

Johannes Bader (@viql):

Domain Generation Algorithms are straightforward to program and usually bug free. Not so the new #DGA of #BazarLoader, which goes haywire during the summer months: bin.re/blog/a-bazarlo…

Johannes Bader (@viql):

New blog post: Analysing TA551/Shathak malspam with binary refinery bin.re/blog/analysing… I show how the open source framework "binary refinery" can be effective in analysing multistage TA551 malspams with encrypted ZIP, Word document, HTA and Javascript.

Jesko Hüttenhain (@huettenhain):

Chris Sanders 🔎 🧠 Since there's probably a few big CyberChef aficionados here, I'll go ahead and pitch my little rival project, the binary refinery: 🏭 github.com/binref/refiner… It's (almost) like CyberChef, but it's a cross platform command line toolkit.

Johannes Bader (@viql):

I published a new blog post on a Domain Generation Algorithm that uses the balance of the Bitcoin genesis block as seed. bin.re/blog/a-dga-see…

GovCERT.ch (@govcert_ch):

We published a tech paper on the #ConfuserEx obfuscation mechanism of a Ginzo .NET sample. This class of obfuscator is known as code flatteners. We describe how it can be dealt with using a Python script + IDA Pro Blog: 👉govcert.ch/blog/unflatten… Paper: 👉govcert.ch/whitepapers/un…

CISA Cyber (@cisacyber):

Fortinet released security updates for FortiOS to fix a heap-based buffer overflow vulnerability (CVE-2022-42475). Apply patches asap. Read more at: go.dhs.gov/Z8v

Nils Kuhnert (@0x3c7):

Just updated the "malwarebazaar" Python module to include a Python and CLI client for abuse.ch #YARAify and added a "richer" output. You can find it on Github (github.com/3c7/bazaar/rel…) and on PyPI (via "malwarebazaar"). #threatintel #malware

Jesko Hüttenhain (@huettenhain):

#BinaryRefinery 0.5.10 can deobfuscate this sample with little effort. Only had to add one new unit for StrReverse constant folding. Not a silver bullet, obviously, but why write those regular expressions yourself when you can make me do it for you?

ThreatCat.ch (@threatcat_ch):

New video on the Domain Generation Algorithm of the file infector m0yv. We've sinkholed multiple domains & show how infections dramatically increased in the last 400+ days 📈. #m0yv #DGA youtu.be/3RYbkORtFnk

ThreatCat.ch (@threatcat_ch):

🛠️ .NET malware decompiling challenges: Obfuscations of strings/constants can be tedious. Automate w/ IDA Pro's Python 🐍 interface for MSIL binary patching, even for simple cases: threatcat.ch/blog/undo-dotn… #CyberSecurity #MalwareAnalysis #IDAPro #DotNET

Daniel Plohmann (@push_pnx):

I wrote a short blog post on MCRIT, the one-to-many code similarity analysis framework that we released as open source recently at Botconf.

Daniel Plohmann (@push_pnx):

I wrote a blog post about MalpediaFLOSSed, a collection of ~4 million strings extracted from 1800+ malware families and upgrading its GUI plugin to work with IDA, Ghidra, and Binary Ninja at once! Kudos to Hyun Yi for Hyara, which pioneered such cross-tool compatibility!

abuse.ch (@abuse_ch):

Nice #MooBot botnet caught by Fox_threatintel 😂 Botnet C2 domain: 🔥 putin.zelenskyj .ru Pointing to: 45.88.90.30:43957 (AS203168 Constant MOULIN 🇧🇪) DNS resolution provided by Cloudflare 🔎 Payload URLs: 🌐 urlhaus.abuse.ch/host/45.88.90.… Payload: 📄 bazaar.abuse.ch/sample/21f1caa…

Jesko Hüttenhain (@huettenhain):

What's happening? #FlareOn11 is happening! Time to update #BinaryRefinery and snag some flags! ✨ github.com/binref/refiner… ✨ flare-on11.ctfd.io/challenges

abuse.ch (@abuse_ch):

According to GovCERT.ch , an unknown threat actor has sent out postal letters (yes, *postal* letters ✉️) to recipients in Switzerland that pretend to originate from MeteoSchweiz, luring the recipient into downloading and installing a rogue App 🔥🕵️‍♂️ The QR code in the letter

Johannes Bader (@viql):

Today, I'm releasing the first version of a small web 🚀: rosti.bin.re It provides IOCs and YARA rules collected semi-automatically from public blog posts and reports of almost 200 cybersecurity sites. I hope it proves useful to some of you ... 🙏✨ #ThreatIntel
