I've been working on this for 5 years, and it's finally out! I wrote a dark fantasy book (no computers involved), and it's the hardest thing I have ever done. I'm extremely proud of the final result. (But it's in French, for now.)
I wrote an IDA plugin that queries #ChatGPT and explains decompiled functions. It's still very bleeding edge, but you can find the code here and try it out:
(Yes, the video was performed on a very basic case for simplicity's sake.)
Kaspersky released a new blogpost today, documenting an iOS 0day + zero-click exploit used to target cybersecurity researchers. The scope and full victimology are still unknown.
We released two videos for free from our online reverse engineering course. They focus on Go malware (Sunshuttle).
Almost 2 hours of premium IDA Pro entertainment!
We created cheat sheets for IDA Pro and x64dbg for our online course recently, and were authorized to share them with everyone!
The aim was to list all hotkeys that we use on a daily basis, i.e. only those we feel are worth learning.
I hope you find them useful!
Interesting trick used by scammers over DMs. They invite you to click on a link which appears to lead to the calendly website, but if you check the resulting URL, you will end up somewhere else (i.e., hxxps://calindaly[.]com/). How does this work?
This fools Twitter's card generation into displaying a false URL.
Long story short, you can't trust Twitter's previews, don't click on links sent by strangers and if you can't help yourself, double check where you land.
I have written a personal statement about the war in Ukraine, recent criticism about Kaspersky and its founder.
Those words were written from the heart. I humbly hope they give you pause.
I am staying in GReAT, and here is why.
(FR version coming soon.)
Our online reverse-engineering / malware analysis course (intermediate level) is finally launching!
@legezo and I have been working on it almost exclusively for 6 months now. 50+h of video, 100h of virtual lab time, 10 real-life APT malware cases.
Problem: deep enough home server racks are super expensive and difficult to source.
Solution: introducing the IKEA GhettoRåck™️, made out of:
- 2x BESTÅ cabinets
- 2x MÖRTVIKEN doors
A 10-ish U rack for under 300€, coming to your garages everywhere.
A lot of the value I bring to any company comes in the form of entertainment, specifically through an endless stream of salty emails. AI just made me obsolete.
All hail our new robot overlords.
A normal request to the website returns HTML content as you would expect (1st screenshot). But if you change your user-agent to TwitterBot (the one used when generating cards), watch what happens (second screenshot).
The server sends a second redirect to the legitimate site.
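The user-agent cloaking described above can be checked for mechanically: fetch the link once as a browser and once as the card crawler and compare where each lands. This is an added example, not code from the original thread; the hostnames, the in-memory server and the "Twitterbot/1.0" user-agent string are assumptions constructed for illustration.

```python
"""Detect user-agent cloaking: a link that serves HTML to browsers but
redirects the preview crawler (Twitterbot) to a legitimate-looking site,
so the card shows a URL the human visitor never reaches."""
from urllib.parse import urlparse

# Constructed in-memory "server": (host, UA class) -> (HTTP status, Location).
# Hostnames are placeholders, not the real domains from the thread.
FAKE_SERVER = {
    ("t.example", "browser"): (302, "https://calindaly.example/"),      # first redirect
    ("t.example", "twitterbot"): (302, "https://calindaly.example/"),
    ("calindaly.example", "browser"): (200, None),                       # scam page for humans
    ("calindaly.example", "twitterbot"): (302, "https://calendly.example/"),  # second redirect
    ("calendly.example", "browser"): (200, None),
    ("calendly.example", "twitterbot"): (200, None),
}

def classify_ua(user_agent):
    """Crude bucketing: Twitter's card fetcher identifies itself as Twitterbot (assumed)."""
    return "twitterbot" if "twitterbot" in user_agent.lower() else "browser"

def fake_fetch(url, user_agent):
    """Stand-in for an HTTP HEAD/GET that only reports status and Location."""
    host = urlparse(url).hostname
    return FAKE_SERVER.get((host, classify_ua(user_agent)), (404, None))

def final_url(url, user_agent, fetch=fake_fetch, max_hops=5):
    """Follow redirects as a client with this UA would; return (landing URL, hop list)."""
    hops = [url]
    for _ in range(max_hops):
        status, location = fetch(url, user_agent)
        if status not in (301, 302, 303, 307, 308) or not location:
            return url, hops
        url = location
        hops.append(url)
    raise RuntimeError("redirect loop or too many hops: %r" % hops)

def check_cloaking(url, fetch=fake_fetch):
    """Return (cloaked, human landing URL, crawler hop list).
    'cloaked' means the preview crawler and a browser end on different hosts."""
    human_dest, _ = final_url(url, "Mozilla/5.0 (X11; Linux x86_64)", fetch)
    card_dest, card_hops = final_url(url, "Twitterbot/1.0", fetch)
    cloaked = urlparse(human_dest).hostname != urlparse(card_dest).hostname
    return cloaked, human_dest, card_hops
```

Against a live link you would swap `fake_fetch` for a real HEAD request with redirects disabled; the comparison logic stays the same.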
An update to my 0day handling ethics mind-map for cybersecurity researchers.
Version 1.0 did not account for the possibility of becoming accessory to murder.
What a silly oversight on my part.
Personal news: I have resigned from my position in @Kaspersky's GReAT team. I'm very grateful for my time there and everything the team accomplished.
I don't have any reason to believe anything I wrote about the company was untrue at the time I wrote it.
I will now take a…
Curl is being introduced as a standard Windows command line tool! Malware authors all over the world must be ecstatic; stage 1s are going to get smaller.
RCE in Redis < 7.2.4 (CVE-2023-41056)
I haven't seen a lot of noise about this one. Redis is everywhere (NextCloud, Mastodon, GitLab...) – if you're using it, patch now, but I also expect to see a lot of second-degree exploitation with this one.
Our research on the new(?) mercenary APT DeathStalker is finally out!
Please take a look if you're interested in Evilnum or Janicab!
(cc @securechicken)
I have the pleasure to announce I'm joining @HarfangLab as Lead Cyber Threat Researcher starting tomorrow!
I'll be working on APTs from everywhere, reversing malware, writing FOSS tools and blog posts!
Not to bash on a single individual, which accomplishes nothing - but this is exactly why there is a need for more discussion about ethics in infosec.
Take a minute to think about how your actions have impacted "human and women rights" and "free speech" in 2021.
We're very happy that this research is released:
In it, @felixaime, @securechicken and I discuss the connection between the VHD ransomware and the Lazarus group.
This work was made possible with huge help from Kaspersky's GERT (IR) team.
On March 25, the FBI released an indictment of APT31 hackers. We read it carefully to find new intel, and managed to connect a few dots (including about the RAWDOOR malware family).
Full article and IOCs:
Okay Twitter 😶
Sorry non-French speakers, I can't translate this tweet considering how heinous it is. Imagine a hatred bingo combining the N-word, call for violence and nazism.
A few days ago, I contributed an IDA Pro script which extracts type information from Go binaries to @juanandres_gs' AlphaGolang repository.
We just released an article that gives background on how this works:
Code:
I feel like there's a need to clarify what is going on here, it's an interesting anti-sandbox trick.
The SeShutdownPrivilege string is constructed on the stack dynamically; in particular, the program uses the first letter of its filename as an index into the string.
If you analyze HermeticWiper (61b25d11392172e587d8da3045812a66c3385451) and you are a beginner to malware RE, be careful with your sample name. Sometimes, it breaks or modifies the behavior of the malware.
#HermeticWiper
#malware
I wrote my first blog post with @harfanglab: a primer on reverse engineering .NET AOT applications.
This will be interesting to people who never created FLAIR signatures in IDA.
Ping to all hash crackers: @trustedsec has just released a great set of scripts at .
- Wordlist deduplication
- Analysis of already cracked hashes
- Launches all the run-of-the-mill attacks from a single command
And a lot of other goodies.
Hidden gem in @DonnchaC's #37C3 talk on Predator spyware: state actors could generate @letsencrypt certificates for any website by using their MitM capabilities at ISP level to complete verification challenges (both HTTP and DNS I expect).
CT may be the only way to detect this.
New research from our team (h/t @securechicken):
Compromised routers leveraged as malicious infrastructure to target government organizations in Europe and Caucasus (possible APT28 activity)
In the interest of supporting the discussion on the ethics of releasing PoCs for critical vulnerabilities, I created the following mind map.
It is merely meant as a listing of the available options and associated consequences. No judgement intended.
I have stumbled onto something interesting while working on PE resource timestamps. It seems that a build chain, somewhere, is using local (non-UTC+0) timestamps for resources, which can help determine where the binary is compiled. Is this something known?
New blog post: "So you want to work in cybersecurity".
Every time I post research here, I get DMs asking how to get into cybersecurity. Instead of repeating myself ad nauseam, I wrote down all my thoughts on the subject here:
Personal opinion obviously.
A few minutes ago at BotConf, I shared a script to import and export Twitter blocklists. I use it to block advertisers on the platform!
Find my code and current list here:
For the record, this is a clear misrepresentation of my teammates' research.
1) We did *not* attribute these samples to any organization.
2) Lambert is *not* an internal name for the CIA.
If you're going to attribute attacks, do it in your own name.
Our reverse-engineering course has been out for a few months now, and the feedback is amazing :)
If you haven't checked it out, there's IDA scripting, mock C2 development, hardcore deobfuscation and even Go. Feel free to DM me with any question!
So after finishing another video from @kaspersky malware training, I've implemented the commands from the Lazarus sample in the C2 emulator. It was pretty interesting learning about this topic; thanks to @JusticeRage for the extra exercise.
I hear a lot of people are looking for Pegasus samples. Dear @ANSSI_FR, please buy the product, get all 0days patched, leak the tools and infra. Burn them to the ground and I swear I will never ever complain again about how my tax money is spent.
To be fair, anti-cheat usually only has a single process to protect, which its developers fully own.
EDR and endpoint solutions have to defend whole systems that they have zero control over, which is a much more difficult task.
We welcome constructive feedback from game hackers!
Our team has been investigating #LockerGoga and we can assess with medium confidence that it is linked to GrimSpider.
We believe a Cobalt Strike / meterpreter combination is used during the post-exploitation phase. C2s use the default SSL certificate on port 443 ;)
This has to be the dumbest "forgotten password" form that was ever written. There aren't enough facepalm gifs in the whole Internet to convey how I feel.
#100DaysofYARA
I created a web service that allows you to verify on which yara versions your rule compiles.
In the past, shipping rules to customers, I wondered if there were limitations but couldn't find out easily. Now I can.
I just stumbled onto this very interesting Linux post-exploitation talk by @_ta0:
It's full of hidden gems, I'll be watching it again so I can take notes.
Alright. Is it maybe time to talk about using *local* password managers instead of cloud-based ones?
Yes, they're better than no password manager, but come on. Don't trust anyone with such sensitive data as your passwords.
Dear @HexRaysSA, considering that you won't allow me to renew my licence, I'd appreciate it if you either:
a) Granted me an OSS dev license, considering the value I bring to your customers for free
b) Refrained from using my work for PR purposes
Cheers
Very unhappy and disappointed by this move from @HexRaysSA. During trainings, how can I justify the investment for newcomers if now they can't use the software after a year?
New research: our team at @harfanglab just published an investigation into possible Arid Viper (but definitely Hamas-related) activity against 🇮🇱 targets, based on a tip from @NicoleFishi19.
We analyzed the malware (including 2 wipers) & IW aspect:
New feature added moments ago: @OpenAI's #ChatGPT now automatically renames variables in the pseudocode view.
(Video slightly edited to cut loading times.)
Keep in mind that this is only the work of a single week-end! This thing is only getting started.
I showed this tip to a friend today, and thought maybe it could be useful to other people.
Problem: how to write Yara rules that match a given ASM snippet? Answer in three steps.
1) Open a random program with x64dbg. Break anywhere, entry point is fine.
Pro reverse-engineering tip: don't spend too much time looking at code located in kernel32.dll as this can lead to significant lost time and ridicule on Twitter.
When debugging DLLs, I often need to go back and forth between @x64dbg and IDA. So far, here is the quickest way I have found to convert addresses. Is there a better one?
I'm very happy to share a project I've been working on for a long time now. A 🔥 scathing 🔥 three-part series on cryptocurrencies & NFTs.
Part I: blockchains and crypto
Part II: NFTs
Part III: the politics of cryptocurrencies
Part I was just released:
The video of my @virusbtn talk on ethics in infosec is now online! Of all the talks I've given, it's the one I find the most important. Thanks again to the organizers for accepting it!
Manalyze is 10 years old today! 🎂
Over time, it has processed over 100 GB of files (that I know of) with no meaningful security issues. I still use it to this day, I know others do too.
There's still much I want to do, hopefully in the next 10 years!
Very happy to share the results of a new investigation with @_marklech_ and @securechicken!
In this case, we talk more about the things we don't know than the things we do, which is a huge part of threat intelligence. I hope you enjoy the read!
You might have heard about a "massive" ongoing attack on FR government websites. Here's some context.
1) Anonymous Sudan claimed the attack. It's a hacktivist group which has consistently aligned with 🇷🇺 interests – to the point of being suspected of being a front for RU psyops
There's currently a summer sale on our online reverse-engineering training! The price dropped by over 25% for this month: please check it out if you were considering it before!
DMs are open if you have any questions about the course.
Big update to #Gepetto today, with support for GPT-4! This will only work if you have access to the corresponding API (via a waiting list AFAIK).
Lots of refactoring in preparation for more features, so it might be a little bleeding edge!
Takeaways of the war in Ukraine for the cybersecurity community:
I contributed to this article along with @craiu and @securechicken. As with any analysis piece, there's some deal of personal opinion in there, so I'm very interested in other assessments.