 |
Post AsUdRsNDpWfAVnF692 by [email protected] |
 |
More posts by [email protected] |
|
Post #AsUUIB7IODTw9w5tFg by [email protected] |
|
0 likes, 0 repeats |
|
|
|
on a day with no ADHD meds, my roommate knocks on the door and is like "a … |
|
|
|
Post #AsUUReiThx0eZF0NCi by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@foone Is that friend a metaphor for lack of ADHD meds? |
|
|
|
Post #AsUUVtsVHMIakUiaqO by [email protected] |
|
0 likes, 0 repeats |
|
|
|
I am some kind of reverse engineer/security engineer but I'm not very good … |
|
|
|
Post #AsUUcTv6BmnkGh4QXA by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@foone 🚨 🚨 🚨 |
|
|
|
Post #AsUVbd2Gua5KCkaBXM by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@foone Statistically, yes. |
|
|
|
Post #AsUVeaPf7SWwwHvwu0 by [email protected] |
|
0 likes, 0 repeats |
|
|
|
seems it is an electron based javascript malware that tries to steal all your p… |
|
|
|
Post #AsUVpDJ3MxoIScuTaq by [email protected] |
|
0 likes, 0 repeats |
|
|
|
huh, one of the things it does is check your RAM speed. I think because that… |
|
|
|
Post #AsUW7AnhQMeJtyoANs by [email protected] |
|
0 likes, 0 repeats |
|
|
|
but yeah it does a bunch of checks to see if anything remotely debuggy or VMy i… |
|
|
|
Post #AsUWDekOzmsCWAMD3Y by [email protected] |
|
0 likes, 0 repeats |
|
|
|
it even checks against OllyDbg, a really great debugger that hasn't updated… |
|
|
|
Post #AsUWU5r1yqeDDoIOMS by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@foone why does it need to be electron based? does it have some sort of ui? |
|
|
|
Post #AsUWU5x3cRT5WV7Ckq by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@imtired it makes it look like a regular application, so anti-viruses can't… |
|
|
|
Post #AsUWXALlio862A8ceO by [email protected] |
|
0 likes, 0 repeats |
|
|
|
I'm looking at this disassembly from dez_ on twitter. https://gist.github.c… |
|
|
|
Post #AsUWeaaYZ9HZREavZ2 by [email protected] |
|
0 likes, 0 repeats |
|
|
|
there's a lot of very specific checks before it tries to do anything, I thi… |
|
|
|
Post #AsUWhQOav4I2h6LrM0 by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@foone Electron-based malware... gonna need to sit down for a minute.I guess wh… |
|
|
|
Post #AsUX64sC4psTBNx4d6 by [email protected] |
|
0 likes, 0 repeats |
|
|
|
yes let me accidentally try to unpack the electron app in poland, that's ex… |
|
|
|
Post #AsUXAAMlazf3NTCYuO by [email protected] |
|
0 likes, 0 repeats |
|
|
|
god I bet there are some malware out there that checks your location on GPS bef… |
|
|
|
Post #AsUXDDvMp6dfHVqMa0 by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@foone so what you're saying is I'm safe because i run my discord clien… |
|
|
|
Post #AsUXMKPK5XifzkCFZg by [email protected] |
|
0 likes, 0 repeats |
|
|
|
sure there's work-from-home, but you're probably still within a reasona… |
|
|
|
Post #AsUXWsIAxcb7yxsmES by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@foone Close enough (hah) to remind me of the chatter a few years back about ra… |
|
|
|
Post #AsUXtjdnIAqZoLtY9o by [email protected] |
|
0 likes, 0 repeats |
|
|
|
OH GOOD this is a different version that uses aes compression. so the source is… |
|
|
|
Post #AsUXzexJclWl1Aqp2O by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@azonenberg well, it'll steal your discord password from the VM, but yeah |
|
|
|
Post #AsUY7Nf7nwadhT1Yga by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@foone Well that's the question, is it going to even try to steal anything … |
|
|
|
Post #AsUYHvO3GvWpBu49s8 by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@azonenberg oh yeah. no it'll probably do nothing |
|
|
|
Post #AsUZAeByu2vzn1Vvcm by [email protected] |
|
0 likes, 0 repeats |
|
|
|
I hope these fuckers aren't trying to obfuscate the password by abusing jav… |
|
|
|
Post #AsUZDeiLQ1L8HG5OtM by [email protected] |
|
0 likes, 0 repeats |
|
|
|
my head already hurts enough as it is |
|
|
|
Post #AsUZGLcQs4q5vHbXMW by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@foone IT security model: forced relocation to kraków |
|
|
|
Post #AsUZg7sIat2CpFJlx2 by [email protected] |
|
0 likes, 0 repeats |
|
|
|
finally unencrypted and re-deobfuscated.and it's got debugging strings in T… |
|
|
|
Post #AsUZo0ze3ySxndW2nA by [email protected] |
|
0 likes, 0 repeats |
|
|
|
awfully lot of debugging information printed to console.log by this malware. it… |
|
|
|
Post #AsUa5bVDZlNdxCfeKm by [email protected] |
|
0 likes, 0 repeats |
|
|
|
other debug strings are in portuguese!? this is a very international bit of mal… |
|
|
|
Post #AsUa6XlWxGtKeakUoS by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@foone i brought out ollydbg the other day (though mostly because i don't k… |
|
|
|
Post #AsUa6XrYariCxHZJCq by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@xssfox x64dbg is quite good, and feels like a modernized successor to ollydbg … |
|
|
|
Post #AsUakzKzrVsPkZcieW by [email protected] |
|
0 likes, 0 repeats |
|
|
|
so it also checks your GPU. You know, because VMs usually have a GPU like "… |
|
|
|
Post #AsUatXPb3iTNkJqsPA by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@foone because its only tartegting "real actually gamers tm" |
|
|
|
Post #AsUbI3TNVaeg8DJMKO by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@foone encrypting something that comes with its own decryption key doesn't … |
|
|
|
Post #AsUbI3ZP9BTYQu8Aim by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@jeremy_list welcome to DRM |
|
|
|
Post #AsUbMwn1mdPUqtppWS by [email protected] |
|
0 likes, 0 repeats |
|
|
|
so this seems to be associated with leetb.iwannaeatcats[.com]it sends them the … |
|
|
|
Post #AsUbQXRRy7eXOYSFLk by [email protected] |
|
0 likes, 0 repeats |
|
|
|
and Growtopia. I didn't know that game existed, but apparently there's … |
|
|
|
Post #AsUbUJJORgFMjKU7HM by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@foone it's odd, i find debugging x86/64 code really rare these days. Usual… |
|
|
|
Post #AsUbUJPm3xLp37TDE0 by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@xssfox that's one of the reasons I mainly hack games from the 90s. They do… |
|
|
|
Post #AsUbyisJxxDghWK7vM by [email protected] |
|
0 likes, 0 repeats |
|
|
|
ahh, naturally the C&C server is cloudflare. |
|
|
|
Post #AsUc1DaGlJsWWQ4Oo4 by [email protected] |
|
0 likes, 1 repeats |
|
|
|
whenever you find the worst pits of the internet, you will find cloudflare ther… |
|
|
|
Post #AsUc8s0YrgYHvE15ay by [email protected] |
|
0 likes, 0 repeats |
|
|
|
it also fails to run if you have less than 2gb of RAM.because what regular comp… |
|
|
|
Post #AsUcBbZ8SBcnnOUaRs by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@foone There was a time, I did everything to stay away from dirty work. Today I… |
|
|
|
Post #AsUcJqJXVFmDr07qaG by [email protected] |
|
0 likes, 0 repeats |
|
|
|
it also refuses to run if your external IP is one of a couple, which include a … |
|
|
|
Post #AsUcNZNQPx8oTwiiDA by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@foone no that's not why.it's because the malware is written in electro… |
|
|
|
Post #AsUcQDPCYy0ZCwoRkW by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@azonenberg good point |
|
|
|
Post #AsUcXxFCXBDTOvpEno by [email protected] |
|
0 likes, 0 repeats |
|
|
|
it is also apparently dumping these stolen passwords into a discord somewhere, … |
|
|
|
Post #AsUdBP1dB7jQrAHwEy by [email protected] |
|
0 likes, 0 repeats |
|
|
|
they distribute some of the malware through NPM, fun! |
|
|
|
Post #AsUdRsNDpWfAVnF692 by [email protected] |
|
0 likes, 0 repeats |
|
|
|
It's a npm package with no actual source that does anything, but there'… |
|
|
|
Post #AsUdUXglBzKdEAeX0S by [email protected] |
|
0 likes, 0 repeats |
|
|
|
And the electron malware dropped an exe malware. Yay |
|
|
|
Post #AsUda1rqPqDiH0SBUG by [email protected] |
|
0 likes, 0 repeats |
|
|
|
I'm gonna leave this to the kind of security researchers who get paid for t… |
|
|
|
Post #AsUej6EBfo3oMCnF1E by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@foone I have run into malware that has server-side checks before the second st… |
|
|
|
Post #AsUepU02Cg2HozDWwC by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@foone I love this idea of antivirus companies casting an invisible antivirus s… |
|
|
|
Post #AsUesJ7B84jSvouCrw by [email protected] |
|
0 likes, 0 repeats |
|
|
|
So it's packaged like this:rar inside a rar (both passworded)containing an … |
|
|
|
Post #AsUfFXaNUbiCTNdrIu by [email protected] |
|
0 likes, 0 repeats |
|
|
|
anyone an actual security researcher who knows how (and with what authority) to… |
|
|
|
Post #AsUfXM1rCPfbqIzOPQ by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@foone I never quite looked at malware stuff like that, your thread was very i… |
|
|
|
Post #AsUg1w0K0b0o6aqwFM by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@foone Cloudflare, the selling-to-both-sides-arms-dealers of the internet. |
|
|
|
Post #AsUg877JbXB6JC4Qoy by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@foone I18N made it to the malware writers. |
|
|
|
Post #AsUgDchxZq6fjaq0mW by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@foone@GossiTheDog maybe knows how to purge malware from NPM or a pointer? |
|
|
|
Post #AsUgUv7CORG7kItIx6 by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@foone Absolutely brilliant thread, as always. Thank you for letting us ride al… |
|
|
|
Post #AsUgaf66rJuto17SgC by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@foone Can you upload all the exe's you have to VirusTotal? Might help get … |
|
|
|
Post #AsUgr7Dq3mAJfMa2L2 by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@foone i once got hit with someone dming me "you wanna try my game" a… |
|
|
|
Post #AsUgskA6lgC4j2bz2u by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@foone Is it worth sending an abuse report for that hexonst34l3r.com domain? |
|
|
|
Post #AsUgv7ntq6Msd1MKye by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@foone ah makes sense |
|
|
|
Post #AsUh70Vcmqf7TlTeJU by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@[email protected] Normally I'd ask who nowadays just runs random .EXEs o… |
|
|
|
Post #AsUh9sAWFjXoTqyJ84 by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@foone I meant the roommate, but I shan't rewrite history |
|
|
|
Post #AsUh9sHFqgvqok7gcy by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@[email protected] @[email protected] the posts is against the rule… |
|
|
|
Post #AsUh9sNdSy2J8X6mZc by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@m0xEE @foone Editing the posts breaks the mindmaps of those who'd already … |
|
|
|
Post #AsUh9sTf6YrBRDvay0 by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@m0xEE @foone (Just like cleaning up labs too much breaks the mindmaps of those… |
|
|
|
Post #AsUhCM0aHR6LbdVY1Y by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@foone or, arguably worse, doing it for “free” |
|
|
|
Post #AsUhFZ06QpxUlloTOy by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@foone what comes to mind reading this: "the aristocrats!" |
|
|
|
Post #AsUhHSJIHHpSbAgx3g by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@foone of course stealers are using electron nowi've seen stealers in pytho… |
|
|
|
Post #AsUhUwfAjo4AV7MEE4 by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@foone Argh. Say Yes and go back to bed. |
|
|
|
Post #AsUhZ21akHKOHunCnQ by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@foone O O F |
|
|
|
Post #AsUhZepYSxsAdsSdwu by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@foone there's a report malware button at least |
|
|
|
Post #AsUheHVya5k3mGVYmG by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@rudi @foone iwannaeatthearistocats.com? Why'd that come to mind? |
|
|
|
Post #AsUheHd49jPg8FpDpQ by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@kawa @foone maybe just my mind, but the encryption and obfuscation chain is a … |
|
|
|
Post #AsUhfjoWqo3hprseBs by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@[email protected] How considerate |
|
|
|
Post #AsUhpKi32lPgs4QNCC by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@foone If only their moneymaking was reflected in their stocks price. |
|
|
|
Post #AsUhyHRaYP1DLjzZ5s by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@foone I'm reminded of the Polish train DRMhttps://www.youtube.com/watch?v=… |
|
|
|
Post #AsUiB4QyEgi8lSnlj6 by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@foone this is a cursed day. |
|
|
|
Post #AsUitN28Re43BvJDtY by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@foone Malware in electron? shocking! but props for finding this. |
|
|
|
Post #AsUj4Ocasg3RImcU2y by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@foone this is incredible to watch."I'm not a paid security researcher… |
|
|
|
Post #AsUjyo7LH5VSaotuym by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@AlesandroOrtiz already did |
|
|
|
Post #AsUl2GK4xot4tS4ODw by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@itsalrightiguess no, it should be fine. if you downloaded the module and ran t… |
|
|
|
Post #AsVICnebBxXbePIfq4 by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@foone possibly to game download numbers for the package. Make it look more leg… |
|
|
|
Post #AsVIXZk86hGwaXnHHM by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@foone after the first post, I initially assumed that it was your roommate who … |
|
|
|
Post #AsVQkpAiqxfTq23pey by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@foone There are a lot that check your keyboard layouts and fail if you have a … |
|
|
|
Post #AsVifNX5zBPFqO4vrc by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@foone the "report malware" button/contact form seems to be effective… |
|
|
|
Post #AsVsNUwMhm2x9C0jaq by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@irgendwr cool! |
|
|
|
Post #AsW0P3KP8YcLioVVq4 by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@foone looks like the yelling worked, it's now replaced with the npm securi… |
