We've updated the vx-underground malware source code collection on GitHub.

Yesterday the source code to banking trojans Android.Hook and Android.Ermac were leaked online.

*Hook is the successor to Ermac
*Thanks to 3xp0rtblog for the code

https://github.com/vxunderground/MalwareSourceCode

ZachXBT, an independent cryptocurrency investigator who monitors and tracks cryptocurrency scams, shared ANOTHER video of cryptocurrency thieves taunting him.

The sign says "Fuck ZachXBT. Chards"

That's 3 videos now 😭

"Who is 29a labs?"

In the spirit of Halloween we will share something with you that is truly terrifying.

*Yes, this is real game made by EA

We keep getting pinged. Yes, Boeing has been removed from Lockbit ransomware groups website.

Lockbit administrative staff informed us they removed Boeing because negotiations have begun.

We don't know anything else. It is Halloween. Cya nerds tomorrow. We're busy.

This one simple trick will land you a job anywhere

> "DONT DO THIS!!! THIS IS A FELONY!!!"

No shit, Sherlock. It's satire

We are behind schedule on almost all of our tasks. 1/2 of our staff is sick.

Seasonal changes are illegal and for nerds

6 hours ago Reuters got confirmation from Boeing that they were impacted by 'cyber incident'. Boeing declined to comment on whether Lockbit was responsible for the 'cyber incident'.

More information: https://www.reuters.com/business/aerospace-defense/boeing-investigating-cyber-incident-affecting-parts-business-2023-11-01/

We've updated the vx-underground malware sample collection

- MedusaLocker
- XLoader
- SystemBC
- MinodoLoader
- ShellBot
- Moqhao
- XMRig
- PlayRansomware
- MoneyRansomware
- PrivateLoader
- AridGopher
- Micropsoa
- IcedId
and more...

Check it out here: vx-underground.org/

52,807 new malware samples queued for upload in our VXDB and the vx-underground website.

*Reminder our VXDB allows you to search through our malware collection and download for free 🫡

https://virus.exchange

Google is introducing more new TLDs =D

.ing and .meme

New phishing links inbound!

Alternatives to 'whoami.exe'.

COM interface ideas:
- IADsADSystemInfo
- IADsWinNTSystemInfo
- IADsComputer
- WMI COM provider to query 'whoami.exe'

IADsADSystemInfo, IADsWinNTSystemInfo, and IADsComputer are all fundamentally similar in calling syntax and are pretty copy-pasta ish. Windows SDK is kind of a pain though, the GUIDs weren't located easily, so they needed to be manually defined.
Example: https://pastebin.com/raw/S32nYDAp

Advapi32 functionality:
- Advapi32!LookupAccountSidW
- Advapi32!LsaLookupSids

LookupAccountSidW is an internal wrapper that calls LsaOpenPolicy, LsaLookupSids, and subsequently LsaFreeMemory. LsaFreeMemory is a wrapper to RtlFreeHeap.
Example: https://pastebin.com/raw/zJVShnay

Other possibilities:

- NpGetUserName - gets the username from a named pipe. Requires spawning a secondary thread, creating a named pipe, connecting to it, impersonating it, ... it is a long story =D

- Offlinesame.dll - Offline sam has a lot of functionality for enumerating users and domains on the machine. This is undocumented and requires a little more work. However, it has been demonstrated loosely by 0gtweet
Example: https://github.com/gtworek/PSBits/blob/master/OfflineSAM/OfflineAddAdmin.c

tl;dr can't stop thinking about whoami.exe :(

Here is a very poorly written way to do 'whoami' using CreateNamedPipe and Advapi32!NpGetUserName.

This undocumented function will do the generic LookupAccountSidW via GetUserNameExW, but it can act as a proxy function, or something.

https://pastebin.com/raw/ZsReS7k4

An image illustrating the current CloudFlare status

https://www.cloudflarestatus.com/

We've updated the vx-underground Windows malware paper collection

- 2023-07-29 - Lord Of The Ring0 - Part 5 Sarumans Manipulation
- 2023-08-13 - LAPS 2.0 Internals
- 2023-08-29 - DevTunnels for C2
- 2023-09-06 - How to Troll an AV