vx-underground
Following the return of HelloKitty ransomware group (now HelloGookie), the individuals behind HelloKitty ransomware group released more files from CD Projekt Red – the game studio behind The Witcher and Cyberpunk 2077. Using the leaks nerds have compiled…
Note: some binaries were already compiled from the previous leak*
👍40😁10🥰4
Malware review:
2024-02-27- European diplomats targeted by SPIKEDWIRE with WINELOADER
Notes:
*Zscaler on release of this article did not attribute it to any state-sponsored Threat Actor
*Mandiant later attributed this payload to APT29 March, 22nd 2024 in an article noscriptd: "APT29 Uses WINELOADER to Target German Political Parties"
- Targets specific European diplomats via malicious PDF (0 points)
- Targets carefully enumerated, low volume of malicious PDFs sent (+1 points)
- Malicious PDF masquerading as letter from Ambassador of India for wine tasting event (0 points)
- PDF requires registration to event, links to compromised website (+1 points)
- 'Invitation site' requires guest to download .zip file (-1 point)
- .zip file contains wine.hta which masquerades as invitation event details (0 points)
- .hta file contains malicious javanoscript, obfuscated with opensource tool (-1 points)
- .hta downloads BASE64 encoded .txt from compromised website (0 points)
- .hta uses certutils.exe to BASE64 decode .txt file (+1 point)
- BASE64 decoded text file transfroms into .zip file, extracted to C:\Windows\Tasks (+1 points)
- .zip extracts sqlwrite.exe and vcruntime140.dll (+1 points)
- APT29 uses DLL sideloading vulnerability (unknown at the time) on sqlwrite.exe to load fake vcruntime140.dll (+2 points)
- Side loaded DLL function se_se_translator pulls RSA encrypted .exe out of DLL (+1 point)
- Side loaded DLL encrypts and decrypts .exe when no longer in use (+2 points)
- .exe has different modules (plugins) for different task (+2 points)
- Modules use DLL Hollowing to inject into randomly selected DLLs (+1 point)
- Each module is downloaded individually from remote C2 (compromised websites) (+2 points)
- Connecting to C2 uses GET HTTP. Sent data is custom made data blobs containing information on modules and commands sent and received (+2 points)
- Persistent achieved by Microsoft signed sqlwriter.exe DLL side loading from Windows Task Scheduler (0 points)
- Memory is zero filled when not used (+1 points)
2024-02-27- European diplomats targeted by SPIKEDWIRE with WINELOADER
Notes:
*Zscaler on release of this article did not attribute it to any state-sponsored Threat Actor
*Mandiant later attributed this payload to APT29 March, 22nd 2024 in an article noscriptd: "APT29 Uses WINELOADER to Target German Political Parties"
- Targets specific European diplomats via malicious PDF (0 points)
- Targets carefully enumerated, low volume of malicious PDFs sent (+1 points)
- Malicious PDF masquerading as letter from Ambassador of India for wine tasting event (0 points)
- PDF requires registration to event, links to compromised website (+1 points)
- 'Invitation site' requires guest to download .zip file (-1 point)
- .zip file contains wine.hta which masquerades as invitation event details (0 points)
- .hta file contains malicious javanoscript, obfuscated with opensource tool (-1 points)
- .hta downloads BASE64 encoded .txt from compromised website (0 points)
- .hta uses certutils.exe to BASE64 decode .txt file (+1 point)
- BASE64 decoded text file transfroms into .zip file, extracted to C:\Windows\Tasks (+1 points)
- .zip extracts sqlwrite.exe and vcruntime140.dll (+1 points)
- APT29 uses DLL sideloading vulnerability (unknown at the time) on sqlwrite.exe to load fake vcruntime140.dll (+2 points)
- Side loaded DLL function se_se_translator pulls RSA encrypted .exe out of DLL (+1 point)
- Side loaded DLL encrypts and decrypts .exe when no longer in use (+2 points)
- .exe has different modules (plugins) for different task (+2 points)
- Modules use DLL Hollowing to inject into randomly selected DLLs (+1 point)
- Each module is downloaded individually from remote C2 (compromised websites) (+2 points)
- Connecting to C2 uses GET HTTP. Sent data is custom made data blobs containing information on modules and commands sent and received (+2 points)
- Persistent achieved by Microsoft signed sqlwriter.exe DLL side loading from Windows Task Scheduler (0 points)
- Memory is zero filled when not used (+1 points)
❤51🤯15👍5👏3🤣2🤓2😢1😍1
vx-underground
Malware review: 2024-02-27- European diplomats targeted by SPIKEDWIRE with WINELOADER Notes: *Zscaler on release of this article did not attribute it to any state-sponsored Threat Actor *Mandiant later attributed this payload to APT29 March, 22nd 2024…
We give APT29's recent APT campaign an B+.
APT29 WINELOADER is modular, multi-staged, practices OPSEC by using multiple compromised websites, has custom built HTTP data blobs. It uses a LOLBIN like technique for persistence and uses a previously undocumented DLL Side Load vulnerability to execute payloads. Random DLL injection is a plus. The encryption and decryption of data is also an interesting plus as it improves its stealth factors and making it more difficult to reverse engineer. The precision of targets and masquerading of an wine tasting event is also interesting – demonstrating research of targets prior to attack. This same attack was later used against German politicians as well.
APT29 WINELOADER is modular, multi-staged, practices OPSEC by using multiple compromised websites, has custom built HTTP data blobs. It uses a LOLBIN like technique for persistence and uses a previously undocumented DLL Side Load vulnerability to execute payloads. Random DLL injection is a plus. The encryption and decryption of data is also an interesting plus as it improves its stealth factors and making it more difficult to reverse engineer. The precision of targets and masquerading of an wine tasting event is also interesting – demonstrating research of targets prior to attack. This same attack was later used against German politicians as well.
❤46🤓11👍5🫡1
The Microsoft Fabric community (?) forum is old and allows unchecked HTML on posts.
- Link attached, don't click the silly button
- Thanks to rari_teh for sharing this with us
Behold:
https://ideas.fabric.microsoft.com/ideas/idea/?ideaid=908a0c5d-95fe-ee11-a73c-000d3ae45d44
- Link attached, don't click the silly button
- Thanks to rari_teh for sharing this with us
Behold:
https://ideas.fabric.microsoft.com/ideas/idea/?ideaid=908a0c5d-95fe-ee11-a73c-000d3ae45d44
🤣47😁7👍6❤1🤓1
Today we decided to check in with Lockbit ransomware group. The Lockbit ransomware group administrative staff informed us that they're actively working on several new projects – most notably they have developed a new ransomware payload which targets Nutanix
🔥34🤔7👍6🤣2❤1
vx-underground
Today we decided to check in with Lockbit ransomware group. The Lockbit ransomware group administrative staff informed us that they're actively working on several new projects – most notably they have developed a new ransomware payload which targets Nutanix
We asked for a sample of the new payload. The Lockbit representative subsequently told us: "Ask the FBI for the payload"
>:(
We asked for more information on the Nutanix locker. They told us: "TLP:RED, sorry"
>:(
>:(
We asked for more information on the Nutanix locker. They told us: "TLP:RED, sorry"
>:(
🤣89👍5😁3😎2🔥1🤩1
This media is not supported in your browser
VIEW IN TELEGRAM
C programmers having a complete personality change the second they see someone mention Rust or Go (it's going to be a 4 hour long debate)
🤣146💯17❤5👍5😱4🤓4😁3🫡3🔥2🤝1
We are approaching 300,000 followers on Twitter.
This is an astronomically large number that we never expected to reach.
Some thoughts and feelings:
When vx-underground was first created in May, 2019 the initial goal was to 'revive the VX-scene' – with the hopes that with content being added and archived we could act as an accelerant of malware related education. We really wanted to see a lot of people into malware development (because it's fun!).
Initially we celebrated 100 followers, we celebrated 1,000 followers, we celebrated 10,000 followers. We never imagined so many people, from all across the planet, would care about our website, our shitposts, and the things we discuss. It's a surreal experience because all of this was a happy accident and we still have no idea what the hell is going on. Each day is something different and we just kind of go with the flow. ¯\_(ツ)_/¯
Just a few years ago malware development seemed taboo. We had many 'influential' people call us criminals, said we fueled or actively aided criminals. Now nearly 5 years later those same 'influencers' are polite to us and seem to forget the negative things they said about us.
Anyway, there is a lot that could be said, but thank you everyone for the love and support. Thank you to everyone who donates, sponsors us, gifts us things, and sends messages of support. On our side of the fence all we see is a big number of followers – we don't see the real world impact our website has created.
We are sometimes told stories that our website has helped them with their career, helped them improve their knowledge set, or aided their organization in some way. We didn't know this and we're still always amazed by this because on our side of the keyboard we're just kind of vibing out and doing what we think is cool.
We turn 5 years old soon. At our current pace we may hit 300,000 followers soon. Things we never expected. Thank you again for everything. It's been a crazy ride.
Cheers to (almost) 5 years of vx-underground and the many years to come.
This is an astronomically large number that we never expected to reach.
Some thoughts and feelings:
When vx-underground was first created in May, 2019 the initial goal was to 'revive the VX-scene' – with the hopes that with content being added and archived we could act as an accelerant of malware related education. We really wanted to see a lot of people into malware development (because it's fun!).
Initially we celebrated 100 followers, we celebrated 1,000 followers, we celebrated 10,000 followers. We never imagined so many people, from all across the planet, would care about our website, our shitposts, and the things we discuss. It's a surreal experience because all of this was a happy accident and we still have no idea what the hell is going on. Each day is something different and we just kind of go with the flow. ¯\_(ツ)_/¯
Just a few years ago malware development seemed taboo. We had many 'influential' people call us criminals, said we fueled or actively aided criminals. Now nearly 5 years later those same 'influencers' are polite to us and seem to forget the negative things they said about us.
Anyway, there is a lot that could be said, but thank you everyone for the love and support. Thank you to everyone who donates, sponsors us, gifts us things, and sends messages of support. On our side of the fence all we see is a big number of followers – we don't see the real world impact our website has created.
We are sometimes told stories that our website has helped them with their career, helped them improve their knowledge set, or aided their organization in some way. We didn't know this and we're still always amazed by this because on our side of the keyboard we're just kind of vibing out and doing what we think is cool.
We turn 5 years old soon. At our current pace we may hit 300,000 followers soon. Things we never expected. Thank you again for everything. It's been a crazy ride.
Cheers to (almost) 5 years of vx-underground and the many years to come.
❤156🔥13😘9👍6🫡6🤓2🤝2🎉1
You're all degenerates and CANNOT be trusted
https://github.com/NationalSecurityAgency/ghidra/assets/118324883/b8209e95-1bb7-4c1c-875b-8cceed44c3a1
https://github.com/NationalSecurityAgency/ghidra/assets/118324883/b8209e95-1bb7-4c1c-875b-8cceed44c3a1
🤣205🥰26😁13❤9👍5😱3🙏1