We've made updates to the vx-underground APT collection:
- FontOnLake, linux malware
- APT InSideCopy
Samples and papers included.
Check it out here: https://vx-underground.org/apts
We've updated the vx-underground malware source code repository. We have added Android.GhostBot, an Android spyware proof-of-concept capable of surveillance on the target, with functionality similar to Pegasus.
You can check it out here (under Android section): https://github.com/vxunderground/MalwareSourceCode
Grief ransomware group has ransomed the National Rifle Association (NRA).
Link: http://griefcameifmv4hfr3auozmovz5yi6m3h3dwbuqw7baomfxoxz4qteid.onion
We will be releasing the toolkit the Conti ransomware group and the BlackMatter ransomware group use tomorrow on Twitter. However, to thank our supporters, and to thank individuals for following our Telegram, we will be releasing a vx-underground Telegram exclusive.
Background information:
The files we have received are scripts used by the group TeamTNT in their Chimaera campaign. This campaign has been discussed multiple times by various security vendors and researchers.
1. TrendMicro discussed it here: https://www.trendmicro.com/en_us/research/21/c/teamtnt-continues-attack-on-the-cloud--targets-aws-credentials.html
2. PaloAlto Unit42 discussed it here: https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
A security researcher on Twitter named r3dbU7z (https://twitter.com/r3dbU7z) tracked TeamTNT and uploaded a collection of TeamTNT's scripts/toolkits onto VirusTotal. Threat actors became aware of this, pulled the script compilation from a different location (we believe bazaar.abuse.ch), modified them for their personal usage, and are now distributing them to ransomware affiliates to aid in post-exploitation. The files we are sharing are NOT detected well on VirusTotal (they are bash scripts; we are aware it is difficult to make YARA/SIGMA rules that cover them well).
The password: infected
We have archived the voicemail the SunCrypt ransomware group left on a victim company's telephone.
You can listen to the voicemail here:
https://www.youtube.com/watch?v=htsSaPNgm8s
Suncrypt Ransomware leaves victim a message
No details are available on who the victim was. Audio released by Sophos.
Archived via vx-underground.org
InterviewWithKajit.pdf
5.5 MB
Notes from UG Vol. 1 has been released
We interviewed Kajit, a former REvil and DarkSide operator & the admin of the Ransomware Marketplace forum (RAMP)
In this interview we allowed members of our Discord to ask him anything
We've updated the vx-underground APT sample collection:
- WinDealer
- SQUIRRELWAFFLE
- WsLink
Have a nice day.
https://vx-underground.org/apts
ExMatter.rar
2.1 MB
Today Symantec released a paper on BlackMatter's new exfiltration tool dubbed 'ExMatter'.
Samples attached:)
Morphisec announced a new ransomware variant written in GoLang dubbed 'Decaf ransomware'. More samples:)
MacOS.XLoader.rar
798.3 KB
Old samples - SentinelOne wrote a paper on MacOS.XLoader. Here are the samples:)
We've made an addition to the vx-underground WINAPI Tricks GitHub repository:
- Correct implementation of URLDownloadFileW using IBindStatusCallback callbacks to ensure remote file download was completed successfully
Check it out here: https://github.com/vxunderground/WinAPI-Tricks