We've made large updates to the VXUG APT collection
2021.11.24/APT-38
2021.12.07/TeamTNT
2021.12.08/ShadowPad
2021.12.13/APT-C-61
2021.12.13/Kimsuky
2021.12.14/DarkWatchman
2021.12.14/DoNot
2021.12.15/APT31
2021.12.15/Jolly Jellyfish
Check it out here: https://vx-underground.org
We've updated the VXUG Malware sample collection:
- GoLang-based Log4J malware
- BlackCat Ransomware (ALPHV), Rust-based and uses LLVM for obfuscation
- Yanluowang Ransomware, ransomware that is signed....
Check it out here: https://vx-underground.org
A Security researcher has identified the first Log4J worm. It is a self-propagating Mirai bot. We have aggregated the sample.
You can download the Log4J Mirai worm here: https://vx-underground.org
2022.01.121.7z
1.7 MB
2022.01.12/Iranian intel cyber suite of malware uses open source tools (MuddyWater)
2022.01.12_Samples.7z
7.8 MB
2022.01.12/OceanLotus (APT32) hackers turn to web archive files to deploy backdoors
REvil detained
Another REvil member detained
We've added a new paper to the VXUG AV paper collection: "In-Depth Analysis of Ransom Note Files" by Yassine Lemmou, Jean-Louis Lanet, El Mamoun Souidi
Analysis of ransomware notes & proposed prototype of identifying Threat Actors by their ransom notes
https://vx-underground.org/av.html
BlackBerry ThreatVector team identified a new ransomware variant dubbed "LokiLocker".
You can download LokiLocker ransomware samples here:
https://samples.vx-underground.org/samples/Families/LokiLockerRansomware/
Node-IPC latest update contains the "Peace not war" module which:
1. Wipes the disk of Belarusian and Russian computers
2. Leaves a note on the machine stressing the importance of peace
More info: https://twitter.com/bantg/status/1504213698658938881
banteg (Twitter): 🚨 The authors of node-ipc have pushed malware in an update, which wipes your disk if you happen to have Russian or Belorussian IP address. This affects some large projects like Vue CLI where it is a dependency. github.com/RIAEvangelist/…
We've updated the vx-underground APT collection.
Due to the volume of APT papers and samples being released we are unable to list everything being added. There have been 105 APT papers released in 80 days.
Recent additions can be viewed here: https://vx-underground.org/apts.html#2022
We've got more malware available for bulk download.
*Don't ask the password
*All files named using the Kaspersky naming convention
*8,500,000+ samples present
Have a nice day
Download: https://samples.vx-underground.org/samples/Blocks/
We have the Conti ransomware source code (version 3). This includes a compiled locker and decryptor. We have archived it.
You can download it here: https://share.vx-underground.org
Proofpoint released a paper on a malware campaign, "Serpent Backdoor". This campaign targeted the French government as well as French Real Estate & Construction companies.
It also utilized steganography, an image from Dora the Explorer
Download: https://samples.vx-underground.org/APTs/2022/2022.03.21/
We have over 11,000,000 unique malware samples available for bulk download.
* Named using Kaspersky naming convention
Download available here: https://samples.vx-underground.org/samples/Blocks/
We've added a new paper to the vx-underground Windows paper collection
"Azure Outlook Command & Control that uses Microsoft Graph API for C2 communications & data exfiltration" by 0xBoku & C5pider
Check it out here: https://www.vx-underground.org/windows.html#scab
"Operation Dragon Castling", which has been targeting companies in South East Asia, has a stage 2 loader named CoreX. CoreX uses the same SYSCALL sorting method created by the folks over at MDSecLabs
Paper on API unhooking via SYSCALL sorting: https://papers.vx-underground.org/papers/VXUG/Mirrors/BypassingUserModeHooksandDirectInvocationofSystemCallsforRedTeams.pdf
Paper on OPERATION DRAGON CASTLING: https://decoded.avast.io/luigicamastra/operation-dragon-castling-apt-group-targeting-betting-companies/