REvil detained

Another REvil member detained

We've added a new paper to the VXUG AV paper collection: "In-Depth Analysis of Ransom Note Files" by Yassine Lemmou, Jean-Louis Lanet, El Mamoun Souidi

Analysis of ransomware notes & proposed prototype of identifying Threat Actors by their ransom notes

https://vx-underground.org/av.html

BlackBerry ThreatVector team identified a new ransomware variant dubbed "LokiLocker".

You can download LokiLocker ransomware samples here:

https://samples.vx-underground.org/samples/Families/LokiLockerRansomware/

Node-IPC latest update contains the "Peace not war" module which:

1. Wipes the disk of Belarusian and Russian computers
2. Leaves a note on the machine stressing the importance of peace

More info: https://twitter.com/bantg/status/1504213698658938881

We've updated the vx-underground APT collection.

Due to the volume of APT papers and samples being released we are unable to list everything being added. There have been 105 APT papers released in 80 days.

Recent additions can be viewed here: https://vx-underground.org/apts.html#2022

We've got more malware available for bulk download.

*Don't ask the password
*All files named using the Kaspersky naming convention
*8,500,000+ samples present

Have a nice day

Download: https://samples.vx-underground.org/samples/Blocks/

CaddyWiper, the destructive malware which previously targeted Ukrainian organizations, used "DsRoleGetPrimaryDomainInformation" to determine if the device it is running on is the Domain Controller.

Other malware families using this technique:
-TrickBot
-Maze ransomware

We have the Conti ransomware source code (version 3). This includes a compiled locker and decryptor. We have archived it.

You can download it here: https://share.vx-underground.org

Proofpoint released a paper on a malware campaign "Serpant Backdoor". This campaign targeted the French government as well as French Real Estate & Construction companies.

It also utilized steganography, an image from Dora the Explorer

Download: https://samples.vx-underground.org/APTs/2022/2022.03.21/

We have over 11,000,000 unique malware samples available for bulk download.

* Named using Kaspersky naming convention

Download available here: https://samples.vx-underground.org/samples/Blocks/

We've added a new paper to the vx-underground Windows paper collection

"Azure Outlook Command & Control that uses Microsoft Graph API for C2 communications & data exfiltration" by 0xBoku & C5pider

Check it out here: https://www.vx-underground.org/windows.html#scab

"Operation Dragon Castling", which has been targeting companies in South East Asia, has a stage 2 loader named CoreX. CoreX uses the same SYSCALL sorting method created by the folks over at MDSecLabs

Paper API Unhooking via SYSCALL sorting: https://papers.vx-underground.org/papers/VXUG/Mirrors/BypassingUserModeHooksandDirectInvocationofSystemCallsforRedTeams.pdf

Paper on OPERATION DRAGON CASTLING: https://decoded.avast.io/luigicamastra/operation-dragon-castling-apt-group-targeting-betting-companies/

We have made an additional 2,400,000+ malware samples available for bulk download.

Total available for bulk download: approx. 15,000,000

Have a nice day.

Download: https://samples.vx-underground.org/samples/Blocks/

We have enabled reactions.

Volexity released a paper on a MacOS malware dubbed "GIMMICK". They shared the samples in the blog post! ♥️

We have never seen a company do this before!🥰

Paper: https://www.volexity.com/blog/2022/03/22/storm-cloud-on-the-horizon-gimmick-malware-strikes-at-macos/

We've updated the vx-underground Malware Defense paper collection: "Anti-UPX Unpacking Technique" by Shusei Tomonaga

Have a nice day.

Check it out here: https://vx-underground.org/av.html

LAPSUS$ group has been arrested.
More info: https://www.bbc.com/news/technology-60864283

As ransomware groups, such as Lockbit, ALPHV, and HIVE, continue to ramp up operations it is important we review how these groups operate.