A GitHub flaw lets attackers upload executables that appear to be hosted on a company's official repo, such as Microsoft's—without the repo owner knowing anything about it.
The following URLs, for example, make it seem like these ZIPs are present on Microsoft's source code repo:
https://github[.]com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip
https://github[.]com/microsoft/STL/files/14432565/Cheater.Pro.1.6.0.zip
But they are not. These ZIPs are #malware.
An attacker, while commenting on any GitHub commit/PR, can "attach" a file that gets assigned a URL slug containing the name of the repo where the comment was made. Even if the comment is never actually posted or later deleted by the attacker, the link to the file remains live!
And, the repo owner (Microsoft in this case) would have no knowledge of or control over such files.
Threat actors have been abusing this flaw to distribute malicious executables under the false pretense that these are coming from credible organizations' code repos.
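As an added, defender-side example (not code from the post or from GitHub), the following Python script picks out links of the shape described above, `github.com/<owner>/<repo>/files/<numeric id>/<file name>`, from an arbitrary block of text (an email body, a chat export, a scraped page) and reports that they are comment attachments, which the named repo's owner does not control, rather than repository content. The attachment path shape comes from the post; the "owner-controlled" path shapes (`releases/download`, `blob`, `raw`, `tree`, `archive`) are from general knowledge of GitHub URL layout, and the sample text and the `example-org/example-repo` links in it are constructed, except for the two defanged URLs quoted from the post.

```python
"""Flag GitHub links that are comment attachments rather than repo content.

Added example for this write-up; not code from GitHub or the original post.
"""
import os
import re
from urllib.parse import urlsplit

# Comment attachment: owner/repo inherited from wherever the comment was typed,
# then an opaque numeric id and the uploaded file name (shape from the post).
ATTACHMENT_RE = re.compile(
    r"^/(?P<owner>[^/]+)/(?P<repo>[^/]+)/files/(?P<id>\d+)/(?P<name>[^/]+)$"
)
# Path shapes that are governed by the repo owner (general GitHub knowledge,
# assumption for this example): release assets and files in the tree.
OWNER_CONTROLLED_RE = re.compile(
    r"^/[^/]+/[^/]+/(?:releases/download|blob|raw|tree|archive)/"
)
# Extensions worth escalating when they arrive as an attachment link.
EXECUTABLE_EXTS = {".zip", ".rar", ".7z", ".iso", ".exe", ".msi", ".dll",
                   ".scr", ".bat", ".cmd", ".ps1", ".js", ".vbs", ".jar"}
# Accepts plain and defanged schemes so threat-intel text can be scanned as-is.
URL_RE = re.compile(r"(?:https?|hxxps?)://[^\s<>\"']+")


def refang(url: str) -> str:
    """Undo the common '[.]' / 'hxxp' defanging so the URL parses."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def classify(url: str) -> dict:
    """Describe one URL: comment attachment, owner-controlled content, or other."""
    parts = urlsplit(refang(url.strip()))
    host = parts.netloc.lower()
    info = {"url": url, "kind": "other", "owner": None, "repo": None,
            "filename": None, "owner_controlled": None, "risky": False}
    if host not in ("github.com", "www.github.com"):
        return info
    m = ATTACHMENT_RE.match(parts.path)
    if m:
        ext = os.path.splitext(m["name"])[1].lower()
        info.update(kind="comment_attachment", owner=m["owner"], repo=m["repo"],
                    filename=m["name"], owner_controlled=False,
                    risky=ext in EXECUTABLE_EXTS)
    elif OWNER_CONTROLLED_RE.match(parts.path):
        seg = parts.path.split("/")
        info.update(kind="repo_content", owner=seg[1], repo=seg[2],
                    owner_controlled=True)
    return info


def scan_text(text: str) -> list:
    """Return, in order of appearance, every comment-attachment link in text."""
    hits = []
    for raw in URL_RE.findall(text):
        info = classify(raw.rstrip(".,;:)]"))  # drop trailing punctuation
        if info["kind"] == "comment_attachment":
            hits.append(info)
    return hits


# Constructed sample: the first two links are the ones quoted in the post,
# the remaining two use a made-up example-org/example-repo.
SAMPLE_TEXT = """Download the new build here: https://github[.]com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip
Mirror: https://github[.]com/microsoft/STL/files/14432565/Cheater.Pro.1.6.0.zip
Official release: https://github.com/example-org/example-repo/releases/download/v1.0.0/example-tool.zip
Attached notes: https://github.com/example-org/example-repo/files/1234567/notes.txt"""

if __name__ == "__main__":
    for hit in scan_text(SAMPLE_TEXT):
        print(f"{'RISKY ' if hit['risky'] else '      '}"
              f"{hit['owner']}/{hit['repo']} does not control {hit['filename']}: {hit['url']}")
```

The key point the script encodes is that the `owner/repo` segments of an attachment URL are not evidence of provenance: `classify` reports `owner_controlled=False` for every `/files/<id>/` link regardless of how reputable the path looks, and only escalates to `risky` when the attached name has an executable or archive extension. A mail gateway or chat bot can run `scan_text` over inbound text and annotate such links before a user clicks them.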
Did you know that LSASS has the ability to execute arbitrary kernel-mode addresses? I wrote a small proof of concept that allows administrators to execute unsigned code in the kernel if LSA Protection is disabled.
https://t.co/kN5MTieLLc
Some basic #IDA101 here: IDA does not support decompiling exception handlers; in other words, code that is within a catch block will not show up in the pseudocode view. A reminder that you should not blindly trust the pseudocode view.
This is a very common anti-analysis method, where an exception is intentionally thrown, triggering the code within the catch block that will not show up in the decompiled view in IDA.
Thanks to all who submitted to the Phrack #71 CFP! Expect a follow-up in the coming weeks! Got something to say to Phrack? Email us at staff AT https://t.co/Zmk3X7sIsQ and we may just answer! Use the ANTISPAM keyword and include LOOPBACK in the subject.
Welcome to my 2023 Irreverent Red Team TTP Wrap Up (Trends, Trolls, Predictions)
It's likely some of these will ruffle feathers, but hackers break things right? 😁
🧵👇
There will always be some Phish! 🎣 What makes a difference is the price (referencing @mrgretzky). Check our latest blogpost on #cryptographic methods in the fight against reverse proxy attacks 👉 https://t.co/MzlraPkthA #x33fcon #phishing @ksei__
🕶️🧐👀🥷🥁A new project by the Security Response team of @Google: https://t.co/fTO9MvhPBa. It fills a gap I have seen for years, asking the same questions in similar investigations across analysts who might have different background and know how. 🕶️🧐👀🥷🥁
I wrote a little longer response to an issue in the #MCRIT repo, explaining the library filtering and how it influences scores shown in tables, using an example of PseudoManuscrypt and presence of libzlib code therein. https://t.co/nuAZZVFW4I
I have posted the slides for the #BlackHat talk @chompie1337 and I gave yesterday -> Close encounters of the advanced persistent kind: Leveraging rootkits for post-exploitation
https://t.co/8yovzWBn7I
🛠️Today we would like to introduce you to Dynmx (https://t.co/mWeECN0rbi). You can use it to analyse Windows API call sequences using signature-based detection.
Dumbest AMSI bypass I know so far, but it works: sideloading a fake amsi.dll to a copied version of powershell which simply returns S_OK / AMSI_RESULT_CLEAN for every command. I would have thought that there was some kind of signature check upon loading amsi.dll, but apparently not.
First blog post in a while! This article describes an undocumented trick to embed executable code within (what appears to be) a read-only PE section.
https://t.co/IfK1dGaYTT
Today VirusTotal announced that each sample uploaded will be accompanied by "Code Insight". Code Insight uses Sec-PaLM, one of the generative AI models by Google, to explain what the malicious binary is doing.
Code Insight is available to all users.
tl;dr "they took my job"