Olivia
Online
Kevin Perlow
@KevinPerlow
RE and CTI. Feel free to take a gander at my past presentations:
Joined January 2011
21 Following
1.3K Followers
138 Posts
@coolestcatiknow What happens if I need to take 983,327 sticks
Some North Korean post infection malware. Nothing groundbreaking, I just always like to see the actual code when vendors gloss over it:
https://t.co/g2elohLVox
I’ve included hashes where the files were on VT, if you want to grab them to look for yourself.
Some notes and testing on (what I think is) a #VIRTUALGATE sample, following Mandiant's ESXI report:
https://t.co/XjHyQ2eaCs
MD5 3c7316012cba3bbfa8a95d7277cda873
-Opens VMCI listener on 25736
-Listens
-Runs what it receives via cmd
Post shows RE + how to test it. Cool malware
Who to follow
Arkbird
@Arkbird_SOLG
Malware slayer
Member of @CuratedIntel
RedDrip Team
@RedDrip7
Technical Twitter of QiAnXin Technology, leading Chinese security vendor. It is operated by RedDrip Team which focuses on malware, APT and threat intelligence.
CyberWar - 싸워
@cyberwar_15
Since. 2001. 8. 8
We have been fighting against North Korean cyber operatives since August 8, 2001.
@coolestcatiknow The real question is why didn’t I tweet it sooner
@0x466162 @jackcr In his defense, you get to work with the much more inviting “Dude With the Pretzel”
.@MITREattack v9 is out!!! A big shout out 🙌 to @patrickwardle, @thomasareed, @its_a_feature_ , and @xorrior for helping us update changes to macOS🍎. There is more to come...but let's take a moment to appreciate my new favorite gif, which summarizes this release perfectly!
Also, my personal favorite talk from the conference was from @JamesPavur - A fantastic presentation on eavesdropping on satellite internet conversations.
https://t.co/nnv9r88LoZ
No technical satellite knowledge required (I barely know how they get up there)
@DrunkBinary I’m still waiting for the Godzilla-MMPR crossover to happen
@cyb3rops Yeah, I think in production land you’d have to be combining it with a last write time or at least one other factor to really make it work.
In this case, it’s more of a starting point. I’ll add a little note to clarify.
@buherator @richinseattle @daveaitel I only wrote about the DLL. Had to pick what I could get through in a few hours. My understanding:
- If you visited via browser, you got the .sys file.
- If you interacted and they sent you a VS project, you got the DLL (and perhaps the C2 sent more later, who knows).
A look at some of the malware mentioned in this Google TAG research.
https://t.co/NTsIgMeNwT
- Two-stage (payload in ProgramData)
- AV Check (Kasp, Avast)
- Basic Persistence
- Multiple C2s per payload
More to be done re:C2 comm (unless someone does it first)
#DPRK
New blog post from TAG with details of a North Korean campaign targeting security researchers working on vulnerability research and development.
https://t.co/Ec2TaMMXeQ
Stay safe out there everyone!
Interesting possible relationship between #TinyPOS + #ProLocker
https://t.co/g5dh5nKA8V
I lean towards, "would makes sense if it's the same group," but far from definitive. Was trying to find infrastructure.
@DrunkBinary (for the hashes)
@cyb3rops (for code segments and YARA)
@markarenaau @markus_neis @craiu @Mao_Ware @VK_Intel @anthomsec @lazyactivist192 @nullcookies @0xAmit @sysopfb @WylieNewmark @saffronsec @DennisRand @JasonMilletary @darienhuss @kafeine @NateBeachW @bry_campbell @DeepSpaceEye @cahlberg @smoothimpact @Sachkov_GIB @bambenek @LexfoSecurite I told you at least one person to talk to for TrickBot primary source data.
@evilrez @markarenaau @craiu @Mao_Ware @VK_Intel @anthomsec @lazyactivist192 @nullcookies @0xAmit @sysopfb @WylieNewmark @markus_neis @saffronsec @DennisRand @JasonMilletary @darienhuss @kafeine @NateBeachW @bry_campbell @DeepSpaceEye @cahlberg @smoothimpact @Sachkov_GIB @bambenek @AepEap (I think. I could be misremembering and this is the same one just with a new time stamp).
@evilrez @markarenaau @craiu @Mao_Ware @VK_Intel @anthomsec @lazyactivist192 @nullcookies @0xAmit @sysopfb @WylieNewmark @markus_neis @saffronsec @DennisRand @JasonMilletary @darienhuss @kafeine @NateBeachW @bry_campbell @DeepSpaceEye @cahlberg @smoothimpact @Sachkov_GIB @bambenek @AepEap Misread. So, that’s not the one I mean. They had an older 2019 post that referenced the ecombox dot store C2 (as best I recall). That’s relevant to Mark’s question, because it provides a second independent source for the general claim.
Last Seen Users on Sotwe
Libertinosrj2
Seen from Israel
Double Fisting
Seen from Turkey
Ogah
Seen from Indonesia
Xixi
Seen from Indonesia
Güncel Türk Porno - Yeni Türk Pornoları
Seen from Turkey
Pecinta Tante
Seen from France
teman dekatmu
Seen from Indonesia
ตากล้องหุ่นหมี 
Seen from Singapore
gái dâm thích đụ
Seen from Singapore
SANDIKLI EVLİ GİZLİ AP
Seen from Turkey
Most Popular Users
Elon Musk
@elonmusk
240.4M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.7M followers
Cristiano Ronaldo
@cristiano
110.2M followers
Narendra Modi
@narendramodi
107M followers
Rihanna
@rihanna
97.6M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.8M followers
KATY PERRY
@katyperry
87.5M followers
Taylor Swift
@taylorswift13
81.3M followers
Lady Gaga
@ladygaga
72.8M followers
Kim Kardashian
@kimkardashian
69.7M followers
Virat Kohli
@imvkohli
69.6M followers
YouTube
@youtube
68.7M followers
Bill Gates
@billgates
63.8M followers
The Ellen Show
@theellenshow
62.5M followers
Neymar Jr
@neymarjr
62.3M followers
CNN
@cnn
61.9M followers
X
@x
60.8M followers
Selena Gomez
@selenagomez
60.5M followers