For my Brazilian Threat Hunting/DFIR friends:
Been reversing a malware called “#CNABHunter” (NUikita), and this thing is way more interesting than a regular banking trojan.
At first I had to figure out what “CNAB240/400” even was — apparently it’s a financial file standard heavily used by Brazilian ERP/banking integrations.
The malware hunts for those files in environments running TOTVS, SAP, RM, Senior, Sankhya, etc., extracts transaction data, and waits for remote commands to modify payments.
Most interesting part: it doesn’t do dumb string replacement.
The malware appears to rebuild the entire financial record using the correct field positions to keep the file structurally valid for banking processing.
Maybe my interpretation of this behavior is wrong, but that’s what I’ve understood so far from reversing it.
C2: 104.245.245[.]50:5000
Brazil is a Linux kernel rootkit factory.
Diamorphine, Brokepkg, KoviD, Reptile and now Singularity. Some of the most well-known Linux kernel rootkits came from Brazilian researchers.
Brazil has a crazy strong scene in Linux rootkit development.
Publicly disclosing the bluehammer exploit. At the time of writing this, the vulnerability is still unpatched.
Full PoC source can be found here -
https://t.co/yk80ylIfBV
Over the last 12 months, watchTowr Labs uncovered thousands of leaked credentials: cloud keys, AD creds, API tokens, even KYC data - already being abused.
Join us on our journey into “innocent” developer tools.
https://t.co/0ozS0DWfuI
Drama unfolding in Brazil right now, where it was discovered that a popular and trending lesbian dating app was vibe coded.
Turns out all you need to do is a GET request and you can pull everything.
Omarchy 2.0 is ready!! New ISO, AUR-free installation, Chrome micro-fork, Starship prompt, new icon, and 400 other changes from 45 committers 🤘 https://t.co/N4vr4WqcSB
Active Directory Security » Active Directory & Enterprise Security, Methods to Secure Active Directory, Attack Methods & Effective Defenses, PowerShell, Tech Notes, & Geek Trivia... https://t.co/1THTzBU4kQ
We've integrated the hashes of the vuln/mal drivers maintained in the LOLDrivers project by @M_haggis @_josehelps in the rule set used by the FREE THOR Lite
Hash IOCs
https://t.co/xwF688RhqP
LOLDrivers
https://t.co/EpG9IpWejV
Need an almost invisible, post-exploitation, persistent, fileless, LPE backdoor? There are many, but this one looks really beautiful to me: type "sc.exe sdset scmanager D:(A;;KA;;;WD)" from an elevated command prompt.
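Decoding that one-liner: `sc.exe sdset` replaces the Service Control Manager's entire security descriptor, and `D:(A;;KA;;;WD)` leaves a DACL with a single access-allowed ACE giving `WD` (Everyone) the `KA` mask, 0xF003F, which is bit-for-bit `SC_MANAGER_ALL_ACCESS`. Every local user can then create a service that runs as SYSTEM, and nothing is written to disk beyond the registry-backed descriptor. The script below is an added example (mine, not the post author's) that parses the string `sc.exe sdshow scmanager` prints and flags allow-ACEs handing a broad trustee service-creation or DACL-write rights. The "baseline" descriptor is a constructed, default-looking DACL for the example, not a copy from any specific Windows build; check your own fleet's `sdshow` output for the real baseline.

```python
"""
Flag over-permissive ACEs in a Service Control Manager security descriptor.

Input is the SDDL string printed by `sc.exe sdshow scmanager`. The two
sample descriptors below are constructed so the script runs offline.
"""
import re
import sys

# SDDL two-letter access-right codes -> access-mask bits (SDDL spec).
# For the SCM object the low DS-style codes map onto winsvc.h rights:
# CC=CONNECT, DC=CREATE_SERVICE, LC=ENUMERATE_SERVICE, SW=LOCK,
# RP=QUERY_LOCK_STATUS, WP=MODIFY_BOOT_CONFIG.
SDDL_RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x0001, "DC": 0x0002, "LC": 0x0004, "SW": 0x0008,
    "RP": 0x0010, "WP": 0x0020, "DT": 0x0040, "LO": 0x0080, "CR": 0x0100,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "KA": 0x000F003F, "KR": 0x00020019, "KW": 0x00020006, "KX": 0x00020019,
}

SC_MANAGER_CREATE_SERVICE = 0x0002      # enough to plant a SYSTEM service
SC_MANAGER_MODIFY_BOOT_CONFIG = 0x0020
WRITE_DAC = 0x00040000                  # lets the trustee re-grant itself anything
WRITE_OWNER = 0x00080000
GENERIC_ALL = 0x10000000
GENERIC_WRITE = 0x40000000

# Trustees that every low-privileged logon ends up a member of.
BROAD_TRUSTEES = {
    "WD": "Everyone", "S-1-1-0": "Everyone", "AU": "Authenticated Users",
    "IU": "Interactive", "BU": "Users", "AN": "Anonymous", "BG": "Guests",
    "NU": "Network", "AC": "All Application Packages",
}


def rights_mask(field):
    """Convert an SDDL rights field ('KA', 'CCLCRPRC' or '0x1f01ff') to a mask."""
    field = field.strip()
    if not field:
        return 0
    if field.lower().startswith("0x"):
        return int(field, 16)
    if len(field) % 2:
        raise ValueError(f"malformed rights field: {field!r}")
    mask = 0
    for i in range(0, len(field), 2):
        code = field[i:i + 2]
        if code not in SDDL_RIGHTS:
            raise ValueError(f"unknown SDDL right {code!r}")
        mask |= SDDL_RIGHTS[code]
    return mask


def parse_dacl(sddl):
    """Return the DACL ACEs as (ace_type, flags, mask, sid) tuples."""
    m = re.search(r"D:(.*?)(?=(?:[OGS]:)|$)", sddl)   # DACL runs until O:/G:/S: or end
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        parts = body.split(";")
        if len(parts) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, flags, rights, _obj_guid, _inherit_guid, sid = parts
        aces.append((ace_type, flags, rights_mask(rights), sid))
    return aces


def scm_findings(sddl):
    """List allow-ACEs that give a broad trustee a right a backdoor needs."""
    findings = []
    for ace_type, _flags, mask, sid in parse_dacl(sddl):
        if ace_type != "A" or sid not in BROAD_TRUSTEES:
            continue
        reasons = []
        if mask & (GENERIC_ALL | GENERIC_WRITE):
            reasons.append("GENERIC_ALL/GENERIC_WRITE")
        if mask & SC_MANAGER_CREATE_SERVICE:
            reasons.append("SC_MANAGER_CREATE_SERVICE")
        if mask & SC_MANAGER_MODIFY_BOOT_CONFIG:
            reasons.append("SC_MANAGER_MODIFY_BOOT_CONFIG")
        if mask & (WRITE_DAC | WRITE_OWNER):
            reasons.append("WRITE_DAC/WRITE_OWNER")
        if reasons:
            findings.append((sid, BROAD_TRUSTEES[sid], mask, reasons))
    return findings


# Constructed samples: a default-looking SCM descriptor and the one-liner's result.
BASELINE = ("D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)"
            "(A;;KA;;;BA)(A;;CC;;;AC)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)")
BACKDOOR = "D:(A;;KA;;;WD)"

if __name__ == "__main__":
    samples = {"constructed baseline": BASELINE, "backdoor one-liner": BACKDOOR}
    if len(sys.argv) > 1:                   # paste the `sc.exe sdshow scmanager` output
        samples = {"argv": sys.argv[1]}
    for label, sddl in samples.items():
        hits = scm_findings(sddl)
        print(f"{label}: {'no broad-trustee findings' if not hits else ''}")
        for sid, name, mask, reasons in hits:
            print(f"  {sid} ({name}) mask=0x{mask:X}: {', '.join(reasons)}")
```

Collect `sc.exe sdshow scmanager` from endpoints and diff it against a known-good descriptor; a change to the SCM DACL is rare in normal operations, and the SDDL survives reboots, so a one-time check is not enough.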
Here we go!
Pre-sale of RTO: MalDev Advanced (Vol.1) is now open
Pre-sale end: Sep 27th
Course release date: Sep 28th
Userland rootkit tech, building MSVC COFFs, custom "RPC" instrumentation and more...
You can't miss it!
https://t.co/nEYFgyS0pE
#RTO #redteam #onlinelearning
Recorded a video demonstration explaining the hunting of memory artefacts from the stack of a process. It also explains how the stack as well as the heap can be encrypted during runtime to avoid memory analysis with #BRc4 v1.2
https://t.co/lq0SUnmV4c
Sigma rules for #CobaltStrike detection
- fresh and updated rules
- let's hunt these suckers down 🍼🤘
NamedPipes
https://t.co/SCV3fSgJ3Y
Process injection / hollowing
https://t.co/rJyZKTAetY
Service installations
https://t.co/y9FYWTgIng
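A minimal version of the named-pipe hunt from the first link, as an added example (mine, not the linked rule set): it runs Sysmon pipe-creation and pipe-connection events (Event IDs 17 and 18) against the default Cobalt Strike pipe-name patterns that public reporting and the community rules key on. The event lines are constructed in a simplified key=value form for the example, and the pattern list is my assumption of the relevant defaults; take the full, maintained list from the linked rules.

```python
"""
Hunt Sysmon pipe events for default Cobalt Strike pipe names.

Assumption: the patterns below are the documented defaults of the stock
Malleable C2 profile (stager, post-ex jobs and SMB beacon). A custom profile
changes pipename/pipename_stager, so this catches defaults only.
"""
import re

CS_PIPE_PATTERNS = {
    "MSSE-####-server (stager)":      re.compile(r"^\\MSSE-\d+-server$", re.I),
    "postex_#### (post-ex job)":      re.compile(r"^\\postex_[0-9a-f]{4}$", re.I),
    "msagent_## (SMB beacon)":        re.compile(r"^\\msagent_[0-9a-f]{2}$", re.I),
    "status_## (SMB beacon)":         re.compile(r"^\\status_[0-9a-f]{2}$", re.I),
    # Mimics Chrome's \mojo.<pid>.<tid>.<rand> pipes, but with a hard-coded
    # 5688.8052 prefix: real Chrome pipes carry the live pid/tid instead.
    "mojo.5688.8052.* (SMB beacon)":  re.compile(r"^\\mojo\.5688\.8052\.\d+$", re.I),
}

PIPE_EVENT_IDS = {"17", "18"}   # Sysmon: 17 = Pipe Created, 18 = Pipe Connected


def parse_event(line):
    """Parse a simplified 'Key=Value Key=Value' event line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def match_pipe(pipe_name):
    """Return the pattern label the pipe name matches, or None."""
    for label, rx in CS_PIPE_PATTERNS.items():
        if rx.match(pipe_name):
            return label
    return None


def hunt(lines):
    """Return (pipe_name, image, label) for every matching pipe event."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") not in PIPE_EVENT_IDS:
            continue
        label = match_pipe(ev.get("PipeName", ""))
        if label:
            hits.append((ev["PipeName"], ev.get("Image", "?"), label))
    return hits


# Constructed sample events (not real telemetry), in the simplified format
# parse_event() expects; Sysmon logs PipeName with the leading backslash.
EVENTS = [
    r"EventID=17 PipeName=\MSSE-2412-server Image=C:\Windows\System32\rundll32.exe ProcessId=4120",
    r"EventID=17 PipeName=\postex_8f2c Image=C:\Windows\System32\dllhost.exe ProcessId=5932",
    r"EventID=18 PipeName=\msagent_1a Image=C:\Users\bob\AppData\Local\Temp\update.exe ProcessId=7004",
    r"EventID=17 PipeName=\lsass Image=C:\Windows\System32\lsass.exe ProcessId=700",
    r"EventID=17 PipeName=\mojo.7340.2100.12345678901234567 Image=C:\Windows\chrome.exe ProcessId=8812",
    r"EventID=17 PipeName=\mojo.5688.8052.183894939787088877 Image=C:\Windows\System32\svchost.exe ProcessId=9120",
    r"EventID=3 DestinationIp=10.0.0.5 Image=C:\Windows\System32\svchost.exe ProcessId=9120",
]

if __name__ == "__main__":
    for pipe, image, label in hunt(EVENTS):
        print(f"HIT {label:32s} {pipe:42s} {image}")
```

Treat a hit as a pivot point, not a verdict: check the creating image, its parent and any injection or service-install events from the same process (the other two rule sets in the post) before calling it.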