blog.disasm.me @disasmdotme - Twitter Profile

disasmdotme retweeted

Escalator

@ptescalator

over 1 year ago

https://t.co/8pxT4wQpzb

0

3

2

0

949

blog.disasm.me @disasmdotme

almost 2 years ago

typo fix: "raquest" instead of "request" in 1/

0

24

blog.disasm.me @disasmdotme

almost 2 years ago

#python #trojan found and reported on #pypi: 1/ Andoid Stealer via Telegram Bot with packages like "request" and "ebell". Pics 1-2. 2/ Clipper with persist. "testjsonn1" and so. Pic 3. 3/ Multiplatform stealer that looks for .env and ssh-files. "popeye-pip-v3". Pic 4.

disasmdotme's tweet photo. #python #trojan found and reported on #pypi:

1/ Andoid Stealer via Telegram Bot with packages like "request" and "ebell". Pics 1-2.

2/ Clipper with persist. "testjsonn1" and so. Pic 3.

3/ Multiplatform stealer that looks for .env and ssh-files. "popeye-pip-v3". Pic 4. https://t.co/f3Zi5t0iCZ

1

0

45

blog.disasm.me @disasmdotme

almost 2 years ago

@decodebytes @TrustyPkg As I can see, these packages download wannacry executable without running it, just a security research :) But anyway thanks for your work and welcome to PyPI trojan reporting!

1

0

7

Who to follow

Aziz Farghly ⚡

@FarghlyMal

Threat Researcher @nextronsystems (The thoughts and content I share are personal and not representative of my employer.)

Leonid Bezvershenko

@bzvr_

Senior Security Researcher @ Kaspersky, GReAT | Drovosec CTF team | Tweets are my own

DoronZ

@doronz88

Cyber security researcher. Currently focusing on iOS. Developer of: #pymobiledevice3 #hilda #harlogger #RpcProject #cfprefsmon #fa

blog.disasm.me @disasmdotme

almost 2 years ago

Found interesting yet simple #python trojan on #pypi - "transformars" (typosquatting on popular "transformers" package). It decrypts binary data using random.seed + random.getrandbits, and will try to unpicke this blob. It hides XMR miner. Reported to pypi admins. Stay safe.

disasmdotme's tweet photo. Found interesting yet simple #python trojan on #pypi - "transformars" (typosquatting on popular "transformers" package).

It decrypts binary data using random.seed + random.getrandbits, and will try to unpicke this blob. It hides XMR miner.

Reported to pypi admins. Stay safe. https://t.co/A90VErHtrx

0

34

blog.disasm.me @disasmdotme

over 3 years ago

Ahh, previously mentioned package was really used by this "developer" to trojanize his own users! 11 forks, 31 stars :/ https://t.co/6VKXQ5n7Zh

disasmdotme's tweet photo. Ahh, previously mentioned package was really used by this "developer" to trojanize his own users! 11 forks, 31 stars :/

https://t.co/6VKXQ5n7Zh https://t.co/JUaAMTGJAq

0

blog.disasm.me @disasmdotme

over 3 years ago

3/ - Stealing not only #Exodus and #Atomic wallets and #Steam accounts, but also data from game called #NationsGlory (i haven't seen any malware that targets this game)

disasmdotme's tweet photo. 3/
- Stealing not only #Exodus and #Atomic wallets and #Steam accounts, but also data from game called #NationsGlory (i haven't seen any malware that targets this game) https://t.co/sr7nWRY6f6

0

blog.disasm.me @disasmdotme

over 3 years ago

1/ Found an interesting #pypi #trojan today ~~ Oddly named package `buildoslibuploader` hides a multifunctional #stealer Actions worth mention: - Installation of extra packages via pip (why not set them in https://t.co/fXYfVYqcYJ or requirements.txt?)

disasmdotme's tweet photo. 1/ Found an interesting #pypi #trojan today ~~

Oddly named package `buildoslibuploader` hides a multifunctional #stealer

Actions worth mention:
- Installation of extra packages via pip (why not set them in https://t.co/fXYfVYqcYJ or requirements.txt?) https://t.co/BHot4SwHhC

1

2

0

1

0

blog.disasm.me @disasmdotme

over 3 years ago

2/ - Trust factor based based on the presence of google subdomains in cookies (but with a sad mistake in regex) - Profiling stolen accounts not only by nitro and billing info, but also by "Discord Employee", "Bug Hunter Level 1" and other interesting badges

disasmdotme's tweet photo. 2/
- Trust factor based based on the presence of google subdomains in cookies (but with a sad mistake in regex)
- Profiling stolen accounts not only by nitro and billing info, but also by "Discord Employee", "Bug Hunter Level 1" and other interesting badges https://t.co/7ZEKUaYUVI

1

0

blog.disasm.me @disasmdotme

almost 4 years ago

Found new #trojan #ransomware on #pypi https://t.co/mof6EFYCLM It will encrypt documents from your home directory using 44-bytes XOR. It's a POC, and it will drop to your Desktop folder both decryptor and key. It also changes background on Windows :) Reported to pypi admins

disasmdotme's tweet photo. Found new #trojan #ransomware on #pypi

https://t.co/mof6EFYCLM

It will encrypt documents from your home directory using 44-bytes XOR. It's a POC, and it will drop to your Desktop folder both decryptor and key.

It also changes background on Windows :)

Reported to pypi admins https://t.co/UmN0xwwOPx

0

2

0

blog.disasm.me @disasmdotme

almost 4 years ago

2/ Interesting moment: this backdoor is Windows oriented, and #powershell was preferred over #cmd according to developer's comment And, as you can see, there is some protection against malware #analysis

disasmdotme's tweet photo. 2/ Interesting moment: this backdoor is Windows oriented, and #powershell was preferred over #cmd according to developer's comment

And, as you can see, there is some protection against malware #analysis https://t.co/B857bjLo67

0

blog.disasm.me @disasmdotme

almost 4 years ago

1/ "Email checker" #backdoor from #pypi strikes again! Proud to present you a new #malware package found: "Email-checkerV2". Unfortunately, there is no extra changes compared with "Email-checker" package. Funny: it tries to import non-default libraries before installing!

disasmdotme's tweet photo. 1/ "Email checker" #backdoor from #pypi strikes again! Proud to present you a new #malware package found: "Email-checkerV2". Unfortunately, there is no extra changes compared with "Email-checker" package.

Funny: it tries to import non-default libraries before installing! https://t.co/FQsUw4HraG

1

0

blog.disasm.me @disasmdotme

almost 4 years ago

Found simple yet interesting #backdoor #trojan on #pypi. Package name: Email-checker It has help menu, how convenient! It uses pretty popular technique that I often see on pypi: set popular #github project in metadata to automatically have a lot of stars and forks)

disasmdotme's tweet photo. Found simple yet interesting #backdoor #trojan on #pypi.
Package name: Email-checker
It has help menu, how convenient!

It uses pretty popular technique that I often see on pypi: set popular #github project in metadata to automatically have a lot of stars and forks) https://t.co/zH9PQOeIRc

0

blog.disasm.me @disasmdotme

almost 4 years ago

Found another #trojan package on #pypi with a pretty simple naming: discord_application. It's fairly common #discord token #stealer, no obfuscation at all. Be careful and do not download unknown packages, even if they have obvious functionality by name)

disasmdotme's tweet photo. Found another #trojan package on #pypi with a pretty simple naming: discord_application. It's fairly common #discord token #stealer, no obfuscation at all.

Be careful and do not download unknown packages, even if they have obvious functionality by name) https://t.co/7HhBy4z2nU

0

blog.disasm.me @disasmdotme

almost 4 years ago

3/ And what is the payload? It's a common #discord account #stealer + #chrome password and cookies stealer + discord backdoor #injector.

disasmdotme's tweet photo. 3/ And what is the payload? It's a common #discord account #stealer + #chrome password and cookies stealer + discord backdoor #injector. https://t.co/KtxRrupNnA

0

1

0

1

0

blog.disasm.me @disasmdotme

almost 4 years ago

1/ Heh, what is it, #FUD #trojan? Package saturnian by user scarycoder. Fragment of https://t.co/fXYfVYpF9b file on screen. Reported to pypi admins

disasmdotme's tweet photo. 1/ Heh, what is it, #FUD #trojan?

Package saturnian by user scarycoder. Fragment of https://t.co/fXYfVYpF9b file on screen. Reported to pypi admins https://t.co/oIEtbXSMse

1

0

1

0

blog.disasm.me @disasmdotme

almost 4 years ago

2/ What does it download? It'a a #pyinstaller file. Not 700+ MB like last time, but only 20 MB. Undetectable by #virustotal, it's really scary... Because my system already downloaded and analyzed this file, it's 100% Trojan

disasmdotme's tweet photo. 2/ What does it download? It'a a #pyinstaller file. Not 700+ MB like last time, but only 20 MB. Undetectable by #virustotal, it's really scary... Because my system already downloaded and analyzed this file, it's 100% Trojan https://t.co/F9FN7sLuTe

1

0

1

0

blog.disasm.me @disasmdotme

almost 4 years ago

Downloaded payload behind pyinstaller is a multifunctional backdoor, some of the comments are written in Slovak.

0

blog.disasm.me @disasmdotme

almost 4 years ago

1/ Found new #pypi #malware and it's awesome! Package named discord-install-helper is a #trojan-downloader and... the payload is 778 MB! It's a working method to protect against #virustotal It uses #powershell to download file packed with #pyinstaller.

disasmdotme's tweet photo. 1/ Found new #pypi #malware and it's awesome!

Package named discord-install-helper is a #trojan-downloader and... the payload is 778 MB! It's a working method to protect against #virustotal

It uses #powershell to download file packed with #pyinstaller. https://t.co/r9QgkCc2wB

1

0

blog.disasm.me @disasmdotme

almost 4 years ago

2/ Payload named "windows subsystem handler.exe" (3BF43CF03B656F71153D6E503B8961D108F1E962A3D6AD10416B614D4F7BD2BA). 718 MB of this executable is a video file "dummy.avi". It'a film called "50/50" -_-

1

0

blog.disasm.me

@disasmdotme

Who to follow

Last Seen Users on Sotwe

Trends for you

Most Popular Users