@YungBinary@AndreGironda The add x add r13 jmp reminded me of VMProtect, with r13 usually 0 (used for base relocation iirc)
Could this be VMProtect minus the VM?
I hate logging in.
I HATE LOGGING IN.
I log in to my password manager so I can login to my SSO account so I can login to the service so I can enter a 2FA for which I login to my phone so I login to the authenticator so I can get a 2FA code so I can finally login. GOD DAMNIT.
We report certificates for revocation when they sign malware.
What about before they sign malware?
I've started adding certificates to Cert Graveyard that are being used to "warm" the certificate and improve its score before being used to sign malware.
1/4
We investigated a CN #APT that targeted multiple governments and companies with government contracts in Asia. In half of the targets we found a second group with a different malware toolkit but sharing the infection vector and some post-exploitation tools https://t.co/IN12VBv5k4
We didn't know how an actor was using EV Certificates issued to Lenovo and others.
We now do.
From DigiCert's incident report:
"the threat actor used a compromised analyst endpoint to access DigiCert's internal support portal. The threat actor used a limited function within the customer-support portal which allows authenticated DigiCert support analysts to access customer accounts from the customer's perspective to facilitate support tasks. The threat actor was able to use this function to access initialization codes for orders that were approved but pending delivery for EV Code Signing certificate orders across a finite set of customer accounts."
"Possession of the initialization code, combined with an approved order, is functionally sufficient to generate and retrieve the corresponding certificate."
The full report can be found here and explains the incident in great detail: https://t.co/zceZsSg8yH
The report mentions "Where we got lucky: A community member involved in security research reported the evolving pattern of misused certificates and engaged in dialogue with our support team. Without that report, the undetected compromise of ENDPOINT2 and the associated mis-issuance might have remained undiscovered for a longer period."
Special thanks goes to the regular contributors to the Cert Graveyard; @g0njxa , @malwrhunterteam , and others.
Also special thanks to DigiCert: this report has a high level of transparency, which is warranted, and also well executed.
I converted the #fast16 patch engine instructions to human-readable form to get a better understanding of what exactly is being done
It's a pretty nifty engine:
- wildcards
- patterns can depend on other patterns
- scratch space
- fixup instruction
Full list:
https://t.co/RsVv2SSr2F
I couldn't find any further leads but I believe the 5966513a12a5601... (LS-DYNA related) is most promising:
- multiple pattern matches
- Intel check passes
- FPU stuff
Intel check makes a lot of sense here, as these early LS-DYNA solvers had to be compiled with Intel Fortran!
@cyb3rops For Windows binaries that are written well, switching from ASCII to Unicode strings is just a compiler switch so I can see people wanting to express "I do not care about the encoding of this string".
So if you find a hardcoded mutex, it doesn't matter if it's CreateMutexA or W.
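The point above, that a hardcoded mutex name is evidence regardless of whether the build calls the A or W variant, means any string triage has to look for the name in both ASCII and UTF-16LE. The following is an added example, not code from the thread's author: it scans a raw file image for a known mutex name in both encodings and reports which CreateMutex imports are present. The blob is constructed for illustration, not a real sample, and the mutex name is made up.

```python
"""Encoding-agnostic search for a hardcoded string (e.g. a mutex name) in a binary image.

Added example, not from the original thread. It assumes the caller has the raw file
bytes; the SAMPLE_BLOB below is constructed, not taken from a real sample.
"""
import re


def find_in_both_encodings(blob: bytes, needle: str) -> dict:
    """Return {'ascii': [offsets], 'utf16le': [offsets]} for every occurrence of needle.

    A wide-char build stores the same literal as UTF-16LE, so a search that only
    looks for the ASCII form misses it entirely.
    """
    hits = {}
    for codec, key in (("ascii", "ascii"), ("utf-16-le", "utf16le")):
        pattern = re.escape(needle.encode(codec))  # no BOM for utf-16-le
        hits[key] = [m.start() for m in re.finditer(pattern, blob)]
    return hits


def mutex_apis_present(blob: bytes) -> set:
    """Report which CreateMutex import names appear in the image (import names are ASCII)."""
    candidates = ("CreateMutexA", "CreateMutexW", "CreateMutexExA", "CreateMutexExW")
    return {name for name in candidates if name.encode("ascii") in blob}


def triage(blob: bytes, mutex_name: str) -> dict:
    """Summarise what a triage step would record: which API variants and which encodings hit."""
    hits = find_in_both_encodings(blob, mutex_name)
    return {
        "apis": sorted(mutex_apis_present(blob)),
        "ascii_hits": len(hits["ascii"]),
        "wide_hits": len(hits["utf16le"]),
    }


# Constructed sample: a "Unicode build" that only references CreateMutexW and stores the
# mutex name as UTF-16LE, plus an unrelated ASCII string as noise.
SAMPLE_MUTEX = "Global\\Example_Mutex_42"  # hypothetical name, not an IoC
SAMPLE_BLOB = (
    b"\x00" * 16
    + b"KERNEL32.dll\x00CreateMutexW\x00"
    + b"\x00" * 8
    + SAMPLE_MUTEX.encode("utf-16-le") + b"\x00\x00"
    + b"unrelated ascii string\x00"
)


if __name__ == "__main__":
    # An ASCII-only search would report zero hits here; the wide search finds the name.
    print(triage(SAMPLE_BLOB, SAMPLE_MUTEX))
```

The same idea is why YARA string rules for mutex names are normally written with the `ascii wide` modifiers: the indicator is the name, not the API suffix.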
Europe is building stronger systems to report vulnerabilities, but it risks overlooking the people who discover the flaws first: independent security researchers, write @eubenincasa and Max van der Horst.
Read the article: https://t.co/ud4cJVCwxo #EUcybersecurity
None of this is true. DailyDarkWeb is not conducting good-faith journalism or research; there are no hard questions, no challenging of their responses. All this does is give a platform to threat actors to proliferate false information.
Signed (revoked) AnyConnect installer with free credential stealer:
https://t.co/qWySA3s0o1
C2: 5.149.253[.]235
stealer in boost_stream.dll (0 AV detection) aligns with ZScaler reporting:
https://t.co/LkdWAswWfd
Looks like I missed it since, but Strela / StrelaStealer returned on Feb 6, with some new nifty tricks:
- checks mouse movements
- shows a CAPTCHA you have to correctly enter before the download button is shown
dropped JS sample: https://t.co/vZ3NeHbaXq
Useful for #idapro - you can add custom xrefs very easily, e.g. if you know a `call eax` references some function, you can manually add an edge:
add_cref(here(),get_name_ea_simple("some_func"),XREF_USER)
Then reanalyze the binary and get func parameter propagation for free!
Unk. C++ malware targeting Afghan users (decoy is in Pashto)
Hosted by 'afghanking777000' on Github
"Afghanistan Islami Emirates.iso"
IoCs
C2 IP 207.244.230[.]94
C2 theepad0loc93x.ddns[.]net
Appears to steal *.pdf, *.ppt(x), *.doc(x), *.csv and others
https://t.co/h7UtaId9iX