Olivia
Online
Lorenzo Maffia
@Maff1t
Malware for breakfast, Incidents for lunch, and Threat Hunting for dinner
Ring 0
Joined July 2019
318 Following
133 Followers
42 Posts
@AiBreakfast https://t.co/8C298yBcSQ
Today we (@antonio_ruggia, @_pox_, @dreamersball80, @_DarioNisi) disclose some vulnerabilities that we exploited to mount a novel phishing attack on @Android by abusing inotify.
Our research will be presented at @IEEEEUROSP 23
https://t.co/QAYowmxNco
Some comments below (1/n)
New Anti-VM technique used inside #raspberryrobin malicious DLL.
By simply using EnumDisplayDevicesA you can easily detect VMware virtual displays.
@packm4d I mean > 500MB usually (my experience). Agree on entropy 😉👍
Who to follow
sicehice
@sicehice
Follow us for IP address OSINT, threat data aggregation, bulk IP lookups, free API access and more - https://t.co/FdwKUSr0a0
3xp0rt 
@3xp0rtblog
Malware and cybercrime | Cyber Threat Intelligence Analyst at @PRODAFT https://t.co/FMGOkGnMR8
Team Cymru Research
@teamcymru_S2
Follow us for the latest blogs, detections, and IOCs from the Team Cymru Research Team.
A part of @teamcymru.
I'm seeing a lot of malware with a HUGE file size!
They do this by attaching a large random resource to the binary itself.
The resource consists of a few bytes repeated multiple times➡️When inserted inside an archive or MSI installer it becomes a few MBs !!
⬇️Why?
@JAMESWT_MHT @reecdeep @VirITeXplorer @AgidCert @guelfoweb @1ZRR4H @0xToxin @ffforward @fr0s7_ @StopMalvertisin @pr0xylife I wrongly supposed that the file was malicious. In this case, libcurl.dll seems legit, so the correlation is most probably wrong.
@JAMESWT_MHT @reecdeep @VirITeXplorer @AgidCert @guelfoweb @1ZRR4H @0xToxin @ffforward @fr0s7_ @StopMalvertisin @pr0xylife It seems that they are using the same Side loading as Mustang Panda (GUP.exe, libcurl.dll..... )🤔⁉️
https://t.co/XPXjCC92QR
You can easily remove the large resource using CFFExplorer
➡️ Then calculating the hash you can discover the real payload!
#malware #malwareanalysis #reversing
Why?
Here are some of the possible reasons:
1. EDR evasion: no hash calculation, no ML/Sandbox analysis
2. AV evasion: easily change hash and modify the overall features of the binary (e.g. entropy)
3. Amcache hash not calculated correctly
4. ... other ⁉️
⬇️Bonus Advice
#Malwarebytes scored 100% on Windows protection in @MITREattack's 2022 testing. @MITREengenuity
Dive into the results on our blog and see why we're in the top 10: https://t.co/PbrMuD47ni
A Process Injection technique that:
- doesn't read/write remote process memory
- doesn't execute a remote thread.
I took the amazing idea of @x86matthew to re-use ntdll code, and I moved the execution to a remote process.
https://t.co/W8sgFjFqjo
⚠️ In macOS 12 (beta 6), Apple patched an intriguing flaw. Discovered by Gordon Long (@ethicalhax), CVE-2021-30853 allowed attackers to bypass:
▫️Gatekeeper
▫️Notarization
▫️File Quarantine
Interested in exactly how?
Read: "Where's the Interpreter!?"
https://t.co/N3aZhkSW0L
💻 Fantastic experience for the @ZenHackTeam 🇮🇹 invited in Abu Dhabi 🇦🇪 to participate in the @hackinthebox #ProCTF 🚩with the top #CTF teams!
Many thanks to @l33tdawg and the #HITB team for the great organization of the #CyberWeek 2021!
#CyberSecurity #AbuDhabi #HITBCyberWeek
💻 @ZenHackTeam ready to capture flags 🚩 to the @hackinthebox #CyberWeek #ProCTF 🦾
From Italy 🇮🇹 with friends @mhackeroni & @pwnthem0le 🤌
#CTF #HITBCyberWeek #CyberSecurity
💻 @ZenHackTeam 🇮🇹 on the way to #AbuDhabi ready to partecipate in the @hackinthebox #HITBCyberweek #ProCTF! 🦾🚩
#CyberSecurity #HackInTheBox #HITB #CyberWeek
@UniGenova @InfUNIGE
Here you can see a use-case, analyzing CobaltStrike's beacon, in its two forms of injection.
One for post-exploitation (using ResumeThread) and the second for migration (using CreateRemoteThread).
The dumped PE is automatically unmapped from memory to be easily analyzed later.
InjectionTracer v0.1 is OUT!
A tool that aims to help you to ��𝐝𝐞𝐧𝐭𝐢𝐟𝐲, 𝐝𝐞𝐛𝐮𝐠 𝐚𝐧𝐝 𝐝𝐮𝐦𝐩 the injected code.
It supports most of the known process injection techniques.
https://t.co/ykuq6R2LK8
@LiveOverflow "Shoutout to the polish and indian video creators. I do not understand a single word, but you all seem very active". Finally someone has publicly said what everyone thinks 😂😂😂
Last Seen Users on Sotwe
Trends for you
Most Popular Users
Elon Musk
@elonmusk
240.5M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.7M followers
Cristiano Ronaldo
@cristiano
110.3M followers
Narendra Modi
@narendramodi
107M followers
Rihanna
@rihanna
97.6M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.8M followers
KATY PERRY
@katyperry
87.5M followers
Taylor Swift
@taylorswift13
81.3M followers
Lady Gaga
@ladygaga
72.8M followers
Kim Kardashian
@kimkardashian
69.7M followers
Virat Kohli
@imvkohli
69.6M followers
YouTube
@youtube
68.7M followers
Bill Gates
@billgates
63.8M followers
The Ellen Show
@theellenshow
62.5M followers
Neymar Jr
@neymarjr
62.3M followers
CNN
@cnn
61.9M followers
X
@x
60.8M followers
Selena Gomez
@selenagomez
60.6M followers