What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
News.webp 2023-02-18 03:02:00 Malware Arsenal used by Ember Bear (aka UAC-0056, Saint Bear, UNC2589, Lorec53, TA471, Nodaria, Nascent Ursa, LorecBear, Bleeding Bear, and DEV-0586) in attacks targeting Ukraine (samples) (direct link) 2023-02-18. Ember Bear (aka UAC-0056, Saint Bear, UNC2589, Lorec53, TA471, Nodaria, Nascent Ursa, LorecBear, Bleeding Bear, and DEV-0586) is an Advanced Persistent Threat (APT) group believed to be based in Russia. Their primary targets have been diplomatic and government entities in Europe, particularly Ukraine, and the United States. They have also targeted various industries, including defense, energy, and technology. Download the full collection. Email me if you need the password (see in my profile) (209 MB. 218 samples listed in the hash tables below). The malware arsenal collected here includes: Elephant framework (GrimPlant (Backdoor) and GraphSteel (Stealer)); Graphiron Backdoor; OutSteel (LorecDocStealer); BabaDeda; Cobalt Strike (Beacon); SaintBot Downloader; WhisperGate Wiper. APT Group Description. APT Group aliases: UAC-0056 (UA CERT); Ember Bear (Crowdstrike); Saint Bear (F-Secure); UNC2589 (Fireeye, IBM); Lorec53 (NSFOCUS); TA471 (Proofpoint); Nodaria (Symantec); Nascent Ursa (Palo Alto); LorecBear; Bleeding Bear (Elastic); DEV-0586 (Microsoft). The group is a suspected Russian state-sponsored cyber espionage group that has been active since at least March 2021. The group primarily targets Ukraine and Georgia, but has also targeted Western European and North American foreign ministries, pharmaceutical companies, and financial sector organizations. The group is known for using various malicious implants such as GrimPlant, GraphSteel, and CobaltStrike Beacon, as well as spear phishing attacks with macro-embedded Excel documents. In January 2022, the group performed a destructive wiper attack on multiple Ukrainian government computers and websites, known as WhisperGate. The Lorec53 group is a new type of APT group fi Ransomware Malware Hack Tool Vulnerability Threat Medical
★★
News.webp 2023-01-21 01:58:26 DDE Command Execution malware samples (direct link) Here are a few samples related to the recent DDE Command execution. Reading: 10/18/2017 InQuest/yara-rules; 10/18/2017 https://twitter.com/i/moments/918126999738175489; 10/18/2017 Inquest: Microsoft Office DDE Macro-less Command Execution Vulnerability; 10/18/2017 Inquest: Microsoft Office DDE Vortex Ransomware Targeting Poland; 10/16/2017 https://twitter.com/noottrak/status/919975081828261888; 10/14/2017 Inquest: Microsoft Office DDE Freddie Mac Targeted Lure; 10/14/2017 Inquest: Microsoft Office DDE SEC OMB Approval Lure; 10/12/2017 NViso labs: YARA DDE rules: DDE Command Execution observed in-the-wild; 10/11/2017 Talos: Spoofed SEC Emails Distribute Evolved DNSMessenger; 10/10/2017 NViso labs: MS Office DDE YARA rules Ransomware Malware ★★
News.webp 2023-01-21 01:53:30 Linux/AirDropBot samples (direct link) Malware Must Die: MMD-0064-2019 - Linux/AirDropBot. Mirai variant targeting Linksys E-series - Remote Code Execution tmUnblock.cgi. Download. Email me if you need the password (see in my profile). Malware Inventory (work in progress). Hashes MD5 SHA256 SHA1 85a8aad8 ★★
News.webp 2023-01-20 01:04:20 Masad Clipper and Stealer - Windows spyware exfiltrating data via Telegram (samples) (direct link) 2019-09-25 Juniper. Masad Stealer: Exfiltrating using Telegram. “Masad Clipper and Stealer” steals browser information, computer files, and automatically replaces cryptocurrency wallets from the clipboard with its own. It is written using Autoit scripts and then compiled into a Windows executable. It uses Telegram to exfiltrate stolen information. Download Other malware ★★★
News.webp 2023-01-20 00:49:24 APT Calypso RAT, Flying Dutchman Samples (direct link) 2019-10-31 Calypso APT: new group attacking state institutions. Attackers exploit Windows SMB vulnerability CVE-2017-0143 or use stolen credentials to gain access, deploy the custom Calypso RAT and use it to upload other tools such as Mimikatz, EternalBlue and EternalRomance. They move laterally and steal data. Download. Email me if you need the password (see in my profile). Download Other malware. Hashes
News.webp 2022-07-04 22:50:21 Equation samples - from the Kaspersky Report and additional (direct link) Here are a few samples from the report by Kaspersky Lab "Equation: The Death Star of Malware Galaxy" and additional samples of the same family. The full list is below. Download all the samples listed below. Email me if you need the password (New link). List of files. Files from the report: Malware
News.webp 2020-12-15 00:41:04 2020-12-13 SUNBURST SolarWinds Backdoor samples (direct link) Reference: I am sure you all saw the news. 2020-12-13 Fireeye: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor; 2020-12-13 Microsoft: Customer Guidance on Recent Nation-State Cyber Attacks. Well, here are the Sunburst binaries. Download Other malware Mobile Solardwinds
News.webp 2020-04-19 12:10:37 KPOT info stealer samples (direct link) KPOT Stealer is a “stealer” malware that focuses on stealing account information and other data from various software applications and services. References: 1. 2020-04-19 Didier Stevens posted analysis of KPOT infostealer on the Infosec Handlers Diary blog "KPOT Analysis: Obtaining the Decrypted KPOT EXE". These are samples to follow his analysis routine. 2. 2019-05-09 Proofpoint. New KPOT v2.0 stealer brings zero persistence and in-memory features to silently steal credentials. Download Other malware. Download. Email me if you need the password (see in my profile) Malware
News.webp 2019-10-06 17:17:18 Amnesia / Radiation Linux botnet targeting Remote Code Execution in CCTV DVR samples (direct link) Reference: Amnesia / Radiation botnet samples targeting Remote Code Execution in CCTV DVR. 2017-04-06 Palo Alto Unit 42. New IoT/Linux Malware Targets DVRs, Forms Botnet; 2016-08-11 CyberX Radiation IoT Cybersecurity campaign. Download Other malware. Download. Email me if you need the password (see in my profile) Malware
News.webp 2019-06-04 00:31:09 HiddenWasp Linux malware backdoor samples (direct link) Here are Hidden Wasp Linux backdoor samples. Enjoy. Reference: Intezer HiddenWasp Malware Stings Targeted Linux Systems. Download. Email me if you need the password (see in my profile). File informatio Malware
News.webp 2017-10-18 09:33:06 DDE Command Execution malware samples (direct link) Here are a few samples related to the recent DDE Command execution. Reading: 10/18/2017 InQuest/yara-rules; 10/18/2017 https://twitter.com/i/moments/918126999738175489; 10/18/2017 Inquest: Microsoft Office DDE Macro-less Command Execution Vulnerability; 10/18/2017 Inquest: Microsoft Office DDE Vortex Ransomware Targeting Poland; 10/16/2017 https://twitter.com/noottrak/status/919975081828261888; 10/14/2017 Inquest: Microsoft Office DDE Freddie Mac Targeted Lure; 10/14/2017 Inquest: Microsoft Office DDE SEC OMB Approval Lure; 10/12/2017 NViso labs: YARA DDE rules: DDE Command Execution observed in-the-wild; 10/11/2017 Talos: Spoofed SEC Emails Distribute Evolved DNSMessenger; 10/10/2017 NViso labs: MS
News.webp 2017-04-05 22:57:33 Part II. APT29 Russian APT including Fancy Bear (direct link) This is the second part of Russian APT series. "APT29 - The Dukes Cozy Bear: APT29 is threat group that has been attributed to the Russian government and has operated since at least 2008.1210 This group reportedly compromised the Democratic National Committee starting in the summer of 2015" (src. Mitre ATT&CK). Please see the first post here: Russian APT - APT28 collection of samples including OSX XAgent. I highly recommend reading and studying these resources first: Mitre ATT&CK; 2017-03 Disinformation. A Primer In Russian Active Measures And Influence Campaigns. Hearings before the Select Committee on Intelligence, March 2017; 2014-08 Mikko Hypponen. Governments as Malware Authors. Presentation ppt.; 2016. No Easy Breach: Challenges and Lessons from an Epic Investigation. Mandiant. Matthew Dunwoody, Nick Carr. Video; Beyond 'Cyber War': Russia's Use of Strategic Cyber Espionage and Information Operations in Ukraine. NATO Cooperative Cyber Defence Centre of Excellence/ Fireeye - Jen Weedon. List of References (and samples mentioned) listed from oldest to newest: 2012-02 FSecure. COZYDUKE; 2013-02_Crysys_Miniduke Indicators; 2013-04_Bitdefender_A Closer Look at MiniDuke; 2014-04 FSecure_Targeted Attacks and Ukraine; 2014-05_FSecure.Miniduke still duking it out; 2014-07_Kaspersky_Miniduke is back_Nemesis Gemina and the Botgen Studio; 2014-07_Kaspersky_The MiniDuke Mystery PDF 0-day; 2014-11_FSecure_OnionDuke APT Attacks Via the Tor Network; 2014_FSecure_Cosmicduke Cosmu with a twist of MiniDuke; 2015-04_Kaspersky_CozyDuke-CozyBear APT 29 APT 28
News.webp 2017-03-31 02:03:28 Part I. Russian APT - APT28 collection of samples including OSX XAgent (direct link) This post is for all of you, Russian malware lovers/haters. Analyze it all to your heart's content. Prove or disprove Russian hacking in general or DNC hacking in particular, or find that "400 lb hacker" or nail another country altogether. You can also have fun and exercise your malware analysis skills without any political agenda. The post contains malware samples analyzed in the APT28 reports linked below. I will post APT29 and others later. Read about groups and types of targeted threats here: Mitre ATT&CK. List of References (and samples mentioned) listed from oldest to newest: APT28_2011-09_Telus_Trojan.Win32.Sofacy.A; APT28_2014-08_MhtMS12-27_Prevenity; APT28_2014-10_Fireeye_A_Window_into_Russia_Cyber_Esp.Operations; APT28_2014-10_Telus_Coreshell.A; APT28_2014-10_TrendMicro Operation Pawn Storm Using Decoys to Evade Detection; APT28_2015-07_Digital Attack on German Parliament; APT28_2015-07_ESET_Sednit_meet_Hacking; APT28_2015-07_Telus_Trojan-Downloader.Win32.Sofacy.B; APT28_2015-09_Root9_APT28_Technical_Followup; APT28_2015-09_SFecure_Sofacy-recycles-carberp-and-metasploit-code; APT28_2015-10_New Adobe Flash Zero-Day Used in Pawn Storm; APT28_2015-10_Root9_APT28_targets Financial Markets; APT28_2015-12_Bitdefender_In-depth_anal APT 29 APT 28
News.webp 2015-05-13 00:05:32 An Overview of Exploit Packs (Update 25) May 2015 (direct link) Update May 12, 2015: Added CVE-2015-0359 and updates for CVE-2015-0336. Exploit kit table 2014-2015 (Sortable HTML table). Reference table: Exploit References 2014-2015. Update March 20, 2015: Added CVE-2015-0336. Update February 19, 2015: Added Hanjuan Exploit kit and CVE-2015-3013 for Angler. Update January 24, 2015: http://www.kahusecurity.com Added CVE-2015-3010, CVE-2015-3011 for Angler and a few reference articles. If you notice any errors, or some CVE that need to be removed (were retired by the pack authors), please let me kn Guideline
News.webp 2015-01-27 23:11:24 Video archives of security conferences and workshops (direct link) Just some links for your enjoyment. List of security conferences in 2014. Video archives: AIDE (Appalachian Institute of Digital Evidence): 2013, 2012, 2011; Blackhat: 2012 or 2012 torrent; Botconf: 2013; Bsides: BSides DC 2014, BSides Chicago 2014, BSides Nashville 2014, BSides Augusta 2014, BSides Huntsville 2014, BSides Las Vegas 2014, BSidesDE 2013, BSidesLV 2013, BSidesRI 2013, Bsides Cleveland 2012 BsidesCLE, Bsides Las Vegas 2012; Chaos
News.webp 2013-12-08 17:54:45 OSX malware and exploit collection (~100 files) + links and resources for OSX malware analysis (direct link) 'Tis the season. Here is a nice collection of ~100 Mac OS malware and Word document exploits carrying MacOS payload (all are CVE-2009-0563) along with links for OSX malware analysis. Please send your favorite tools for OSX if they are not listed. CVE-2009-0563: Stack-based buffer overflow in Microsoft Office Word 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Microsoft Office for Mac 2004 and 2008; Open XML File Format Converter for Mac; Microsoft Office Word Viewer 2003 SP3; Microsoft Office Word Viewer; and Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 allows remote attackers to execute arbitrary code via a Word document with a crafted tag containing an invalid length field, aka "Word Buffer Overflow Vulnerability." Links: Some OSX malware analysis tools and links: http://computer-forensics.sans.org/community/papers/gcfa/mac-os-malware-analysis_2286 http://en.wikibooks.org/wiki/Reverse_Engineering/Mac_OS_X http://contagiodump.blogspot.com/2012/12/osxdockstera-and-win32trojanagentaxmo.html Tools: Activity Monitor (Mac OSX Utilities folder); MacMemoryze (support for Mountain Lion) free, Volatility (
News.webp 2013-09-09 00:21:11 Sandbox MIMIng. CVE-2012-0158 in MHTML samples and analysis (direct link) Wikipedia. Update - Sept 4, 2013: I added more descriptions and changed NjRat / Backdoor.LV to Vidgrab - in the traffic communications are similar to NjRat/Backdoor;lv but it does not use base64 and sends initial request starting with ...3 (0x01 0x00 0x00 0x00 0x33) followed by null bytes - it does not start with lv|. I am still looking for names for a few other backdoors below, so if you recognize them, please let me know. Recently, my custom sandbox has been trying to open some Word attachments in a browser because the filetype fingerprint service detected them as MIME HTML files. Browsers are usually the default applications for such types and they did contain the CVE-2012-0158 exploit. A quick Google lookup yielded a May 2013 report from the Chinese company Antiy "The Latest APT Attack by Exploiting CVE-2012-0158 Vulnerability", which described this new exploit vector. Antiy noted that these MHTML files evade antivirus and indeed only half of vendors represented on Virustotal detect. However, many companies rely on their automated tools, inline and standalone sandboxes not just Antivirus to determine if the file is malicious. I checked how these files (file without any extension) were processed by other commercial and open source mailboxes. 3 out of 5 well known commercial and open source mail scan and web sandbox vendors returned no output or informed me that that filetype was not supported. While writing this post, I noticed that Malwaretracker also mentioned the rise in this vector usage in his post on Friday, so I am sure the sandbox vendors are fixing the issue as we speak. I checked 25 MHTML CVE-2012-0158 files and compared their targets (at least those I could obtain) and payload. The analysis showed a good variety of trojans and predominantly human rights (Tibet, Uyghur) activists.
I will post a month worth of these files. CVE #: CVE-2012-0158. The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2 Yahoo
Last update at: 2024-03-29 15:09:43