Kevin Perlow
139 posts
@KevinPerlow
RE and CTI. Feel free to take a gander at my past presentations: https://t.co/iWUyecnxC6
Joined January 2011
21 Following, 1.3K Followers

Kevin Perlow@KevinPerlow·
Not my usual subject, but I wrote my thoughts on NOAA and NWS cuts, particularly in light of the storms and tornadoes in the South/Midwest this weekend. norfolkinfosec.com/some-thoughts-… Reducing these services/relying on private companies would make these *more* dangerous. #weather #nws
Cat @ BlackHat Asia@coolestcatiknow·
VirusTotal community represented in dog culture
Kevin Perlow@KevinPerlow·
Some North Korean post infection malware. Nothing groundbreaking, I just always like to see the actual code when vendors gloss over it: norfolkinfosec.com/north-koreas-p… I’ve included hashes where the files were on VT, if you want to grab them to look for yourself.
Kevin Perlow@KevinPerlow·
Some notes and testing on (what I think is) a #VIRTUALGATE sample, following Mandiant's ESXi report: norfolkinfosec.com/some-notes-on-… MD5 3c7316012cba3bbfa8a95d7277cda873
- Opens VMCI listener on 25736
- Listens
- Runs what it receives via cmd
Post shows RE + how to test it. Cool malware
Kevin Perlow@KevinPerlow·
@0x466162 @jackcr In his defense, you get to work with the much more inviting “Dude With the Pretzel”
Kevin Perlow retweeted
Cat @ BlackHat Asia@coolestcatiknow·
.@MITREattack v9 is out!!! A big shout out 🙌 to @patrickwardle, @thomasareed, @its_a_feature_ , and @xorrior for helping us update changes to macOS🍎. There is more to come...but let's take a moment to appreciate my new favorite gif, which summarizes this release perfectly!
ATT&CK@MITREattack

It has launched! ATT&CK v9 is now live with refactored data sources, ATT&CK for Containers, Google Workspace as a platform and more! Read about new data sources and the rest of the update at medium.com/mitre-attack/a… or attack.mitre.org/resources/upda… for new/changed groups/techniques/sw.

Kevin Perlow@KevinPerlow·
Also, my personal favorite talk from the conference was from @JamesPavur - A fantastic presentation on eavesdropping on satellite internet conversations. youtu.be/d5Sbwlu6f8o No technical satellite knowledge required (I barely know how they get up there)
Kevin Perlow@KevinPerlow·
They put our BlackHat videos up the other day! :) It's a bit old now, but if you want to see how #Lazarus used ISO-8583 for the #FASTCash malware in past years, here's the URL: youtu.be/zGvQPtejX9w Feedback is always welcome - presenting to a glowing orb was not the easiest.
Kevin Perlow@KevinPerlow·
@DrunkBinary I’m still waiting for the Godzilla-MMPR crossover to happen
Kevin Perlow@KevinPerlow·
Last #Lazarus #ZINC update: a source gave me the missing registry data (~2mb reg entry). Sorry for the spam... have to do this after hours. Updated w/ brief analysis of Stage 2: norfolkinfosec.com/dprk-targeting… Screengrab, process launching, recon etc. That's it from me for a while :)
Kevin Perlow@KevinPerlow

Part II: Looking at the #DPRK /#Lazarus/#ZINC .sys malware targeting security researchers, with a hunt hypothesis as the highlight: norfolkinfosec.com/dprk-targeting… Note that I *don't* have the Stage 2 registry data. Would love to see it if someone has a copy!

Kevin Perlow@KevinPerlow·
@cyb3rops Yeah, I think in production land you’d have to be combining it with a last write time or at least one other factor to really make it work. In this case, it’s more of a starting point. I’ll add a little note to clarify.
Florian Roth ⚡️@cyb3rops·
@KevinPerlow Hi Kevin, we have a "big Registry key detection" in THOR for a long time now & found too many false positives, even with huge values, so that we had to reduce the msg level from "Warning" to "Notice", but we will look into these false positives & see if we can improve that check
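The exchange above treats an unusually large registry value (the ~2 MB Stage 2 entry) as a hunt lead, and both sides note that size alone produces too many false positives and needs to be paired with at least one other factor such as last write time. The scanner below is an added example written for this page, not code from Kevin Perlow's post or from THOR: it walks a hive with Python's standard `winreg` module (Windows only; the ranking logic runs anywhere), records each value's approximate size together with the containing key's last-write time, and keeps only values that are both large and recently written. The record layout, the 1 MB / 30-day thresholds, and the sample records are assumptions for illustration.

```python
"""Hunt for large, recently written registry values (added example, not Kevin Perlow's or THOR's code)."""
from __future__ import annotations

import datetime as dt
from dataclasses import dataclass

try:  # winreg exists only on Windows; rank_suspicious_values() does not need it
    import winreg
except ImportError:  # pragma: no cover
    winreg = None


@dataclass(frozen=True)
class RegValueRecord:
    key_path: str
    value_name: str
    size_bytes: int
    last_write: dt.datetime  # UTC last-write time of the key holding the value


def filetime_to_datetime(ft: int) -> dt.datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return dt.datetime(1601, 1, 1, tzinfo=dt.timezone.utc) + dt.timedelta(microseconds=ft // 10)


def value_size(data) -> int:
    """Approximate stored size of a value payload as returned by winreg.EnumValue."""
    if isinstance(data, bytes):                      # REG_BINARY and friends
        return len(data)
    if isinstance(data, str):                        # REG_SZ / REG_EXPAND_SZ, UTF-16 + NUL
        return len(data.encode("utf-16-le")) + 2
    if isinstance(data, list):                       # REG_MULTI_SZ, double NUL terminated
        return sum(len(s.encode("utf-16-le")) + 2 for s in data) + 2
    return 8                                         # REG_DWORD / REG_QWORD / REG_NONE


def rank_suspicious_values(records, min_size: int = 1_000_000, recent_days: int = 30,
                           now: dt.datetime | None = None) -> list[RegValueRecord]:
    """Keep values that are BOTH at least min_size bytes AND under a key written within
    recent_days (assumed thresholds); most recent first. Size alone is too noisy
    (installer caches, driver blobs, icon caches), so both factors must hold."""
    now = now or dt.datetime.now(dt.timezone.utc)
    cutoff = now - dt.timedelta(days=recent_days)
    hits = [r for r in records if r.size_bytes >= min_size and r.last_write >= cutoff]
    return sorted(hits, key=lambda r: (r.last_write, r.size_bytes), reverse=True)


def collect_values(hive, subkey: str, max_depth: int = 6) -> list[RegValueRecord]:
    """Walk hive\\subkey with winreg and record every value's size and key last-write time."""
    if winreg is None:
        raise RuntimeError("winreg is only available on Windows")
    names = {winreg.HKEY_LOCAL_MACHINE: "HKLM", winreg.HKEY_CURRENT_USER: "HKCU"}
    out: list[RegValueRecord] = []

    def walk(path: str, depth: int) -> None:
        try:
            key = winreg.OpenKey(hive, path, 0, winreg.KEY_READ)
        except OSError:
            return  # access denied or key vanished; skip it
        with key:
            n_sub, n_val, ft = winreg.QueryInfoKey(key)  # ft = key last-write FILETIME
            written = filetime_to_datetime(ft)
            full = f"{names.get(hive, str(hive))}\\{path}"
            for i in range(n_val):
                name, data, _typ = winreg.EnumValue(key, i)
                out.append(RegValueRecord(full, name or "(Default)", value_size(data), written))
            if depth < max_depth:
                for i in range(n_sub):
                    try:
                        walk(f"{path}\\{winreg.EnumKey(key, i)}", depth + 1)
                    except OSError:
                        continue

    walk(subkey, 0)
    return out


# Constructed sample records (not real registry data): a fresh 2 MB blob of the
# kind discussed above, an equally large but year-old installer cache value, and
# an ordinary small value. Only the first should survive both checks.
SAMPLE_NOW = dt.datetime(2021, 1, 28, tzinfo=dt.timezone.utc)
SAMPLE_RECORDS = [
    RegValueRecord(r"HKLM\SOFTWARE\Example\Cache", "Blob", 2_100_000,
                   dt.datetime(2021, 1, 26, tzinfo=dt.timezone.utc)),
    RegValueRecord(r"HKLM\SOFTWARE\Vendor\Installer", "Package", 2_300_000,
                   dt.datetime(2020, 2, 1, tzinfo=dt.timezone.utc)),
    RegValueRecord(r"HKCU\SOFTWARE\Example", "Version", 12,
                   dt.datetime(2021, 1, 27, tzinfo=dt.timezone.utc)),
]

if __name__ == "__main__":
    # On a Windows host, replace SAMPLE_RECORDS with collect_values(winreg.HKEY_LOCAL_MACHINE, "SOFTWARE")
    for rec in rank_suspicious_values(SAMPLE_RECORDS, now=SAMPLE_NOW):
        print(f"{rec.last_write:%Y-%m-%d} {rec.size_bytes:>9} B  {rec.key_path}\\{rec.value_name}")
```

Raising recent_days to cover the year-old installer value brings it back as a hit, which is the false-positive class the thread describes; the time window, not the size threshold, is what separates the two in practice, and a third factor (value type, owning process, key path allow-list) would tighten it further.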
Kevin Perlow@KevinPerlow·
@buherator @richinseattle @daveaitel I only wrote about the DLL. Had to pick what I could get through in a few hours. My understanding:
- If you visited via browser, you got the .sys file.
- If you interacted and they sent you a VS project, you got the DLL (and perhaps the C2 sent more later, who knows).
Richard Johnson@richinseattle·
WARNING! I can confirm this is true and I got hit by @z0x55g who sent me a Windows kernel PoC trigger. The vulnerability was real and complex to trigger. Fortunately I only ran it in VM.. in the end the VMDK I was using was actually corrupted and non-bootable, so it self-imploded
Shane Huntley@ShaneHuntley

New blog post from TAG with details of a North Korean campaign targeting security researchers working on vulnerability research and development. blog.google/threat-analysi… Stay safe out there everyone!

Kevin Perlow@KevinPerlow·
A look at some of the malware mentioned in this Google TAG research. norfolkinfosec.com/dprk-malware-t…
- Two-stage (payload in ProgramData)
- AV check (Kasp, Avast)
- Basic persistence
- Multiple C2s per payload
More to be done re: C2 comm (unless someone does it first) #DPRK
Shane Huntley@ShaneHuntley

New blog post from TAG with details of a North Korean campaign targeting security researchers working on vulnerability research and development. blog.google/threat-analysi… Stay safe out there everyone!

Kevin Perlow@KevinPerlow·
@evilrez @markarenaau @craiu @Mao_Ware @VK_Intel @anthomsec @lazyactivist192 @nullcookies @0xAmit @sysopfb @WylieNewmark @markus_neis @saffronsec @DennisRand @JasonMilletary @darienhuss @kafeine @NateBeachW @bry_campbell @DeepSpaceEye @cahlberg @smoothimpact @Sachkov_GIB @bambenek @AepEap Misread. So, that’s not the one I mean. They had an older 2019 post that referenced the ecombox dot store C2 (as best I recall). That’s relevant to Mark’s question, because it provides a second independent source for the general claim.