Navdeep

@nickharbour Looks like a couple of names from as early as top 30 were removed. That’s quite interesting..

#flareon11 I just removed (banned) 40 "finishers" for cheating. If you are a winner this year please recheck the scoreboard, you might have a better place than you thought!

@milved Thanks!

@ItsNavdeep Congratulations 👏👏

Just completed the Flare-On challenge for this year! Planning to do it at a more relaxed pace over the full six weeks next time. #flareon11

Every year I spend a lot of time learning some new witchcraft, thanks to @6502_ftw - only to realise later that I didn’t need to. #flareon11

@fsharp123 I patched the 10k score in memory after crc32 check.

Has anyone solved flake from #flareon10 the way I did? To bypass the snake length check, I patched the hardcoded high score to a low number. I then bypassed the constants object CRC check during runtime and played the game normally. No need to mess with the config file.

@thehellu Great analysis! Would like to just point out one minor oversight in the report: The bytes 08 08 08… are not a hard-coded delimiter. They are instead the 4 DNS lookup IP addresses used to resolve C2 domains: 8.8.8.8 8.8.4.4 4.4.4.4 4.2.2.2

The slides virusbulletin.com/uploads/pdf/co… and paper virusbulletin.com/uploads/pdf/co… are also available. In addition to what we published in July in our blog, the paper details our failed attempts to attribute this attack based on custom malware families and their links to other #APT groups

VB released my talk on a #Shadowpad sample delivered by a Pakistan gov application. It contains an analysis of the modified MSI installer, some tricks to pivot on old and new Shadowpad samples, an overview of the #APT campaign, and attribution discussion youtube.com/watch?v=i52MH-…

Completed another Flare-On challenge. FLARE team didn't hold back on difficulty this time around. Was (mostly) fun though! #flareon10

@m_r_tz Thanks! Definitely didn’t have Patience to type or try OCR..

lVHz/Pqbr8VCgd9KfqTrG9kg== FlArEonFlArEonFlArEonFlArEonFlArEonFlArEonFlArEonFlArEonFlArEonFlArEonFlArEonFlArEonFlArEonFlArEonFlArEonFlArEonFlArEon #flareon10

Kaspersky has released a report on the malware I described in my blog last year. #EarlyRAT #Lazarus #Andariel

@IngHidaka @G2Thijs AAECAfHhBByW6AP36AOm7wPN+QPhpATlsATHsgSWtwSY1ASa1AS42QT04wT84wT+4wSU5ASJ5gSP7QSk7wSH9gSy9wSz9wS2+gSrgAWogQWimQWXpAWfpAXipAUBieQEAA==

@G2Thijs Code is not working

Tried something else and been on a sick streak with Highlander Blood DK. Suprisingly successful, nothing more fun than +45 lifes with Reno 😄 Deckcode: SJ5gSP7QSk7wSH9gSy9wSz9wS2+gSrgAWogQWimQWXpAWfpAXipAUBieQEAA==

@verixvogel Nice job. Congrats!

That's another #flareon9 defeated! Absolutely amazing challenges this year.

@milved @nickharbour Thanks!

@ItsNavdeep @nickharbour Congratulations 🎉 🥳

Time has been scarce recently.. happy to still complete #flareon9 much faster than last year. Thanks @nickharbour and rest of the FLARE team. Looking forward to next year!

@suvaditya_ @nickharbour Thank you!

@MrT4ntr4 @nickharbour Thanks!

@ItsNavdeep @nickharbour Congrats 👏

@suvaditya_ Congrats!

Blog post: “Operations of an APT malware written in PureBasic” #malware #PureBasic #APT #Lazarus nvdp01.github.io/re/2022/07/05/…

@gsatpathy I have submitted a PR with the changes to oletools repo. github.com/decalage2/olet…

@ItsNavdeep Nice work. Could you post your fix for oleform.

Blog post: “Extracting userform field values from VBA maldocs” nvdp01.github.io/analysis/2022/…

@milved Thanks!

@ItsNavdeep Great work 👍