L0Psec

2.8K posts

@L0Psec

reverse engineer | arm64 :) | macOS/iOS | YouTube: https://t.co/VdHNCl0Qfl

NC · Joined October 2017
1.8K Following · 3.5K Followers
Pinned Tweet
L0Psec @L0Psec
My new site for learning macOS malware reverse engineering: l0psec.github.io/Malware_RE_Blo… I got my start in RE by using @patrickwardle's awesome blog. I would download samples and follow along. So I created this to complement that with dives into specific code from recent samples.
L0Psec @L0Psec
Attempted to grab the next AppleScript file from the domain, but it was not available: ecoferros\.com, which has 1 detection on VT.
L0Psec @L0Psec
Another double extension compiled AppleScript file shared by @malwrhunterteam: Digital Currency Group (DCG) - Audit Confirmation Request.docx.scpt - 61b56c8c2df374861c8b23e6c555456f34e17e5638ea9965f721c3ffe77f57ca. If you go to line #1649, you can see the actual commands. 🧵
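A triage check for the double-extension lure in this thread, as an added example that is not the author's code: it flags filenames whose document-style extension is followed by one macOS will execute (`.docx.scpt` here), flags content that starts with the compiled-AppleScript magic `FasdUAS` under a name that does not say `.scpt`, and matches SHA-256 digests against the indicators quoted in these posts. The file entries below are constructed for the demo; only the three hashes come from the posts, and the placeholder bytes will not reproduce them, so the `.scpt` entry carries its hash as reported rather than content.

```python
"""Double-extension / compiled-AppleScript triage (added example, not the
thread author's code). Hashes are the SHA-256 values quoted in the posts;
file contents below are constructed placeholders."""
import hashlib
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

# Extensions a user reads as "a document".
DOC_EXTS = {".docx", ".doc", ".pdf", ".xlsx", ".pptx", ".txt", ".rtf", ".pages"}
# Extensions macOS treats as code or a launchable bundle.
EXEC_EXTS = {".scpt", ".scptd", ".applescript", ".app", ".command", ".sh", ".pkg", ".dmg"}
# Compiled AppleScript files begin with this magic string.
SCPT_MAGIC = b"FasdUAS"

# Indicators quoted in the thread (lowercase hex SHA-256 -> label).
KNOWN_BAD_SHA256 = {
    "61b56c8c2df374861c8b23e6c555456f34e17e5638ea9965f721c3ffe77f57ca":
        "DCG Audit Confirmation Request.docx.scpt",
    "1540cbb8eac28dab396cbd95445bc936d4114a0c2bcc48ffe9630896df09a8a1":
        "selfhonda.com zip",
    "60bdadd7c86d4f48ab01d3dc75efd8b627b15b92b3c908d86e37bec26214e94d":
        "swift password-capture app (Mach-O)",
}


@dataclass
class Finding:
    name: str
    reasons: List[str] = field(default_factory=list)


def split_exts(name: str) -> List[str]:
    """'a.docx.scpt' -> ['.docx', '.scpt']; directory parts are ignored."""
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    return ["." + p for p in parts[1:]]


def double_extension(name: str) -> Optional[Tuple[str, str]]:
    """(doc_ext, exec_ext) when the last extension executes but the one before
    it looks like a document; None otherwise (so .tar.gz is not flagged)."""
    exts = split_exts(name)
    if len(exts) >= 2 and exts[-1] in EXEC_EXTS and exts[-2] in DOC_EXTS:
        return exts[-2], exts[-1]
    return None


def triage_entry(name: str, data: Optional[bytes] = None,
                 sha256: Optional[str] = None) -> Finding:
    """Check one file. Pass raw bytes, or a SHA-256 already taken from a report."""
    f = Finding(name)
    de = double_extension(name)
    if de:
        f.reasons.append(f"double extension {de[0]}{de[1]}: reads as {de[0]} but runs as {de[1]}")
    if data is not None:
        if sha256 is None:
            sha256 = hashlib.sha256(data).hexdigest()
        exts = split_exts(name)
        if data.startswith(SCPT_MAGIC) and (not exts or exts[-1] not in {".scpt", ".scptd"}):
            f.reasons.append("content is compiled AppleScript (FasdUAS) but the extension says otherwise")
    if sha256 and sha256.lower() in KNOWN_BAD_SHA256:
        f.reasons.append(f"sha256 matches sample from the thread: {KNOWN_BAD_SHA256[sha256.lower()]}")
    return f


def triage(entries: Iterable[dict]) -> List[Finding]:
    """Return only the entries that produced at least one reason."""
    return [f for f in (triage_entry(**e) for e in entries) if f.reasons]


# Constructed sample set: one entry by reported hash, three by (fake) content.
SAMPLE_ENTRIES = [
    {"name": "Digital Currency Group (DCG) - Audit Confirmation Request.docx.scpt",
     "sha256": "61b56c8c2df374861c8b23e6c555456f34e17e5638ea9965f721c3ffe77f57ca"},
    # compiled-AppleScript magic hiding under a .pdf name (constructed bytes)
    {"name": "invoice.pdf", "data": b"FasdUAS 1.101.10\x0e\x00\x00\x00\x04\x0f\xff\xff"},
    # ordinary OOXML document (zip container header, constructed)
    {"name": "quarterly_report.docx", "data": b"PK\x03\x04\x14\x00\x06\x00"},
    # a legitimate double extension that must not fire
    {"name": "backup.tar.gz", "data": b"\x1f\x8b\x08\x00"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_ENTRIES):
        print(finding.name)
        for r in finding.reasons:
            print("  -", r)
```

Run it as a script to see the two constructed hits; point `triage()` at a directory listing or a VT export to use it for real. The `.tar.gz` case is there deliberately: the check keys on the pair (document-looking, executable), not on "has two dots".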
L0Psec @L0Psec
selfhonda\.com 1540cbb8eac28dab396cbd95445bc936d4114a0c2bcc48ffe9630896df09a8a1 - zip 60bdadd7c86d4f48ab01d3dc75efd8b627b15b92b3c908d86e37bec26214e94d - swift app mach-O http://31.57.35\.114:8080
L0Psec @L0Psec
We've seen the backdoor functionality already but adding here.
L0Psec @L0Psec
More DPRK Contagious Interview shared by @malwrhunterteam. We've seen these before. golang backdoor, swift password capture app, etc. FUD related domain: selfhonda\.com 1540cbb8eac28dab396cbd95445bc936d4114a0c2bcc48ffe9630896df09a8a1 - zip file (8 hits) 🧵
L0Psec @L0Psec
osascript does what we've come to expect. wallets, extensions, passwords, LaunchAgent, etc.
L0Psec @L0Psec
FUD domain related to infostealer shared by @malwrhunterteam:) metramon\.com. GoogleUpdate script (8 VT hits) communicates with this domain and grabs osascript for exec. 7daeeec6a883165d6849e0611e7fe39fbc4ad340bb2aeba416fb7cec3cb92917
Blacktop @blacktop__
I’m pumped to be joining the team! This is going to be a great adventure 🦾🤖🍎
Quoting thaidn @XorNinja:

We have some exciting news to share: @blacktop__ is joining Calif to work on a range of R&D projects focused on Apple and AI security. If you work in the Apple security ecosystem, he’s already a household name. He’s the creator of: * ipsw – the ubiquitous Apple firmware analysis tool: github.com/blacktop/ipsw * darwin-xnu-build – reproducible XNU kernel builds: github.com/blacktop/darwi… * ipsw-diffs – automated diffing of Apple releases: github.com/blacktop/ipsw-… * The only public deep-dive on Apple’s Lockdown Mode: github.com/blacktop/prese… His tooling is so good that even Apple engineers use it. If you do reverse engineering, chances are you’ve touched his Rust headless IDA MCP server: github.com/blacktop/ida-m…. People have literally collected CVEs and bug bounties just by digging through the diffs produced by his tools. With @brucedang, @Little_34306 and now @blacktop__, we're building a serious Apple security force at Calif. We’ll have more announcements in this space soon! If you're interested in Apple security, AI, automated bug discovery, reverse engineering, or hacking, we’re hiring: calif.io/jobs.

solst/ICE of Astarte @IceSolst
Can you give me feedback on how to improve the YouTube videos on @AstarteSecurity? What do you think would make them better for you?
Is Now on VT! @Now_on_VT
To date, none of the samples mentioned by hash in the Google Coruna blog or iVerify blog have been uploaded to @virustotal. Still monitoring the situation.
L0Psec @L0Psec
@horsepower I’m a little biased but I love this chassis for drifting.
ٍ @horsepower
There are currently 4 platforms I’m eyeballing.
- GT86/BRZ/FRS
- E36
- RX-8
- G35/G37
I think at this point, it comes down to whatever good deal falls into my hands at the right time.
L0Psec @L0Psec
This appears to potentially be a part of a bigger project. NIM captures build info and we can see the name of this (GetAuditIp) often within the WebBrowserParsser path. (typo). If we look for this path in VT, there are other hits for matches in PE files with detections.
L0Psec @L0Psec
Telegram communication is set up in _sendToTg__71et65udit73p_u426(). I'll make this quick. It sets up an HTTP client with the chat ID info (1016845012) and other data, then a POST request is created with the Telegram bot info.
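Detection logic for the Telegram bot channel described in this post, as an added example that is neither the author's code nor anything taken from the sample: it walks web-proxy log lines, keeps requests to api.telegram.org whose path has the `bot<id>:<secret>/<method>` shape, pulls `chat_id` from the query string or the POST body, and rates the hit higher when the chat ID is the one quoted above (1016845012) or the method is one that pushes data out. The log format, IPs, timestamps and bot tokens are all constructed for the example; the chat ID is the only value taken from the post.

```python
"""Telegram Bot API exfil detection over proxy logs (added example, not the
author's code). Log format and tokens are constructed; the chat ID is the one
quoted in the post."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import parse_qs, urlsplit

TG_API_HOST = "api.telegram.org"
# Bot API paths look like /bot<numeric id>:<secret>/<method>.
BOT_PATH_RE = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)$")
# Methods that carry data from the host to the operator.
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto", "sendVideo"}
# Chat ID seen in the sample discussed above.
KNOWN_CHAT_IDS = {"1016845012"}


@dataclass
class Alert:
    ts: str
    src: str
    bot_id: str
    token_hint: str      # masked secret, enough to pivot on without logging the token
    method: str
    chat_id: Optional[str]
    severity: str


def mask_secret(secret: str) -> str:
    """Keep the first four and last two characters of the bot secret."""
    return secret[:4] + "..." + secret[-2:]


def extract_chat_id(query: str, body: str) -> Optional[str]:
    """chat_id may travel in the query string (GET) or the form body (POST)."""
    for blob in (query, body):
        if blob:
            vals = parse_qs(blob).get("chat_id")
            if vals:
                return vals[0]
    return None


def inspect_line(line: str) -> Optional[Alert]:
    """Constructed log format: '<iso-ts> <src-ip> <http-method> <url> <status> [body=<urlencoded>]'."""
    fields = line.split(" ", 5)
    if len(fields) < 5:
        return None
    ts, src, _http_method, url, _status = fields[:5]
    body = ""
    if len(fields) == 6 and fields[5].startswith("body="):
        body = fields[5][len("body="):]
    parts = urlsplit(url)
    if parts.hostname != TG_API_HOST:
        return None
    m = BOT_PATH_RE.match(parts.path)
    if not m:
        return None
    chat_id = extract_chat_id(parts.query, body)
    method = m.group("method")
    if chat_id in KNOWN_CHAT_IDS:
        severity = "high"        # known operator chat from the sample
    elif method in EXFIL_METHODS:
        severity = "medium"      # data leaving via an unknown bot
    else:
        severity = "low"         # bot API use at all is worth a look on a workstation
    return Alert(ts, src, m.group("bot_id"), mask_secret(m.group("secret")), method, chat_id, severity)


def scan(lines: Iterable[str]) -> List[Alert]:
    return [a for a in (inspect_line(l) for l in lines) if a]


# Constructed proxy log: tokens, IPs and hostnames are fake.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z 10.0.0.15 GET https://www.example.com/ 200",
    "2024-05-01T10:00:07Z 10.0.0.15 POST https://api.telegram.org/bot123456789:AAFakeTokenForTheExampleOnly_0123456789/sendMessage 200 body=chat_id=1016845012&text=host%3Dmbp-15%3Buser%3Dalice",
    "2024-05-01T10:03:12Z 10.0.0.15 POST https://api.telegram.org/bot987654321:BBAnotherConstructedToken_abcdef/sendDocument?chat_id=-4455667788 200 body=document=%5Bbinary%5D",
    "2024-05-01T10:05:00Z 10.0.0.22 GET https://api.telegram.org/bot111222333:CCYetAnotherConstructedToken/getMe 200",
    "2024-05-01T10:06:00Z 10.0.0.22 GET https://t.me/somechannel 200",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.severity:6} {a.ts} {a.src} bot={a.bot_id} ({a.token_hint}) {a.method} chat_id={a.chat_id}")
```

Adapt `inspect_line` to your proxy's field order; the host check plus the `/bot<id>:<secret>/` path shape is what carries the detection, and logging only a masked token keeps a live bot credential out of your SIEM.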
L0Psec @L0Psec
Here's an interesting one shared by @malwrhunterteam: 1f174bb02bdf4758bfdde788bd581a8ff18378c223321c69ab5c9da8a2b6e342. NIM compiled, collects system info and sends via Telegram API bot net comms. 1 VT hit and code insights has a pretty good summary. 🧵Let's dig in.