vx-underground
@vxunderground
22.7K posts
The largest collection of malware source code, samples, and papers on the internet. Password: infected
International · Joined August 2019
336 Following · 426.5K Followers
vx-underground @vxunderground
Big big big shout out to Eduardo Altares and Joie Salvio for initially reverse engineering this. This thing was really annoying.
vx-underground @vxunderground
> be me > schizo rant on xitter about malware someone sent me > deep rage > NODE JS SEA BLOB > obfuscation > annoyance > about to go to bed > brain thinks > google weird artifact in binary > found_it.jpeg This thing is a real pain in the fucking ass fortinet.com/blog/threat-re…
vx-underground @vxunderground
> be me > get dm > "smelly i think someone tried to send us malware" > look inside > furry video game > lolwtf > download > look inside > big big program > smells funny > weird resource section > header value never seen before IT'S A FUCKING SEA BLOB
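A triage check for the Node.js SEA-blob packaging described in this post, added here as an example (not code from the original posts or from any project they mention): it scans raw file bytes for the markers postject writes when it injects a SEA blob, and distinguishes a stock Node binary (fuse still `:0`) from one with a blob injected. The fuse string and the `NODE_SEA_BLOB` resource name are the documented Node.js/postject constants; the sample byte strings are constructed stand-ins, not real binaries.

```python
"""Triage check for Node.js single-executable-application (SEA) blobs in a binary."""
import re

# Markers written by postject when a SEA blob is injected into a Node.js binary
# (documented Node.js/postject constants, not values taken from the original posts):
#   - the fuse string ships in every SEA-capable node binary as ":0" and is
#     flipped to ":1" once a blob has been injected
#   - the blob is stored under a PE resource / ELF section named NODE_SEA_BLOB
SEA_FUSE_RE = re.compile(rb"NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2:([01])")
SEA_BLOB_NAME = b"NODE_SEA_BLOB"
# PE resource names live in the resource directory as UTF-16LE strings
SEA_BLOB_NAME_U16 = SEA_BLOB_NAME.decode().encode("utf-16-le")


def scan_for_sea(data: bytes) -> dict:
    """Return the SEA indicators present in raw file bytes plus a verdict."""
    m = SEA_FUSE_RE.search(data)
    fuse_armed = m is not None and m.group(1) == b"1"
    has_blob_name = SEA_BLOB_NAME in data or SEA_BLOB_NAME_U16 in data
    if fuse_armed and has_blob_name:
        verdict = "sea_blob_injected"        # bundled JS app: extract and review the blob
    elif fuse_armed:
        verdict = "fuse_armed_no_blob_name"  # unusual; inspect manually
    elif m is not None:
        verdict = "node_binary_no_sea"       # stock node.exe carries the fuse, unarmed
    else:
        verdict = "no_sea_markers"
    return {
        "fuse_present": m is not None,
        "fuse_armed": fuse_armed,
        "blob_resource_name": has_blob_name,
        "verdict": verdict,
    }


# Constructed samples standing in for file contents (not real binaries)
SAMPLE_STOCK_NODE = (b"MZ\x90\x00" + b"\x00" * 32
                     + b"NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2:0" + b"\x00" * 32)
SAMPLE_INJECTED = (b"MZ\x90\x00" + b"\x00" * 32
                   + b"NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2:1" + b"\x00" * 32
                   + SEA_BLOB_NAME_U16 + b"\x00" * 32)
SAMPLE_OTHER = b"MZ\x90\x00" + b"\x00" * 64 + b"This program cannot be run in DOS mode."

if __name__ == "__main__":
    import sys
    # Pass a file path to scan a real binary; otherwise the constructed sample is used
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_INJECTED
    print(scan_for_sea(data))
```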
vx-underground @vxunderground
@Rush2131 no, this thing is actually incredibly evasive and a huge pain in the ass. i hate it
Ru5h @Rush2131
@vxunderground Will AV easily flag this as malware since it has a very different header value?
vx-underground @vxunderground
I hate this fucking piece of shit
Voltlighter @Voltlighter
@vxunderground I'd look him up in a court records database, I'm sure John Strawberry has been having some interesting adventures.
vx-underground @vxunderground
Dawg, like, 8 months ago this dude randomly knocks on my door and he's like, "are you John Strawberry?" (not the actual name he said). I'm like, "....No?" and he's like, "Well, do you know where he is or how to find him?" I reply, "I have no idea who that is, sorry." and then I go on about my business and I forget about it. Bro shows up again a few months later knocking on my door asking for John Strawberry. This time my wife answered the door and he's yapping about how he has to return something really important to him. My wife is like "??? Who the FUCK is John Strawberry ???" Fast forward, this whacko shows up AGAIN. This time he parks outside my house. He knocks on the door. He says his car broke down and he needs help. I'm like, "weren't you the dude asking for John Strawberry?" and he's like, "Oh, do you know John Strawberry? How can I contact him?" I'm like ??? This dude drives by my house now AT LEAST once a week. He rolls by real slow and takes a look and then leaves. Then the police show up asking for John Strawberry. They say they have a warrant out for his arrest and my home was listed as last known good address. DAMN YOU JOHN STRAWBERRY
vx-underground @vxunderground
Per the comments, I decided to look up John Strawberry. It turns out John Strawberry is like, a general contractor or handyman, or something. He owns his own company and does stuff like painting, or drywall repair, or window installation. He used to live where I live now. His outdated business details list my home as his company's address from 2016. John Strawberry has two warrants for his arrest. He also lost a court case against someone and owes them $250,000 ... because he never showed up to court because he has two warrants for his arrest. DAMN YOU JOHN STRAWBERRY
vx-underground @vxunderground
hahahahahaha. they use yr_compiler_add_file and this function expects a FILE* object when Windows natively uses HANDLE. you can use fopen, but depending on how you compile the libyara64.dll in release mode it throws weird CRT errors when trying to pass the FILE* ... because of some dumb shit, i can't remember now, i fixed it by using yr_compiler_add_string
SAERXCIT @saerxcit
@vxunderground "the YARA API is very POSIX-y but this can be dealt with easily" > #defines snake_case functions to CamelCase
vx-underground @vxunderground
IT'S NOT FAIR The samples the dorks over on Reddit shared are (sort of) a dead end. The SHA256 file hash they shared is a basic bitch malware loader. It's literally called "monthly.vbs", it isn't obfuscated, and it makes a plain HTTP (not HTTPS) call with WinHTTP to a clearly malicious Alibaba OSS (Object Storage Service) instance. The Threat Actor(s) didn't even have the common courtesy to make it look non-malicious. When you try cURLing that bby it replies: "AccessDenied You have no right to access this object because of bucket ACL" THEY MADE IT NON-PUBLIC BUT IT STILL EXISTS. LET ME IN

Quoting Maple @MaplePrism:
PSA FOR DUET NIGHT ABYSS PLAYERS THE LATEST GAME UPDATE INSTALLS MALWARE ON YOUR PC AS WELL AS A DELAYED TASK TRIGGER. PLEASE ENSURE YOU CHECK YOUR PC FOR THIS IF YOU'VE UPDATED THE GAME. The official subreddit has been suppressing and downplaying this situation, shameful.
vx-underground @vxunderground
@MaplePrism nah, c2 is dead. need the malwares from vt, but dont have access to vt (they think im a nerd)
vx-underground @vxunderground
@drunkennutz no im small brain, was in bed, copied sha256 wrong. i thought you shared hashes not on vt lmfao
drunkennutz @drunkennutz
@vxunderground 3ccc5b5b2d6e59cb32d31394287630f007658d01ded68dedf8e7c25e1da0b5ab 2653fcfead0706674007ac0d2ae76fef6d694356c479aa0005c6c26828bcc3eb
Maple @MaplePrism
@vxunderground I am so shocked you're in my replies right now hello LMAO This is so cool But yeah, DNA gave out free malware to all its players with the update a week after they themselves got hacked HAHA