x3ph

@vxunderground @nikhil_mitt @struppigel I am not picky, and hello

Big giveaway. - (x3) Certified Red Team Expert (CRTE) - (x3) Certified by Altered Security Red Team Professional for Azure (CARTP) - (x10) Malware Analysis for Hedgehogs Bundle CTRE and CARTP sponsored by @nikhil_mitt Malware Analysis sponsored by @struppigel Leave a comment below on what you'd like. Winners chosen in 24 hours.

@vxunderground An meowvil act indeed. How on earth are we supposed to defend against such a high-skill cattack? Our furwalls clearly aren’t enough. 😔

gdbw v0.1.0 is released! 🥳 Currently working on the wiki to get everything documented, go try it out! github.com/iilegacyyii/gd…

gdbw v0.1.0 releasing tomorrow! 🐸 Still a lot to add but hoping to get it into user's hands sooner so that we can figure out pain points etc.

Excited to be teaching ARTOC @defcon this year! Focused on modern tradecraft, tooling development, and building real skills from preparation to execution of real-world adversary emulation engagements. #DEFCON #redteam

BOF is out now, enjoy! 🐸 github.com/iilegacyyii/Da…

Blog post is out, BOF coming tomorrow 🐸 legacyy.xyz/defenseevasion…

@Gi7w0rm @CISAgov @CISAJen Awesome work as always 👌

Dear friends and followers! It is with immense pride and greatefulness that today I received an official @CISAgov challenge coin, accompanied by a personal letter from CISA 's director @CISAJen. I am very happy to see see my work appreciated in this way! #infosec #reward 1/6

@luke92881 @SquiblydooBlog @JAMESWT_MHT @SebastianWalla @AnFam17 @osipov_ar I've seen this before and I had issues retrieving the script prior due to AV, but thank you for the sample. I got the the remaining pieces to the puzzle now. If you need the decryption method, its there for you. github.com/xephora/Threat…

#Solarmarker C2 85.17.9.32 app.any.run/tasks/eb4e5142… bazaar.abuse.ch/sample/16a58ba… @SquiblydooBlog @JAMESWT_MHT @SebastianWalla @AnFam17 @osipov_ar @x3ph1

@nosecurething Observed four hits so far, but different dir path. In the process of retrieving the file atm. Hashes were all the same. profile\AppData\Local\Installinipsk\avolkov.exe d75680a5fcfd6839d40e5b4e379726ec0c01278709265ace4f1ba7327886b41c

New #batloader IOCs (first major change I have seen): externalchecksso[.]com Instead of "update.bat" , an exe in a new directory create the connections to the C2: ➡️%appdata%local\SetupProject1\avolkov.exe It is also checking for more AVs to kill now. Using a dll now too.

@th3_protoCOL Any sandbox of the initial delivery mechanism that created this scheduled task? I am the threat actor may have taken a similar approach as to using an ISO to deliver the executable. Upon investigation, I did not see any signs of mounting of ISO or executable as of yet. 1/2

@Kostastsale @th3_protoCOL @cbecks_2 I've been downloading this big ol pw stealer for the past 15 minutes 🤣

@x3ph1 @th3_protoCOL @cbecks_2 Hmm, I don't think so. Could you upload the malware to bazaar.abuse.ch and share the link?

@DrStache_ @pr0xylife @ankit_anubhav @Max_Mal_ @1ZRR4H @Ledtech3 thank you for sharing this🙏

@pr0xylife @ankit_anubhav @x3ph1 @Max_Mal_ @1ZRR4H @Ledtech3 Panels' statistics azorult-tracker.net/s/asn/AS60567

#Azorult RabbitHole Malspam ⬇️ ISO attachment ⬇️ VBS unzip ⬇️ PowerShell launch ⬇️ Binary to ASCII conversion ⬇️ Download fake png from opendir ⬇️ Compile payload on fly using aspdot_net ⬇️ Theft ⬇️ POST to C2 ⬇️ Persistence by moving file to startup bazaar.abuse.ch/sample/e93cc14…

@LetsDefendIO awesome ty for sharing 🙏

Linux Log parsing cheat sheet

@ankit_anubhav @pr0xylife @Max_Mal_ @1ZRR4H @Ledtech3 Ah, I miss-read that, great thank you.

@x3ph1 @pr0xylife @Max_Mal_ @1ZRR4H @Ledtech3 Hi, the iso came as an attachment in malicious email.

@infosec_au @Hacker0x01 Great job @infosec_au! Your hard work paid off🏆

Yay, I was awarded $73,500 on @Hacker0x01 #TogetherWeHitHarder

@JAMESWT_MHT @malwrhunterteam @ffforward @pr0xylife @guelfoweb @FBussoletti @VK_Intel @Cryptolaemus1 @sugimu_sec @lazyactivist192 @fr0s7_ @struppigel Thank you for sharing this information

#Qbot #Quakbot #Qakbot #signed "DOD MEDIA LIMITED" Samples bazaar.abuse.ch/browse/tag/DOD… H/T @malwrhunterteam

@iHeartMalware @Kostastsale agreed, practice makes perfect.

@Kostastsale Hello me, it's me. You got this. ;)

I usually make short-form satirical videos for fun, but never share them with the world. This time tho, I thought I'd make one for the infosec community. Some might even find it educational 😅 If you're in #infosec and you feel a little down this week, this video is for you💙

@Kostastsale 🏆 awesome to watch