Adam

Google's Nino Isakovic analyses the ScatterBrain obfuscator, used on POISONPLUG variants. ScatterBrain appears to be a substantial evolution of ScatterBee, an obfuscating compiler previously analysed by PWC. cloud.google.com/blog/topics/th…

Ever wonder how attackers use advanced tools to evade detection? Mandiant analyzes #ScatterBrain, an obfuscator in the POISONPLUG.SHADOW backdoor, which is used by China-nexus actors. Learn how we’re unmasking these sophisticated threats. Read more: bit.ly/42xfceL

For anyone using Binary Ninja and wanting to use Mandiant's ShellcodeHashes IDA plugin-I ported a basic version of the IDA plugin to Binary Ninja: github.com/PwCUK-CTO/Bina… Known limitations - No GUI, no support for searching memory constants - but it works well for most use cases

We've got TWO roles open in Australia! Looking for both tech and strat threat intel analysts. Come work with all the awesome folks on the #pwc TI team. Bonus: Witness firsthand the epic banter between me and @pewpew_lazors. jobs-au.pwc.com/experiencedhir… jobs-au.pwc.com/experiencedhir…

Step 1: open a binary in IDA and press F5 Step 2: paste the decompiled code into OpenAI's chatbot Someone's job just got way easier.

#flareon9 Pre-registration is now live! flare-on9.ctfd.io

@c3rb3ru5d3d53c Looks very much like the technique lockbit is currently using to me 🧐

This appears to be an example of #malware creating it's own encrypted #VTable for #obfusucating cross references. 🧠🤯

@fr0gger_ Alt+F7 feels like a bit of an omission. Used way more by me than most on this list...

If you missed it, here is the ultimate IDA Pro Shortcut cheatsheet! Happy reversing! #reverseengineering #idapro #infosec hex-rays.com/products/ida/s…

@cyberoverdrive @PwC @MITREattack @rfackroyd @eral4m We're hiring for our #detectionengineering team. If you would like to join the team that helped produce this annex, the main report, and does so much more, then visit experiencedcareers.pwc.co.uk/job/14249418/e…

PwC is seeking a Cyber - Global Threat Intelligence - Technical Analyst - Sr Associate based in the Remote area. For more details, visit the listing. #ninjajobs #hiring #cybersecurity ninjajobs.org/job/2e436d5b6c…

This is cure to so much pain.

Recently uploaded ShadowPad #malware (6e99974b8d421f8923fc132487d7da0d22c5e0fa1940494f312f9c9389c3f4ca) uses C2 login[.]onesigh[.]com. The Root module is from November 2020. Working on ShadowPad? DMs are open for collaboration #threatintel

PwC is seeking a Threat intelligence / malware analyst based in the US / NL / DE area. For more details, visit the listing. #ninjajobs #hiring #cybersecurity ninjajobs.org/job/93ab2fb57f…

I never knew I needed this article until now 0xc0decafe.com/malware-analys…

What the heck is Shikata ga nai? Nothing can be done but spit out a thread

@zcracga Thanks a lot!

@malworms This is really awesome, good work!

For anyone interested in some #ShadowPad research- pwc.co.uk/issues/cyber-s… github.com/PwCUK-CTO/Scat… Takes a deep dive into the #ScatterBee (aka #ShadowShredder, #PoppingBee) packing mechanism used by some ShadowPad variants and has scripts to enable static analysis of the payloads

@LloydLabs Thanks mate, was a fun one to work through.

@malworms Damn, that’s a nice blog post 🔥

extra - IDA determines if a binary is Golang or not only by the presence of the Go build string. The build string does not need to be correctly formed, just finding space in the .text section with enough CC alignment and pasting that string in lets IDA work properly @HexRaysSA

In case you missed it, we recently released Season 1 of “Igor’s tip of the week” blog posts in PDF format (All 52 of them!). We hope you find it useful! Check it out : hex-rays.com/blog/igors-tip… #HexRays #Igorstipoftheweek #IDA #ReverseEngineering