Mark (@_marklech_)

2.1K posts

Senior TI Analyst @ MSTIC. Ex Senior RE @ FLARE (Mandiant/Google).

Israel · Joined November 2015
377 Following · 4.3K Followers

Mark retweeted
Ariel Jungheit (@ArielJT)
Check out our latest report covering the Ivanti CSA vulnerability with complete root cause analysis, detailed breakdown of ITW exploitation, overview of worldwide targets alongside comprehensive IoCs & detection rules 👇🏻 harfanglab.io/insidethelab/i…
Mark retweeted
cod (@wolfcod)
Read "Behind Hacking-Team's vector-edk" on Medium: medium.com/@wolfcod/behind-hacking-teams-vector-edk-dfc4b51705c8
Mark retweeted
Muhammad Umair (@m_umairx)
FLARE is releasing a tool today that I've been working on over this year that helps break down binaries into smaller functional clusters and uses Gemini to describe their relationships, behavior and the overall malware functionality. It's called XRefer and it is out for you to read about and try out. Check out the write-up here, and look below for some examples: cloud.google.com/blog/topics/th…
Mark retweeted
Ramin Nafisi (@MalwareRE)
Frequent freeloader part II: After co-opting the tools and infrastructure of another nation-state threat actor to facilitate espionage activities, Secret Blizzard used those tools and infrastructure to compromise targets in Ukraine. These campaigns consistently led to the download of Secret Blizzard's custom malware, with the #Tavdig backdoor creating the foothold to install their #Kazuar V2 backdoor. #SecretBlizzard microsoft.com/en-us/security…
Mark retweeted
Kristina Balaam (@chmodxx_)
Excited to be able to publicly share the research I've been focusing on (and off) for the past several months! ~ lookout.com/threat-intelli…
Mark retweeted
allthingsida (@allthingsida)
tldw; For #flareon11 challenge #10 by @_marklech_, here's the approach I took:
1. Use UEFI Tool to extract the Shell app from the BIOS file
2. Use efiXplorer and Lumina to bring in as many symbols as possible
3. Use the angr framework to solve flag #1 and flag #2
4. For flag #3, full RE of the virtual machine
5. Implement a VM disassembler
6. Implement a VM decompiler: bytecode -> x64 assembly -> Hex-Rays decompiler -> C pseudocode
7. For fun, solve flag #1 and flag #2 again but with KLEE (on the decompiled bytecode, which is now VM-interpreter free and in clean C form)
8. Solve flag #3 with a bit of bruteforce
The most fun part was converting the bytecode back to pseudocode (going through x64 assembly first) and taking the blackbox approach with both angr and KLEE. All files are online here: github.com/allthingsida/a… (fully documented IDB, KLEE adapted bytecode, angr driver, and bytecode decompiler via x64asm, etc.).
hasherezade (@hasherezade)
@_marklech_ I will miss your challenges; both Catbert ransomware and Yoda from last year were fantastic!
Mark (@_marklech_)
Earlier this year, before leaving Mandiant, I had the opportunity to create Challenge #10 for the #FlareOn11 CTF! Here's a quick rundown of the challenge. 🧵⬇️
Mark (@_marklech_)
I hope you enjoyed tackling this year's challenge! Looking forward to reading everyone's solutions and learning from the unique approaches. #flareon11
Mark (@_marklech_)
In crafting my solution, I opted for a straightforward approach. For more advanced techniques, I often look to @allthingsida's content. This year, he shared his own solution in a fantastic video that you can check here 🎥: youtu.be/B1hE2z5JmLo?si…