Michal Malík

@michalmalik

Detection engineer

Bratislava
Joined October 2010

Media

  1. 3 Dec 2019

    OSX InstallCore used vm_allocate, vm_copy, NSCreateObjectFileImageFromMemory & NSLinkModule on MH_BUNDLE almost 3 years ago not that I remember too much about it ;-)

  2. 21 Aug 2019

    Linux Coinminer < Downloads components from rapid7cpfqnwxodo[.{tor2web[.io,onion[.glass,d2web[.org,onion[.mn,onion[.to,onion[.in[.net,onion[.ws,onion[.sh}/{cron[.sh,systemd-resolve,systemd-analyze,systemd[.sh} most likely related to LSD coinminer

  3. 8 Aug 2019
  4. 29 Jul 2019
  5. 19 Jul 2019

    Here is a x64 sample of Tsunami that first XORs 2046 bytes from EP and then returns to it. It has 3 (unusual) LOAD segments, first one is RWX (unusual) and the 3rd one is not in sequence with the other 2 (unusual). Not the first sample like this.

  6. 19 Jul 2019
    Replying to
  7. 19 Jul 2019

    Ah yes, the good ol' +- 5 encryption

  8. 19 Jul 2019
    Replying to

    Have you seen this part of it? 0aa89fdd2957c49604a0ab16490748a07f82f9ea -- it uploads a .jar via Apache Flink. The .jar executes the identical command that you show in your last screenshot

  9. 7 Jul 2019
  10. 6 Jul 2019

    pub fn read_var<T>(&self, offset: u64, var: &mut T) => if `var` is a member of `self`, you can't borrow `var` mutably because you borrowed `self` immutably => if you borrow `self` mutably, you can't borrow `var` mutably, because you are now borrowing twice Thanks, I hate it

  11. 4 Jul 2019

    This is wrong, change my mind

  12. 26 Jun 2019

    Artefacts from one of the Gates files (syn, 2a9bf4ee7d437ae0bc67d2da1e711aaa0d1aa302) - vpn.to0ls[.]com:443 - 115.231.218[.]64:8226

  13. 26 Jun 2019

    - It periodically tries to detect a running miner and kill it (it can also kill itself & Gates malware - to update) - Brootkit is "installed" to /etc/profile.d/emacs.sh - this confirms that EMACS is indeed a rootkit - The remote host is auth.to0ls[.]com

  14. 26 Jun 2019

    Very nasty Linux backdoor with multiple components - Kills & uninstalls AV: clamav, avast, avg, drweb, esets - Very persistent - Uses Gates malware - Uses Brootkit - Uses CVE-2016-5195 to get root - Infects other systems from known_hosts, .bash_history

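The indicators in this thread (vpn.to0ls[.]com, auth.to0ls[.]com, 115.231.218[.]64) and in the Linux coinminer tweet earlier on the page (the rapid7cpfqnwxodo download URLs) are written defanged, with "[." or "[.]" in place of dots and brace groups listing alternative tor2web gateways and filenames. The script below is an added example, not the author's code or tooling: it refangs and expands those exact indicators into the strings that would appear in logs and runs them over a few log lines that are constructed here purely for the demonstration (hostnames and IPs other than the indicators themselves are made up).

```python
import itertools
import re

# Indicators copied from the tweets on this page, still in their defanged form.
RAW_IOCS = [
    "rapid7cpfqnwxodo[.{tor2web[.io,onion[.glass,d2web[.org,onion[.mn,onion[.to,"
    "onion[.in[.net,onion[.ws,onion[.sh}/{cron[.sh,systemd-resolve,systemd-analyze,systemd[.sh}",
    "vpn.to0ls[.]com:443",
    "115.231.218[.]64:8226",
    "auth.to0ls[.]com",
]


def refang(text):
    """Turn the analyst-safe spelling back into what actually appears in logs."""
    return text.replace("[.]", ".").replace("[.", ".")


def expand(pattern):
    """Expand one level of {a,b,c} alternatives into every concrete string."""
    parts = re.split(r"\{([^{}]*)\}", pattern)          # literal, group, literal, group, ...
    choices = [p.split(",") if i % 2 else [p] for i, p in enumerate(parts)]
    return ["".join(combo) for combo in itertools.product(*choices)]


def normalize(ioc):
    """Refang, expand, and drop a trailing :port so DNS-only logs still match.

    Assumes host-based indicators without a URL scheme (as posted above).
    """
    out = []
    for item in expand(refang(ioc)):
        host, sep, port = item.partition(":")
        out.append(host if sep and port.isdigit() else item)
    return out


INDICATORS = sorted({n.lower() for ioc in RAW_IOCS for n in normalize(ioc)})

# Anchored so that "onion.to" does not fire inside "notonion.tools".
PATTERNS = [(ioc, re.compile(r"(?<![\w.])" + re.escape(ioc) + r"(?!\w)"))
            for ioc in INDICATORS]


def hunt(log_text):
    """Return (line number, indicator) for every log line that carries an IOC."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        line = line.lower()
        for ioc, pat in PATTERNS:
            if pat.search(line):
                hits.append((lineno, ioc))
    return hits


# Constructed sample log (proxy, conntrack and DNS style lines); not real traffic.
SAMPLE_LOG = """\
2019-06-26T10:01:02Z squid 10.0.0.5 GET http://rapid7cpfqnwxodo.onion.to/systemd-resolve 200
2019-06-26T10:01:09Z conntrack 10.0.0.5 -> 115.231.218.64:8226 tcp
2019-06-26T10:02:30Z dns 10.0.0.7 query A vpn.to0ls.com
2019-06-26T10:03:00Z squid 10.0.0.9 GET http://example.org/index.html 200
"""

if __name__ == "__main__":
    print(f"{len(INDICATORS)} concrete indicators")
    for lineno, ioc in hunt(SAMPLE_LOG):
        print(f"line {lineno}: {ioc}")
```

Dropping the port when normalizing is a deliberate trade-off: it lets the 115.231.218[.]64:8226 indicator fire on a DNS or flow record that logs only the peer address, at the cost of also firing on other ports to the same host. Keep the ported form as a second, higher-confidence indicator if the log source records ports.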
  15. 27 May 2019

    The file is messed up btw. First is with USE PHT + USE SHT in IDA, second only USE PHT.

  16. 27 May 2019
  17. 15 May 2019
  18. 10 May 2019

    Well, that'd explain why only the arm5 files are dynamically linked

  19. 6 May 2019
  20. 8 Apr 2019

    4/n Oh, and if you modify the DYN segment offset to e.g. 0, leave the VA be, load it in IDA and tell it to ignore the sections (i.e. not use .dynamic, it has the same info as the DYN segment when unmodified), it sees no imports.

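Two of the ELF oddities mentioned on this page are cheap to check from the program headers alone: the x64 Tsunami sample with three LOAD segments (the first RWX, the third out of sequence, and an entry point that XORs its own code), and the trick in this thread of pointing the DYN segment's file offset somewhere else while leaving its virtual address intact. The triage script below is an added example, not the author's tooling or the IDA logic it describes; it parses the ELF64 program header table with the standard library and flags those conditions. The three images it runs on are constructed in the block (headers only, no code bytes) and are not the samples from the tweets.

```python
import struct

PT_LOAD, PT_DYNAMIC = 1, 2
PF_X, PF_W, PF_R = 1, 2, 4
RWX = PF_R | PF_W | PF_X

EHDR_FMT = "<16sHHIQQQIHHHHHH"  # Elf64_Ehdr, little-endian
PHDR_FMT = "<IIQQQQQQ"          # Elf64_Phdr


def parse_phdrs(data):
    """Return (e_entry, list of program headers) for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    hdr = struct.unpack_from(EHDR_FMT, data, 0)
    e_entry, e_phoff, e_phentsize, e_phnum = hdr[4], hdr[5], hdr[9], hdr[10]
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags, p_offset, p_vaddr, _, p_filesz, p_memsz, _ = struct.unpack_from(
            PHDR_FMT, data, e_phoff + i * e_phentsize)
        phdrs.append(dict(type=p_type, flags=p_flags, offset=p_offset,
                          vaddr=p_vaddr, filesz=p_filesz, memsz=p_memsz))
    return e_entry, phdrs


def segment_for(loads, vaddr):
    """Index of the PT_LOAD whose memory range covers vaddr, or None."""
    for i, p in enumerate(loads):
        if p["vaddr"] <= vaddr < p["vaddr"] + p["memsz"]:
            return i
    return None


def triage(data):
    """Flag RWX / out-of-order LOADs, a writable entry point, and a DYN offset/vaddr mismatch."""
    e_entry, phdrs = parse_phdrs(data)
    loads = [p for p in phdrs if p["type"] == PT_LOAD]
    findings = []
    for i, p in enumerate(loads):
        if (p["flags"] & RWX) == RWX:            # parenthesised: == binds tighter than & in Python
            findings.append(f"LOAD[{i}] is RWX")
        # The ELF spec requires PT_LOAD entries in ascending vaddr order.
        if i and (p["vaddr"] < loads[i - 1]["vaddr"] or p["offset"] < loads[i - 1]["offset"]):
            findings.append(f"LOAD[{i}] is out of sequence")
    ep = segment_for(loads, e_entry)
    if ep is not None and loads[ep]["flags"] & PF_W:
        findings.append(f"entry point {e_entry:#x} is in writable LOAD[{ep}]")
    for d in (p for p in phdrs if p["type"] == PT_DYNAMIC):
        i = segment_for(loads, d["vaddr"])
        if i is None:
            findings.append("PT_DYNAMIC vaddr is not inside any LOAD")
        elif d["offset"] != loads[i]["offset"] + d["vaddr"] - loads[i]["vaddr"]:
            # The loader maps by vaddr; a tool reading by file offset sees different bytes.
            findings.append(f"PT_DYNAMIC offset {d['offset']:#x} disagrees with its vaddr")
    return findings


def build_elf(entry, segments):
    """Constructed test image: ELF64 header plus program headers only (no real code)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = struct.pack(EHDR_FMT, ident, 2, 0x3E, 1, entry, 64, 0, 0,
                       64, 56, len(segments), 64, 0, 0)
    body = b"".join(struct.pack(PHDR_FMT, t, flags, off, va, va, size, size, 0x1000)
                    for t, flags, off, va, size in segments)
    return ehdr + body


# (type, flags, file offset, vaddr, size); all three layouts are made up for the demo.
CLEAN = build_elf(0x401000, [
    (PT_LOAD, PF_R, 0x0, 0x400000, 0x1000),
    (PT_LOAD, PF_R | PF_X, 0x1000, 0x401000, 0x1000),
    (PT_LOAD, PF_R | PF_W, 0x2000, 0x402000, 0x1000),
    (PT_DYNAMIC, PF_R | PF_W, 0x2100, 0x402100, 0x100),
])
TSUNAMI_LIKE = build_elf(0x400100, [
    (PT_LOAD, RWX, 0x0, 0x400000, 0x1000),            # RWX, and the EP lives here
    (PT_LOAD, PF_R | PF_X, 0x1000, 0x401000, 0x1000),
    (PT_LOAD, PF_R | PF_W, 0x2000, 0x200000, 0x1000),  # vaddr below the previous LOAD
])
DYN_TAMPERED = build_elf(0x401000, [
    (PT_LOAD, PF_R, 0x0, 0x400000, 0x1000),
    (PT_LOAD, PF_R | PF_X, 0x1000, 0x401000, 0x1000),
    (PT_LOAD, PF_R | PF_W, 0x2000, 0x402000, 0x1000),
    (PT_DYNAMIC, PF_R | PF_W, 0x0, 0x402100, 0x100),   # offset forced to 0, vaddr untouched
])

if __name__ == "__main__":
    for name, img in [("clean", CLEAN), ("tsunami-like", TSUNAMI_LIKE), ("dyn-tampered", DYN_TAMPERED)]:
        print(name, triage(img) or ["nothing flagged"])
```

To run it on a real file, replace the constructed images with `open(path, "rb").read()`; the parser ignores section headers entirely, which is the point: a dropper can strip or corrupt the SHT, but the kernel loads by program headers, so these checks still see what will execute.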
