Most accomplished cybercriminals go out of their way to separate their real names from their hacker handles. But among certain old-school Russian hackers it is not uncommon to find major players who have done little to prevent people from figuring out who they are in real life. A case study in this phenomenon is “x999xx,” the nickname chosen by a venerated Russian hacker who specializes in providing the initial network access to various ransomware groups.
x999xx is a well-known “access broker” who frequently sells access to hacked corporate networks — usually in the form of remote access credentials — as well as compromised databases containing large amounts of personal and financial data.
In an analysis published in February 2019, cyber intelligence firm Flashpoint called x999xx one of the most senior and prolific members of the top-tier Russian-language cybercrime forum Exploit, where x999xx could be seen frequently advertising the sale of stolen databases and network credentials.
In August 2023, x999xx sold access to a company that develops software for the real estate industry. In July 2023, x999xx advertised the sale of Social Security numbers, names, and birthdays for the citizenry of an entire U.S. state (unnamed in the auction).
A month earlier, x999xx posted a sales thread for 80 databases taken from Australia’s largest retail company. “You may use this data to demand a ransom or do something different with it,” x999xx wrote on Exploit. “Unfortunately, the flaw was patched fast. [+] no one has used the data yet [+] the data hasn’t been used to send spam [+] the data is waiting for its time.”
In October 2022, x999xx sold administrative access to a U.S. healthcare provider.
The oldest account by the name x999xx appeared in 2009 on the Russian language cybercrime forum Verified, under the email address maxnm@ozersk.com. Ozersk is a city in the Chelyabinsk region of west-central Russia.
According to the breach tracking service Constella Intelligence, the address maxnm@ozersk.com was used more than a decade ago to create an account at Vktontakte (the Russian answer to Facebook) under the name Maxim Kirtsov from Ozersk. Mr. Kirtsov’s profile — “maxnm” — says his birthday is September 5, 1991.
Personal photos Maxnm shared on Vktontakte in 2016. The caption has been machine translated from Russian.
The user x999xx registered on the Russian language cybercrime community Zloy in 2014 using the email address maxnmalias-1@yahoo.com. Constella says this email address was used in 2022 at the Russian shipping service cdek.ru in by a Maksim Georgievich Kirtsov from Ozersk.
Additional searches on these contact details reveal that prior to 2009, x999xx favored the handle Maxnm on Russian cybercrime forums. Cyber intelligence company Intel 471 finds the user Maxnm registered on Zloy in 2006 from an Internet address in Chelyabinsk, using the email address kirtsov@telecom.ozersk.ru.
That same email address was used to create Maxnm accounts on several other crime forums, including Spamdot and Exploit in 2005 (also from Chelyabinsk), and Damagelab in 2006.
A search in Constella for the Russian version of Kirtsov’s full name — Кирцов Максим Георгиевич — brings up multiple accounts registered to maksya@icloud.com.
A review of the digital footprint for maksya@icloud.com at osint.industries reveals this address was used a decade ago to register a still-active account at imageshack.com under the name x999xx. That account features numerous screenshots of financial statements from various banks, chat logs with other hackers, and even hacked websites.
x999xx’s Imageshack account includes screenshots of bank account balances from dozens of financial institutions, as well as chat logs with other hackers and pictures of homegrown weed.
Some of the photos in that Imageshack account also appear on Kirtsov’s Vkontakte page, including images of vehicles he owns, as well as pictures of potted marijuana plants. Kirtsov’s Vkontakte profile says that in 2012 he was a faculty member of the Ozersk Technological Institute National Research Nuclear University.
The Vkontakte page lists Kirtsov’s occupation as a website called ozersk[.]today, which on the surface appears to be a blog about life in Ozersk. However, in 2019 the security firm Recorded Future published a blog post which found this domain was being used to host a malicious Cobalt Strike server.
Cobalt Strike is a commercial network penetration testing and reconnaissance tool that is sold only to vetted partners. But stolen or ill-gotten Cobalt Strike licenses are frequently abused by cybercriminal gangs to help lay the groundwork for the installation of ransomware on a victim network.
In August 2023, x999xx posted a message on Exploit saying he was interested in buying a licensed version of Cobalt Strike. A month earlier, x999xx filed a complaint on Exploit against another forum member named Cobaltforce, an apparent onetime partner whose sudden and prolonged disappearance from the community left x999xx and others in the lurch. Cobaltforce recruited people experienced in using Cobalt Strike for ransomware operations, and offered to monetize access to hacked networks for a share of the profits.
DomainTools.com finds ozersk[.]today was registered to the email address dashin2008@yahoo.com, which also was used to register roughly two dozen other domains, including x999xx[.]biz. Virtually all of those domains were registered to Maxim Kirtsov from Ozersk. Below is a mind map used to track the identities mentioned in this story.
x999xx is a prolific member of the Russian webmaster forum “Gofuckbiz,” with more than 2,000 posts over nearly a decade, according to Intel 471. In one post from 2016, x999xx asked whether anyone knew where he could buy a heat lamp that simulates sunlight, explaining that one his pet rabbits had recently perished for lack of adequate light and heat. Mr. Kirtsov’s Vkontakte page includes several pictures of caged rabbits from 2015 and earlier.
Reached via email, Mr. Kirtsov acknowledged that he is x999xx. Kirtsov said he and his team are also regular readers of KrebsOnSecurity.
“We’re glad to hear and read you,” Kirtsov replied.
Asked whether he was concerned about the legal and moral implications of his work, Kirtsov downplayed his role in ransomware intrusions, saying he was more focused on harvesting data.
“I consider myself as committed to ethical practices as you are,” Kirtsov wrote. “I have also embarked on research and am currently mentoring students. You may have noticed my activities on a forum, which I assume you know of through information gathered from public sources, possibly using the new tool you reviewed.”
“Regarding my posts about selling access, I must honestly admit, upon reviewing my own actions, I recall such mentions but believe they were never actualized,” he continued. “Many use the forum for self-serving purposes, which explains why listings of targets for sale have dwindled — they simply ceased being viable.”
Kirtsov asserted that he is not interested in harming healthcare institutions, just in stealing their data.
“As for health-related matters, I was once acquainted with affluent webmasters who would pay up to $50 for every 1000 health-themed emails,” Kirtsov said. “Therefore, I had no interest in the more sensitive data from medical institutions like X-rays, insurance numbers, or even names; I focused solely on emails. I am proficient in SQL, hence my ease with handling data like IDs and emails. And i never doing spam or something like this.”
On the Russian crime forums, x999xx said he never targets anything or anyone in Russia, and that he has little to fear from domestic law enforcement agencies provided he remains focused on foreign adversaries.
x999xx’s lackadaisical approach to personal security mirrors that of Wazawaka, another top Russian access broker who sold access to countless organizations and even operated his own ransomware affiliate programs.
“Don’t shit where you live, travel local, and don’t go abroad,” Wazawaka said of his own personal mantra. “Mother Russia will help you. Love your country, and you will always get away with everything.”
In January 2022, KrebsOnSecurity followed clues left behind by Wazawaka to identify him as 32-year-old Mikhail Matveev from Khakassia, Russia. In May 2023, the U.S. Department of Justice indicted Matveev as a key figure in several ransomware groups that collectively extorted hundreds of millions of dollars from victim organizations. The U.S. State Department is offering a $10 million reward for information leading to the capture and/or prosecution of Matveev.
Perhaps in recognition that many top ransomware criminals are largely untouchable so long as they remain in Russia, western law enforcement agencies have begun focusing more on getting inside the heads of those individuals. These so-called “psyops” are aimed at infiltrating ransomware-as-a-service operations, disrupting major cybercrime services, and decreasing trust within cybercriminal communities.
When authorities in the U.S. and U.K. announced in February 2024 that they’d infiltrated and seized the infrastructure used by the infamous LockBit ransomware gang, they borrowed the existing design of LockBit’s victim shaming website to link instead to press releases about the takedown, and included a countdown timer that was eventually replaced with the personal details of LockBit’s alleged leader.
In May 2024, law enforcement agencies in the United States and Europe announced Operation Endgame, a coordinated action against some of the most popular cybercrime platforms for delivering ransomware and data-stealing malware. The Operation Endgame website also included a countdown timer, which served to tease the release of several animated videos that mimic the same sort of flashy, short advertisements that established cybercriminals often produce to promote their services online.
The homepage of Stark Industries Solutions.
Two weeks before Russia invaded Ukraine in February 2022, a large, mysterious new Internet hosting firm called Stark Industries Solutions materialized and quickly became the epicenter of massive distributed denial-of-service (DDoS) attacks on government and commercial targets in Ukraine and Europe. An investigation into Stark Industries reveals it is being used as a global proxy network that conceals the true source of cyberattacks and disinformation campaigns against enemies of Russia.
At least a dozen patriotic Russian hacking groups have been launching DDoS attacks since the start of the war at a variety of targets seen as opposed to Moscow. But by all accounts, few attacks from those gangs have come close to the amount of firepower wielded by a pro-Russia group calling itself “NoName057(16).”
This graphic comes from a recent report from NETSCOUT about DDoS attacks from Russian hacktivist groups.
As detailed by researchers at Radware, NoName has effectively gamified DDoS attacks, recruiting hacktivists via its Telegram channel and offering to pay people who agree to install a piece of software called DDoSia. That program allows NoName to commandeer the host computers and their Internet connections in coordinated DDoS campaigns, and DDoSia users with the most attacks can win cash prizes.
The NoName DDoS group advertising on Telegram. Image: SentinelOne.com.
A report from the security firm Team Cymru found the DDoS attack infrastructure used in NoName campaigns is assigned to two interlinked hosting providers: MIRhosting and Stark Industries. MIRhosting is a hosting provider founded in The Netherlands in 2004. But Stark Industries Solutions Ltd was incorporated on February 10, 2022, just two weeks before the Russian invasion of Ukraine.
Security experts say that not long after the war started, Stark began hosting dozens of proxy services and free virtual private networking (VPN) services, which are designed to help users shield their Internet usage and location from prying eyes.
Proxy providers allow users to route their Internet and Web browsing traffic through someone else’s computer. From a website’s perspective, the traffic from a proxy network user appears to originate from the rented IP address, not from the proxy service customer.
These services can be used in a legitimate manner for several business purposes — such as price comparisons or sales intelligence — but they are also massively abused for hiding cybercrime activity because they can make it difficult to trace malicious traffic to its original source.
What’s more, many proxy services do not disclose how they obtain access to the proxies they are renting out, and in many cases the access is obtained through the dissemination of malicious software that turns the infected system into a traffic relay — usually unbeknownst to the legitimate owner of the Internet connection. Other proxy services will allow users to make money by renting out their Internet connection to anyone.
Spur.us is a company that tracks VPNs and proxy services worldwide. Spur finds that Stark Industries (AS44477) currently is home to at least 74 VPN services, and 40 different proxy services. As we’ll see in the final section of this story, just one of those proxy networks has over a million Internet addresses available for rent across the globe.
Raymond Dijkxhoorn operates a hosting firm in The Netherlands called Prolocation. He also co-runs SURBL, an anti-abuse service that flags domains and Internet address ranges that are strongly associated with spam and cybercrime activity, including DDoS.
Dijkxhoorn said last year SURBL heard from multiple people who said they operated VPN services whose web resources were included in SURBL’s block lists.
“We had people doing delistings at SURBL for domain names that were suspended by the registrars,” Dijkhoorn told KrebsOnSecurity. “And at least two of them explained that Stark offered them free VPN services that they were reselling.”
Dijkxhoorn added that Stark Industries also sponsored activist groups from Ukraine.
“How valuable would it be for Russia to know the real IPs from Ukraine’s tech warriors?” he observed.
Richard Hummel is threat intelligence lead at NETSCOUT. Hummel said when he considers the worst of all the hosting providers out there today, Stark Industries is consistently near or at the top of that list.
“The reason is we’ve had at least a dozen service providers come to us saying, ‘There’s this network out there inundating us with traffic,'” Hummel said. “And it wasn’t even DDoS attacks. [The systems] on Stark were just scanning these providers so fast it was crashing some of their services.”
Hummel said NoName will typically launch their attacks using a mix of resources rented from major, legitimate cloud services, and those from so-called “bulletproof” hosting providers like Stark. Bulletproof providers are so named when they earn or cultivate a reputation for ignoring any abuse complaints or police reports about activity on their networks.
Combining bulletproof providers with legitimate cloud hosting, Hummel said, likely makes NoName’s DDoS campaigns more resilient because many network operators will hesitate to be too aggressive in blocking Internet addresses associated with the major cloud services.
“What we typically see here is a distribution of cloud hosting providers and bulletproof hosting providers in DDoS attacks,” he said. “They’re using public cloud hosting providers because a lot of times that’s your first layer of network defense, and because [many companies are wary of] over-blocking access to legitimate cloud resources.”
But even if the cloud provider detects abuse coming from the customer, the provider is probably not going to shut the customer down immediately, Hummel said.
“There is usually a grace period, and even if that’s only an hour or two, you can still launch a large number of attacks in that time,” he said. “And then they just keep coming back and opening new cloud accounts.”
Stark Industries is incorporated at a mail drop address in the United Kingdom. UK business records list an Ivan Vladimirovich Neculiti as the company’s secretary. Mr. Neculiti also is named as the CEO and founder of PQ Hosting Plus S.R.L. (aka Perfect Quality Hosting), a Moldovan company formed in 2019 that lists the same UK mail drop address as Stark Industries.
Ivan Neculiti, as pictured on LinkedIn.
Reached via LinkedIn, Mr. Neculiti said PQ Hosting established Stark Industries as a “white label” of its brand so that “resellers could distribute our services using our IP addresses and their clients would not have any affairs with PQ Hosting.”
“PQ Hosting is a company with over 1,000+ of [our] own physical servers in 38 countries and we have over 100,000 clients,” he said. “Though we are not as large as Hetzner, Amazon and OVH, nevertheless we are a fast growing company that provides services to tens of thousands of private customers and legal entities.”
Asked about the constant stream of DDoS attacks whose origins have traced back to Stark Industries over the past two years, Neculiti maintained Stark hasn’t received any official abuse reports about attacks coming from its networks.
“It was probably some kind of clever attack that we did not see, I do not rule out this fact, because we have a very large number of clients and our Internet channels are quite large,” he said. “But, in this situation, unfortunately, no one contacted us to report that there was an attack from our addresses; if someone had contacted us, we would have definitely blocked the network data.”
DomainTools.com finds Ivan V. Neculiti was the owner of war[.]md, a website launched in 2008 that chronicled the history of a 1990 armed conflict in Moldova known as the Transnistria War and the Moldo-Russian war.
An ad for war.md, circa 2009.
Transnistria is a breakaway pro-Russian region that declared itself a state in 1990, although it is not internationally recognized. The copyright on that website credits the “MercenarieS TeaM,” which was at one time a Moldovan IT firm. Mr. Neculiti confirmed personally registering this domain.
The data breach tracking service Constella Intelligence reports that an Ivan V. Neculiti registered multiple online accounts under the email address dfyz_bk@bk.ru. Cyber intelligence firm Intel 471 shows this email address is tied to the username “dfyz” on more than a half-dozen Russian language cybercrime forums since 2008. The user dfyz on Searchengines[.]ru in 2008 asked other forum members to review war.md, and said they were part of the MercenarieS TeaM.
Back then, dfyz was selling “bulletproof servers for any purpose,” meaning the hosting company would willfully ignore abuse complaints or police inquiries about the activity of its customers.
DomainTools reports there are at least 33 domain names registered to dfyz_bk@bk.ru. Several of these domains have Ivan Neculiti in their registration records, including tracker-free[.]cn, which was registered to an Ivan Neculiti at dfyz_bk@bk.ru and referenced the MercenarieS TeaM in its original registration records.
Dfyz also used the nickname DonChicho, who likewise sold bulletproof hosting services and access to hacked Internet servers. In 2014, a prominent member of the Russian language cybercrime community Antichat filed a complaint against DonChicho, saying this user scammed them and had used the email address dfyz_bk@bk.ru.
The complaint said DonChicho registered on Antichat from the Transnistria Internet address 84.234.55[.]29. Searching this address in Constella reveals it has been used to register just five accounts online that have been created over the years, including one at ask.ru, where the user registered with the email address neculitzy1@yandex.ru. Constella also returns for that email address a user by the name “Ivan” at memoraleak.com and 000webhost.com.
Constella finds that the password most frequently used by the email address dfyz_bk@bk.ru was “filecast,” and that there are more than 90 email addresses associated with this password. Among them are roughly two dozen addresses with the name “Neculiti” in them, as well as the address support@donservers[.]ru.
Intel 471 says DonChicho posted to several Russian cybercrime forums that support@donservers[.]ru was his address, and that he logged into cybercrime forums almost exclusively from Internet addresses in Tiraspol, the capital of Transnistria. A review of DonChicho’s posts shows this person was banned from several forums in 2014 for scamming other users.
Cached copies of DonChicho’s vanity domain (donchicho[.]ru) show that in 2009 he was a spammer who peddled knockoff prescription drugs via Rx-Promotion, once one of the largest pharmacy spam moneymaking programs for Russian-speaking affiliates.
Mr. Neculiti told KrebsOnSecurity he has never used the nickname DonChicho.
“I may assure you that I have no relation to DonChicho nor to his bulletproof servers,” he said.
Below is a mind map that shows the connections between the accounts mentioned above.
Earlier this year, NoName began massively hitting government and industry websites in Moldova. A new report from Arbor Networks says the attacks began around March 6, when NoName alleged the government of Moldova was “craving for Russophobia.”
“Since early March, more than 50 websites have been targeted, according to posted ‘proof’ by the groups involved in attacking the country,” Arbor’s ASERT Team wrote. “While NoName seemingly initiated the ramp of attacks, a host of other DDoS hacktivists have joined the fray in claiming credit for attacks across more than 15 industries.”
The German independent news outlet Correctiv.org last week published a scathing investigative report on Stark Industries and MIRhosting, which notes that Ivan Neculiti operates his hosting companies with the help of his brother, Yuri.
The report points out that Stark Industries continues to host a Russian disinformation news outlet called “Recent Reliable News” (RRN) that was sanctioned by the European Union in 2023 for spreading links to propaganda blogs and fake European media and government websites.
“The website was not running on computers in Moscow or St. Petersburg until recently, but in the middle of the EU, in the Netherlands, on the computers of the Neculiti brothers,” Correctiv reporters wrote.
“After a request from this editorial team, a well-known service was installed that hides the actual web host,” the report continues. “Ivan Neculiti announced that he had blocked the associated access and server following internal investigations. “We very much regret that we are only now finding out that one of our customers is a sanctioned portal,” said the company boss. However, RRN is still accessible via its servers.”
Correctiv also points to a January 2023 report from the Ukrainian government, which found servers from Stark Industries Solutions were used as part of a cyber attack on the Ukrainian news agency “Ukrinform”. Correctiv notes the notorious hacker group Sandworm — an advanced persistent threat (APT) group operated by a cyberwarfare unit of Russia’s military intelligence service — was identified by Ukrainian government authorities as responsible for that attack.
Public records indicate MIRhosting is based in The Netherlands and is operated by 37-year old Andrey Nesterenko, whose personal website says he is an accomplished concert pianist who began performing publicly at a young age.
DomainTools says mirhosting[.]com is registered to Mr. Nesterenko and to Innovation IT Solutions Corp, which lists addresses in London and in Nesterenko’s stated hometown of Nizhny Novgorod, Russia.
This is interesting because according to the book Inside Cyber Warfare by Jeffrey Carr, Innovation IT Solutions Corp. was responsible for hosting StopGeorgia[.]ru, a hacktivist website for organizing cyberattacks against Georgia that appeared at the same time Russian forces invaded the former Soviet nation in 2008. That conflict was thought to be the first war ever fought in which a notable cyberattack and an actual military engagement happened simultaneously.
Responding to questions from KrebsOnSecurity, Mr. Nesterenko said he couldn’t say whether his network had ever hosted the StopGeorgia website back in 2008 because his company didn’t keep records going back that far. But he said Stark Industries Solutions is indeed one of MIRhsoting’s colocation customers.
“Our relationship is purely provider-customer,” Nesterenko said. “They also utilize multiple providers and data centers globally, so connecting them directly to MIRhosting overlooks their broader network.”
“We take any report of malicious activity seriously and are always open to information that can help us identify and prevent misuse of our infrastructure, whether involving Stark Industries or any other customer,” Nesterenko continued. “In cases where our services are exploited for malicious purposes, we collaborate fully with Dutch cyber police and other relevant authorities to investigate and take appropriate measures. However, we have yet to receive any actionable information beyond the article itself, which has not provided us with sufficient detail to identify or block malicious actors.”
In December 2022, security firm Recorded Future profiled the phishing and credential harvesting infrastructure used for Russia-aligned espionage operations by a group dubbed Blue Charlie (aka TAG-53), which has targeted email accounts of nongovernmental organizations and think tanks, journalists, and government and defense officials.
Recorded Future found that virtually all the Blue Charlie domains existed in just ten different ISPs, with a significant concentration located in two networks, one of which was MIRhosting. Both Microsoft and the UK government assess that Blue Charlie is linked to the Russian threat activity groups variously known as Callisto Group, COLDRIVER, and SEABORGIUM.
Mr. Nesterenko took exception to a story on that report from The Record, which is owned by Recorded Future.
“We’ve discussed its contents with our customer, Stark Industries,” he said. “We understand that they have initiated legal proceedings against the website in question, as they firmly believe that the claims made are inaccurate.”
Recorded Future said they updated their story with comments from Mr. Neculiti, but that they stand by their reporting.
Mr. Nesterenko’s LinkedIn profile says he was previously the foreign region sales manager at Serverius-as, a hosting company in The Netherlands that remains in the same data center as MIRhosting.
In February, the Dutch police took 13 servers offline that were used by the infamous LockBit ransomware group, which had originally bragged on its darknet website that its home base was in The Netherlands. Sources tell KrebsOnSecurity the servers seized by the Dutch police were located in Serverius’ data center in Dronten, which is also shared by MIRhosting.
Serverius-as did not respond to requests for comment. Nesterenko said MIRhosting does use one of Serverius’s data centers for its operations in the Netherlands, alongside two other data centers, but that the recent incident involving the seizure of servers has no connection to MIRhosting.
“We are legally prohibited by Dutch law and police regulations from sharing information with third parties regarding any communications we may have had,” he said.
A February 2024 report from security firm ESET found Serverius-as systems were involved in a series of targeted phishing attacks by Russia-aligned groups against Ukrainian entities throughout 2023. ESET observed that after the spearphishing domains were no longer active, they were converted to promoting rogue Internet pharmacy websites.
A review of the Internet address ranges recently added to the network operated by Stark Industries Solutions offers some insight into its customer base, usage, and maybe even true origins. Here is a snapshot (PDF) of all Internet address ranges announced by Stark Industries so far in the month of May 2024 (this information was graciously collated by the network observability platform Kentik.com).
Those records indicate that the largest portion of the IP space used by Stark is in The Netherlands, followed by Germany and the United States. Stark says it is connected to roughly 4,600 Internet addresses that currently list their ownership as Comcast Cable Communications.
A review of those address ranges at spur.us shows all of them are connected to an entity called Proxyline, which is a sprawling proxy service based in Russia that currently says it has more than 1.6 million proxies globally that are available for rent.
Proxyline dot net.
Reached for comment, Comcast said the Internet address ranges never did belong to Comcast, so it is likely that Stark has been fudging the real location of its routing announcements in some cases.
Stark reports that it has more than 67,000 Internet addresses at Santa Clara, Calif.-based EGIhosting. Spur says the Stark addresses involving EGIhosting all map to Proxyline as well. EGIhosting did not respond to requests for comment.
EGIhosting manages Internet addresses for the Cyprus-based hosting firm ITHOSTLINE LTD (aka HOSTLINE-LTD), which is represented throughout Stark’s announced Internet ranges. Stark says it has more than 21,000 Internet addresses with HOSTLINE. Spur.us finds Proxyline addresses are especially concentrated in the Stark ranges labeled ITHOSTLINE LTD, HOSTLINE-LTD, and Proline IT.
Stark’s network list includes approximately 21,000 Internet addresses at Hockessin, De. based DediPath, which abruptly ceased operations without warning in August 2023. According to a phishing report released last year by Interisle Consulting, DediPath was the fourth most common source of phishing attacks in the year ending Oct. 2022. Spur.us likewise finds that virtually all of the Stark address ranges marked “DediPath LLC” are tied to Proxyline.
Image: Interisle Consulting.
A large number of the Internet address ranges announced by Stark in May originate in India, and the names that are self-assigned to many of these networks indicate they were previously used to send large volumes of spam for herbal medicinal products, with names like HerbalFarm, AdsChrome, Nutravo, Herbzoot and Herbalve.
The anti-spam organization SpamHaus reports that many of the Indian IP address ranges are associated with known “snowshoe spam,” a form of abuse that involves mass email campaigns spread across several domains and IP addresses to weaken reputation metrics and avoid spam filters.
It’s not clear how much of Stark’s network address space traces its origins to Russia, but big chunks of it recently belonged to some of the oldest entities on the Russian Internet (a.k.a. “Runet”).
For example, many Stark address ranges were most recently assigned to a Russian government entity whose full name is the “Federal State Autonomous Educational Establishment of Additional Professional Education Center of Realization of State Educational Policy and Informational Technologies.”
A review of Internet address ranges adjacent to this entity reveals a long list of Russian government organizations that are part of the Federal Guard Service of the Russian Federation. Wikipedia says the Federal Guard Service is a Russian federal government agency concerned with tasks related to protection of several high-ranking state officials, including the President of Russia, as well as certain federal properties. The agency traces its origins to the USSR’s Ninth Directorate of the KGB, and later the presidential security service.
Stark recently announced the address range 213.159.64.0/20 from April 27 to May 1, and this range was previously assigned to an ancient ISP in St. Petersburg, RU called the Computer Technologies Institute Ltd.
According to a post on the Russian language webmaster forum searchengines[.]ru, the domain for Computer Technologies Institute — ctinet[.]ru — is the seventh-oldest domain in the entire history of the Runet.
Curiously, Stark also lists large tracts of Internet addresses (close to 48,000 in total) assigned to a small ISP in Kharkiv, Ukraine called NetAssist. Reached via email, the CEO of NetAssist Max Tulyev confirmed his company provides a number of services to PQ Hosting.
“We colocate their equipment in Warsaw, Madrid, Sofia and Thessaloniki, provide them IP transit and IPv4 addresses,” Tulyev said. “For their size, we receive relatively low number of complains to their networks. I never seen anything about their pro-Russian activity or support of Russian hackers. It is very interesting for me to see proofs of your accusations.”
Spur.us mapped the entire infrastructure of Proxyline, and found more than one million proxies across multiple providers, but by far the biggest concentration was at Stark Industries Solutions. The full list of Proxyline address ranges (.CSV) shows two other ISPs appear repeatedly throughout the list. One is Kharkiv, Ukraine based ITL LLC, also known as Information Technology Laboratories Group, and Integrated Technologies Laboratory.
The second is a related hosting company in Miami, called Green Floid LLC. Green Floid featured in a 2017 scoop by CNN, which profiled the company’s owner and quizzed him about Russian troll farms using proxy networks on Green Floid and its parent firm ITL to mask disinformation efforts tied to the Kremlin’s Internet Research Agency (IRA). At the time, the IRA was using Facebook and other social media networks to spread videos showing police brutality against African Americans in an effort to encourage protests across the United States.
Doug Madory, director of Internet analysis at Kentik, was able to see at a high level the top sources and destinations for traffic traversing Stark’s network.
“Based on our aggregate NetFlow, we see Iran as the top destination (35.1%) for traffic emanating from Stark (AS44477),” Madory said. “Specifically, the top destination is MTN Irancell, while the top source is Facebook. This data supports the theory that AS44477 houses proxy services as Facebook is blocked in Iran.”
On April 30, the security firm Malwarebytes explored an extensive malware operation that targets corporate Internet users with malicious ads. Among the sites used as lures in that campaign were fake Wall Street Journal and CNN websites that told visitors they were required to install a WSJ or CNN-branded browser extension (malware). Malwarebytes found a domain name central to that operation was hosted at Internet addresses owned by Stark Industries.
Image: threatdown.com
A command line Windows API tracing tool for Golang binaries.
Note: This tool is a PoC and a work-in-progress prototype so please treat it as such. Feedbacks are always welcome!
Although Golang programs contains a lot of nuances regarding the way they are built and their behavior in runtime they still need to interact with the OS layer and that means at some point they do need to call functions from the Windows API.
The Go runtime package contains a function called asmstdcall and this function is a kind of "gateway" used to interact with the Windows API. Since it's expected this function to call the Windows API functions we can assume it needs to have access to information such as the address of the function and it's parameters, and this is where things start to get more interesting.
Asmstdcall receives a single parameter which is pointer to something similar to the following structure:
struct LIBCALL {
DWORD_PTR Addr;
DWORD Argc;
DWORD_PTR Argv;
DWORD_PTR ReturnValue;
[...]
}
Some of these fields are filled after the API function is called, like the return value, others are received by asmstdcall, like the function address, the number of arguments and the list of arguments. Regardless when those are set it's clear that the asmstdcall function manipulates a lot of interesting information regarding the execution of programs compiled in Golang.
The gftrace leverages asmstdcall and the way it works to monitor specific fields of the mentioned struct and log it to the user. The tool is capable of log the function name, it's parameters and also the return value of each Windows function called by a Golang application. All of it with no need to hook a single API function or have a signature for it.
The tool also tries to ignore all the noise from the Go runtime initialization and only log functions called after it (i.e. functions from the main package).
If you want to know more about this project and research check the blogpost.
Download the latest release.
gftrace.exe <filepath> <params>
All you need to do is specify which functions you want to trace in the gftrace.cfg file, separating it by comma with no spaces:
CreateFileW,ReadFile,CreateProcessW
The exact Windows API functions a Golang method X of a package Y would call in a specific scenario can only be determined either by analysis of the method itself or trying to guess it. There's some interesting characteristics that can be used to determine it, for example, Golang applications seems to always prefer to call functions from the "Wide" and "Ex" set (e.g. CreateFileW, CreateProcessW, GetComputerNameExW, etc) so you can consider it during your analysis.
The default config file contains multiple functions in which I tested already (at least most part of them) and can say for sure they can be called by a Golang application at some point. I'll try to update it eventually.
Tracing CreateFileW() and ReadFile() in a simple Golang file that calls "os.ReadFile" twice:
- CreateFileW("C:\Users\user\Desktop\doc.txt", 0x80000000, 0x3, 0x0, 0x3, 0x1, 0x0) = 0x168 (360)
- ReadFile(0x168, 0xc000108000, 0x200, 0xc000075d64, 0x0) = 0x1 (1)
- CreateFileW("C:\Users\user\Desktop\doc2.txt", 0x80000000, 0x3, 0x0, 0x3, 0x1, 0x0) = 0x168 (360)
- ReadFile(0x168, 0xc000108200, 0x200, 0xc000075d64, 0x0) = 0x1 (1)
Tracing CreateProcessW() in the TunnelFish malware:
- CreateProcessW("C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell /c "Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn; Get-Recipient | Select Name -ExpandProperty EmailAddresses -first 1 | Select SmtpAddress | ft -hidetableheaders"", 0x0, 0x0, 0x1, 0x80400, "=C:=C:\Users\user\Desktop", 0x0, 0xc0000ace98, 0xc0000acd68) = 0x1 (1)
- CreateProcessW("C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell /c "Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn; Get-Recipient | Select Name -ExpandProperty EmailAddresses -first 1 | Select SmtpAddress | ft -hidetableheaders"", 0x0, 0x0, 0x1, 0x80400, "=C:=C:\Users\user\Desktop", 0x0, 0xc0000c4ec8, 0xc0000c4d98) = 0x1 (1)
- CreateProcessW("C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell /c "Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn; Get-Recipient | Select Name -ExpandProperty EmailAddresses -first 1 | Select SmtpAddres s | ft -hidetableheaders"", 0x0, 0x0, 0x1, 0x80400, "=C:=C:\Users\user\Desktop", 0x0, 0xc00005eec8, 0xc00005ed98) = 0x1 (1)
- CreateProcessW("C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell /c "Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn; Get-Recipient | Select Name -ExpandProperty EmailAddresses -first 1 | Select SmtpAddress | ft -hidetableheaders"", 0x0, 0x0, 0x1, 0x80400, "=C:=C:\Users\user\Desktop", 0x0, 0xc0000bce98, 0xc0000bcd68) = 0x1 (1)
- CreateProcessW("C:\WINDOWS\system32\cmd.exe", "cmd /c "wmic computersystem get domain"", 0x0, 0x0, 0x1, 0x80400, "=C:=C:\Users\user\Desktop", 0x0, 0xc0000c4ef0, 0xc0000c4dc0) = 0x1 (1)
- CreateProcessW("C:\WINDOWS\system32\cmd.exe", "cmd /c "wmic computersystem get domain"", 0x0, 0x0, 0x1, 0x80400, "=C:=C:\Users\user\Desktop", 0x0, 0xc0000acec0, 0xc0000acd90) = 0x1 (1)
- CreateProcessW("C:\WINDOWS\system32\cmd.exe", "cmd /c "wmic computersystem get domain"", 0x0, 0x0, 0x1, 0x80400, "=C:=C:\Users\user\Desktop", 0x0, 0xc0000bcec0, 0xc0000bcd90) = 0x1 (1)
[...]
Tracing multiple functions in the Sunshuttle malware:
- CreateFileW("config.dat.tmp", 0x80000000, 0x3, 0x0, 0x3, 0x1, 0x0) = 0xffffffffffffffff (-1)
- CreateFileW("config.dat.tmp", 0xc0000000, 0x3, 0x0, 0x2, 0x80, 0x0) = 0x198 (408)
- CreateFileW("config.dat.tmp", 0xc0000000, 0x3, 0x0, 0x3, 0x80, 0x0) = 0x1a4 (420)
- WriteFile(0x1a4, 0xc000112780, 0xeb, 0xc0000c79d4, 0x0) = 0x1 (1)
- GetAddrInfoW("reyweb.com", 0x0, 0xc000031f18, 0xc000031e88) = 0x0 (0)
- WSASocketW(0x2, 0x1, 0x0, 0x0, 0x0, 0x81) = 0x1f0 (496)
- WSASend(0x1f0, 0xc00004f038, 0x1, 0xc00004f020, 0x0, 0xc00004eff0, 0x0) = 0x0 (0)
- WSARecv(0x1f0, 0xc00004ef60, 0x1, 0xc00004ef48, 0xc00004efd0, 0xc00004ef18, 0x0) = 0xffffffff (-1)
- GetAddrInfoW("reyweb.com", 0x0, 0xc000031f18, 0xc000031e88) = 0x0 (0)
- WSASocketW(0x2, 0x1, 0x0, 0x0, 0x0, 0x81) = 0x200 (512)
- WSASend(0x200, 0xc00004f2b8, 0x1, 0xc00004f2a0, 0x0, 0xc00004f270, 0x0) = 0x0 (0)
- WSARecv(0x200, 0xc00004f1e0, 0x1, 0xc00004f1c8, 0xc00004f250, 0xc00004f198, 0x0) = 0xffffffff (-1)
[...]
Tracing multiple functions in the DeimosC2 framework agent:
- WSASocketW(0x2, 0x1, 0x0, 0x0, 0x0, 0x81) = 0x130 (304)
- setsockopt(0x130, 0xffff, 0x20, 0xc0000b7838, 0x4) = 0xffffffff (-1)
- socket(0x2, 0x1, 0x6) = 0x138 (312)
- WSAIoctl(0x138, 0xc8000006, 0xaf0870, 0x10, 0xb38730, 0x8, 0xc0000b746c, 0x0, 0x0) = 0x0 (0)
- GetModuleFileNameW(0x0, "C:\Users\user\Desktop\samples\deimos.exe", 0x400) = 0x2f (47)
- GetUserProfileDirectoryW(0x140, "C:\Users\user", 0xc0000b7a08) = 0x1 (1)
- LookupAccountSidw(0x0, 0xc00000e250, "user", 0xc0000b796c, "DESKTOP-TEST", 0xc0000b7970, 0xc0000b79f0) = 0x1 (1)
- NetUserGetInfo("DESKTOP-TEST", "user", 0xa, 0xc0000b7930) = 0x0 (0)
- GetComputerNameExW(0x5, "DESKTOP-TEST", 0xc0000b7b78) = 0x1 (1)
- GetAdaptersAddresses(0x0, 0x10, 0x0, 0xc000120000, 0xc0000b79d0) = 0x0 (0)
- CreateToolhelp32Snapshot(0x2, 0x0) = 0x1b8 (440)
- GetCurrentProcessId() = 0x2584 (9604)
- GetCurrentDirectoryW(0x12c, "C:\Users\user\AppData\Local\Programs\retoolkit\bin") = 0x39 (57 )
[...]
The gftrace is published under the GPL v3 License. Please refer to the file named LICENSE for more information.
RepoReaper is a precision tool designed to automate the identification of exposed .git
repositories across a list of domains and subdomains. By processing a user-provided text file with domain names, RepoReaper systematically checks each for publicly accessible .git
files. This enables rapid assessment and protection against information leaks, making RepoReaper an essential resource for security teams and web developers.
.git
repositories.Clone the repository and install the required dependencies:
git clone https://github.com/YourUsername/RepoReaper.git
cd RepoReaper
pip install -r requirements.txt
chmod +x RepoReaper.py
RepoReaper is executed from the command line and will prompt for the path to a file containing a list of domains or subdomains to be scanned.
To start RepoReaper, simply run:
./RepoReaper.py
or
python3 RepoReaper.py
Upon execution, RepoReaper will ask for the path to the file containing the domains or subdomains: Enter the path of the file containing domains
Provide the path to your text file when prompted. The file should contain one domain or subdomain per line, like so:
example.com
subdomain.example.com
anotherdomain.com
RepoReaper will then proceed to scan the provided domains or subdomains for exposed .git repositories and report its findings.
This tool is intended for educational purposes and security research only. The user assumes all responsibility for any damages or misuse resulting from its use.
SwaggerSpy is a tool designed for automated Open Source Intelligence (OSINT) on SwaggerHub. This project aims to streamline the process of gathering intelligence from APIs documented on SwaggerHub, providing valuable insights for security researchers, developers, and IT professionals.
Swagger is an open-source framework that allows developers to design, build, document, and consume RESTful web services. It simplifies API development by providing a standard way to describe REST APIs using a JSON or YAML format. Swagger enables developers to create interactive documentation for their APIs, making it easier for both developers and non-developers to understand and use the API.
SwaggerHub is a collaborative platform for designing, building, and managing APIs using the Swagger framework. It offers a centralized repository for API documentation, version control, and collaboration among team members. SwaggerHub simplifies the API development lifecycle by providing a unified platform for API design and testing.
Performing OSINT on SwaggerHub is crucial because developers, in their pursuit of efficient API documentation and sharing, may inadvertently expose sensitive information. Here are key reasons why OSINT on SwaggerHub is valuable:
Developer Oversights: Developers might unintentionally include secrets, credentials, or sensitive information in API documentation on SwaggerHub. These oversights can lead to security vulnerabilities and unauthorized access if not identified and addressed promptly.
Security Best Practices: OSINT on SwaggerHub helps enforce security best practices. Identifying and rectifying potential security issues early in the development lifecycle is essential to ensure the confidentiality and integrity of APIs.
Preventing Data Leaks: By systematically scanning SwaggerHub for sensitive information, organizations can proactively prevent data leaks. This is especially crucial in today's interconnected digital landscape where APIs play a vital role in data exchange between services.
Risk Mitigation: Understanding that developers might forget to remove or obfuscate sensitive details in API documentation underscores the importance of continuous OSINT on SwaggerHub. This proactive approach mitigates the risk of unintentional exposure of critical information.
Compliance and Privacy: Many industries have stringent compliance requirements regarding the protection of sensitive data. OSINT on SwaggerHub ensures that APIs adhere to these regulations, promoting a culture of compliance and safeguarding user privacy.
Educational Opportunities: Identifying oversights in SwaggerHub documentation provides educational opportunities for developers. It encourages a security-conscious mindset, fostering a culture of awareness and responsible information handling.
By recognizing that developers can inadvertently expose secrets, OSINT on SwaggerHub becomes an integral part of the overall security strategy, safeguarding against potential threats and promoting a secure API ecosystem.
SwaggerSpy obtains information from SwaggerHub and utilizes regular expressions to inspect API documentation for sensitive information, such as secrets and credentials.
To use SwaggerSpy, follow these steps:
git clone https://github.com/UndeadSec/SwaggerSpy.git
cd SwaggerSpy
pip install -r requirements.txt
python swaggerspy.py searchterm
SwaggerSpy is intended for educational and research purposes only. Users are responsible for ensuring that their use of this tool complies with applicable laws and regulations.
Contributions to SwaggerSpy are welcome! Feel free to submit issues, feature requests, or pull requests to help improve this tool.
SwaggerSpy is developed and maintained by Alisson Moretto (UndeadSec)
I'm a passionate cyber threat intelligence pro who loves sharing insights and crafting cybersecurity tools.
SwaggerSpy is licensed under the MIT License. See the LICENSE file for details.
Special thanks to @Liodeus for providing project inspiration through swaggerHole.
Execute code within Azure Automation service without getting charged
CloudMiner is a tool designed to get free computing power within Azure Automation service. The tool utilizes the upload module/package flow to execute code which is totally free to use. This tool is intended for educational and research purposes only and should be used responsibly and with proper authorization.
This flow was reported to Microsoft on 3/23 which decided to not change the service behavior as it's considered as "by design". As for 3/9/23, this tool can still be used without getting charged.
Each execution is limited to 3 hours
requirements.txt
pip install .
usage: cloud_miner.py [-h] --path PATH --id ID -c COUNT [-t TOKEN] [-r REQUIREMENTS] [-v]
CloudMiner - Free computing power in Azure Automation Service
optional arguments:
-h, --help show this help message and exit
--path PATH the script path (Powershell or Python)
--id ID id of the Automation Account - /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Automation/a
utomationAccounts/{automationAccountName}
-c COUNT, --count COUNT
number of executions
-t TOKEN, --token TOKEN
Azure access token (optional). If not provided, token will be retrieved using the Azure CLI
-r REQUIREMENTS, --requirements REQUIREMENTS
Path to requirements file to be installed and use by the script (relevant to Python scripts only)
-v, --verbose Enable verbose mode
CloudMiner is released under the BSD 3-Clause License. Feel free to modify and distribute this tool responsibly, while adhering to the license terms.
In 2021, the exclusive Russian cybercrime forum Mazafaka was hacked. The leaked user database shows one of the forum’s founders was an attorney who advised Russia’s top hackers on the legal risks of their work, and what to do if they got caught. A review of this user’s hacker identities shows that during his time on the forums he served as an officer in the special forces of the GRU, the foreign military intelligence agency of the Russian Federation.
Launched in 2001 under the tagline “Network terrorism,” Mazafaka would evolve into one of the most guarded Russian-language cybercrime communities. The forum’s member roster included a Who’s Who of top Russian cybercriminals, and it featured sub-forums for a wide range of cybercrime specialities, including malware, spam, coding and identity theft.
One representation of the leaked Mazafaka database.
In almost any database leak, the first accounts listed are usually the administrators and early core members. But the Mazafaka user information posted online was not a database file per se, and it was clearly edited, redacted and restructured by whoever released it. As a result, it can be difficult to tell which members are the earliest users.
The original Mazafaka is known to have been launched by a hacker using the nickname “Stalker.” However, the lowest numbered (non-admin) user ID in the Mazafaka database belongs to another individual who used the handle “Djamix,” and the email address djamix@mazafaka[.]ru.
From the forum’s inception until around 2008, Djamix was one of its most active and eloquent contributors. Djamix told forum members he was a lawyer, and nearly all of his posts included legal analyses of various public cases involving hackers arrested and charged with cybercrimes in Russia and abroad.
“Hiding with purely technical parameters will not help in a serious matter,” Djamix advised Maza members in September 2007. “In order to ESCAPE the law, you need to KNOW the law. This is the most important thing. Technical capabilities cannot overcome intelligence and cunning.”
Stalker himself credited Djamix with keeping Mazafaka online for so many years. In a retrospective post published to Livejournal in 2014 titled, “Mazafaka, from conception to the present day,” Stalker said Djamix had become a core member of the community.
“This guy is everywhere,” Stalker said of Djamix. “There’s not a thing on [Mazafaka] that he doesn’t take part in. For me, he is a stimulus-irritant and thanks to him, Maza is still alive. Our rallying force!”
Djamix told other forum denizens he was a licensed attorney who could be hired for remote or in-person consultations, and his posts on Mazafaka and other Russian boards show several hackers facing legal jeopardy likely took him up on this offer.
“I have the right to represent your interests in court,” Djamix said on the Russian-language cybercrime forum Verified in Jan. 2011. “Remotely (in the form of constant support and consultations), or in person – this is discussed separately. As well as the cost of my services.”
A search on djamix@mazafaka[.]ru at DomainTools.com reveals this address has been used to register at least 10 domain names since 2008. Those include several websites about life in and around Sochi, Russia, the site of the 2014 Winter Olympics, as well as a nearby coastal town called Adler. All of those sites say they were registered to an Aleksei Safronov from Sochi who also lists Adler as a hometown.
The breach tracking service Constella Intelligence finds that the phone number associated with those domains — +7.9676442212 — is tied to a Facebook account for an Aleksei Valerievich Safronov from Sochi. Mr. Safronov’s Facebook profile, which was last updated in October 2022, says his ICQ instant messenger number is 53765. This is the same ICQ number assigned to Djamix in the Mazafaka user database.
The Facebook account for Aleksey Safronov.
A “Djamix” account on the forum privetsochi[.]ru (“Hello Sochi”) says this user was born Oct. 2, 1970, and that his website is uposter[.]ru. This Russian language news site’s tagline is, “We Create Communication,” and it focuses heavily on news about Sochi, Adler, Russia and the war in Ukraine, with a strong pro-Kremlin bent.
Safronov’s Facebook profile also gives his Skype username as “Djamixadler,” and it includes dozens of photos of him dressed in military fatigues along with a regiment of soldiers deploying in fairly remote areas of Russia. Some of those photos date back to 2008.
In several of the images, we can see a patch on the arm of Safronov’s jacket that bears the logo of the Spetsnaz GRU, a special forces unit of the Russian military. According to a 2020 report from the Congressional Research Service, the GRU operates both as an intelligence agency — collecting human, cyber, and signals intelligence — and as a military organization responsible for battlefield reconnaissance and the operation of Russia’s Spetsnaz military commando units.
Mr. Safronov posted this image of himself on Facebook in 2016. The insignia of the GRU can be seen on his sleeve.
“In recent years, reports have linked the GRU to some of Russia’s most aggressive and public intelligence operations,” the CRS report explains. “Reportedly, the GRU played a key role in Russia’s occupation of Ukraine’s Crimea region and invasion of eastern Ukraine, the attempted assassination of former Russian intelligence officer Sergei Skripal in the United Kingdom, interference in the 2016 U.S. presidential elections, disinformation and propaganda operations, and some of the world’s most damaging cyberattacks.”
According to the Russia-focused investigative news outlet Meduza, in 2014 the Russian Defense Ministry created its “information-operation troops” for action in “cyber-confrontations with potential adversaries.”
“Later, sources in the Defense Ministry explained that these new troops were meant to ‘disrupt the potential adversary’s information networks,'” Meduza reported in 2018. “Recruiters reportedly went looking for ‘hackers who have had problems with the law.'”
Mr. Safronov did not respond to multiple requests for comment. A 2018 treatise written by Aleksei Valerievich Safronov titled “One Hundred Years of GRU Military Intelligence” explains the significance of the bat in the seal of the GRU.
“One way or another, the bat is an emblem that unites all active and retired intelligence officers; it is a symbol of unity and exclusivity,” Safronov wrote. “And, in general, it doesn’t matter who we’re talking about – a secret GRU agent somewhere in the army or a sniper in any of the special forces brigades. They all did and are doing one very important and responsible thing.”
It’s unclear what role Mr. Safronov plays or played in the GRU, but it seems likely the military intelligence agency would have exploited his considerable technical skills, knowledge and connections on the Russian cybercrime forums.
Searching on Safronov’s domain uposter[.]ru in Constella Intelligence reveals that this domain was used in 2022 to register an account at a popular Spanish-language discussion forum dedicated to helping applicants prepare for a career in the Guardia Civil, one of Spain’s two national police forces. Pivoting on that Russian IP in Constella shows three other accounts were created at the same Spanish user forum around the same date.
Mark Rasch is a former cybercrime prosecutor for the U.S. Department of Justice who now serves as chief legal officer for the New York cybersecurity firm Unit 221B. Rasch said there has always been a close relationship between the GRU and the Russian hacker community, noting that in the early 2000s the GRU was soliciting hackers with the skills necessary to hack US banks in order to procure funds to help finance Russia’s war in Chechnya.
“The guy is heavily hooked into the Russian cyber community, and that’s useful for intelligence services,” Rasch said. “He could have been infiltrating the community to monitor it for the GRU. Or he could just be a guy wearing a military uniform.”
Nemesis is an offensive data enrichment pipeline and operator support system.
Built on Kubernetes with scale in mind, our goal with Nemesis was to create a centralized data processing platform that ingests data produced during offensive security assessments.
Nemesis aims to automate a number of repetitive tasks operators encounter on engagements, empower operators’ analytic capabilities and collective knowledge, and create structured and unstructured data stores of as much operational data as possible to help guide future research and facilitate offensive data analysis.
See the setup instructions.
See development.md
Post Name | Publication Date | Link |
---|---|---|
Hacking With Your Nemesis | Aug 9, 2023 | https://posts.specterops.io/hacking-with-your-nemesis-7861f75fcab4 |
Challenges In Post-Exploitation Workflows | Aug 2, 2023 | https://posts.specterops.io/challenges-in-post-exploitation-workflows-2b3469810fe9 |
On (Structured) Data | Jul 26, 2023 | https://posts.specterops.io/on-structured-data-707b7d9876c6 |
Nemesis is built on large chunk of other people's work. Throughout the codebase we've provided citations, references, and applicable licenses for anything used or adapted from public sources. If we're forgotten proper credit anywhere, please let us know or submit a pull request!
We also want to acknowledge Evan McBroom, Hope Walker, and Carlo Alcantara from SpecterOps for their help with the initial Nemesis concept and amazing feedback throughout the development process.
The tool was published as part of a research about Docker named pipes:
"Breaking Docker Named Pipes SYSTEMatically: Docker Desktop Privilege Escalation – Part 1"
"Breaking Docker Named Pipes SYSTEMatically: Docker Desktop Privilege Escalation – Part 2"
PipeViewer is a GUI tool that allows users to view details about Windows Named pipes and their permissions. It is designed to be useful for security researchers who are interested in searching for named pipes with weak permissions or testing the security of named pipes. With PipeViewer, users can easily view and analyze information about named pipes on their systems, helping them to identify potential security vulnerabilities and take appropriate steps to secure their systems.
Double-click the EXE binary and you will get the list of all named pipes.
We used Visual Studio to compile it.
When downloading it from GitHub you might get error of block files, you can use PowerShell to unblock them:
Get-ChildItem -Path 'D:\tmp\PipeViewer-main' -Recurse | Unblock-File
We built the project and uploaded it so you can find it in the releases.
One problem is that the binary will trigger alerts from Windows Defender because it uses the NtObjerManager package which is flagged as virus.
Note that James Forshaw talked about it here.
We can't change it because we depend on third-party DLL.
We want to thank James Forshaw (@tyranid) for creating the open source NtApiDotNet which allowed us to get information about named pipes.
Copyright (c) 2023 CyberArk Software Ltd. All rights reserved
This repository is licensed under Apache-2.0 License - see LICENSE
for more details.
For more comments, suggestions or questions, you can contact Eviatar Gerzi (@g3rzi) and CyberArk Labs.
PoC for an SMS-based shell. Send commands and receive responses over SMS from mobile broadband capable computers.
This tool came as an insipiration during a research on eSIM security implications led by Markus Vervier, presented at Offensivecon 2023
This is not a complete C2 but rather a simple Proof of Concept for executing commands remotely over SMS.
For the shell to work you need to devices capable of sending SMS. The victim's computer should be equiped with WWAN module with either a physical SIM or eSIM deployed.
On the operator's end, two tools are provided:
Of course, you could in theory use any online SMS provider on the operator's end via their API.
On the victim simply execute the client-agent.exe
binary. If the agent is compiled as a Console Application
you should see some verbose messages. If it's compiled as a Windows Application
(best for real engagements), there will be no GUI.
The operator must specify the victim's phone number as a parameter:
server-console.exe +306912345678
Whereas if you use the python script you must additionally specify the MiFi details:
python3 server-console.py --mifi-ip 192.168.0.1 --mifi-username admin --mifi-password 12345678 --number +306912345678 -v
A demo as presented by Markus at Offensive is shown below. On the left is the operator's VM with a MiFi attached, whereas on the right window is client agent.
ADCSKiller is a Python-based tool designed to automate the process of discovering and exploiting Active Directory Certificate Services (ADCS) vulnerabilities. It leverages features of Certipy and Coercer to simplify the process of attacking ADCS infrastructure. Please note that the ADCSKiller is currently in its first drafts and will undergo further refinements and additions in future updates for sure.
Since this tool relies on Certipy and Coercer, both tools have to be installed first.
git clone https://github.com/ly4k/Certipy && cd Certipy && python3 setup.py install
git clone https://github.com/p0dalirius/Coercer && cd Coercer && pip install -r requirements.txt && python3 setup.py install
git clone https://github.com/grimlockx/ADCSKiller/ && cd ADCSKiller && pip install -r requirements.txt
Usage: adcskiller.py [-h] -d DOMAIN -u USERNAME -p PASSWORD -t TARGET -l LEVEL -L LHOST
Options:
-h, --help Show this help message and exit.
-d DOMAIN, --domain DOMAIN
Target domain name. Use FQDN
-u USERNAME, --username USERNAME
Username.
-p PASSWORD, --password PASSWORD
Password.
-dc-ip TARGET, --target TARGET
IP Address of the domain controller.
-L LHOST, --lhost LHOST
FQDN of the listener machine - An ADIDNS is probably required
The VX-API is a collection of malicious functionality to aid in malware development. It is recommended you clone and/or download this entire repo then open the Visual Studio solution file to easily explore functionality and concepts.
Some functions may be dependent on other functions present within the solution file. Using the solution file provided here will make it easier to identify which other functionality and/or header data is required.
You're free to use this in any manner you please. You do not need to use this entire solution for your malware proof-of-concepts or Red Team engagements. Strip, copy, paste, delete, or edit this projects contents as much as you'd like.
Function Name | Original Author |
---|---|
AdfCloseHandleOnInvalidAddress | Checkpoint Research |
AdfIsCreateProcessDebugEventCodeSet | Checkpoint Research |
AdfOpenProcessOnCsrss | Checkpoint Research |
CheckRemoteDebuggerPresent2 | ReactOS |
IsDebuggerPresentEx | smelly__vx |
IsIntelHardwareBreakpointPresent | Checkpoint Research |
Function Name | Original Author |
---|---|
HashStringDjb2 | Dan Bernstein |
HashStringFowlerNollVoVariant1a | Glenn Fowler, Landon Curt Noll, and Kiem-Phong Vo |
HashStringJenkinsOneAtATime32Bit | Bob Jenkins |
HashStringLoseLose | Brian Kernighan and Dennis Ritchie |
HashStringRotr32 | T. Oshiba (1972) |
HashStringSdbm | Ozan Yigit |
HashStringSuperFastHash | Paul Hsieh |
HashStringUnknownGenericHash1A | Unknown |
HashStringSipHash | RistBS |
HashStringMurmur | RistBS |
CreateMd5HashFromFilePath | Microsoft |
CreatePseudoRandomInteger | Apple (c) 1999 |
CreatePseudoRandomString | smelly__vx |
HashFileByMsiFileHashTable | smelly__vx |
CreatePseudoRandomIntegerFromNtdll | smelly__vx |
LzMaximumCompressBuffer | smelly__vx |
LzMaximumDecompressBuffer | smelly__vx |
LzStandardCompressBuffer | smelly__vx |
LzStandardDecompressBuffer | smelly__vx |
XpressHuffMaximumCompressBuffer | smelly__vx |
XpressHuffMaximumDecompressBuffer | smelly__vx |
XpressHuffStandardCompressBuffer | smelly__vx |
XpressHuffStandardDecompressBuffer | smelly__vx |
XpressMaximumCompressBuffer | smelly__vx |
XpressMaximumDecompressBuffer | smelly__vx |
XpressStandardCompressBuffer | smelly__vx |
XpressStandardDecompressBuffer | smelly__vx |
ExtractFilesFromCabIntoTarget | smelly__vx |
Function Name | Original Author |
---|---|
GetLastErrorFromTeb | smelly__vx |
GetLastNtStatusFromTeb | smelly__vx |
RtlNtStatusToDosErrorViaImport | ReactOS |
GetLastErrorFromTeb | smelly__vx |
SetLastErrorInTeb | smelly__vx |
SetLastNtStatusInTeb | smelly__vx |
Win32FromHResult | Raymond Chen |
Function Name | Original Author |
---|---|
AmsiBypassViaPatternScan | ZeroMemoryEx |
DelayedExecutionExecuteOnDisplayOff | am0nsec and smelly__vx |
HookEngineRestoreHeapFree | rad9800 |
MasqueradePebAsExplorer | smelly__vx |
RemoveDllFromPeb | rad9800 |
RemoveRegisterDllNotification | Rad98, Peter Winter-Smith |
SleepObfuscationViaVirtualProtect | 5pider |
RtlSetBaseUnicodeCommandLine | TheWover |
Function Name | Original Author |
---|---|
GetCurrentLocaleFromTeb | 3xp0rt |
GetNumberOfLinkedDlls | smelly__vx |
GetOsBuildNumberFromPeb | smelly__vx |
GetOsMajorVersionFromPeb | smelly__vx |
GetOsMinorVersionFromPeb | smelly__vx |
GetOsPlatformIdFromPeb | smelly__vx |
IsNvidiaGraphicsCardPresent | smelly__vx |
IsProcessRunning | smelly__vx |
IsProcessRunningAsAdmin | Vimal Shekar |
GetPidFromNtQuerySystemInformation | smelly__vx |
GetPidFromWindowsTerminalService | modexp |
GetPidFromWmiComInterface | aalimian and modexp |
GetPidFromEnumProcesses | smelly__vx |
GetPidFromPidBruteForcing | modexp |
GetPidFromNtQueryFileInformation | modexp, Lloyd Davies, Jonas Lyk |
GetPidFromPidBruteForcingExW | smelly__vx, LLoyd Davies, Jonas Lyk, modexp |
Function Name | Original Author |
---|---|
CreateLocalAppDataObjectPath | smelly__vx |
CreateWindowsObjectPath | smelly__vx |
GetCurrentDirectoryFromUserProcessParameters | smelly__vx |
GetCurrentProcessIdFromTeb | ReactOS |
GetCurrentUserSid | Giovanni Dicanio |
GetCurrentWindowTextFromUserProcessParameter | smelly__vx |
GetFileSizeFromPath | smelly__vx |
GetProcessHeapFromTeb | smelly__vx |
GetProcessPathFromLoaderLoadModule | smelly__vx |
GetProcessPathFromUserProcessParameters | smelly__vx |
GetSystemWindowsDirectory | Geoff Chappell |
IsPathValid | smelly__vx |
RecursiveFindFile | Luke |
SetProcessPrivilegeToken | Microsoft |
IsDllLoaded | smelly__vx |
TryLoadDllMultiMethod | smelly__vx |
CreateThreadAndWaitForCompletion | smelly__vx |
GetProcessBinaryNameFromHwndW | smelly__vx |
GetByteArrayFromFile | smelly__vx |
Ex_GetHandleOnDeviceHttpCommunication | x86matthew |
IsRegistryKeyValid | smelly__vx |
FastcallExecuteBinaryShellExecuteEx | smelly__vx |
GetCurrentProcessIdFromOffset | RistBS |
GetPeBaseAddress | smelly__vx |
LdrLoadGetProcedureAddress | c5pider |
IsPeSection | smelly__vx |
AddSectionToPeFile | smelly__vx |
WriteDataToPeSection | smelly__vx |
GetPeSectionSizeInByte | smelly__vx |
ReadDataFromPeSection | smelly__vx |
GetCurrentProcessNoForward | ReactOS |
GetCurrentThreadNoForward | ReactOS |
Function Name | Original Author |
---|---|
GetKUserSharedData | Geoff Chappell |
GetModuleHandleEx2 | smelly__vx |
GetPeb | 29a |
GetPebFromTeb | ReactOS |
GetProcAddress | 29a Volume 2, c5pider |
GetProcAddressDjb2 | smelly__vx |
GetProcAddressFowlerNollVoVariant1a | smelly__vx |
GetProcAddressJenkinsOneAtATime32Bit | smelly__vx |
GetProcAddressLoseLose | smelly__vx |
GetProcAddressRotr32 | smelly__vx |
GetProcAddressSdbm | smelly__vx |
GetProcAddressSuperFastHash | smelly__vx |
GetProcAddressUnknownGenericHash1 | smelly__vx |
GetProcAddressSipHash | RistBS |
GetProcAddressMurmur | RistBS |
GetRtlUserProcessParameters | ReactOS |
GetTeb | ReactOS |
RtlLoadPeHeaders | smelly__vx |
ProxyWorkItemLoadLibrary | Rad98, Peter Winter-Smith |
ProxyRegisterWaitLoadLibrary | Rad98, Peter Winter-Smith |
Function Name | Original Author |
---|---|
MpfGetLsaPidFromServiceManager | modexp |
MpfGetLsaPidFromRegistry | modexp |
MpfGetLsaPidFromNamedPipe | modexp |
Function Name | Original Author |
---|---|
UrlDownloadToFileSynchronous | Hans Passant |
ConvertIPv4IpAddressStructureToString | smelly__vx |
ConvertIPv4StringToUnsignedLong | smelly__vx |
SendIcmpEchoMessageToIPv4Host | smelly__vx |
ConvertIPv4IpAddressUnsignedLongToString | smelly__vx |
DnsGetDomainNameIPv4AddressAsString | smelly__vx |
DnsGetDomainNameIPv4AddressUnsignedLong | smelly__vx |
GetDomainNameFromUnsignedLongIPV4Address | smelly__vx |
GetDomainNameFromIPV4AddressAsString | smelly__vx |
Function Name | Original Author |
---|---|
OleGetClipboardData | Microsoft |
MpfComVssDeleteShadowVolumeBackups | am0nsec |
MpfComModifyShortcutTarget | Unknown |
MpfComMonitorChromeSessionOnce | smelly__vx |
MpfExtractMaliciousPayloadFromZipFileNoPassword | Codu |
Function Name | Original Author |
---|---|
CreateProcessFromIHxHelpPaneServer | James Forshaw |
CreateProcessFromIHxInteractiveUser | James Forshaw |
CreateProcessFromIShellDispatchInvoke | Mohamed Fakroud |
CreateProcessFromShellExecuteInExplorerProcess | Microsoft |
CreateProcessViaNtCreateUserProcess | CaptMeelo |
CreateProcessWithCfGuard | smelly__vx and Adam Chester |
CreateProcessByWindowsRHotKey | smelly__vx |
CreateProcessByWindowsRHotKeyEx | smelly__vx |
CreateProcessFromINFSectionInstallStringNoCab | smelly__vx |
CreateProcessFromINFSetupCommand | smelly__vx |
CreateProcessFromINFSectionInstallStringNoCab2 | smelly__vx |
CreateProcessFromIeFrameOpenUrl | smelly__vx |
CreateProcessFromPcwUtil | smelly__vx |
CreateProcessFromShdocVwOpenUrl | smelly__vx |
CreateProcessFromShell32ShellExecRun | smelly__vx |
MpfExecute64bitPeBinaryInMemoryFromByteArrayNoReloc | aaaddress1 |
CreateProcessFromWmiWin32_ProcessW | CIA |
CreateProcessFromZipfldrRouteCall | smelly__vx |
CreateProcessFromUrlFileProtocolHandler | smelly__vx |
CreateProcessFromUrlOpenUrl | smelly__vx |
CreateProcessFromMsHTMLW | smelly__vx |
Function Name | Original Author |
---|---|
MpfPiControlInjection | SafeBreach Labs |
MpfPiQueueUserAPCViaAtomBomb | SafeBreach Labs |
MpfPiWriteProcessMemoryCreateRemoteThread | SafeBreach Labs |
MpfProcessInjectionViaProcessReflection | Deep Instinct |
Function Name | Original Author |
---|---|
IeCreateFile | smelly__vx |
CopyFileViaSetupCopyFile | smelly__vx |
CreateFileFromDsCopyFromSharedFile | Jonas Lyk |
DeleteDirectoryAndSubDataViaDelNode | smelly__vx |
DeleteFileWithCreateFileFlag | smelly__vx |
IsProcessRunningAsAdmin2 | smelly__vx |
IeCreateDirectory | smelly__vx |
IeDeleteFile | smelly__vx |
IeFindFirstFile | smelly__vx |
IEGetFileAttributesEx | smelly__vx |
IeMoveFileEx | smelly__vx |
IeRemoveDirectory | smelly__vx |
Function Name | Original Author |
---|---|
MpfSceViaImmEnumInputContext | alfarom256, aahmad097 |
MpfSceViaCertFindChainInStore | alfarom256, aahmad097 |
MpfSceViaEnumPropsExW | alfarom256, aahmad097 |
MpfSceViaCreateThreadpoolWait | alfarom256, aahmad097 |
MpfSceViaCryptEnumOIDInfo | alfarom256, aahmad097 |
MpfSceViaDSA_EnumCallback | alfarom256, aahmad097 |
MpfSceViaCreateTimerQueueTimer | alfarom256, aahmad097 |
MpfSceViaEvtSubscribe | alfarom256, aahmad097 |
MpfSceViaFlsAlloc | alfarom256, aahmad097 |
MpfSceViaInitOnceExecuteOnce | alfarom256, aahmad097 |
MpfSceViaEnumChildWindows | alfarom256, aahmad097, wra7h |
MpfSceViaCDefFolderMenu_Create2 | alfarom256, aahmad097, wra7h |
MpfSceViaCertEnumSystemStore | alfarom256, aahmad097, wra7h |
MpfSceViaCertEnumSystemStoreLocation | alfarom256, aahmad097, wra7h |
MpfSceViaEnumDateFormatsW | alfarom256, aahmad097, wra7h |
MpfSceViaEnumDesktopWindows | alfarom256, aahmad097, wra7h |
MpfSceViaEnumDesktopsW | alfarom256, aahmad097, wra7h |
MpfSceViaEnumDirTreeW | alfarom256, aahmad097, wra7h |
MpfSceViaEnumDisplayMonitors | alfarom256, aahmad097, wra7h |
MpfSceViaEnumFontFamiliesExW | alfarom256, aahmad097, wra7h |
MpfSceViaEnumFontsW | alfarom256, aahmad097, wra7h |
MpfSceViaEnumLanguageGroupLocalesW | alfarom256, aahmad097, wra7h |
MpfSceViaEnumObjects | alfarom256, aahmad097, wra7h |
MpfSceViaEnumResourceTypesExW | alfarom256, aahmad097, wra7h |
MpfSceViaEnumSystemCodePagesW | alfarom256, aahmad097, wra7h |
MpfSceViaEnumSystemGeoID | alfarom256, aahmad097, wra7h |
MpfSceViaEnumSystemLanguageGroupsW | alfarom256, aahmad097, wra7h |
MpfSceViaEnumSystemLocalesEx | alfarom256, aahmad097, wra7h |
MpfSceViaEnumThreadWindows | alfarom256, aahmad097, wra7h |
MpfSceViaEnumTimeFormatsEx | alfarom256, aahmad097, wra7h |
MpfSceViaEnumUILanguagesW | alfarom256, aahmad097, wra7h |
MpfSceViaEnumWindowStationsW | alfarom256, aahmad097, wra7h |
MpfSceViaEnumWindows | alfarom256, aahmad097, wra7h |
MpfSceViaEnumerateLoadedModules64 | alfarom256, aahmad097, wra7h |
MpfSceViaK32EnumPageFilesW | alfarom256, aahmad097, wra7h |
MpfSceViaEnumPwrSchemes | alfarom256, aahmad097, wra7h |
MpfSceViaMessageBoxIndirectW | alfarom256, aahmad097, wra7h |
MpfSceViaChooseColorW | alfarom256, aahmad097, wra7h |
MpfSceViaClusWorkerCreate | alfarom256, aahmad097, wra7h |
MpfSceViaSymEnumProcesses | alfarom256, aahmad097, wra7h |
MpfSceViaImageGetDigestStream | alfarom256, aahmad097, wra7h |
MpfSceViaVerifierEnumerateResource | alfarom256, aahmad097, wra7h |
MpfSceViaSymEnumSourceFiles | alfarom256, aahmad097, wra7h |
Function Name | Original Author |
---|---|
ByteArrayToCharArray | smelly__vx |
CharArrayToByteArray | smelly__vx |
ShlwapiCharStringToWCharString | smelly__vx |
ShlwapiWCharStringToCharString | smelly__vx |
CharStringToWCharString | smelly__vx |
WCharStringToCharString | smelly__vx |
RtlInitEmptyUnicodeString | ReactOS |
RtlInitUnicodeString | ReactOS |
CaplockString | simonc |
CopyMemoryEx | ReactOS |
SecureStringCopy | Apple (c) 1999 |
StringCompare | Apple (c) 1999 |
StringConcat | Apple (c) 1999 |
StringCopy | Apple (c) 1999 |
StringFindSubstring | Apple (c) 1999 |
StringLength | Apple (c) 1999 |
StringLocateChar | Apple (c) 1999 |
StringRemoveSubstring | smelly__vx |
StringTerminateStringAtChar | smelly__vx |
StringToken | Apple (c) 1999 |
ZeroMemoryEx | ReactOS |
ConvertCharacterStringToIntegerUsingNtdll | smelly__vx |
MemoryFindMemory | KamilCuk |
Function Name | Original Author |
---|---|
UacBypassFodHelperMethod | winscripting.blog |
Function Name | Original Author |
---|---|
InitHardwareBreakpointEngine | rad98 |
ShutdownHardwareBreakpointEngine | rad98 |
ExceptionHandlerCallbackRoutine | rad98 |
SetHardwareBreakpoint | rad98 |
InsertDescriptorEntry | rad98 |
RemoveDescriptorEntry | rad98 |
SnapshotInsertHardwareBreakpointHookIntoTargetThread | rad98 |
Function Name | Original Author |
---|---|
GenericShellcodeHelloWorldMessageBoxA | SafeBreach Labs |
GenericShellcodeHelloWorldMessageBoxAEbFbLoop | SafeBreach Labs |
GenericShellcodeOpenCalcExitThread | MsfVenom |
A story of how an analysis of a supposed game cheat turned into the discovery of a powerful UEFI threat
The post ESET Research Podcast: Finding the mythical BlackLotus bootkit appeared first on WeLiveSecurity
A view of the H1 2023 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts
The post ESET Threat Report H1 2023 appeared first on WeLiveSecurity
YARA rule Analyzer to improve rule quality and performance
YARA rules can be syntactically correct but still dysfunctional. yaraQA tries to find and report these issues to the author or maintainer of a YARA rule set.
The issues yaraQA tries to detect are e.g.:
2 of them
in the condition)$ = "\\Debug\\" fullword
)$ = "AA"
; can be excluded from the analysis using --ignore-performance
)I'm going to extend the test set over time. Each minor version will include new features or new tests.
pip install -r requirements.txt
usage: yaraQA.py [-h] [-f yara files [yara files ...]] [-d yara files [yara files ...]] [-o outfile] [-b baseline] [-l level]
[--ignore-performance] [--debug]
YARA RULE ANALYZER
optional arguments:
-h, --help show this help message and exit
-f yara files [yara files ...]
Path to input files (one or more YARA rules, separated by space)
-d yara files [yara files ...]
Path to input directory (YARA rules folders, separated by space)
-o outfile Output file that lists the issues (JSON, default: 'yaraQA-issues.json')
-b baseline Use a issues baseline (issues found and reviewed before) to filter issues
-l level Minium level to show (1=informational, 2=warning, 3=critical)
--ignore-performance Suppress performance-related rule issues
--debug Debug output
python3 yaraQA.py -d ./test/
Suppress all performance issues and only show detection / logic issues.
python3 yaraQA.py -d ./test/ --ignore-performance
Suppress all issues of informational character
python3 yaraQA.py -d ./test/ -level 2
Use a baseline to only see new issues (not the ones that you've already reviewed). The baseline file is an old JSON output of a reviewed state.
python3 yaraQA.py -d ./test/ -b yaraQA-reviewed-issues.json
Example rules with issues can be found in the ./test
folder.
yaraQA writes the detected issues to a file named yaraQA-issues.json
by default.
This listing shows an example of the output generated by yaraQA in JSON format:
[
{
"rule": "Demo_Rule_1_Fullword_PDB",
"id": "SM1",
"issue": "The rule uses a PDB string with the modifier 'wide'. PDB strings are always included as ASCII strings. The 'wide' keyword is unneeded.",
"element": {
"name": "$s1",
"value": "\\\\i386\\\\mimidrv.pdb",
"type": "text",
"modifiers": [
"ascii",
"wide",
"fullword"
]
},
"level": "info",
"type": "logic",
"recommendation": "Remove the 'wide' modifier"
},
{
"rule": "Demo_Rule_1_Fullword_PDB",
"id": "SM2",
"issue": "The rule uses a PDB string with the modifier 'fullword' but it starts with two backslashes and thus the modifier could lead to a dysfunctional rule.",
"element": {
"name": " $s1",
"value": "\\\\i386\\\\mimidrv.pdb",
"type": "text",
"modifiers": [
"ascii",
"wide",
"fullword"
]
},
"level": "warning",
"type": "logic",
"recommendation": "Remove the 'fullword' modifier"
},
{
"rule": "Demo_Rule_2_Short_Atom",
"id": "PA2",
"issue": "The rule contains a string that turns out to be a very short atom, which could cause a reduced performance of the complete rule set or increased memory usage.",
"element": {
"name": "$s1",
"value": "{ 01 02 03 }",
"type": "byte"
},
"level": "warning",
"type": "performance",
"recommendation": "Try to avoid using such short atoms, by e.g. adding a few more bytes to the beginning or the end (e.g. add a binary 0 in front or a space after the string). Every additional byte helps."
},
{
"rule": "Demo_Rule_3_Fullword_FilePath_Section",
"id": "SM3",
"issue": "The rule uses a string with the modifier 'fullword' but it starts and ends with two backslashes and thus the modifier could lead to a dysfunctional rule.",
"element": {
"name": "$s1",
"value": "\\\\ZombieBoy\\\\",
"type": "text",
"modifiers": [
"ascii",
"fullword"
]
},
"level": "warning",
"type": "logic",
"recommendation": "Remove the 'fullword' modifier"
},
{
"rule": "Demo_Rule_4_Condition_Never_Matches",
"id": "CE1",
"issue": "The rule uses a condition that will never match",
"element": {
"condition_segment": "2 of",
"num_of_strings": 1
},
"level": "error",
"type": "logic",
"recommendation": "Fix the condition"
},
{
"rule": "Demo_Rule_5_Condition_Short_String_At_Pos",
"id": "PA1",
"issue": "This rule looks for a short string at a particular position. A short string represents a short atom and could be rewritten to an expression using uint(x) at position.",
"element": {
"condition_segment": "$mz at 0",
"string": "$mz",
"value": "MZ"
},
"level": "warning",
"type": "performance",
"recommendation": ""
},
{
"rule": "Demo_Rule_5_Condition_Short_String_At_Pos",
"id": "PA2",
"issue": "The rule contains a string that turns out to be a very short atom, which could cause a reduced performance of the complete rule set or increased memory usage.",< br/> "element": {
"name": "$mz",
"value": "MZ",
"type": "text",
"modifiers": [
"ascii"
]
},
"level": "warning",
"type": "performance",
"recommendation": "Try to avoid using such short atoms, by e.g. adding a few more bytes to the beginning or the end (e.g. add a binary 0 in front or a space after the string). Every additional byte helps."
},
{
"rule": "Demo_Rule_6_Condition_Short_Byte_At_Pos",
"id": "PA1",
"issue": "This rule looks for a short string at a particular position. A short string represents a short atom and could be rewritten to an expression using uint(x) at position.",
"element": {
"condition_segment": "$mz at 0",
"string": "$mz",
"value": "{ 4d 5a }"
},
"level": "warning",
"type": "performance",
"recommendation": ""
},
{
"rule": "Demo_Rule_6_Condition_Short_Byte_At_Pos",
"id": "PA2",
"issue": "The rule contains a string that turns out to be a very short atom, which could cause a reduced performance of the complete rule set or increased memory usage.",
"element": {
"name": "$mz",
"value": "{ 4d 5a }",
"type": "byte"
},
"level": "warning",
"type": "performance",
"recommendation": "Try to avoid using such short atoms, by e.g. adding a few more bytes to the beginning or the end (e.g. add a binary 0 in front or a space after the string). Every additional byte helps."
},
{
"rule": "Demo_Rule_6_Condition_Short_Byte_At_Pos",
"id": "SM3",
"issue": "The rule uses a string with the modifier 'fullword' but it starts and ends with two backsla shes and thus the modifier could lead to a dysfunctional rule.",
"element": {
"name": "$s1",
"value": "\\\\Section\\\\in\\\\Path\\\\",
"type": "text",
"modifiers": [
"ascii",
"fullword"
]
},
"level": "warning",
"type": "logic",
"recommendation": "Remove the 'fullword' modifier"
}
]
A brief summary of what happened with Emotet since its comeback in November 2021
The post What’s up with Emotet? appeared first on WeLiveSecurity
Handle hijacking is a technique used in Windows operating systems to gain access to resources and resources of a system without permission. It is a type of privilege escalation attack in which a malicious user takes control of an object handle, which is an identifier that is used to reference a system object, such as a file, a directory, a process, or an event. This allows the malicious user to gain access to resources that should be inaccessible to them.
Handle hijacking is a serious threat to system security as it allows a malicious user to access resources and data that should otherwise be protected. It can also be used to inject code into a vulnerable system, allowing the attacker to gain access to information and resources.
Handle hijacking techniques are becoming increasingly prevalent as hackers develop more sophisticated methods of exploiting vulnerabilities in Windows systems. As such, it is important that system administrators understand the risks associated with handle hijacking and take proactive measures to protect their systems.
To perform a handle hijacking attack, an attacker must first identify a handle that is being used by a legitimate process and that they want to access. This can be done using various techniques, such as scanning the handle table of a process, monitoring handle creation events, or using a tool that can enumerate handles on the system ,Once the attacker has identified the handle they want to access, they can use the DuplicateHandle
function to create a copy of the handle with their own process. This function takes the following parameters:
hSourceProcessHandle
: A handle to the process that contains the source handle.hSourceHandle
: A handle to the object to duplicate.hTargetProcessHandle
: A handle to the process that is to receive the duplicated handle.lpTargetHandle
: A pointer to a variable that receives the handle value.dwDesiredAccess
: The access rights for the duplicated handle.bInheritHandle
: A value that specifies whether the handle is inheritable.dwOptions
: Additional options for the handle duplication.The DuplicateHandle
function will create a new handle with the specified access rights and options, and return it in the lpTargetHandle
parameter. The attacker can then use this handle to access the resource that it represents, allowing them to perform actions on the resource that they would not normally be able to do.
ESET researchers analyzed an updated version of Android GravityRAT spyware that steals WhatsApp backup files and can receive commands to delete files
The post Android GravityRAT goes after WhatsApp backups appeared first on WeLiveSecurity
Sandboxes are commonly used to analyze malware. They provide a temporary, isolated, and secure environment in which to observe whether a suspicious file exhibits any malicious behavior. However, malware developers have also developed methods to evade sandboxes and analysis environments. One such method is to perform checks to determine whether the machine the malware is being executed on is being operated by a real user. One such check is the RAM size. If the RAM size is unrealistically small (e.g., 1GB), it may indicate that the machine is a sandbox. If the malware detects a sandbox, it will not execute its true malicious behavior and may appear to be a benign file
The GetPhysicallyInstalledSystemMemory
API retrieves the amount of RAM that is physically installed on the computer from the SMBIOS firmware tables. It takes a PULONGLONG
parameter and returns TRUE
if the function succeeds, setting the TotalMemoryInKilobytes
to a nonzero value. If the function fails, it returns FALSE
.
The amount of physical memory retrieved by the GetPhysicallyInstalledSystemMemory
function must be equal to or greater than the amount reported by the GlobalMemoryStatusEx
function; if it is less, the SMBIOS data is malformed and the function fails with ERROR_INVALID_DATA
, Malformed SMBIOS data may indicate a problem with the user's computer .
The register rcx
holds the parameter TotalMemoryInKilobytes
. To overwrite the jump address of GetPhysicallyInstalledSystemMemory
, I use the following opcodes: mov qword ptr ss:[rcx],4193B840
. This moves the value 4193B840
(or 1.1 TB) to rcx
. Then, the ret instruction is used to pop the return address off the stack and jump to it, Therefore, whenever GetPhysicallyInstalledSystemMemory
is called, it will set rcx
to the custom value."
A curious case of a threat actor at the border between crimeware and cyberespionage
The post Asylum Ambuscade: crimeware or cyberespionage? appeared first on WeLiveSecurity
ESET researchers reveal details about a prevalent cryptor, operating as a cryptor-as-a-service used by tens of malware families
The post Shedding light on AceCryptor and its operation appeared first on WeLiveSecurity
ESET researchers discover AhRat – a new Android RAT based on AhMyth – that exfiltrates files and records audio
The post Android app breaking bad: From legitimate screen recording to file exfiltration within a year appeared first on WeLiveSecurity
ESET Research uncovers a campaign by the APT group known as Evasive Panda targeting an international NGO in China with malware delivered through updates of popular Chinese software
The post Evasive Panda APT group delivers malware via updates for popular Chinese software appeared first on WeLiveSecurity
KubeStalk is a tool to discover Kubernetes and related infrastructure based attack surface from a black-box perspective. This tool is a community version of the tool used to probe for unsecured Kubernetes clusters around the internet during Project Resonance - Wave 9.
The GIF below demonstrates usage of the tool:
KubeStalk is written in Python and requires the requests
library.
To install the tool, you can clone the repository to any directory:
git clone https://github.com/redhuntlabs/kubestalk
Once cloned, you need to install the requests
library using python3 -m pip install requests
or:
python3 -m pip install -r requirements.txt
Everything is setup and you can use the tool directly.
A list of command line arguments supported by the tool can be displayed using the -h
flag.
$ python3 kubestalk.py -h
+---------------------+
| K U B E S T A L K |
+---------------------+ v0.1
[!] KubeStalk by RedHunt Labs - A Modern Attack Surface (ASM) Management Company
[!] Author: 0xInfection (RHL Research Team)
[!] Continuously Track Your Attack Surface using https://redhuntlabs.com/nvadr.
usage: ./kubestalk.py <url(s)>/<cidr>
Required Arguments:
urls List of hosts to scan
Optional Arguments:
-o OUTPUT, --output OUTPUT
Output path to write the CSV file to
-f SIG_FILE, --sig-dir SIG_FILE
Signature directory path to load
-t TIMEOUT, --timeout TIMEOUT
HTTP timeout value in seconds
-ua USER_AGENT, --user-agent USER_AGENT
User agent header t o set in HTTP requests
--concurrency CONCURRENCY
No. of hosts to process simultaneously
--verify-ssl Verify SSL certificates
--version Display the version of KubeStalk and exit.
To use the tool, you can pass one or more hosts to the script. All targets passed to the tool must be RFC 3986 complaint, i.e. must contain a scheme and hostname (and port if required).
A basic usage is as below:
$ python3 kubestalk.py https://███.██.██.███:10250
+---------------------+
| K U B E S T A L K |
+---------------------+ v0.1
[!] KubeStalk by RedHunt Labs - A Modern Attack Surface (ASM) Management Company
[!] Author: 0xInfection (RHL Research Team)
[!] Continuously Track Your Attack Surface using https://redhuntlabs.com/nvadr.
[+] Loaded 10 signatures to scan.
[*] Processing host: https://███.██.██.██:10250
[!] Found potential issue on https://███.██.██.██:10250: Kubernetes Pod List Exposure
[*] Writing results to output file.
[+] Done.
HTTP requests can be fine-tuned using the -t
(to mention HTTP timeouts), -ua
(to specify custom user agents) and the --verify-ssl
(to validate SSL certificates while making requests).
You can control the number of hosts to scan simultanously using the --concurrency
flag. The default value is set to 5.
The output is written to a CSV filea and can be controlled by the --output
flag.
A sample of the CSV output rendered in markdown is as belows:
host | path | issue | type | severity |
---|---|---|---|---|
https://█.█.█.█:10250 | /pods | Kubernetes Pod List Exposure | core-component | vulnerability/misconfiguration |
https://█.█.█.█:443 | /api/v1/pods | Kubernetes Pod List Exposure | core-component | vulnerability/misconfiguration |
http://█.█.██.█:80 | / | etcd Viewer Dashboard Exposure | add-on | vulnerability/exposure |
http://██.██.█.█:80 | / | cAdvisor Metrics Web UI Dashboard Exposure | add-on | vulnerability/exposure |
The tool is licensed under the BSD 3 Clause License and is currently at v0.1.
To know more about our Attack Surface Management platform, check out NVADR.
Similarities with newly discovered Linux malware used in Operation DreamJob corroborate the theory that the infamous North Korea-aligned group is behind the 3CX supply-chain attack
The post Linux malware strengthens links between Lazarus and the 3CX supply‑chain attack appeared first on WeLiveSecurity
When decommissioning their old hardware, many companies 'throw the baby out with the bathwater'
The post Discarded, not destroyed: Old routers reveal corporate secrets appeared first on WeLiveSecurity
ESET experts share their insights on the cyber-elements of the first year of the war in Ukraine and how a growing number of destructive malware variants tried to rip through critical Ukrainian systems
The post ESET Research Podcast: A year of fighting rockets, soldiers, and wipers in Ukraine appeared first on WeLiveSecurity
ESET researchers analyzed Android and Windows clippers that can tamper with instant messages and use OCR to steal cryptocurrency funds
The post Not‑so‑private messaging: Trojanized WhatsApp and Telegram apps go after cryptocurrency wallets appeared first on WeLiveSecurity
ESET Research uncovered a campaign by APT group Tick against a data-loss prevention company in East Asia and found a previously unreported tool used by the group
The post The slow Tick‑ing time bomb: Tick APT group compromise of a DLP software developer in East Asia appeared first on WeLiveSecurity
ESET researchers analyze a cyberespionage campaign that distributes CapraRAT backdoors through trojanized and supposedly secure Android messaging apps – but also exfiltrates sensitive information
The post Love scam or espionage? Transparent Tribe lures Indian and Pakistani officials appeared first on WeLiveSecurity
ESET researchers tease apart MQsTTang, a new backdoor used by Mustang Panda, which communicates via the MQTT protocol
The post MQsTTang: Mustang Panda’s latest backdoor treads new ground with Qt and MQTT appeared first on WeLiveSecurity
The first in-the-wild UEFI bootkit bypassing UEFI Secure Boot on fully updated UEFI systems is now a reality
The post BlackLotus UEFI bootkit: Myth confirmed appeared first on WeLiveSecurity
And that’s just the tip of the iceberg when it comes to the trends that defined the cyberthreat landscape in the final four months of 2022.
The post ESET Research Podcast: Ransomware trashed data, Android threats soared in T3 2022 appeared first on WeLiveSecurity
The targeted region, and overlap in behavior and code, suggest the tool is used by the infamous North Korea-aligned APT group
The post WinorDLL64: A backdoor from the vast Lazarus arsenal? appeared first on WeLiveSecurity
ESET researchers have identified a campaign using trojanized installers to deliver the FatalRAT malware, distributed via malicious websites linked in ads that appear in Google search results
The post These aren’t the apps you’re looking for: fake installers targeting Southeast and East Asia appeared first on WeLiveSecurity
sandfly-entropyscan
is a utility to quickly scan files or running processes and report on their entropy (measure of randomness) and if they are a Linux/Unix ELF type executable. Some malware for Linux is packed or encrypted and shows very high entropy. This tool can quickly find high entropy executable files and processes which often are malicious.
Entropy is a measure of randomness. For binary data 0.0 is not-random and 8.0 is perfectly random. Good crypto looks like random white noise and will be near 8.0. Good compression removes redundant data making it appear more random than if it was uncompressed and usually will be 7.7 or above.
A lot of malware executables are packed to avoid detection and make reverse engineering harder. Most standard Linux binaries are not packed because they aren't trying to hide what they are. Searching for high entropy files is a good way to find programs that could be malicious just by having these two attributes of high entropy and executable.
Usage of sandfly-entropyscan
:
-csv
output results in CSV format (filename, path, entropy, elf_file [true|false], MD5, SHA1, SHA256, SHA512)
-delim
change the default delimiter for CSV files of "," to one of your choosing ("|", etc.)
-dir string
directory name to analyze
-file string
full path to a single file to analyze
-proc
check running processes (defaults to ELF only check)
-elf
only check ELF executables
-entropy float
show any file/process with entropy greater than or equal to this value (0.0 min - 8.0 max, defaults 0 to show all files)
-version
show version and exit
Search for any file that is executable under /tmp:
sandfly-entropyscan -dir /tmp -elf
Search for high entropy (7.7 and higher) executables (often packed or encrypted) under /var/www:
sandfly-entropyscan -dir /var/www -elf -entropy 7.7
Generates entropy and cryptographic hashes of all running processes in CSV format:
sandfly-entropyscan -proc -csv
Search for any process with an entropy higher than 7.7 indicating it is likely packed or encrypted:
sandfly-entropyscan -proc -entropy 7.7
Generate entropy and cryptographic hash values of all files under /bin and output to CSV format (for instance to save and compare hashes):
sandfly-entropyscan -dir /bin -csv
Scan a directory for all files (ELF or not) with entropy greater than 7.7: (potentially large list of files that are compressed, png, jpg, object files, etc.)
sandfly-entropyscan -dir /path/to/dir -entropy 7.7
Quickly check a file and generate entropy, cryptographic hashes and show if it is executable:
sandfly-entropyscan -file /dev/shm/suspicious_file
Do spot checks on systems you think have a malware issue. Or you can automate the scan so you will get an output if we find something show up that is high entropy in a place you didn't expect. Or simply flag any executable ELF type file that is somewhere strange (e.g. hanging out in /tmp or under a user's HTML directory). For instance:
Did a high entropy binary show up under the system /var/www directory? Could be someone put a malware dropper on your website:
sandfly-entropyscan -dir /var/www -elf -entropy 7.7
Setup a cron task to scan your /tmp, /var/tmp, and /dev/shm directories for any kind of executable file whether it's high entropy or not. Executable files under tmp directories can frequently be a malware dropper.
sandfly-entropyscan -dir /tmp -elf
sandfly-entropyscan -dir /var/tmp -elf
sandfly-entropyscan -dir /dev/shm -elf
Setup another cron or automated security sweep to spot check your systems for highly compressed or encrypted binaries that are running:
sandfly-entropyscan -proc -entropy 7.7
git clone https://github.com/sandflysecurity/sandfly-entropyscan.git
go build
./sandfly-entropyscan
There are a some basic build scripts that build for various platforms. You can use these to build or modify to suit. For Incident Responders, it might be useful to keep pre-compiled binaries ready to go on your investigation box.
build.sh
- Build for current OS you're running on when you execute it.
We use a simple method for seeing if a file may be an executable ELF type. We can spot ELF format files for multiple platforms. Even if malware has Intel/AMD, MIPS and Arm dropper binaries we will still be able to spot all of them.
It's possible to flag a legitimate binary that has a high entropy because of how it was compiled, or because it was packed for legitimate reasons. Other files like .zip, .gz, .png, .jpg and such also have very high entropy because they are compressed formats. Compression removes redundancy in a file which makes it appear to be more random and has higher entropy.
On Linux, you may find some kinds of libraries (.so files) get flagged if you scan library directories.
However, it is our experience that executable binaries that also have high entropy are often malicious. This is especially true if you find them in areas where executables normally shouldn't be (such as again tmp
or html
directories).
The entropy calculation requires reading in all the bytes of the file and tallying them up to get a final number. It can use a lot of CPU and disk I/O, especially on very large file systems or very large files. The program has an internal limit where it won't calculate entropy on any file over 2GB, nor will it try to calculate entropy on any file that is not a regular file type (e.g. won't try to calculate entropy on devices like /dev/zero
).
Then we calculate MD5, SHA1, SHA256 and SHA512 hashes. Each of these requires going over the file as well. It's reasonable speed on modern systems, but if you are crawling a very large file system it can take some time to complete.
If you tell the program to only look at ELF files, then the entropy/hash calculations won't happen unless it is an ELF type and this will save a lot of time (e.g. it will ignore massive database files that aren't executable).
If you want to automate this program, it's best to not have it crawl the entire root file system unless you want that specifically. A targeted approach will be faster and more useful for spot checks. Also, use the ELF flag as that will drastically reduce search times by only processing executable file types.
For incident responders, running sandfly-entropyscan
against the entire top-level "/" directory may be a good idea just to quickly get a list of likely packed candidates to investigate. This will spike CPU and disk I/O. However, you probably don't care at that point since the box has been mining cryptocurrency for 598 hours anyway by the time the admins noticed.
Again, use the ELF flag to get to the likely problem candidate executables and ignore the noise.
There is a script called scripts/testfiles.sh
that will make two files. One will be full of random data and one will not be random at all. When you run the script it will make the files and run sandfly-entropyscan
in executable detection mode. You should see two files. One with very high entropy (at or near 8.0) and one full of non-random data that should be at 0.00 for low entropy. Example:
./testfiles.sh
Creating high entropy random executable-like file in current directory.
Creating low entropy executable-like file in current directory.
high.entropy.test, entropy: 8.00, elf: true
low.entropy.test, entropy: 0.00, elf: true
You can also load up the upx
utility and compress an executable and see what values it returns.
Sandfly Security produces an agentless endpoint detection and incident response platform (EDR) for Linux. Automated entropy checks are just one of thousands of things we search for to find intruders without loading any software on your Linux endpoints.
Get a free license and learn more below:
https://www.sandflysecurity.com @SandflySecurity
ESET Research announces IPyIDA 2.0, a Python plugin integrating IPython and Jupyter Notebook into IDA
The post Introducing IPyIDA: A Python plugin for your reverse‑engineering toolkit appeared first on WeLiveSecurity
KRIe is a research project that aims to detect Linux Kernel exploits with eBPF. KRIe is far from being a bulletproof strategy: from eBPF related limitations to post exploitation detections that might rely on a compromised kernel to emit security events, it is clear that a motivated attacker will eventually be able to bypass it. That being said, the goal of the project is to make attackers' lives harder and ultimately prevent out-of-the-box exploits from working on a vulnerable kernel.
KRIe has been developed using CO-RE (Compile Once - Run Everywhere) so that it is compatible with a large range of kernel versions. If your kernel doesn't export its BTF debug information, KRIe will try to download it automatically from BTFHub. If your kernel isn't available on BTFHub, but you have been able to manually generate your kernel's BTF data, you can provide it in the configuration file (see below).
This project was developed on Ubuntu Focal 20.04 (Linux Kernel 5.15) and has been tested on older releases down to Ubuntu Bionic 18.04 (Linux Kernel 4.15).
lib/modules/$(uname -r)
, update the Makefile
with their location otherwise.Optional fields are required to recompile the eBPF programs.
# ~ make build-ebpf
# ~ make build
# ~ make install
KRIe needs to run as root. Run sudo krie -h
to get help.
# ~ krie -h
Usage:
krie [flags]
Flags:
--config string KRIe config file (default "./cmd/krie/run/config/default_config.yaml")
-h, --help help for krie
## Log level, options are: panic, fatal, error, warn, info, debug or trace
log_level: debug
## JSON output file, leave empty to disable JSON output.
output: "/tmp/krie.json"
## BTF information for the current kernel in .tar.xz format (required only if KRIE isn't able to locate it by itself)
vmlinux: ""
## events configuration
events:
## action taken when an init_module event is detected
init_module: log
## action taken when an delete_module event is detected
delete_module: log
## action taken when a bpf event is detected
bpf: log
## action taken when a bpf_filter event is detected
bpf_filter: log
## action taken when a ptrace event is detected
ptrace: log
## action taken when a kprobe event is detected
kprobe: log
## action taken when a sysctl event is detected
sysctl:
action: log
## Default settings for sysctl programs (kernel 5.2+ only)
sysctl_default:
block_read_access: false
block_write_access: false
## Custom settings for sysctl programs (kernel 5.2+ only)
sysctl_parameters:
kernel/yama/ptrace_scope:
block_write_access: true
kernel/ftrace_enabled:
override_input_value_with: "1\n"
## action taken when a hooked_syscall_table event is detected
hooked_syscall_table: log
## action taken when a hooked_syscall event is detected
hooked_syscall: log
## kernel_parameter event configuration
kernel_parameter:
action: log
periodic_action: log
ticker: 1 # sends at most one event every [ticker] second(s)
list:
- symbol: system/kprobes_all_disarmed
expected_value: 0
size: 4
# - symbol: system/selinux_state
# expecte d_value: 256
# size: 2
# sysctl
- symbol: system/ftrace_dump_on_oops
expected_value: 0
size: 4
- symbol: system/kptr_restrict
expected_value: 0
size: 4
- symbol: system/randomize_va_space
expected_value: 2
size: 4
- symbol: system/stack_tracer_enabled
expected_value: 0
size: 4
- symbol: system/unprivileged_userns_clone
expected_value: 0
size: 4
- symbol: system/unprivileged_userns_apparmor_policy
expected_value: 1
size: 4
- symbol: system/sysctl_unprivileged_bpf_disabled
expected_value: 1
size: 4
- symbol: system/ptrace_scope
expected_value: 2
size: 4
- symbol: system/sysctl_perf_event_paranoid
expected_value: 2
size: 4
- symbol: system/kexe c_load_disabled
expected_value: 1
size: 4
- symbol: system/dmesg_restrict
expected_value: 1
size: 4
- symbol: system/modules_disabled
expected_value: 0
size: 4
- symbol: system/ftrace_enabled
expected_value: 1
size: 4
- symbol: system/ftrace_disabled
expected_value: 0
size: 4
- symbol: system/sysctl_protected_fifos
expected_value: 1
size: 4
- symbol: system/sysctl_protected_hardlinks
expected_value: 1
size: 4
- symbol: system/sysctl_protected_regular
expected_value: 2
size: 4
- symbol: system/sysctl_protected_symlinks
expected_value: 1
size: 4
- symbol: system/sysctl_unprivileged_userfaultfd
expected_value: 0
size: 4
## action to check when a regis ter_check fails on a sensitive kernel space hook point
register_check: log
ESET researchers identified an active StrongPity campaign distributing a trojanized version of the Android Telegram app, presented as the Shagle app – a video-chat service that has no app version
The post StrongPity espionage campaign targeting Android users appeared first on WeLiveSecurity
Subparse, is a modular framework developed by Josh Strochein, Aaron Baker, and Odin Bernstein. The framework is designed to parse and index malware files and present the information found during the parsing in a searchable web-viewer. The framework is modular, making use of a core parsing engine, parsing modules, and a variety of enrichers that add additional information to the malware indices. The main input values for the framework are directories of malware files, which the core parsing engine or a user-specified parsing engine parses before adding additional information from any user-specified enrichment engine all before indexing the information parsed into an elasticsearch index. The information gathered can then be searched and viewed via a web-viewer, which also allows for filtering on any value gathered from any file. There are currently 3 parsing engine, the default parsing modules (ELFParser, OLEParser and PEParser), and 4 enrichment modules (ABUSEEnricher, C APEEnricher, STRINGEnricher and YARAEnricher).
To get started using Subparse there are a few requrired/recommened programs that need to be installed and setup before trying to work with our software.
Software | Status | Link |
---|---|---|
Docker | Required | Installation Guide |
Python3.8.1 | Required | Installation Guide |
Pyenv | Recommended | Installation Guide |
After getting the required/recommended software installed to your system there are a few other steps that need to be taken to get Subparse installed.
sudo get apt install build-essential
pip3 install -r ./requirements.txt
docker-compose up
Note: This might take a little time due to downloading the images and setting up the containers that will be needed by Subparse.
Command line options that are available for subparse/parser/subparse.py:
Argument | Alternative | Required | Description |
---|---|---|---|
-h | --help | No | Shows help menu |
-d SAMPLES_DIR | --directory SAMPLES_DIR | Yes | Directory of samples to parse |
-e ENRICHER_MODULES | --enrichers ENRICHER_MODULES | No | Enricher modules to use for additional parsing |
-r | --reset | No | Reset/delete all data in the configured Elasticsearch cluster |
-v | --verbose | No | Display verbose commandline output |
-s | --service-mode | No | Enters service mode allowing for mode samples to be added to the SAMPLES_DIR while processing |
To view the results from Subparse's parsers, navigate to localhost:8080. If you are having trouble viewing the site, make sure that you have the container started up in Docker and that there is not another process running on port 8080 that could cause the site to not be available.
Before any parser is executed general information is collected about the sample regardless of the underlying file type. This information includes:
Parsers are ONLY executed on samples that match the file type. For example, PE files will by default have the PEParser executed against them due to the file type corresponding with those the PEParser is able to examine.
These modules are optional modules that will ONLY get executed if specified via the -e | --enrichers flag on the command line.
Subparse's web view was built using Bootstrap for its CSS, this allows for any built in Bootstrap CSS to be used when developing your own custom Parser/Enricher Vue.js files. We have also provided an example for each to help get started and have also implemented a few custom widgets to ease the process of development and to promote standardization in the way information is being displayed. All Vue.js files are used for dynamically displaying information from the custom Parser/Enricher and are used as templates for the data.
Note: Naming conventions with both class and file names must be strictly adheared to, this is the first thing that should be checked if you run into issues now getting your custom Parser/Enricher to be executed. The naming convention of your Parser/Enricher must use the same name across all of the files and class names.
The logger object is a singleton implementation of the default Python logger. For indepth usage please reference the Offical Doc. For Subparse the only logging methods that we recommend using are the logging levels for output. These are:
ESET researchers discovered a spearphishing campaign targeting Japanese political entities a few weeks before the House of Councillors elections, and in the process uncovered a previously undescribed MirrorFace credential stealer
The post Unmasking MirrorFace: Operation LiberalFace targeting Japanese political entities appeared first on WeLiveSecurity
ESET researchers analyzed a supply-chain attack abusing an Israeli software developer to deploy Fantasy, Agrius’s new wiper, with victims including the diamond industry
The post Fantasy – a new Agrius wiper deployed through a supply‑chain attack appeared first on WeLiveSecurity
ESET researchers uncover Dolphin, a sophisticated backdoor extending the arsenal of the ScarCruft APT group
The post Who’s swimming in South Korean waters? Meet ScarCruft’s Dolphin appeared first on WeLiveSecurity
Malicious apps used in this active campaign exfiltrate contacts, SMS messages, recorded phone calls, and even chat messages from apps such as Signal, Viber, and Telegram
The post Bahamut cybermercenary group targets Android users with fake VPN apps appeared first on WeLiveSecurity
APT-C-50’s Domestic Kitten campaign continues, targeting Iranian citizens with a new version of the FurBall malware masquerading as an Android translation app
The post Domestic Kitten campaign spying on Iranian citizens with new FurBall malware appeared first on WeLiveSecurity
ESET researchers analyzed previously undocumented custom backdoors and cyberespionage tools deployed in Israel by the POLONIUM APT group
The post POLONIUM targets Israel with Creepy malware appeared first on WeLiveSecurity
ESET researchers have discovered Lazarus attacks against targets in the Netherlands and Belgium that use spearphishing emails connected to fake job offers
The post Amazon‑themed campaigns of Lazarus in the Netherlands and Belgium appeared first on WeLiveSecurity
ESET researchers have uncovered another tool in the already extensive arsenal of the SparklingGoblin APT group: a Linux variant of the SideWalk backdoor
The post You never walk alone: The SideWalk backdoor gets a Linux variant appeared first on WeLiveSecurity
Pinecone is a WLAN networks auditing tool, suitable for red team usage. It is extensible via modules, and it is designed to be run in Debian-based operating systems. Pinecone is specially oriented to be used with a Raspberry Pi, as a portable wireless auditing box.
This tool is designed for educational and research purposes only. Only use it with explicit permission.
For running Pinecone, you need a Debian-based operating system (it has been tested on Raspbian, Raspberry Pi Desktop and Kali Linux). Pinecone has the following requirements:
apt-get install python3
.apt-get install dnsmasq
.apt-get install hostapd-wpe
. If your distribution repository does not have a hostapd-wpe package, you can either try to install it using a Kali Linux repository pre-compiled package, or compile it from its source code.After installing the necessary packages, you can install the Python packages requirements for Pinecone using pip3 install -r requirements.txt
in the project root folder.
For starting Pinecone, execute python3 pinecone.py
from within the project root folder:
root@kali:~/pinecone# python pinecone.py
[i] Database file: ~/pinecone/db/database.sqlite
pinecone >
Pinecone is controlled via a Metasploit-like command-line interface. You can type help
to get the list of available commands, or help 'command'
to get more information about a specific command:
pinecone > help
Documented commands (type help <topic>):
========================================
alias help load pyscript set shortcuts use
edit history py quit shell unalias
Undocumented commands:
======================
back run stop
pinecone > help use
Usage: use module [-h]
Interact with the specified module.
positional arguments:
module module ID
optional arguments:
-h, --help show this help message and exit
Use the command use 'moduleID'
to activate a Pinecone module. You can use Tab auto-completion to see the list of current loaded modules:
pinecone > use
attack/deauth daemon/hostapd-wpe report/db2json scripts/infrastructure/ap
daemon/dnsmasq discovery/recon scripts/attack/wpa_handshake
pinecone > use discovery/recon
pcn module(discovery/recon) >
Every module has options, that can be seen typing help run
or run --help
when a module is activated. Most modules have default values for their options (check them before running):
pcn module(discovery/recon) > help run
usage: run [-h] [-i INTERFACE]
optional arguments:
-h, --help show this help message and exit
-i INTERFACE, --iface INTERFACE
monitor mode capable WLAN interface (default: wlan0)
When a module is activated, you can use the run [options...]
command to start its functionality. The modules provide feedback of their execution state:
pcn script(attack/wpa_handshake) > run -s TEST_SSID
[i] Sending 64 deauth frames to all clients from AP 00:11:22:33:44:55 on channel 1...
................................................................
Sent 64 packets.
[i] Monitoring for 10 secs on channel 1 WPA handshakes between all clients and AP 00:11:22:33:44:55...
If the module runs in background (for example, scripts/infrastructure/ap), you can stop it using the stop
command when the module is running:
back
command. You can also activate another module issuing the use
command again. Shell commands may be executed with the command shell
or the !
shortcut:
pinecone > !ls
LICENSE modules module_template.py pinecone pinecone.py README.md requirements.txt TODO.md
Currently, Pinecone reconnaissance SQLite database is stored in the db/ directory inside the project root folder. All the temporary files that Pinecone needs to use are stored in the tmp/ directory also under the project root folder.
Misconfigured remote access services continue to give bad actors an easy access path to company networks – here’s how you can minimize your exposure to attacks misusing Remote Desktop Protocol
The post RDP on the radar: An up‑close view of evolving remote access threats appeared first on WeLiveSecurity
Focused mostly on Asia, this new cyberespionage group uses undocumented tools, including steganographically extracting PowerShell payloads from PNG files
The post Worok: The big picture appeared first on WeLiveSecurity
Listen to Cameron Camp, Juraj Jánošík, and Filip Mazán discuss the use of machine learning in cybersecurity, followed by Cameron’s insights into the security of medical devices
The post ESET Research Podcast: Hot security topics at RSA or mostly hype? appeared first on WeLiveSecurity
Previously unknown macOS malware uses cloud storage as its C&C channel and to exfiltrate documents, keystrokes, and screen captures from compromised Macs
The post I see what you did there: A look at the CloudMensis macOS spyware appeared first on WeLiveSecurity