/r/Malware
A place for malware reports, analysis and information for [anti]malware professionals and enthusiasts.
A place for malware reports and information for [anti]malware professionals and enthusiasts.
This is NOT a place for help with malware removal or any type of tech support. Ask your IT support staff, your search engine of choice, another subreddit (/r/antivirus or /r/techsupport for example), or a friend or relative. In that order.
Content rules:
You might also be interested in:
Chat with us:
/r/Malware
soo i somehow encountered an malicious extension(and i didnt think about the fact that it just opened somehow) that seemed like a legitimate google extension, bc the chrome web store tab opened while i was on a google page just messing around, and what it does(as far as i figured out while trying to get rid of it) was it forces your focus to your browser window, and it wont let you open the extension menu(you can open the yourbrowsername://extensions page), and it wont let you remove the extension. and funnily enough, the only reason i was able to get rid of it, was because of chatgpt(no really) also the extension's chrome web store url is: https://chromewebstore.google.com/detail/ssh-for-google-cloud-plat/ojilllmhjhibplnppnamldakhpmdnibd/
Like the title says, I'm working on this analysis of EternalBlue/DoublePulsar for my computer systems security class. Grad level class so unfortunately super broad-strokes report won't suffice, and I had some questions about EternalBlue, DoublePulsar, and other Equation Group malware from the 2017 Shadoww Brokers leaks. Before anybody asks, I finished the actual implementation portion of this project, I'm just struggling with some minor details in my final report.
Specifically I'm at a loss when it comes to it's relevance today. Obviously there were a lot of practices that had to change after EternalBlue attacks in the wild (WannaCry, NotPetya, etc.) like patching systems in a timely manner, but I'm kind of lost on the technical details of how this is still a threat today. I understand that MS17-010 patch largely addressed the SMB1 OS2/NT packet threat, but there are still apparently lots of cases of EternalBlue being leveraged in the wild like with StripedFly, at least as I understood it. see https://securelist.com/stripedfly-perennially-flying-under-the-radar/110903/
I guess where I'm lost is in understanding just how relevant (or irrelevant) this exploit really is. Modern versions of Windows don't use SMBv1 afaik, but Shadow Brokers leak contained exploits like EducatedScholar, EmeraldThread, EternalChampion, etc. which targeted SMBv2 and SMBv3 which is used in modern Windows iirc. I know the shadow brokers leaks have been patched for the most part, but we're still seeing implementations of this code being used (or at least found) today.
Another detail I'm getting hung up on is the detection methods used in legacy systems that can't be, or won't be, patched. I tried asking GPT but it's not giving me a straight answer on what detection methods are being used. It's my understanding that the primary reason EternalBlue is so easy to detect now is because of the spike of network use on TCP 445, since the payload is so large. However, the payload is only really that large because it contains shellcode for both x86 and x86_64 systems, so if you only included 64-bit shellcode wouldn't that theoretically avoid detection, or at least make it harder to detect? Or do modern IDS solutions (if they're even compatible with unpatched windows versions) detect the direct manipulation of packets after call to SrvOS2FeaListSizeToNt (or NT_TRANSACT/_SECONDARY)?
tl;dr: Can modified EternalBlue/EducatedScholar/EternalSynergy code be used today in attacks? How is EternalBlue exploit really detected, just a spike in TCP 445 traffic or tracking functions like SrvOS2FeaListSizeToNT? Is EternalBlue at all adaptable for modern systems or is it more of a case study for OPSEC practices?
My firewall (Firewalla Gold) recently started alarming daily port scans from the desktop out. No pirated software on the machine. Running most up to date Norton AV.
Norton actually flagged/quarantined two file(gpu.exe & idp.generic). Deleted both, but made note of where the files were. Ran full scans with NAV, Malwarebytes, nothing flagged. However, even after files were removed, still seeing daily port scans.
Is it possible NAV or Windows are doing the scans? Or do I likely have some malware buried deep in my machine? Thanks in advance.
Im a college student in comp-sci and wanted to do a small project on assembly/ malware for my git page. I wanted to try “dynamic malware analysis” so I can download and run malware in remnux/vmware then translate from bin-C-assembly or what have you and basically return the instructions where malicious activity happens, any advice on resources or anything else? lmk!
Hi everyone, I started learning malware recently, sorry for my lack of knowledge in malware. My teacher assigned me a project called "Methods for creating variants of malware embedded in pdf files". I'm having trouble classifying PDF malware variants and finding methods for creating them. I've read some research about PDF malware. They are classified into JavaScript-based and non-JavaScript-based. In another document, they are classified into OpenAction feature, Launch action, Embedded files, GotoEmbedded action, and URI action. Can I ask your opinion about how you classify variants of PDF malware?
I am doing some research and I am interested in looking at some Chinese databases, basically the Chinese equivalent of „Mitre ATT&CK Groups“. Ideally, it would be an official release from the government, but from a Chinese cybersecurity company is also okay.
Can anyone point me in the right direction or share a link?
It does not matter if it’s in Chinese language.
Thanks in advance!
I am trying to create a User-mode rootkit detection program(as it seems suitable right now for my level, as kernel-level rootkit detection seems daunting, although I want to try that later when I have done this one), which uses signatures based detection and integrity checks for detection . I will be using python for this project.
However, I have been facing dilemma regarding should I create the signatures myself by analyzing the samples or would you suggest using some other tools like virus total, and malware bazaar ( I don't know must about these tools, I was suggested these by other people in the internet, however I have been doing some malware analysis and have some knowledge in it).
Some of the resources I have goon through:
If anyone has done something like this before and provide me with more resources related to rootkits I would be grateful.
I have read about detection process as well but not able to find much resources about it. So if you know any resources please share so that I could understand the process for detection even better.
If anyone was created some similar projects are knows about some project share your project so I could learn more.
Hey all I have a proxmox instance running in a laptop on a separate VLan with 2 boxes (flare VM and remnux), Within my edge router I have a firewall rule setup to deny any packets from the malware Vlan to my other vlans, but allows connecting into the malware vlan from my other vlan so that I can rdp in to the machines.
Does this sound secure?, would you recommend any other changes?
Last thing I need to do is create another Vlan within proxmos so that I can get Inetsim working.
Hi. I'm looking to further my knowledge in malware development. for now all I can do is teach myself from what's freely provided. Do you guys know of any good books/resources I can learn malware development from in depth, especially as a beginner. I just started familiarizing myself with all this computer stuff, and recently learnt to use python and its basics. Any help will be appreciated.
For almost 5+ years, there was a stealer called Redline/Meta. While the second one is pretty much new, they both operated on the same servers. But their time's over:
"On the 28th of October 2024 the Dutch National Police, working in close cooperation with the FBI and other partners of the international law enforcement task force Operation Magnus, disrupted operation of the Redline and META infostealers.
Involved parties will be notified, and legal actions are underway." (c) https://operation-magnus.com/
Hi all,
I’ve been waiting over 7 months for a Triage API key, but my status is still “pending.” Does anyone have advice on getting access, or possibly let me use theirs?
Feel free to add me on Discord @_h3 if you can help. Thanks!
Does anybody at all recognize a R.A.T named Phoenix in 2022? Due to my exit of the cyber community, I lost track of it and now I'm trying to figure out if its name was changed or if the owner completely abandoned the project.
A few days ago I received a message to a friend that I haven't spoken to a while on discord. They told me that they had a game project titled "Yemoza" that they worked on with friends and they wanted me to test it. Upon installing it it crashed my discord and my firefox and he informed me that I was hacked. he sent me passwords that he stole. Of the 6 he grabbed only 2 we're right, one of them being my discord. Shortly after I was kicked out. I deleted all traces of it, cleared all cache and temporarily files, did several virus scans using several platforms, and changed all my passwords. The only thing the hacker truly compromised was my discord but after communicating with discord support I got it back the next day. I haven't been able to find much on this Trojan, so I wanted to shed some light on it and maybe find a little bit more information. If there's anything you know about this virus please let me know
Malware analysis: https://www.vmray.com/latrodectus-a-year-in-the-making/
Good day friends. Hope this complies with the rules.
I'm working on my master's thesis. The project somewhat mirrors what DISCOVER did, so an automated cybersecurity warning generator. Right now, I'm looking for new sources to pull the data from. I'd like to use anything relevant to malware/vuln discussion, so tweets, potentially relevant, subreddits, hacker blogs/forums (anything in english, russian or chinese is fair game), any other social media/blog, anything that can anticipate official reports is welcome. Ideally I'd like to find dumps/datasets, but I'm prepared to scrape.
For now, I'm looking into this dataset on tweets and this more general one, as well as the russian and english forums listed on the wiki. I'm having trouble finding more underground sources.
Any suggestion is welcome, and I thank you for your time.