/r/Malware
A place for malware reports, analysis and information for [anti]malware professionals and enthusiasts.
This is NOT a place for help with malware removal or any type of tech support. Ask your IT support staff, your search engine of choice, another subreddit (/r/antivirus or /r/techsupport for example), or a friend or relative. In that order.
I just started my journey with Practical Malware Analysis. It's been good so far, but the book was published in 2012. I want to read more recent works. Do you have any suggestions?
Does anyone know how the oietif virus works? I only know that it somehow overwrites the flash BIOS and the PC simply does not start; it would be interesting to know how it works.
This is my first crack at writing malware. It's a lightweight Remote Access Trojan in Rust. Any feedback and suggestions would be greatly appreciated, especially in regard to advancing the obfuscation and evasion mechanisms. If you want to play around with it, the pre-built release is on GitHub along with the source, here: (Art3misRAT Github). Note that the IP is set to 127.0.0.1 in the release, so it will only work on the local machine; if you want to connect to a remote IP you'll have to build from source. Hoping to evolve it into a free tool for the community with enough useful features, but primarily to evade AV detection, since Meterpreter seems to be very difficult to get past Windows Defender lately. Hope y'all like it, and any feedback is greatly appreciated! Use it responsibly and legally!
One of those fake updates; it appears to be a randomly generated URL, base64-encoded style, like everything else it uses for obfuscation. It downloads the first one into the cache, decrypts it and links to it that way, an interesting evasion, but I can't seem to figure out how to manually pull the other payloads. I grabbed everything when it popped up on the compromised page, but I'm unable to figure out the initial compromise.
How might I grab the other payloads it has? Even the origin URL doesn't appear to be working. Maybe it's the type of download request? Or is it checking the origin somehow? It's an injected iframe. I'm learning more about JavaScript, so I'm probably missing something obvious.
For C2, I'd like to know how common it is for malware authors to develop checks for VPN exit nodes from popular providers like Express, Nord, etc. It's hard to find any links on this, but I find it interesting that exit nodes are publicly plastered all over the net, lol.
I noticed strange behaviour on my computer a few days ago and decided to look into it. I found several 1MB EFI partitions on boot drives, and when restarting the computer a tell-tale sign is that it takes a long time for the BIOS splash screen to show up. I didn't realise at first exactly what it was, so I was trying conventional means within the OS to combat it, which obviously failed as they had a kernel-mode driver already loaded. Every USB stick I plugged in was also infected when I was trying to make new OS images.
After realising what it was and reading this Microsoft advisory (https://support.microsoft.com/en-us/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d?preview=true), I managed to get a friend to bring a clean laptop and USB stick round, install Windows 11 and follow those steps. Luckily the certificate was revoked and the bootkit could no longer load.
I have several large 10TB+ drives attached to my computer which I didn't want to lose the data from; I have been able to recover everything now. I can't believe Microsoft has not done something more about this, or published it more widely to revoke the impacted certificate, as this is one of the worst malwares out there at the moment.
I have also lost access to all three of my Gmail accounts, which really sucks as they had all my YouTube subscriptions and everything else.
I am looking to pivot to growing my iOS malware analysis skills for the next few months. As I have the most personal experience with iOS devices, specifically iPhones, I want to start there. I am curious as to how security researchers perform analysis on samples to write their respective reports. For example, are they infecting a real iOS device, or are there methods of emulating an iOS device like you would a Windows or Linux environment in a VM?
I look forward to any discussion.
Research on how to implement execution delaying through RDTSC using only one call, bypassing the analyses of published research.
Just wanted to share my initial thoughts on Malsearch.com
I first saw this on Twitter and didn't hesitate to sign up as the idea of a malware source code search engine would greatly help me in my current job in cybersecurity.
I've only used it for a few days, but I want to say this has been very helpful for me when analyzing and building malware code. Usually I have to use GitHub, which is annoying because the search results are noisy and filled with unrelated stuff. Additionally, I like how I can filter by the different types of malware and OSs.
The search can take a little long (5-15 secs) when the term is too general, which might be annoying for some people; however, considering the amount of lines of code in their database, it makes sense that the results would not be instantaneous, and I don't really have a problem since I normally am able to find what I am looking for.
When it comes to their repository of malware, it is quite extensive. I believe the owner stated on Twitter that they have an additional 2-3 thousand malware source code projects they are planning to add over the following months. They also stated that they are going out of their way to purchase malware and upload it directly to their site to grow their repository. Their goal seems to be a centralized place for all malware source code on the internet which would greatly help me in my work when searching for specific types of malware.
Overall, for 7 bucks it seems to be a really great time saver for me and helps out significantly at work. I want to thank the community for the great developments you guys are making; this is like the third big project I've seen in just the last couple of months, and I'm so excited to see and review what's next!
Something like rensenware: https://github.com/0x00000FF/rensenware-cut
"it does not demand victims any money, but makes them play Touhou Project game and unlocks files when player reaches 200 million points of score"
What are samples you guys know of that don't steal from you (no botnets, RATs, loaders or ransomware)?
And it's trying to grab its next stage or payload from a domain that is down; what do you do at that point?
I can't find any recent samples either.
Title. I’d love to be able to have malware pull further stages and execute its intended network behavior. I’m pretty sure that residential proxies are a decent way to accomplish this for home lab use.
Hi everyone,
In my team we would like to have our own sandbox for malware analysis with access to the internet (separate network) to do our own research.
Does anyone here have any ideas for a cool setup for this?
At home I have my own setup with FLARE VM + CAPE (no internet access), but I was wondering if someone has something better, maybe using a cloud VM (Azure/AWS) instead of a physical host.
Thanks!
Hey guys, hoping to get some good advice. We are a new firm and we are trying to get our foot in the door with ransomware reversal and recovery assistance.
My question is, how do you get these companies to hire a third party firm to help with their attack?
Any advice is welcome.
I have just set up my FLARE VM and REMnux to learn malware analysis.
I've taken the step of using VMware's LAN segment to isolate the machines on a different Ethernet network and statically assign IPs to it.
Now my question is: how do I copy malware I want to inspect onto these machines without infecting the host?
Do I change my configuration to NAT and access the internet to get the malware? Or do I create a shared folder between host and VM (I don't think this is safe)?
Any help would be appreciated.
Hi everyone,
I'm working on a project where I need to automatically create alerts and cases in TheHive based on CVE data. Here's a brief overview of my setup and the challenges I'm facing:
>> Project Overview:
Script Functionality: I've written a script that pulls CVE details from Elasticsearch and generates alerts in TheHive based on a specific condition (a specific affected product, for example). The script then converts these alerts into cases.
Team-Based Assignment: I want to assign cases to specific teams (e.g., Apps team for WordPress CVEs, Networking team for Cisco CVEs) based on the nature of the CVE.
Email Notifications: I need to notify all members of the relevant team when a new case is created.
>> The Problem:
1. Case Assignment: TheHive doesn't seem to support direct assignment of cases to multiple users or groups based on tags or other criteria. I can create user profiles and organizations, but the API doesn't allow assigning cases to multiple users in a straightforward way.
2. Notification: I need an efficient method to notify all members of a team about new cases.
>> What I've Tried:
1. Multiple Organizations: Creating separate organizations for each team and assigning users accordingly. This allows team members to see only their relevant cases.
2. Tags and Profiles: Using tags to identify teams and manually assigning cases based on these tags.
3. Email Notifications: Considering using an external script to send email notifications to team members.
What can I do to fix my issue, or does anyone suggest any alternative solutions or tools that might be better suited to this requirement?
Thanks in advance for your he
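The pipeline described in the post above, as an added example (this is not the poster's script and not TheHive's own code): CVE hits are filtered by affected product, mapped to a team through a routing table, turned into a TheHive v1 alert (POST /api/v1/alert) that is then promoted to a case (POST /api/v1/alert/{id}/case), with the owning team carried as a `team:` tag so the per-organisation setup or a dashboard filter can key on it, and one e-mail is built for every member of that team. The team names, product keywords, addresses and CVE records are constructed placeholders, not real CVEs; the HTTP call sits behind a `send` callable with an offline stand-in (`FakeHive`) so the whole thing runs without a server. The endpoint paths are the TheHive v1 ones and are an assumption to verify against the API docs of the version you run.

```python
import re
from email.message import EmailMessage

# Routing table keyed by a lower-case substring of the affected product name.
# Team names, product keywords and addresses are assumptions for this example.
TEAM_ROUTING = {"wordpress": "apps", "cisco": "networking"}
TEAM_MEMBERS = {"apps": ["alice@example.invalid", "bob@example.invalid"],
                "networking": ["carol@example.invalid"],
                "triage": ["soc@example.invalid"]}  # fallback when nothing matches

# Constructed documents shaped like CVE hits pulled from Elasticsearch.
# The IDs are placeholders, not real CVEs.
SAMPLE_CVES = [
    {"cve_id": "CVE-0000-0001", "product": "WordPress Core", "cvss": 9.8,
     "summary": "placeholder: unauthenticated remote code execution"},
    {"cve_id": "CVE-0000-0002", "product": "Cisco IOS XE", "cvss": 7.2,
     "summary": "placeholder: privilege escalation"},
    {"cve_id": "CVE-0000-0003", "product": "ExampleCMS", "cvss": 5.3,
     "summary": "placeholder: information disclosure"},
]


def route_team(product: str) -> str:
    """Map an affected product to a team, falling back to 'triage'."""
    name = product.lower()
    for needle, team in TEAM_ROUTING.items():
        if needle in name:
            return team
    return "triage"


def cvss_to_severity(score: float) -> int:
    """TheHive severity runs 1 (low) to 4 (critical)."""
    return 4 if score >= 9.0 else 3 if score >= 7.0 else 2 if score >= 4.0 else 1


def build_alert(cve: dict) -> dict:
    """TheHive v1 alert body. sourceRef must be unique per alert, so it combines
    CVE ID and product; the owning team travels as a tag on the alert/case."""
    team = route_team(cve["product"])
    ref = f'{cve["cve_id"]}:{cve["product"]}'.lower().replace(" ", "-")
    return {"type": "cve", "source": "elasticsearch", "sourceRef": ref,
            "title": f'{cve["cve_id"]} affects {cve["product"]}',
            "description": cve["summary"],
            "severity": cvss_to_severity(cve["cvss"]),
            "tags": [f"team:{team}", cve["cve_id"], f'product:{cve["product"]}']}


def build_notification(team: str, case: dict) -> EmailMessage:
    """One message to every member of the team. Sending is left to the caller
    (smtplib.SMTP.send_message) so this stays runnable offline."""
    msg = EmailMessage()
    msg["Subject"] = f'[TheHive] new case #{case["number"]}: {case["title"]}'
    msg["To"] = ", ".join(TEAM_MEMBERS[team])
    msg.set_content(case["description"])
    return msg


def process(cves: list, products: list, send) -> list:
    """Keep CVEs whose product matches, create the alert, promote it to a case
    and build the team e-mail. send(method, path, body) performs the HTTP call
    against TheHive and returns the decoded JSON. Returns (team, case, msg)."""
    wanted = [p.lower() for p in products]
    out = []
    for cve in cves:
        if not any(p in cve["product"].lower() for p in wanted):
            continue
        alert = send("POST", "/api/v1/alert", build_alert(cve))
        case = send("POST", f'/api/v1/alert/{alert["_id"]}/case', None)
        team = route_team(cve["product"])
        out.append((team, case, build_notification(team, case)))
    return out


class FakeHive:
    """Offline stand-in for TheHive that records alerts and promoted cases."""
    def __init__(self):
        self.alerts, self.cases = {}, []

    def __call__(self, method, path, body):
        if method == "POST" and path == "/api/v1/alert":
            alert = {"_id": f"~{len(self.alerts) + 1}", **body}
            self.alerts[alert["_id"]] = alert
            return alert
        m = re.fullmatch(r"/api/v1/alert/(~\d+)/case", path)
        if method == "POST" and m:
            src = self.alerts[m.group(1)]
            case = {"_id": f"~c{len(self.cases) + 1}", "number": len(self.cases) + 1,
                    "title": src["title"], "description": src["description"],
                    "severity": src["severity"], "tags": src["tags"]}
            self.cases.append(case)
            return case
        raise ValueError(f"unexpected call {method} {path}")


if __name__ == "__main__":
    for team, case, msg in process(SAMPLE_CVES, ["wordpress", "cisco"], FakeHive()):
        print(team, case["number"], case["severity"], msg["To"])
```

For the real thing, pass a `send` that does JSON over HTTP with the API key as a bearer token and hand each `EmailMessage` to `smtplib.SMTP.send_message`. The separate-organisation approach the post already uses still governs who can see the case; the `team:` tag only makes the routing decision visible and queryable, and the fallback to a triage queue keeps an unmatched product from silently disappearing.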
I've wanted to write a serious RAT or a botnet for quite some time now, but I don't know where to start - I have ideas of things I could exploit and utilize, but I can't think of how to practically achieve it.
For example - in Linux, I thought of bootstrapping my malware by adding it to the default.target file read by systemd, or adding a cron job, but I have no idea how to get to the point I have the privileges to do that.
I figured this just means that I don't have enough experience and knowledge, but if so, how should I learn? I try reading documentation, but just end up overwhelmed with information that is hard to remember all at once, without any practical understanding of how a certain concept works; everything is just so theoretical (another example off the top of my head is initramfs: I could recite that "it's a file system initially loaded temporarily to provide the kernel with an environment to boot the rest of the system up", but what does it mean? How does it actually work?).
And another thing is I keep getting lost: so many things I want and need to learn, and I don't know where to start, how to learn, or what I should learn.
Hello everyone, I hope you are well. I'm a student of cybersecurity and I have an internship. Actually, I don't have an exact project yet. I use OpenVAS, OSINT for web scraping, and SonarQube. I don't have a way or method to link all these tools together and create a good project. Therefore, I decided to choose my own project: to integrate OpenVAS with Elasticsearch and use Suricata, Wazuh, Filebeat, and Kibana to improve security.
However, it's only 15 days until my defense, and I installed these with Docker Compose to automate the process, but they are not working well. I still have a problem with the Wazuh dashboard; it's not working.
My question is: is there any help or method to link OpenVAS with these tools and create a good project? Any help, please?
Hey Everyone,
I'm working on my end-of-study project titled "Implementation of a Vulnerability Solution Management and Threat Intel," and I'd love to get your feedback and suggestions. Here's what I've done so far and my current plan:
Current Setup:
Plan to Enhance:
Example Workflow:
Questions: