/r/Malware

A place for malware reports, analysis and information for [anti]malware professionals and enthusiasts.

This is NOT a place for help with malware removal or any type of tech support. Ask your IT support staff, your search engine of choice, another subreddit (/r/antivirus or /r/techsupport for example), or a friend or relative. In that order.

Content rules:

  • This is a subreddit for readers to discuss technical malware news, malware internals and infection techniques, malware tools, and anything related to the professional world of [anti]malware. Technical Support posts are forbidden and will result in removal and a possible ban.
  • Our readers are intelligent, or at the very least technically curious. Posted content must be highly technical, well-researched, and of good quality.
  • Do not sensationalize or otherwise unnecessarily change the original title of the article you are linking. Clickbait will result in an immediate and permanent ban.

Chat with us:

#reddit-malware:matrix.org

82,203 Subscribers

7

Microsoft’s Azure Blob Storage Abused in Phishing Campaigns

0 Comments
2024/12/02
14:07 UTC

1

Malicious chrome extension

So I somehow encountered a malicious extension (and I didn't think about the fact that it just opened somehow) that seemed like a legitimate Google extension, because the Chrome Web Store tab opened while I was on a Google page just messing around, and what it does (as far as I figured out while trying to get rid of it) is it forces your focus to your browser window, it won't let you open the extension menu (you can open the yourbrowsername://extensions page), and it won't let you remove the extension. And funnily enough, the only reason I was able to get rid of it was because of ChatGPT (no, really). Also, the extension's Chrome Web Store URL is: https://chromewebstore.google.com/detail/ssh-for-google-cloud-plat/ojilllmhjhibplnppnamldakhpmdnibd/

0 Comments
2024/12/02
03:53 UTC

3

Some questions about EternalBlue/DoublePulsar for CS class report.

Like the title says, I'm working on this analysis of EternalBlue/DoublePulsar for my computer systems security class. It's a grad-level class, so unfortunately a super broad-strokes report won't suffice, and I had some questions about EternalBlue, DoublePulsar, and other Equation Group malware from the 2017 Shadow Brokers leaks. Before anybody asks, I finished the actual implementation portion of this project; I'm just struggling with some minor details in my final report.

Specifically, I'm at a loss when it comes to its relevance today. Obviously there were a lot of practices that had to change after EternalBlue attacks in the wild (WannaCry, NotPetya, etc.), like patching systems in a timely manner, but I'm kind of lost on the technical details of how this is still a threat today. I understand that the MS17-010 patch largely addressed the SMB1 OS2/NT packet threat, but there are still apparently lots of cases of EternalBlue being leveraged in the wild, like with StripedFly, at least as I understood it. See https://securelist.com/stripedfly-perennially-flying-under-the-radar/110903/

I guess where I'm lost is in understanding just how relevant (or irrelevant) this exploit really is. Modern versions of Windows don't use SMBv1 afaik, but the Shadow Brokers leak contained exploits like EducatedScholar, EmeraldThread, EternalChampion, etc., which targeted SMBv2 and SMBv3, which are used in modern Windows iirc. I know the Shadow Brokers leaks have been patched for the most part, but we're still seeing implementations of this code being used (or at least found) today.

Another detail I'm getting hung up on is the detection methods used in legacy systems that can't be, or won't be, patched. I tried asking GPT, but it's not giving me a straight answer on what detection methods are being used. It's my understanding that the primary reason EternalBlue is so easy to detect now is because of the spike of network use on TCP 445, since the payload is so large. However, the payload is only really that large because it contains shellcode for both x86 and x86_64 systems, so if you only included 64-bit shellcode, wouldn't that theoretically avoid detection, or at least make it harder to detect? Or do modern IDS solutions (if they're even compatible with unpatched Windows versions) detect the direct manipulation of packets after the call to SrvOS2FeaListSizeToNt (or NT_TRANSACT/_SECONDARY)?

tl;dr: Can modified EternalBlue/EducatedScholar/EternalSynergy code be used today in attacks? How is the EternalBlue exploit really detected: just a spike in TCP 445 traffic, or tracking functions like SrvOS2FeaListSizeToNT? Is EternalBlue at all adaptable for modern systems, or is it more of a case study for OPSEC practices?

3 Comments
2024/12/01
07:10 UTC

2

Desktop machine started daily port scans recently.

My firewall (Firewalla Gold) recently started alarming on daily port scans going out from the desktop. No pirated software on the machine. Running the most up-to-date Norton AV.

Norton actually flagged/quarantined two files (gpu.exe & idp.generic). Deleted both, but made note of where the files were. Ran full scans with NAV and Malwarebytes; nothing flagged. However, even after the files were removed, I'm still seeing daily port scans.

Is it possible NAV or Windows is doing the scans? Or do I likely have some malware buried deep in my machine? Thanks in advance.

7 Comments
2024/11/30
20:04 UTC

2 Comments
2024/11/26
22:06 UTC

5

VM for malware analysis using assembly

I'm a college student in comp-sci and wanted to do a small project on assembly/malware for my Git page. I wanted to try "dynamic malware analysis" so I can download and run malware in REMnux/VMware, then translate from bin to C to assembly or what have you, and basically return the instructions where malicious activity happens. Any advice on resources or anything else? lmk!

8 Comments
2024/11/21
13:58 UTC

5

Methods for creating variants of malware embedded in PDF files

Hi everyone, I started learning about malware recently, so sorry for my lack of knowledge in malware. My teacher assigned me a project called "Methods for creating variants of malware embedded in pdf files". I'm having trouble classifying PDF malware variants and finding methods for creating them. I've read some research about PDF malware. In one, they are classified into JavaScript-based and non-JavaScript-based. In another document, they are classified by OpenAction feature, Launch action, Embedded files, GotoEmbedded action, and URI action. Can I ask your opinion about how you classify variants of PDF malware?

2 Comments
2024/11/20
13:49 UTC

11

Fileless malware attack leveraging PowerShell

3 Comments
2024/11/20
13:38 UTC

5

New Frostygoop (BUSTLEBERM) Indicators of Compromise

0 Comments
2024/11/19
14:47 UTC

7

Looking for a malware dataset released by China

I am doing some research and I am interested in looking at some Chinese databases, basically the Chinese equivalent of "Mitre ATT&CK Groups". Ideally, it would be an official release from the government, but one from a Chinese cybersecurity company is also okay.

Can anyone point me in the right direction or share a link?

It does not matter if it's in the Chinese language.

Thanks in advance!

3 Comments
2024/11/12
15:50 UTC

10

Rootkit Detection Program

I am trying to create a user-mode rootkit detection program (as it seems suitable right now for my level, since kernel-level rootkit detection seems daunting, although I want to try that later when I have done this one), which uses signature-based detection and integrity checks. I will be using Python for this project.

However, I have been facing a dilemma regarding whether I should create the signatures myself by analyzing the samples, or whether you would suggest using some other tools like VirusTotal and MalwareBazaar (I don't know much about these tools; I was suggested these by other people on the internet. However, I have been doing some malware analysis and have some knowledge in it).

Some of the resources I have gone through:

  1. Application level rootkit detection program for Debian 9.8 by Batsal Nepal
  2. The Rootkit Arsenal
  3. Fast User-Mode Rootkit Scanner for the Enterprise, Yi-Min Wang and Doug Beck, Microsoft Research, Redmond

If anyone has done something like this before and could provide me with more resources related to rootkits, I would be grateful.

I have read about the detection process as well but am not able to find many resources about it. So if you know any resources, please share so that I could understand the process for detection even better.

If anyone has created some similar projects or knows about some project, please share your project so I could learn more.

10 Comments
2024/11/08
10:35 UTC

2

Secure set-up

Hey all, I have a Proxmox instance running on a laptop on a separate VLAN with 2 boxes (FLARE VM and REMnux). Within my edge router I have a firewall rule set up to deny any packets from the malware VLAN to my other VLANs, but allow connecting into the malware VLAN from my other VLAN so that I can RDP into the machines.

Does this sound secure? Would you recommend any other changes?

The last thing I need to do is create another VLAN within Proxmox so that I can get INetSim working.

1 Comment
2024/11/07
10:59 UTC

50

Malware Development Resources

Hi. I'm looking to further my knowledge in malware development. For now, all I can do is teach myself from what's freely provided. Do you guys know of any good books/resources I can learn malware development from in depth, especially as a beginner? I just started familiarizing myself with all this computer stuff, and recently learnt to use Python and its basics. Any help will be appreciated.

20 Comments
2024/11/07
07:42 UTC

3

Emmenhtal loader uses LOLBAS to deliver malware

0 Comments
2024/11/06
13:44 UTC

19

One of the biggest private CIS/USA stealers has been compromised by law enforcement

For almost 5+ years, there was a stealer called Redline/Meta. While the second one is pretty new, they both operated on the same servers. But their time's over:

"On the 28th of October 2024 the Dutch National Police, working in close cooperation with the FBI and other partners of the international law enforcement task force Operation Magnus, disrupted operation of the Redline and META infostealers.
Involved parties will be notified, and legal actions are underway." (c) https://operation-magnus.com/

Video, made by Dutch police

5 Comments
2024/11/05
11:05 UTC

4

AMA Crosspost

0 Comments
2024/10/30
06:22 UTC

6

Assistance Needed For Triage API Access

Hi all,

I've been waiting over 7 months for a Triage API key, but my status is still "pending." Does anyone have advice on getting access, or could anyone possibly let me use theirs?

Feel free to add me on Discord @_h3 if you can help. Thanks!

1 Comment
2024/10/27
13:00 UTC

4

PhoenixRat

Does anybody at all recognize a RAT named Phoenix from 2022? Due to my exit from the cyber community, I lost track of it, and now I'm trying to figure out if its name was changed or if the owner completely abandoned the project.

5 Comments
2024/10/26
17:54 UTC

7

Building an EDR From Scratch Part 4 - Kernel Driver (Endpoint Detection and Response)

0 Comments
2024/10/24
19:42 UTC

15

Yemoza Trojan

A few days ago I received a message from a friend that I haven't spoken to in a while on Discord. They told me that they had a game project titled "Yemoza" that they worked on with friends and they wanted me to test it. Upon installing it, it crashed my Discord and my Firefox, and he informed me that I was hacked. He sent me passwords that he stole. Of the 6 he grabbed, only 2 were right, one of them being my Discord. Shortly after, I was kicked out. I deleted all traces of it, cleared all cache and temporary files, did several virus scans using several platforms, and changed all my passwords. The only thing the hacker truly compromised was my Discord, but after communicating with Discord support I got it back the next day. I haven't been able to find much on this Trojan, so I wanted to shed some light on it and maybe find a little bit more information. If there's anything you know about this virus, please let me know.

13 Comments
2024/10/23
03:43 UTC

10

Latrodectus Loader - A year in the making

0 Comments
2024/10/21
17:10 UTC

3

Looking for resources on malware and vulnerabilities discussions for my master's thesis

Good day friends. Hope this complies with the rules.

I'm working on my master's thesis. The project somewhat mirrors what DISCOVER did, i.e. an automated cybersecurity warning generator. Right now, I'm looking for new sources to pull the data from. I'd like to use anything relevant to malware/vuln discussion, so tweets, potentially relevant subreddits, hacker blogs/forums (anything in English, Russian or Chinese is fair game), any other social media/blog; anything that can anticipate official reports is welcome. Ideally I'd like to find dumps/datasets, but I'm prepared to scrape.

For now, I'm looking into this dataset on tweets and this more general one, as well as the Russian and English forums listed on the wiki. I'm having trouble finding more underground sources.

Any suggestion is welcome, and I thank you for your time.

2 Comments
2024/10/21
09:56 UTC