
Robert Giczewski
@lazy_daemon
Interested in CTI/Malware Analysis/RE, DFIR and Windows exploitation. I like video games & tech as well 🙂. CTI @ Deutsche Telekom Security. Tweets are my own.
🚨 ALERT: Cybercriminals are sending out fake Telekom invoices via phishing emails to deliver multiple malicious RAT payloads. The activity originates from an attack cluster tracked by Telekom Security under the name "Rodent Weed". 🧵1/6

this part is brutal.

Some folks took my post as “detection > TI” or assumed I believe TI is just IOCs. Let’s clarify. I wrote that post after being called a threat intel company four times this month. We’re not. We do detection engineering - and yes, that often integrates TI, but it produces a…

Threat intel analysts produce threat intelligence. Detection engineers produce detection intelligence. Big difference. Gartner doesn’t list the second one yet. TI is about indicators tied to a known threat. DI is about rules that catch malicious behavior across threats. One…
Reading Microsoft’s new Void Blizzard report, one thing stands out (again): Everything is about credential theft, phishing, and tokens. Initial access comes from buying or stealing creds - often through low-effort phishing. All the real action happens in the cloud, not on…


Microsoft has discovered worldwide cloud abuse activity by new Russia-affiliated threat actor Void Blizzard (LAUNDRY BEAR), whose cyberespionage activity targets gov't, defense, transportation, media, NGO, and healthcare in Europe and North America. msft.it/6011S9JpN
Fraudsters have now started using EPC QR codes in fake invoices that can be opened by many banking apps. These codes already contain all the necessary transfer information for the app to start a simple transfer action for the victim. (1/3)

This is a great summary. We (and by we I mean mostly @willoram) have been using variants of this diagram to describe the inversion of attack paths to identity-based intrusions - a major trend in our incident response cases over the past year.

In the past, you had to: phish a user, drop malware, escalate privileges, pivot to servers, evade EDR, dump creds, move laterally, exfiltrate quietly, clean up, leave a backdoor. Today, you just: phish a user, steal an OAuth token, access everything from anywhere. Cloud…
Microsoft Threat Intelligence observed a new and notable method used by the threat actor Storm-0249 for distributing the Latrodectus trojan, a malware loader designed to facilitate multi-stage attacks by downloading and installing additional payloads onto compromised devices.

🚨 Telekom Security detected a major #vishing campaign against multiple targets in #Germany, likely related to a ransomware group. We are still analyzing, but here is what we know so far 🧵1/x

I interviewed 57 security leaders to answer one question: What sucks in security right now? The answers were fascinating, frustrating, and occasionally funny 🧵
At this year's #DEATHCon I was fortunate enough to present my workshop on #Kusto graph semantics. Now I release it for free to everybody. #KQL #Security #Kraph cloudbrothers.info/en/workshop-ku…
We have also detected this campaign. It starts with an email 📧 containing an SVG file which, when opened, drops an HTML file. The HTML file displays a spoofed PDF file and tricks the victim into clicking the "Open" button 🧵1/4

WsgiDAV opendir: https://german-multiple-reunion-foundation.trycloudflare[.]com/
Had fun presenting #WARMCOOKIE research at #VB2024. The malware was recently updated with new handlers. Our team wrote some tooling to simulate the C2 server to help organizations build better detections. Tooling: github.com/elastic/labs-r…
🚨🔥 LOLRMM IS LIVE! 🔥🚨 The wait is over, folks! 🥳🎉 We’re thrilled to announce the official release of LOLRMM — your new go-to tool to detect and counter RMM abuse! 🕵️♂️💻 👉 Check it out NOW at LOLRMM.io 👈 This couldn’t have been possible without our amazing…
What's new in IDA 9.0? youtu.be/c9ehQfLY-d4 - No more IDA 32 - IDA as a library (for C++ and Python headless development) - New and updated signatures (for FLIRT) - Legacy 'structs' and 'enums' windows and APIs are gone - Plugin binaries not compatible with 9.0; need to…
Bellingcat’s Online Open Source Investigation Toolkit bellingcat.gitbook[.]io/toolkit
#Latrodectus Infection leads to #BruteRatel🕷️🦫 #MalwareAnalysis & #TTPs Several unpacking routines (VirtualAlloc & VirtualProtect) lead to 2 DLLs [+] Rundll32.exe T1218.011 Internal name: badger_x64_stealth_rtl.bin.packed.dll Export Func: DllMain StartW unpac.me/results/fe22fa…
#Latrodectus - #BruteRatel - .pdf > url > .js > .msi > .dll 18.09.2024 👇 wscript.exe Document-21-29-08.js msiexec.exe /V MSI152A.tmp /DontWait rundll32.exe C:\Users\Admin\AppData\Roaming\x64_stealth.dll, clBuildProgram (1/3) 👇 IOCs github.com/pr0xylife/Latr…

The people who claimed the ‘EU version of iOS is the most fun version of iOS’ are awful quiet today

We joined US & international partners 🇳🇱🇨🇿🇩🇪🇪🇪🇱🇻🇺🇦🇨🇦🇦🇺🇬🇧 to issue a Cybersecurity Advisory on malware used by Russian-state affiliated cyber actors for espionage, theft/leakage of sensitive info & sabotage/data destruction. Read the full advisory here: ic3.gov/Media/News/202…
#ElasticSecurityLabs is introducing HexForge, our tool that enhances #IDAPro with manipulation capabilities built into the hex and disassembly views. HexForge makes it easy to copy and patch binary data and currently supports RC4, AES, ChaCha20, and XOR: go.es.io/4cTCME2