Fantasy
@0xFantasy
Intel @DoppelHQ, Investigations @Fairside, Contributor @BoringSecurity
news: t.me/fable_n
Joined October 2021
Does @ProtonMail have an unpatchable email spam filter bypass by using an account's public PGP key? Every account has a public PGP key that can be used to encrypt emails. This prevents the service provider from reading the content, straightforward. But, this also means that
This involves $300M in stolen funds from a Trezor wallet victim, compromised through social engineering attacks. $100M in BTC $200M in LTC H/T to @zeroshadow_io, @tanuki, and @Bitcoin_Vietnam. They were able to trace, flag, and attribute the attack, so far $1M.
Whale 0xF73a swapped another 404 $BTC($38.62M) for 11,533 $ETH. Over the past 3 days, he has exchanged a total of 686 $BTC($65.59M) for 19,631 $ETH. https://t.co/akXQ6qOPVd
Solidity v0.8.31 is out! ✨ This latest version makes Osaka the default target for the compiler, extends storage layout specifiers, brings new deprecation warnings, Linux ARM builds, and more! Highlights in the thread! ↓🧵
Navigating relationships between contracts has always been way too hard and slow (dozens of tabs and chats). Not anymore, with the Herd contract visualizer - take any contract/transaction page and click "visualize" to see all the function and variable relationships.
I never really thought about it, but 3DNS isn’t its own registrar, it *partners* with Namesilo for registrations. All the multisig and tokenization is just fancy account controls for what is a normal domain reseller. All the “security controls” can be bypassed since Namesilo
According to our partners at 3DNS and NameSilo, who are still actively investigating, multisig control was circumvented. DNSSEC was removed from both domains and a compromised insider at NameSilo was able to redirect the domains to malicious pages.
15/ Fin. Feel free to check out this thread's accompanying blog post for more detail on this vector! https://t.co/RvadYcRhP2
blog.fa.nta.sy
I was recently talking to a handful of online friends about UGC (user generated content) creation within the Unity ecosystem. One of them jokingly mentioned how someone they knew was “ratted” by...
14/ There isn't a ton the end user can do beyond not importing Unity packages that contain C# scripts. However, this may not be reasonable for all game devs. To help combat this, I've built a CLI tool to help detect C# files with InitializeOnLoad classes/functions.
github.com
Quickly detect if a .unitypackage file contains C# scripts and any [InitializeOnLoad] functions. - vile/unityproject-csharp-detector
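Added example, not part of the thread and not the code of the linked vile/unityproject-csharp-detector tool: a Python scanner for the checks the thread motivates, flagging C# scripts, InitializeOnLoad usage, and Windows executables stored under another file extension. It assumes a .unitypackage is a gzip-compressed tar with one folder per asset holding `pathname` and `asset` files; the function names, finding labels and sample package are constructed for illustration.

```python
import io
import re
import tarfile

# InitializeOnLoad / InitializeOnLoadMethod anywhere in the source; comments match too.
INIT_ATTR = re.compile(rb"\bInitializeOnLoad(?:Method)?(?:Attribute)?\b")

def scan_unitypackage(fileobj):
    """Return sorted (pathname, finding) pairs without extracting to disk."""
    entries = {}  # per-asset folder name -> {"pathname": bytes, "asset": bytes}
    with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
        for member in tar:
            folder, _, leaf = member.name.rpartition("/")
            if member.isfile() and leaf in ("pathname", "asset"):
                entries.setdefault(folder, {})[leaf] = tar.extractfile(member).read()
    findings = []
    for entry in entries.values():
        lines = entry.get("pathname", b"").splitlines()
        if not lines or "asset" not in entry:
            continue
        path = lines[0].decode("utf-8", "replace").strip()
        lower, data = path.lower(), entry["asset"]
        if lower.endswith(".cs"):
            findings.append((path, "csharp-script"))
            if INIT_ATTR.search(data):
                findings.append((path, "initialize-on-load"))
        # Windows PE files (DLL/EXE) start with "MZ"; a PNG or text asset never does.
        if data[:2] == b"MZ":
            kind = "dll" if lower.endswith((".dll", ".exe")) else "pe-header-under-other-extension"
            findings.append((path, kind))
    return sorted(findings)

def build_sample_package():
    """Constructed sample: one auto-run script, one PE-headed '.png', one real PNG."""
    assets = {
        "a1": ("Assets/Editor/Setup.cs", b"[InitializeOnLoad]\npublic static class Setup {}\n"),
        "b2": ("Assets/Textures/icon.png", b"MZ\x90\x00" + b"\x00" * 60),
        "c3": ("Assets/Textures/logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for folder, (path, data) in assets.items():
            for leaf, blob in (("pathname", path.encode()), ("asset", data)):
                info = tarfile.TarInfo(f"{folder}/{leaf}")
                info.size = len(blob)
                tar.addfile(info, io.BytesIO(blob))
    buf.seek(0)
    return buf
```

To check a downloaded package before importing it, pass the opened file: `scan_unitypackage(open(path, "rb"))`. An empty result means none of these three signals were found, not that the package is safe.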
13/ Putting it all together, we have a fully functional delivery method for malware via Unity packages:
- Autoexecuting C# script to dynamically load a DLL
- DLL that fetches a remote payload and starts it
- Manually manipulated Unity package to hide the DLL
12/ To top it off, users can't actually see the contents of C# scripts before importing them. So the C# file we created to load the DLL is a complete mystery to the end user during the import screen.
11/ While I haven't touched on the internal structure of a Unity package, it is essentially a glorified zip file. This means that we can extract it, find where our DLL file lives, and simply plop down a preview.png file, then rezip the archive. Unity doesn't see any issue with
10/ Well, now we have another issue, it's even sketchier to have a DLL file in your Unity package. Well, what if we just spoofed it as a different file? Since we're loading it dynamically, the file extension doesn't matter and we can change it to something like .PNG. However,
9/ Since we are essentially able to create our own C# program within this class, we can also dynamically load DLL files. This means that we can put all the sketchy code that downloads files and spawns Powershell into a DLL, compile it for Unity, and then stick it in our package.
8/ That's... not great. However, it's pretty sketchy having a Unity C# script spawn Powershell. If someone read the code in this script, they would probably get sketched out. Surely we can't obfuscate this? Right?
7/ What does this exactly look like? Unity making a web request to grab a remote payload and spawn Powershell...
6/ There are two critical components of InitializeOnLoad:
- Runs at editor startup/reload AND when a package is imported
- No restrictions on what C# code can be run within this class
This means that Unity packages can be used to hide malicious autoexecuting scripts with all of
5/ There is one VERY abusable attribute of the editor that any C# can hook into: InitializeOnLoad. InitializeOnLoad is usually meant for advanced SDKs and projects looking to automate tasks that may need to be run many times throughout the dev lifecycle.
4/ Games made with Unity are primarily written in C#. This allows for great flexibility for code meant to run your game. However, Unity also lets you hook into its Editor (where you actually create games) to run C# for automation or SDK purposes (think VSCode plugins).
3/ Normally, packages are downloaded through Unity's official Asset Store. However, you can circumvent the official store by simply seeking out .unitypackage files. These could come from a fellow dev looking for help with a 3D model or from an online forum.
2/ For some quick context, Unity is a general purpose and cross-platform game engine available to everyone, from big studios to indie devs. The potential audience of people using Unity packages is niche, but still runs deep.