Slides from my V00d00 talk -> Operation FastCash - Hidden Cobra's AIX PowerPC malware dissected #Malware #DFIR #Hacking #APT38 #Lazarus #ATM

The repo contains challenges for the labs in the course AI Red Teaming in Practice taught at BH 2024 teaching adversarial ML and Responsible AI failures, enabling a holistic approach to identifying potential issues before an AI system is deployed. 😎.

Safe Wallet & Mandiant report on #Bybit hack. Good read!.

RT @zachxbt: Lazarus Group just connected the Bybit hack to the Phemex hack directly on-chain commingling funds from the intial theft addre….

RT @PixOnChain: This is Lazarus. They just stole $1.46 billion from Bybit. And they didn’t break the code — they broke the people. Here’s u….

RT @ESETresearch: #ESETresearch has released DelphiHelper, a plugin for #IDAPro that aids in analyzing Delphi binaries. Check it out on ESE….

Slides, code and #YARA rules from the workshop I recently teached internally covering various aspects including C and Python API usage, tips & tricks when developing rules and 5 challenges and its solutions. Thanks @wxs for reviewing the slides. #DFIR.

Linpmem - physical memory acquisition tool for Linux Good job by Viviane Zwanger. #Forensics #DFIR

Ever tried to reverse #NIM #Malware ? More fun, less pain with the new #IDAPro plugin from my buddy Holger Unterbrink.

=> „BugChecker is a SoftICE-like kernel and user mode debugger, supporting Windows versions from XP to 11, both x86 and x64)“ #SoftIce #Debugging #Oldschool

(7/7) Bonus => Decrypting+Dumping the 2nd stage binary. Set Breakpoint on the VirtualAlloc function as shown in the screenshot, click "Continue", at Breakpoint select "Array" + right click-> Save. Now proceed to the dumped 2nd stage of this malware ;)

(6/7) Continue until Breakpoint reached. Then step via F11 and reach the desired malicious dll method.

(5/7) Search Assemblies (CTRL+Shift+K ) => UnsafeInvokeInternal (double click to jump to this function. Set breakpoint on "return RuntimeMethodHandle.InvokeMethod(. "

(4/7) Select "Debug->Start Debugging", enter arguments as shown in screenshot and select "Entry Point" at "Break at"

(3/7) Namespace "Congratulations" - Class "tunnel" - Method of interest "atlanta"

(2/7) First find a suitable .net dll loader, e.g. SharpDllLoader or RunDotNetDll (find them on Github) and load the malicious .net dll into DNSPY to find the desired method to inspect and its arguments to reach it.

(1/7) How to debug a malicious .net dll using #DNSPY.Recently I got asked if it is possible to debug a malicious .net dll using DNSPY. Afaik there is no integrated debugger function for it, so here is my indirect approach. As an example I use the dll shown in the screenshot below

#Nighthawk C2 framework #YARA rule.#DFIR.

#IDAPro v8.0 is out with lots of new features, e.g. IDA Teams, a new decompiler for ARC, better firmware analysis and comes with nicely enhanced #Golang support. Bye bye Python2.

Slides from my @a41con talk are available now, at least a slightly stripped community version. This was by far the most interesting #ATM #Blackboxing investigation for me. #YARA rule -> #malware #DFIR

RT @aionescu: I am ecstatic to announce that Winsider Seminars & Solutions, Inc. (the training company that @yarden_shafir and I co-own) ha….