Thanks to @xorhex for an interesting discussion that is worth sharing here. I knew I read this somewhere but here's a fun thing you can do in YARA-X:
2 of ($a*, $b*, 3 of ($c*))
This is documented but not widely known: virustotal.github.io/yara-x/docs/...
New Gist: Age Verification is an Epic fail
On Bluesky's introduction of age verification, selling us to the Fortnite guys, and how the arrogance of Ireland's regulator has seen it deliver the very outcomes it once called "bonkers".
www.thegist.ie/the-gist-age...
This entire thread is headshot nerd sniping, Greg. I'll brb. Need more time to reply. Keep UNCs. Keep APTs or named actors. There are valid uses, but I have strong feelings about how they're used & how people merge groups and/or attribute into a group to say it's them rather than admit it's similar.
We're guilty of it too. It happens. Keeping up to date with the code families & automating the plugin extraction is a full-time job. The automation is important, but lowering the bar & time required to do the RE to identify plugins & capability is great. Nino's work helped crush that analysis time.
It's always bothered me when I read a report saying "It was <pluggable code family PLUGDOOR>" but not always listing the minimum set of plugins (features) a sample was shipped with. Even if it supports loading further modules, clients should be informed of the minimum a threat actor had to hand.
Thanks. I've spent a lot of time working on pluggable code families like this & SOGU (PlugX). Ultimately the obfuscation defeated me. Nino did such an amazing job. I spent last year working a lot on making sure we can easily identify or at least extract and analyse plugins shipped with pplug.
@github.com With regard to Actions, could you please review this issue regarding #FreeBSD support. Maybe now that @netflix.com is reporting an impact to them you'll take it seriously. github.com/actions/runn...
My reverse engineering workflows survey is still ongoing! In less than 3 minutes, you can fill it in and help out: docs.google.com/forms/d/e/1F...
Hackers claim to have breached Gravy Analytics, a US location data broker selling to government agencies.
They shared 3 samples on a Russian forum, exposing millions of location points across the US, Russia, and Europe.
#100DaysofYara Day 5
My first ELF binary:
github.com/augustvansic...
I also learned how to use x64dbg to attach to a process and follow the kernel32.dll WriteProcessMemory stack call to find where the EDR DLL gets a handle on the process.
x: @RustyNoob619
#100DaysofYARA Day 5
Added a couple of new YARA rules for TTPs 🐧
First is to detect embedded Windows PE payloads in a file as Base64 encoding.
Second is to spot modification of memory protection flags, which is typically used for code injection/unpacking.
github.com/RustyNoob-61...
Crossposting here. #100daysofyara: continuing to explore yara-x, today I tried to detect a renamed QEMU exe using PE attributes and a dynamic variable.
🦔 📹 Video: Learn how to write code based signatures
➡️ using privateloader as example
➡️ what to detect
➡️ where to set wildcards
➡️ how to test your rule on unpac me
www.youtube.com/watch?v=oxC9...
#MalwareAnalysisForHedgehogs #privateloader
New blog post for #100DaysofYARA; in this one I look at a VenomRAT sample and create rules based on PE metadata and an encryption salt value.
forensicitguy.github.io/exploring-ve...
#malware
#100DaysofYARA we're brute forcing Steve's prompt with regular expressions :P
github.com/100DaysofYAR...
#100DaysOfYara Day 3
Thought this was a Meterpreter implant, but I compared it to an implant I made; much more functionality in the ITW sample. Rule = unique Win32 API calls, IPs, imports.
#100daysofyara I like taking the approach of having multiple YARA rules to detect the same thing from different perspectives, like these rules for Cronos Crypter. One looks for just strings, another a string + encryption salt, a third for the assembly name.
#100DaysofYARA day 2 - one cluster in my portfolio, TA427, really likes to use password-protected ZIP files with an MSC file as the only embedded file (it used to use .VBS files).
Let's look for ZIPs that match those features!
github.com/100DaysofYAR...
Configured my neovim conform.nvim to run "yr fmt" on save. Looking forward to "yr lint" and hoping someday for a yara-x LSP.
I'm on the same page though. That's why I have tried a few options and always come back to an RCS. I've even worked on deduplication methods, but it's not worth it. I have what works for me, but experimenting is worthwhile and fun.
Here she is during Christmas after a hard night drinking imperial stout & reviewing yara rules.
Gitea self-hosted at home right now. I guess my playing with a new service was more a yara-x Golang bindings project than anything else. Probably won't be useful to anyone else. I write plenty of rules at home & my dog reviews them all. She says they're all quality.
Also not sure what platform I'll post on. Shitter, BSky, Mastodon or if I'll just PR on GitHub. I was also working on a new service at home for storing my rules. I tried synapse for rule management but in the end I prefer something standalone / decoupled from everything else.
Gonna take a hangover day & start #100DaysOfYara late. Couldn't keep up last year & I'll see how it goes this year. I don't have the creativity of @greg-l.bsky.social. Might do some scripting & play more with yara-x like @stvemillertime.bsky.social. I have a half-written gRPC service for file scanning.
Ok day 1 of #100DaysofYara:
I assigned some strings based on the less common lines from the Lockbit 4 loader that would likely be common in malicious code and not typically in normal admin, as well as a hex string for the PE itself.
#100DaysofYARA day 1 - the Amos stealer is regularly evolving and updating its obfuscation techniques.
You know what isn't changing?
The dylibs it depends on and the entitlements it requests from the OS. Combined, they give us excellent signal.
github.com/100DaysofYAR...