tlansec :verified:

Threats n stuff.

tlansec :verified: boosted:
2025-05-16

#ESETresearch publishes its investigation of Operation RoundPress, which uses XSS vulnerabilities to target high-value webmail servers. We attribute the operation to Sednit with medium confidence. welivesecurity.com/en/eset-res
In 2023, Operation RoundPress only targeted Roundcube, but in 2024 it expanded to other webmail software including Horde, MDaemon, and Zimbra. For MDaemon, Sednit exploited the zero-day XSS vulnerability CVE-2024-11182.
Most victims were governmental entities and defense companies in Eastern Europe, although we have observed governments in Africa, Europe, and South America being targeted as well.
Our blogpost provides an analysis of the JavaScript payloads, which we named SpyPress. They are able to steal webmail credentials, and exfiltrate contacts and email messages from the victim’s mailbox. IoCs available in our GitHub repo: github.com/eset/malware-ioc/tr 5/5

tlansec :verified: boosted:
2025-05-16

We are very excited to announce that Volatility 3 has reached parity with Volatility 2! With this achievement, Volatility 2 is now deprecated. See the full details in our blog post: volatilityfoundation.org/annou

Volatility 3 Feature Parity Release
tlansec :verified: boosted:
Volexity :verified: volexity@infosec.exchange
2025-04-01

In the course of its investigations, @volexity frequently encounters malware samples written in Golang. This reflects the increase in popularity of Golang generally, and presents challenges to reverse engineering tools.
 
Today, @volexity is releasing GoResolver, open-source tooling to help reverse engineers understand obfuscated samples. @r00tbsd & Killian Raimbaud presented details at INCYBER Forum earlier today.
 
GoResolver uses control-flow graph similarity to identify library code in obfuscated code, leaving analysts with only malware functions to analyze. This saves time & speeds up investigations!
 
Check out the blog post on how GoResolver works and where to download it: volexity.com/blog/2025/04/01/g
 
#dfir #reversing #malwareanalysis

Paul Rascagneres & Killian Raimbaud on stage at INCYBER Forum - they are on the right side of the stage near a podium. Behind them, center stage, is a projection screen of the title slide for their talk, which says "Volexity: GoResolver, Control-flow Graph Similarity Applied to Golang Binary Obfuscation". There is an illustration on the right side of the slide showing Go gophers in varying colors with varying accessories, and a round lens with a border that says Volexity GoResolver. Two Go gophers inside the lens are revealed as being identical.

A Volexity logo, a banner that reads "Threat Intelligence", and the title "GoResolver: Using Control-flow Graph Similarity to Deobfuscate Golang Binaries, Automatically". There is an illustration on the right side of the slide showing Go gophers in varying colors with varying accessories, and a round lens with a border that says Volexity GoResolver. Two Go gophers inside the lens are revealed as being identical.
tlansec :verified: boosted:
Volexity :verified: volexity@infosec.exchange
2024-02-02

In this blog post, Michael Hale Ligh & Andrew Case (@attrc) break down how @volexity used #memoryforensics to discover two #0days being chained together to achieve unauthenticated remote code execution in Ivanti Connect Secure VPN devices. More details here: volexity.com/blog/2024/02/01/h

#dfir #threatintel

tlansec :verified: boosted:
Paul Rascagneres r00tbsd@infosec.exchange
2024-01-16

Last week, we shared details concerning a threat actor (UTA0178) exploiting #Ivanti Connect Secure 0-days. Initially, few devices were compromised. Since Thursday, the exploitation has gone global. We identified over 1700 compromised appliances in the world.

All the sectors are concerned: small and big organizations. Private and public sectors. If you haven't already done so, apply the mitigation provided by the vendor. Run the integrity checker tool to check if you have any mismatches... More details: volexity.com/blog/2024/01/15/i

#threatintel #threatintelligence

tlansec :verified: boosted:
Paul Rascagneres r00tbsd@infosec.exchange
2024-01-12

At the end of last year we worked on an incident response where a TA exploited 2 0-days to compromise Ivanti Connect Secure (previously Pulse Connect Secure).

The first vulnerability (CVE-2023-46805) was abused to bypass the authentication. The second vulnerability (CVE-2024-21887) was used to execute commands on the device.

The TA remounted the filesystem to enable write permissions. Then, the attackers modified an existing JavaScript file and deployed two webshells.

They modified lastauthserverused.js, a script that is legitimately used in the logon page. The modification exfiltrates the username and the password. The two webshells use the HTTP request parameters to execute code.

Takeaways: monitor your network (outbound connections via curl were performed on multiple occasions), check your logs (store your logs outside of the appliance via syslog), use the built-in integrity checker tool.
More details & IOCs in our blog post: volexity.com/blog/2024/01/10/a

#Threatintel #Threatintelligence #Ivanti

tlansec :verified: boosted:
Volexity :verified: volexity@infosec.exchange
2023-10-05

Don't miss @tlansec's talk at 12:00 BST tomorrow, Oct 5, at #VB2023 in London! He will share @volexity's research and observations of a North Korean #apt using unique, persistent #socialengineering techniques to target victims. More here: virusbulletin.com/conference/v #threatintel #dfir

tlansec :verified: tlansec@infosec.exchange
2023-09-25

ICYMI, on Friday our team @volexity put out a report on APT activity targeting mobile devices (Android and likely iOS). The attackers distributed the malware by creating purpose-built websites, online communities and fake personas to assist in distribution.

volexity.com/blog/2023/09/22/e

tlansec :verified: boosted:
Volexity :verified: volexity@infosec.exchange
2023-09-25

@volexity's #threatintel team works with some of the most targeted groups in the world. Today, at the LABScon conference, we are sharing details of a long-running campaign by EvilBamboo. We have also just published details on our blog: volexity.com/blog/2023/09/22/e.

Our analysis has uncovered evidence of the attacker building online communities on various social media & messaging platforms, creating fake personas on social media sites, and using other #socialengineering techniques in order to distribute #Android malware, including #BADBAZAAR. Additionally, there is strong evidence of #iOS device targeting and likely exploitation using IRONSQUIRREL.

#dfir #security

tlansec :verified: boosted:
Volexity :verified: volexity@infosec.exchange
2023-09-15

Donut, an open-source project, is a set of tools to generate position-independent code to obfuscate, load & execute embedded/remote payloads. Today, @volexity released "donut-decryptor" to help analyze payloads created with Donut: github.com/volexity/donut-decr

The Volexity donut-decryptor tool, created by Sr. Malware Reverse Engineer @oldetymer, consists of a Python module + a command-line utility for enabling simple usage. Both the tool and cipher implementation are available for download.

#dfir #threatintel

tlansec :verified: tlansec@infosec.exchange
2023-09-05

If you were a user of the @volexity onenoteextractor project, please note that we've moved it into its own dedicated repository here now:

github.com/volexity/one-extrac

tlansec :verified: boosted:
Volexity :verified: volexity@infosec.exchange
2023-07-13

#Microsoft has published an advisory with mitigation guidance related to an actively exploited remote code execution vulnerability in Microsoft Office now covered by CVE-2023-36884. @volexity's #threatintel team identified this zero-day, related infrastructure, and malware and is credited in the report: msrc.microsoft.com/update-guid

Volexity recommends following Microsoft's mitigation advice ASAP until a patch is made available.

#dfir

tlansec :verified: boosted:
Paul Rascagneres r00tbsd@infosec.exchange
2023-07-12

If you missed it yesterday, Microsoft released an advisory concerning CVE-2023-36884: msrc.microsoft.com/update-guid. This RCE is currently used by a TA and there is no patch. You should apply the mitigation described in the advisory.

With @tlansec we suspected a 0d and we notified MS a few days ago. The infection chain was insane... Instead of an endless explanation you can check this graphic.

The final stage was a malware we named PEAPOD. It shares similarities with RomCom RAT such as COM object hijacking, the string obfuscation logic, the C2 channel protocols (ICMP/socket/HTTP). But the malware core and the final stage are different. PEAPOD works with two libraries: 1 stored on disk (you should monitor what happens inside %PUBLIC%) and 1 stored in the registry. They are loaded in memory and communicate together via a named pipe.

tlansec :verified: boosted:
Irving Popovetsky irvingpop@hachyderm.io
2023-05-05

The perfect confirmation dialog does not exist…

A confirmation dialog for enabling vim mode
tlansec :verified: boosted:
Volexity :verified: volexity@infosec.exchange
2023-05-04

The @volexity #threatintel team continues to see various #threatactors using Microsoft OneNote (.one) files to distribute #malware, sometimes password-protecting them to avoid analysis. We have updated our one-extract tool to support password-encrypted notebooks: github.com/volexity/threat-int.

#dfir

tlansec :verified: boosted:
2023-05-04

On Wednesday, May 10th (next week), Tom Lancaster and I will be in Reston presenting some of our latest research at Volexity’s next Cyber Session. The event is free to attend, and will be in a very relaxed atmosphere. Full details here:

meetup.com/volexity-cyber-sess

#DFIR #infosec

tlansec :verified: boosted:
2023-04-20

The @volatility in-person Malware & Memory Forensics Training is filling up! All course material is based on the instructors’ experience detecting + responding to some of the most sophisticated threat groups in the world. More details here: volatility-labs.blogspot.com/2

#memoryforensics #dfir

tlansec :verified: boosted:
Kevin Collier kevincollier
2023-04-17

We're learning some important opsec lessons from Teixeira. For instance, if you want to clandestinely show your internet friends pics of Top Secret files, don't do it on your own Discord server that you paid for with your credit card that has your name and home billing address.

tlansec :verified: boosted:
Volexity :verified: volexity@infosec.exchange
2023-03-30

The @volexity #threatintel team takes a look at the #3CX supply chain compromise: the malware delivered, the infrastructure used & the initial set up of the attack. Here's what we know so far: volexity.com/blog/2023/03/30/3
#dfir
