Search found 224 matches

by R136a1
Sun Apr 03, 2016 2:14 pm
Forum: Malware
Topic: WinNT/Turla (WinNT/Pfinet, Uroburos rootkit)
Replies: 66
Views: 253828

Re: WinNT/Turla (WinNT/Pfinet, Uroburos rootkit)

Two days ago, I started to analyse an unusual Turla dropper which adds an extra layer to the already known dropper and which pretends to be compiled in 2013 according to its time stamp. However, some of its final payloads have a newer compilation time stamp from 2014, leading to the assumption ...
by R136a1
Fri Apr 01, 2016 9:20 pm
Forum: Malware
Topic: [April fool's day] Win32/Rick.d
Replies: 4
Views: 4559

Re: Win32/Rick.d

A bit late and well... at least someone tried it this year ;)
by R136a1
Fri Mar 25, 2016 1:42 pm
Forum: Malware
Topic: Petya malware
Replies: 16
Views: 41909

Re: Petya malware

It's getting better every day... http://s18.postimg.org/jfgdf7m1z/dropbox.png http://s18.postimg.org/5vzj9i82x/uac.png http://s18.postimg.org/4sfexjnft/picard.png And of course, German security experts appear on the surface with brilliant comments: http://s12.postimg.org/puylg8ba5/heisec.png Source:...
by R136a1
Wed Mar 16, 2016 9:14 am
Forum: Malware
Topic: H1N1 loader (aka Win32/Zlader)
Replies: 22
Views: 56471

Re: H1N1 loader (aka Win32/Zlader)

I have realized that the new H1N1 loader isn't the first malware which used the trick with the WMI console to elevate privileges. Radamant ransomware has used it since the end of December (2015); more on it here.
by R136a1
Wed Mar 16, 2016 9:12 am
Forum: Malware
Topic: Ransom.Radamant
Replies: 10
Views: 16689

Re: Ransom.Radamant

Here is a Radamant sample with a compilation timestamp from December 2015 which uses the mentioned trick with the WMI console to elevate privileges, so before H1N1 loader v2. The sample comes with a lot of symbols left behind, where you can observe that the author implemented his own idea of UACMe. Inside...
by R136a1
Tue Mar 15, 2016 4:19 pm
Forum: Malware
Topic: H1N1 loader (aka Win32/Zlader)
Replies: 22
Views: 56471

Re: H1N1 loader (aka Win32/Zlader)

Two months ago, the author of H1N1 loader released a new version of his tool (H1N1v2) which he claims was completely rewritten. Some of the new features include a rewritten UAC bypass method and a new social engineering technique to elevate privileges if the malware runs at low integrity level. These ...
by R136a1
Fri Feb 19, 2016 12:49 pm
Forum: Malware
Topic: Tools from the ZeroAccess author
Replies: 7
Views: 22278

Re: Tools from the ZeroAccess author

As outlined by @Soronsen, here are two more profiles from this person:

https://www.elance.com/s/emalaste/resume/
http://stackoverflow.com/users/4024739/lotus

Copies attached
by R136a1
Fri Feb 19, 2016 11:13 am
Forum: Malware
Topic: Tools from the ZeroAccess author
Replies: 7
Views: 22278

Re: Tools from the ZeroAccess author

Hi folks, thanks to the suggestion from EP_X0FF to search for the driver of the DLL list tool (see above), I have found some new interesting information. Unfortunately, I have not found the driver, but instead a new tool and some information about the ZeroAccess author himself. :) BONUS-TV Player...
by R136a1
Fri Feb 12, 2016 11:02 am
Forum: Malware
Topic: Tools from the ZeroAccess author
Replies: 7
Views: 22278

Tools from the ZeroAccess author

In this article, I will discuss various tools that I have found during the past few months and which I believe are from the same author as the ZeroAccess malware. It is also possible that the source code of the bot was sold after the “takedown” in 2013 and someone is now trying to make profit from i...
by R136a1
Wed Jan 27, 2016 2:48 pm
Forum: Malware
Topic: ZeroAccess (alias MaxPlus, Sirefef)
Replies: 557
Views: 564174

Re: ZeroAccess (alias MaxPlus, Sirefef)

Yes, that is the sample I was talking about.