Notes

People you don’t recognise in dreams are placeholders for your emotions.

Today I’ll wrote about the result of self-researching “classic” persistence trick: startup folder registry keys.

Adding an entry to the ‘run keys’ in the registry will cause the app referenced to be executed when a user logs in. These apps will be executed under the context of the user and will have the account’s associated permissions level. Windows malware persistence techniques and tricks

A new Wordpress vulnerability in the BackupBuddy plugin, actively used for a week now.

$ cat hosts | httpx -title -path "/wp-admin/admin-post.php?page=pb_backupbuddy_destinations&local-destination-id=/etc/passwd&local-download=/etc/passwd" -match-string "root:x:0:0"

This is a lightweight implementation of the Fractal Gateway RPoVPN. It combines Docker, Nginx and WireGuard in a novel way to enable self-hosted connectivity to your self-hosted applications.

Reverse Proxy-over-VPN (RPoVPN) is a common strategy for self-hosting publicly accessible services from home while elimating the need for complex local network configuration changes such as:

• Opening ports on your local Internet router or firewall
• Using a dynamic DNS provider due to a lack of a static IP
• Self-hosting via an ISP that deploys CGNAT (Starlink, T-mobile Home Internet)

Self-hosted Fractal Gateway

Sony Vaio P, 2009

SharkBot is found at the end of October 2021 by the Cleafy Threat Intelligence Team. The malware comes with classic features such as stealing SMS, stealing contacts, abusing accessibility service, overlay attack ,and intercept received SMS. And comes with new techniques such as ATS which enables the malware to transfer money by auto-filling fields in legitimate banking apps and imitate money transfers. And Auto Direct reply technique this enables the malware to spread more. When a message comes to the user and the user reply to the message through the notification not through entering the messaging app this called Direct reply. The malware can intercept the received messages notification and auto direct reply with a malicious link to download a malicious app. But in newer versions of SharkBot, Auto direct reply is not implemented.

In this article, we will analyze two sample because we will explain Auto direct reply which is not implemented in newer versions of the malware. And we will analyze new version of SharkBot sample which has ATS technique and other techniques. Technical analysis of SharkBot Android malware

It’s better to reign in hell than serve in heaven.

This tool takes a file or directory on input and embeds them into an output file acting as an archive/container. It can serve purpose for a Proof-of-Concept presenting emerging risk of container file formats with embedded malware, as well as helper for professional Red Team Operators to sharpen their Initial Access maneuvers.

Currently Threat Actors are known to smuggle their malware archived in various container file formats, to name a few: 7zip, zip, iso, img. PackMyPayload

In September 2021, SOVA, a new Android Banking Trojan, was announced in a known underground forum. It had multiple capabilities and was basically almost in the go-to market phase. Until March 2022, multiple versions of SOVA were found and some of these features were already implemented, such as: 2FA interception, cookie stealing and injections for new targets and countries (e.g. multiple Philippine banks). In July 2022, we discovered a new version of SOVA (v4) which presents new capabilities and seems to be targeting more than 200 mobile applications, including banking apps and crypto exchanges/wallets. Starting from May 2022, Threat Actors (TAs) behind SOVA have started to deliver a new version of their malware, hiding within fake Android applications that show up with the logo of a few famous ones, like Chrome, Amazon, NFT platform or others. Technical analysis of SOVA android malware

After we discovered in February 2022 the SharkBotDropper in Google Play posing as a fake Android antivirus and cleaner, now we have detected a new version of this dropper active in the Google Play and dropping a new version of Sharkbot.

This new dropper doesn’t rely Accessibility permissions to automatically perform the installation of the dropper Sharkbot malware. Instead, this new version ask the victim to install the malware as a fake update for the antivirus to stay protected against threats.

We have found two SharkbotDopper apps active in Google Play Store, with 10K and 50K installs each of them.Sharkbot is back in Google Play

The mainstream Internet is one giant reactive corpo-politico-media propaganda conditioning machine. What really brought this out was how people swapped out their BLM signs for Ukraine flags right on cue. In this way they walked bleeding heart liberals right into supporting the military industrial complex and becoming war-hawks without even realising it.

It’s hard to fathom how plugged in some people are, and how uncritically they absorb whatever is promoted within their social networks. The social need to signify in-group status is so overwhelming with so many people that this can easily be surreptitiously manipulated without them even noticing. Group psychology is manipulated at the mass scale. Facebook has researched social contagion and how sentiments propagate over networks, the level of social engineering that is possible is unimaginable.

Maybe life is eternal and so are the consequences for your actions.

Drone Hacking Tool is a GUI tool that works with a USB Wifi adapter and HackRF One for hacking drones.

Drones, as a high mobility item that can be carried around easily and launched, are becoming cheaper and more popular among the public, they can be seen almost anywhere nowadays.

However, the drone built-in flying cameras could use for illegal usage like candid photos on private property. This shows drones clearly present risks to public safety and personal privacy.

Therefore, we are working on using wireless connection methods (Wi-Fi, GPS) to hack it and take over. In this project, our goal is to capture drones to stop users with malicious intent for proof of concept and a sense of accomplishment. Drone Hacking Tool

Elevator allows to bypass the UAC and spawn an elevated process with full administrator privileges. This is done by abusing the behaviour of the RPC server that implements the UAC feature, as demonstrated by James Forshaw in his article Calling Local Windows RPC Servers from .NET. The tool does not require to drop an extra DLL or write to the Windows Registry (as is often the case with other UAC bypass techniques), and it has been successfully tested on Windows Server 2016, Windows Server 2019 and Windows 10 (it probably works on other versions of Windows).

The tool is composed of a C++ stub that connects the tool itself with the RPC server exposed by the service APPINFO, and the Rust project that contains the main logic that allows to abuse the bug and bypass the UAC. The C++ stub has been obtained from compiling the IDL file that RPC View created from the RPC interface with ID 201ef99a-7fa0-444c-9399-19ba84f12a1a. Elevator - UAC Bypass by abusing RPC and debug objects

Of course there is truth in the world, but it has nothing to do with the political spectrum. Politics has nothing to do with truth, it’s about winning. Whatever truths are involved in politics and its contrived spectrum, they are weaponised to be misleading, presented in bad faith or diluted into half truths all to undermine the enemy’s position and strengthen one’s own.

d0nut.::Files https://doq32rjiuomfghm5a4lyf3lwwakt2774tkv4ppsos6ueo5mhx7662gid.onion/files/ (use Tor Browser)

Last year in corCTF 2021, D3v17 and I wrote two kernel challenges demonstrating the power of msg_msg: Fire of Salvation and Wall of Perdition. These turned out to be a really powerful technique which have been repeatedly utilized in real world exploits.

For this year’s edition, we followed a similar trend and designed challenges that require techniques seen before in real world exploits (and not CTFs). I wrote Cache of Castaways, which requires a cross cache attack against cred structs in its isolated slabs. The attack utilized a simplistic and leakless data-only approach applicable in systems with low noise. D3v17 wrote CoRJail, which requires a docker escape and a novel approach of abusing poll_list objects for an arbitrary free primitive through its slow path setup. Reviving Exploits Against Cred Structs - Six Byte Cross Cache Overflow to Leakless Data-Oriented Kernel Pwnage

I think some people are just destined to die young. For their lives to be a tragedy.

It’s a shame how anti-intellectual society has become, but don’t let yourself believe you are really that much more intelligent than everyone else.

CLI tool written in Rust to check Yara rules against a folder of APK files. You have to pass the folder (or APK file) to check your Yara rules (param -p) and the .yar file of your Yara ruleset (param -r). apk-yara-checker