The exact same protocol, but without RC4 encryption, was also reverse engineered by Vitali Kremez (RIP 💜) in his “Let’s Learn: Trickbot Socks5 Backconnect Module In Detail” blog post from 2017.
#TrickBot #TeamSpy #Socks5Systemz
https://vk-intel.org/2017/11/21/lets-learn-trickbot-socks5-backconnect-module-in-detail/
Let’s Learn: Trickbot Socks5 Backconnect Module In Detail

Goal: Reverse the Trickbot Socks5 backconnect module including its communication protocol and source code-level insights. Source: Decoded Trickbot Socks5 backconnect module (33ad13c11e87405e277f002e…

Reverse Engineering, Malware Deep Insight

The C2 protocol in BitSight’s Unveiling Socks5Systemz seems to be identical to what’s described in this old BackDoor.TeamViewer.49 blog post by DrWEB from 2016!

They both even use the same RC4 encryption key heyfg645fdhwi, which can be used to decrypt requests and responses from the C2.

#Socks5Systemz #TeamSpy

Unveiling Socks5Systemz: The Rise of a New Proxy Service via PrivateLoader and Amadey | Bitsight

Recently, our Threat Research team discovered a new malware sample, distributed by the PrivateLoader and Amadey loaders. Learn more.

Bitsight
A deeper look into malware abusing TeamViewer

Analyzing TeamSpy, malware that gives hackers complete remote control of PCs.
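The RC4 layer mentioned in the post, as an added example that is not code from the original thread, from BitSight or from Dr.Web: a from-scratch RC4 (KSA + PRGA) decryptor keyed with the string heyfg645fdhwi, so it runs offline against hex pasted from a PCAP or sandbox log. The sample ciphertext is constructed inside the block by encrypting a made-up string; the message framing that the real Socks5Systemz/TeamSpy C2 wraps around the RC4 layer is not described on this page and is therefore not modelled here.

```python
"""RC4 decryptor for C2 traffic keyed with the string quoted in the post.

Added example, not taken from the thread or from either write-up. RC4 is
implemented from scratch so the script has no dependencies; the sample
ciphertext is constructed below by encrypting a made-up request string,
not captured from a real infection.
"""

RC4_KEY = b"heyfg645fdhwi"  # key quoted in the post


def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes for `key` (key scheduling, then PRGA)."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    # Key-scheduling algorithm: permute S under the key.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm: one keystream byte per step.
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4_crypt(data: bytes, key: bytes = RC4_KEY) -> bytes:
    """Encrypt or decrypt `data`; RC4 is symmetric (XOR with keystream)."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def decrypt_hex(hex_blob: str, key: bytes = RC4_KEY) -> bytes:
    """Decrypt a hex-encoded blob as it would be pasted from a PCAP/log."""
    return rc4_crypt(bytes.fromhex(hex_blob), key)


# Constructed sample (not a real C2 message), encrypted here with the key.
SAMPLE_PLAINTEXT = b"constructed sample request, not a real C2 message"
SAMPLE_CIPHERTEXT_HEX = rc4_crypt(SAMPLE_PLAINTEXT).hex()

if __name__ == "__main__":
    print("ciphertext:", SAMPLE_CIPHERTEXT_HEX)
    print("decrypted :", decrypt_hex(SAMPLE_CIPHERTEXT_HEX))
```

Because the key is hard-coded and there is no per-message nonce, every message is XORed with the identical keystream: a single known plaintext (for example a predictable request header) yields the keystream prefix even without the key, and XORing two ciphertexts cancels it entirely. For detection, the fixed key string itself is as useful an indicator as any decrypted content.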