malware detection, hunting and gathering / threat research
Web: https://www.bugfire.io

#Oops. The #Crowdstrike crash was caused by having a function with 21 input parameters but the integration code only checked 20. This worked for a while until the fatal update used the 21st parameter for the first time and all went wrong.

"Therefore, the attempt to access the 21st value produced an out-of-bounds memory read beyond the end of the input data array and resulted in a system crash." Page 2 of https://www.crowdstrike.com/wp-content/uploads/2024/08/Channel-File-291-Incident-Root-Cause-Analysis-08.06.2024.pdf
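As an added illustration of the mismatch described in the post (this is not CrowdStrike's code; the template/criterion structures, the "slot" naming and the 20/21 constants are assumptions used to model the RCA's description), the block below shows a content validator that bounds each template instance by the template type's declared arity of 21 fields, while the interpreter is only ever handed 20 input values. A new template instance that references slot 20 (the 21st parameter) passes the old validator, is rejected by a validator bounded by the supplied count, and is caught by a runtime bound check in the interpreter instead of reading past the end of the input array:

```c
/* Illustrative reconstruction of the 20-vs-21 arity mismatch.
 * Not CrowdStrike's code; structures and constants are assumptions. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DECLARED_PARAMS 21   /* assumption: fields the template type declares   */
#define SUPPLIED_INPUTS 20   /* assumption: values the integration code passes  */

/* One criterion of a template instance: which input slot, what to match. */
typedef struct {
    size_t slot;
    const char *pattern;     /* "*" = wildcard, otherwise exact string match */
} criterion_t;

/* The input data array actually handed to the interpreter at runtime. */
typedef struct {
    size_t count;
    const char *values[SUPPLIED_INPUTS];
} input_array_t;

/* Buggy validator: checks slots against the declared arity (21), so a
 * criterion on slot 20 is accepted even though only 20 values exist. */
int validate_against_declared(const criterion_t *crit, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (crit[i].slot >= DECLARED_PARAMS)
            return 0;
    return 1;
}

/* Fixed validator: checks slots against what the interpreter really gets. */
int validate_against_supplied(const criterion_t *crit, size_t n, size_t supplied)
{
    for (size_t i = 0; i < n; i++)
        if (crit[i].slot >= supplied)
            return 0;
    return 1;
}

/* Interpreter with its own runtime bound check. Returns 1 on match, 0 on
 * no match, and -1 if a criterion names a slot beyond in->count, which is
 * exactly the read that, unchecked, goes past the end of values[]. */
int evaluate(const criterion_t *crit, size_t n, const input_array_t *in)
{
    for (size_t i = 0; i < n; i++) {
        if (crit[i].slot >= in->count)
            return -1;
        const char *v = in->values[crit[i].slot];
        if (strcmp(crit[i].pattern, "*") != 0 && strcmp(crit[i].pattern, v) != 0)
            return 0;
    }
    return 1;
}

/* Constructed sample: the first template instance to match on slot 20. */
static const criterion_t new_instance[] = {
    { 0,  "*" },
    { 20, "needle" },
};
#define NEW_INSTANCE_LEN (sizeof new_instance / sizeof new_instance[0])

/* Runs all three checks on the sample; returns 1 when they behave as described. */
int demo(void)
{
    input_array_t in = { .count = SUPPLIED_INPUTS };
    for (size_t i = 0; i < SUPPLIED_INPUTS; i++)
        in.values[i] = "x";

    int v_old = validate_against_declared(new_instance, NEW_INSTANCE_LEN);
    int v_new = validate_against_supplied(new_instance, NEW_INSTANCE_LEN, in.count);
    int ev    = evaluate(new_instance, NEW_INSTANCE_LEN, &in);
    printf("declared-arity validator: %d, supplied-count validator: %d, interpreter: %d\n",
           v_old, v_new, ev);
    return v_old == 1 && v_new == 0 && ev == -1;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```

The point a practitioner should take from this: a validator that runs at content-build time must be bounded by the same limit the consumer enforces at runtime, and the consumer should still check bounds itself rather than trusting that every input was validated upstream.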

The latest episode of Only Malware in the Building from @thecyberwire is live! In it we discuss Operation Endgame and the law enforcement strategy of trolling the criminals. Tune in wherever you get your podcasts!

https://thecyberwire.com/podcasts/only-malware-in-the-building/2/notes

Operation Endgame: The ultimate troll patrol.

Welcome in! You’ve entered, Only Malware in the Building. Join us each month to sip tea and solve mysteries about today’s most interesting threats. Your host is Selena Larson, Proofpoint intelligence analyst and host of their podcast DISCARDED. Inspired by the residents of a building in New York’s exclusive upper west side, Selena is joined by N2K Networks Dave Bittner and Rick Howard to uncover the stories behind notable cyberattacks. Being a security researcher is a bit like being a detective: you gather clues, analyze the evidence, and consult the experts to solve the cyber puzzle. On this episode, we talk about "Operation Endgame."

New episode of DISCARDED featuring @Myrtus! We dive into Operation Endgame, the malware impacted, and what it means for the cybercrime landscape. Tune in wherever you get your podcasts!
Apple: https://podcasts.apple.com/us/podcast/discarded-tales-from-the-threat-research-trenches/id1612506550?i=1000660211918
Spotify: https://open.spotify.com/episode/3AuQ0UZ8DvTyCWjkeC6WDT?si=2fccb8c32bd6434d
Spreaker: https://www.spreaker.com/episode/checkmate-breaking-down-operation-endgame--60504565
DISCARDED: Tales From the Threat Research Trenches, Ep. "Checkmate: Breaking Down Operation Endgame" (Apple Podcasts, Jun 25, 2024)

Published my first blog post today detailing a LummaStealer infection chain - take a look at https://www.0x1c.zip/0001-lummastealer/
[0001] AmberAmethystDaisy -> QuartzBegonia -> LummaStealer

Disclaimer: I have personally noticed a significant difficulty in finding names for many loaders, even if they have been reported on due to the overwhelming focus on the final payload within infection chains. With this in mind, I utilize a custom loader taxonomy system, with the name of the loader

-0x1c

New video: Why antivirus software detects cracks as malware or PUP 🦔📹

#MalwareAnalysisForHedgehogs #cracks #antivirus
https://www.youtube.com/watch?v=KA7R9rt5r40

The real reason antivirus software detects cracks


A company paid a ransomware group... then had its info leaked by the same ransomware group anyway. Not isolated at all, e.g. UnitedHealthcare paid $20m and then got extorted again by the same person.

Stop paying ransomware groups. You are directly funding serious organised crime. https://www.bleepingcomputer.com/news/security/pandabuy-pays-ransom-to-hacker-only-to-get-extorted-again/

PandaBuy pays ransom to hacker only to get extorted again

Chinese shopping platform Pandabuy told BleepingComputer it previously paid a ransom demand to prevent stolen data from being leaked, only for the same threat actor to extort the company again this week.


For the late crowd: check out my new podcast with my friends at @thecyberwire

Only Malware in the Building!

https://thecyberwire.com/podcasts/only-malware-in-the-building/1/notes

The curious case of the missing IcedID.

Welcome in! You’ve entered, Only Malware in the Building. Join us each month to sip tea and solve mysteries about today’s most interesting threats. Your host is Selena Larson, Proofpoint intelligence analyst and host of their podcast DISCARDED. Inspired by the residents of a building in New York’s exclusive upper west side, Selena is joined by N2K Networks Dave Bittner and Rick Howard to uncover the stories behind notable cyberattacks. Being a security researcher is a bit like being a detective: you gather clues, analyze the evidence, and consult the experts to solve the cyber puzzle. On this episode, we talk about "The curious case of the missing IcedID."


@bittner @selenalarson Loved the new ‘Only Malware in the Building’ podcast I listened to today! Great concept and a nice way to learn more about these threats. Can’t wait for the next one!

https://podcasts.apple.com/us/podcast/hacking-humans/id1391915810?i=1000657788081

Hacking Humans, Ep. "The curious case of the missing IcedID." [Only Malware in the Building] (Apple Podcasts, Jun 4, 2024)


We are proud to announce that we assisted the joint international law enforcement operation #OperationEndgame, targeting the notorious botnets #IcedID, #Smokeloader, #SystemBC and #Pikabot 🔥

abuse.ch has provided key infrastructure to LEA and internal partners to disrupt these botnet operations 🛑

More information on the operation is available here:
👉 https://operation-endgame.com/
