Jai Minton 

An Aussie who does cyber things | Sr. Manager and Former Principal @huntress | Former Principal @ CrowdStrike | https://www.jaiminton.com | Posts = own views.
Website: https://www.jaiminton.com/
BlueSky: https://bsky.app/profile/jaiminton.com
Twitter: https://twitter.com/CyberRaiju
YouTube: https://youtube.com/@cyberraiju

Another notable Octowave Loader sample with installer MSI showing low VT hits, and malicious DLLs being completely undetected. Sideloads into the legitimate Audacity.

Installs itself as 'Directory Converter' in the user LocalAppData 'Programs' directory.

Likely from a fake Cloudflare challenge. Has 4 malicious DLLs, a Progress.pak supporting file, and shellcode inside of Presentations\Application.wav

Deploys LummaC2 into memory which is now using both Telegram channel and Steam Community names for C2 fallback.

MSI: https://www.virustotal.com/gui/file/6251d8f0af660e1e92506d6cea15fd9a7d332a669a6e1b3cf47914b45267b16d

DLL1:
https://www.virustotal.com/gui/file/dd94a417398e749ec63395af31b4749421fc37ec4259da8cd068d3c9fc5198fe/details

DLL2:
https://www.virustotal.com/gui/file/ccfa5f475659d3ee9503cc4d80ecccd34c7f012a17a74bd5a4a43c6223db5adb

DLL3:
https://www.virustotal.com/gui/file/3d72ea9d39991e7300aa0fa50ec2877443afbbd507881cdebfda0f5ed1517926/details

DLL4:
https://www.virustotal.com/gui/file/d0ff2e4092426ef8d17c65ec031fec3db797f1e7a48f011767ca1cffb3d05135/details


Termite had access to Genea for 2 weeks through their Citrix environment before exfiltrating 900GB+ of patient records to Digital Ocean.

This is an org that helps couples have a family.

🤬😑

https://www.genea.com.au/pages/important-update-about-a-cyber-incident-MCI2XUN2KJWRFXNMZI2ZZ3QVD2JA

https://www.genea.com.au/sfsites/c/cms/delivery/media/MCKWLU4RITZJHMRDCSLSIY7NJKCE?channelId=0apOd00000001Dp


How do you submit a pull request to a malware author? 🤔

Celestial Stealer is checking for my name or online handle and it won't execute if it's found, but my RE machine is using the name Barry so this check will fail.

Who do I reach out to about this? 😅

https://www.trellix.com/blogs/research/anatomy-of-celestial-stealer-malware-as-a-service-revealed/

🎉 Just released: Threat Actors are using GitHub to distribute malware 🔥. In one case `cracked` TurboTax software is being frequently updated with new versions of malware and the repositories are still active.

Let's reverse this and have some fun. 💥
https://youtu.be/bw6atjKs8Oo

MALWARE on GitHub | Reverse Engineering `Cracked Software` via Debugging, FLOSS, and API monitoring


Just Released 🎉: A malicious LNK file leads to a compromised WordPress site hosting an HTA file. Upon deobfuscation, this reveals a malicious EXE which is going to be run.

Hope you learn something about LNK forensics and enjoy some CyberChef tips!

https://youtu.be/XxHFr2xvPFc

Just released 🎉: Malware analysis of IDAT (Hijack) Loader, its injection from IDAT (PNG file) streams, and how it uses Process Doppelganging.

This covers both dynamic and static analysis techniques which can be used to unravel the final payload.

Enjoy!

https://youtu.be/UA6MqCPTQAA?feature=shared

🧠 Want to know how to reverse Electron-based malware? Not sure what the SpcSpOpusInfo structure is? If so then my latest video is for you!

🎉 New release: Join me in performing malware analysis of an Electron-based stealer which targets Discord accounts and payment information which I've given the name `Duvet Stealer`.

https://youtu.be/8dbHNOs3x10

Just released 🎉: I dive into a fake WinRM VBS script which goes through a few stages to ultimately load malicious code hidden using steganography and a 'Death Note' picture.

https://youtu.be/11IFAIhCKrA

Enjoy!

Ever wanted to get started with Yara 💭? Consider checking out my latest video where I go over some basics of Yara, YaraCI, and how byte strings can be used to hunt stuff like Havoc Demons based on how they dynamically resolve APIs 🏹 👿.

https://youtu.be/4Qo8aKi9aKw

I didn't know what Dark Tortilla was until I made this, but I'm glad the video got a delicious looking picture to go with it.

This week I take a look at a sample which had been obfuscated using the Dark Tortilla Crypter.

Enjoy!

https://youtu.be/2QjAmDWVnj8

The Dark Tortilla Crypter is pretty harsh on your eyes - Malware Analysis
