DAK

@DAK@infosec.exchange
60 Followers
172 Following
1.4K Posts

Programmer, Gamer, Hacker.
When not breaking things I write emulators and raytracers.

https://DAK.LOL

Following on the Microsoft and DoJ takedown of Lumma infrastructure, and this week’s news from Sophos discussing a single user hosting over 100 malware github repos, I wanted to spend some time looking into the specific vectors leveraged by some of these repositories. Recently, some of these attacks have included taking screenshots upon execution, which can give us a look into specifically what a user ran that triggered the RAT (Remote Access Trojan) and harvested data from their machine.

https://dak.lol/stealer-malware-attack.vectors/

Stealer malware attack vectors – Lumma Stealer

DAK.LOL

Since Lumma just got shut down c/o Microsoft, the DoJ, Interpol etc, I guess I should get off my butt and post this:

https://dak.lol/the-anatomy-of-a-stealer-package/

A discussion of what is _actually_ contained in drops of Stealer data; it's more than just credential pairs. Sometimes yucky more.

#infosec #lumma #stealers

The anatomy of a stealer package – Lumma Stealer

With the shutdown of Lumma Stealer’s infrastructure announced this week by Microsoft’s Digital Crimes Unit (DCU), the US DoJ, and others, it seemed timely to write about the reality of what is actually packaged up when a Lumma (or Redline) stealer runs on a machine and drops the package across the C2 (Command & Control) infrastructure.

DAK.LOL

Some thoughts on the practice of using "time to crack" charts for infosec marketing, as penance for my having generated them for marketing campaigns in the past.

https://dak.lol/time-to-crack-algorithms/

#infosec #cybersecurity

The misleading messaging of time to crack tables

TL;DR: It’s the time of year where security vendors post blog posts with charts of how long it takes to bruteforce a given password. As usual this raised a lot of questions from less security-minded people I know regarding the realism of the numbers, and how realistic the exercise is now. As penance for having generated this data in times past for similar marketing pushes, I will discuss why this is actually a poor way to teach less-technical users about password complexity; and how users should be creating and using credentials.

DAK.LOL

born to ride bikes, forced to pentest 🚲

My thoughts and prayers go out to #voyager1, which after journeying for half a century to reach interstellar space is still expected to answer fucking work emails

NASA recovered a space probe's 47-year-old computer with about as much memory as my old Commodore 64 over a distance of 15 billion miles so it can (hopefully) continue to do science work, and it reminds me of how much ingenuity used to go into computers back when the assumption was you couldn't consume the water and electricity of a small nation just to power Ask Jeeves.

My password-cracking colleague @cyclone has recently completed some substantial work on cracking Phantom wallets.

Tools:

https://github.com/cyclone-github/phantom_pwn

Writeup:

https://github.com/cyclone-github/writeups/blob/main/Pwning%20Phantom%20Wallets.pdf

GitHub - cyclone-github/phantom_pwn: Tools to extract and decrypt Phantom wallets

Tools to extract and decrypt Phantom wallets.

GitHub

are you for fucking real, GitHub?

We've released #PuTTY version 0.81. This is a SECURITY UPDATE, fixing a #vulnerability in ECDSA signing for #SSH.

If you've used a 521-bit ECDSA key (ecdsa-sha2-nistp521) with any previous version of PuTTY, consider it compromised! Generate a new key pair, and remove the old public key from authorized_keys files.

Other key types are not affected, even other sizes of ECDSA. In particular, Ed25519 is fine.

This vulnerability has id CVE-2024-31497. Full information is at https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html

PuTTY vulnerability vuln-p521-bias
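The announcement above tells you which key type to retire; a quick way to find out whether any such key is still trusted on a host is to audit its authorized_keys files. The script below is an added example, not code from the PuTTY project or from the original post. It parses each authorized_keys line (including the optional leading options field), base64-decodes the key blob and reads the RFC 4251 length-prefixed strings inside it, so the key type is taken from the blob itself rather than trusted from the text token in front of it; for ECDSA keys it also reads the curve identifier that RFC 5656 places as the second string. The sample file and its key blobs are constructed inline with zeroed key material and are not real keys.

```python
import base64
import struct

# Only this key type is affected by CVE-2024-31497 (fixed in PuTTY 0.81).
# Other ECDSA sizes and Ed25519 are not affected, as the announcement says.
AFFECTED_TYPES = {"ecdsa-sha2-nistp521"}
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def _ssh_string(data: bytes) -> bytes:
    """Encode one RFC 4251 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob: bytes, offset: int):
    """Decode one RFC 4251 'string' at offset; return (bytes, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + n
    if end > len(blob):
        raise ValueError("truncated string body")
    return blob[start:end], end


def parse_authorized_key(line: str):
    """Parse one authorized_keys line: [options] key-type base64 [comment].

    Returns None for blank/comment lines, otherwise a dict. The key-type token
    is located by decoding the token after it and checking that the type string
    embedded in the blob matches; this survives quoted options containing
    spaces. A line with no such token comes back with "type": None.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()
    for i, tok in enumerate(fields[:-1]):
        if not tok.startswith(KEY_TYPE_PREFIXES):
            continue
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
            embedded, off = _read_ssh_string(blob, 0)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if embedded != tok.encode("ascii", "replace"):
            continue  # claimed type and embedded type disagree: not a key here
        curve = None
        if tok.startswith("ecdsa-sha2-"):
            # RFC 5656: the curve identifier is the second string in the blob.
            try:
                curve = _read_ssh_string(blob, off)[0].decode("ascii", "replace")
            except ValueError:
                curve = None
        return {
            "options": " ".join(fields[:i]),
            "type": tok,
            "curve": curve,
            "comment": " ".join(fields[i + 2:]),
        }
    return {"options": "", "type": None, "curve": None, "comment": ""}


def audit_authorized_keys(text: str) -> dict:
    """Return {"affected": [(line_no, comment), ...], "unparseable": [line_no, ...]}."""
    report = {"affected": [], "unparseable": []}
    for line_no, line in enumerate(text.splitlines(), 1):
        key = parse_authorized_key(line)
        if key is None:
            continue
        if key["type"] is None:
            report["unparseable"].append(line_no)
        elif key["type"] in AFFECTED_TYPES:
            report["affected"].append((line_no, key["comment"]))
    return report


# Constructed sample keys: the wire structure is real, the key material is zeros.
_P521_B64 = base64.b64encode(
    _ssh_string(b"ecdsa-sha2-nistp521") + _ssh_string(b"nistp521")
    + _ssh_string(b"\x04" + bytes(132))).decode()
_P256_B64 = base64.b64encode(
    _ssh_string(b"ecdsa-sha2-nistp256") + _ssh_string(b"nistp256")
    + _ssh_string(b"\x04" + bytes(64))).decode()
_ED25519_B64 = base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))).decode()

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample file, not real keys",
    f"ecdsa-sha2-nistp521 {_P521_B64} laptop-putty",
    f'from="10.0.0.0/8",no-pty ssh-ed25519 {_ED25519_B64} deploy@ci',
    f"ecdsa-sha2-nistp256 {_P256_B64} jumphost",
    "ecdsa-sha2-nistp521 bm90LWEta2V5 garbage",  # type token with a non-key blob
])

if __name__ == "__main__":
    rep = audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS)
    for line_no, comment in rep["affected"]:
        print(f"line {line_no}: P-521 ECDSA key ({comment!r}): regenerate and remove")
    for line_no in rep["unparseable"]:
        print(f"line {line_no}: could not parse, inspect by hand")
```

Run it against real files by reading `~/.ssh/authorized_keys` (and any `AuthorizedKeysFile` paths from sshd_config) into `audit_authorized_keys`. Cross-checking the embedded type string matters because the text token is what a human scans for, but the blob is what the server actually uses; a line whose two disagree is reported as unparseable rather than silently trusted either way.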