dingusxmcgee

@dingusxmcgee@infosec.exchange
40 Followers
126 Following
309 Posts
Husband, Dad and Incident Responder.
Incident Response and Threat Detection at $company
Very Amateur Malware Analysis Blog:
https://blog.dingusxmcgee.com
Show threaddingusxmcgeeJun 8

I updated this blog with some more details, including the discussion around adware versus malware and a brief look at lookupktichen, which seems to be a precursor to RecipeLister.

Some interesting discussion in X and in the InvokeRE discord about adware versus malware etc and I definitely agree I “mislabeled” it in my initial desire to categorize.

Always good to chat and learn from others :). Thanks to @struppigel for the excellent discussion!

dingusxmcgeeJun 6

quick new blog today on RecipeLister! This one seems to be making the rounds the past couple of days, and I had a little bit more detail to add, so hope you enjoy 😊

https://blog.dingusxmcgee.com/blog/2025/06/06/Recipe-For-Adware.html

Recipe For Adware​

On June 2 2025, @xorist posted a screenshot of some javascript code from a ‘recipe app’ in the InvokeRE community discord. What followed was a rabbit hole of confusion, mysterious functionality, dashed dreams, more confusion, and ultimately culminated in Yahoo Search.

Malware Analysis with Dingus
dingusxmcgeeMay 16
Karsten HahnMay 16

Blog: Printer company provided infected printer software for half a year.

➡️ XRed backdoor
➡️ SnipVex virus

Initially reported by Youtuber of "Serial Hobbyism"

https://www.gdatasoftware.com/blog/2025/05/38200-printer-infected-software-downloads

Procolored: Printer company serves malware für six months, claims "false positive" warnings

What do a coin stealer, an abandoned backdoor and a file infector have in common? They all resided in the download section on the website of a printer company - stowed away in installer files for drivers and utilities. We took a closer look.

dingusxmcgeeMay 1
Karsten HahnApr 30
🦔 📹New Video: Analysis of Virut - Part I
➡️ self-modifying code
➡️ Ghidra markup decryption stub
➡️ API resolving
➡️ unpacking
#MalwareAnalysisForHedgehogs
https://www.youtube.com/watch?v=250Bxe0qlQY
Malware Analysis - Virut, a polymorphic file infector

YouTube
dingusxmcgeeApr 19
WashiApr 18

After #flareon11 challenge 7, I got inspired to build tooling for #dotnet Native AOT reverse engineering.

As such, I built a #Ghidra Analyzer that can automatically recover most .NET types, methods and frozen objects (e.g., strings).

👉https://blog.washi.dev/posts/recovering-nativeaot-metadata/

Recovering Metadata from .NET Native AOT Binaries

Ever seen a binary that looks like a .NET binary based on its strings, but .NET decompilers are not able to open them?

Washi
dingusxmcgeeApr 8
Karsten HahnApr 8

I wrote how to use knowledge about .NET structures and streams for writing .NET Yara signatures.

E.g. IL code patterns, method signature definitions, GUIDs, compressed length

#GDATATechblog #100DaysOfYara
https://www.gdatasoftware.com/blog/2025/04/38145-yara-signatures-net-malware

100 Days of YARA: How to write .NET code signatures

If you write YARA signatures for .NET assemblies only relying on strings, you are seriously missing out. Learn what you can do to level up your YARA rules.

dingusxmcgeeApr 2
Karsten HahnApr 2

Podcast with @jstrosch and @psifertex about:
binary ninja, CTFs, AI, the future of cyber security

https://open.spotify.com/episode/6tMYu7g7P9LuMoehALiCsL

EP07 Jordan Wiens - Inside the Mind of a Binary Ninja: CTFs, AI and the Future of Cyber Security

Behind the Binary by Google Cloud Security · Episode

Spotify
dingusxmcgeeMar 30
Jesko HüttenhainMar 30
On a more serious note: I recently added many lines of code to #BinaryRefinery for a fairly niche purpose: Unpacking (malicious) InnoSetup archives that hide their password within the setup #PascalScript. Check it out if that is something you have to deal with. My approach to this was to write an emulator for this arcane language, and I wrote a little blog post about my process!
https://blag.nullteilerfrei.de/2025/03/30/complete-first-correct-later-writing-a-pascal-script-emulator/
Complete First; Correct Later: Writing a Pascal Script Emulator – nullteilerfrei

dingusxmcgeeMar 26

Trying something different today. Been looking into offensive tooling as a way to stay up to date and informed in Incident Response. Its not malware, but I still had fun, thanks for reading if you do :)

https://blog.dingusxmcgee.com/blog/2025/03/26/Using-Rubeus-And-Certify-To-Unpac-The-Hash.html

Using Rubeus And Certify To Unpac The Hash​

Trying something new, little bit of Rubeus, little bit of Certify, little bit of curiosity…Come check it out with me!

Malware Analysis with Dingus
dingusxmcgeeMar 24
WietzeMar 24

By making minor changes to command-line arguments, it is possible to bypass EDR/AV detections.

My research, comprising ~70 Windows executables, found that all of them were vulnerable to this, to varying degrees.

Here’s what I found and why it matters 👉 https://wietze.github.io/blog/bypassing-detections-with-command-line-obfuscation

Bypassing Detections with Command-Line Obfuscation

Defensive tools like AVs and EDRs rely on command-line arguments for detecting malicious activity. This post demonstrates how command-line obfuscation, a shell-independent technique that exploits executables’ parsing “flaws”, can bypass such detections. It also introduces ArgFuscator, a new tool that documents obfuscation opportunities and generates obfuscated command lines.

×
WietzeMar 24

By making minor changes to command-line arguments, it is possible to bypass EDR/AV detections.

My research, comprising ~70 Windows executables, found that all of them were vulnerable to this, to varying degrees.

Here’s what I found and why it matters 👉 https://wietze.github.io/blog/bypassing-detections-with-command-line-obfuscation

Show threadArielMar 24
@wietze good grief lol
Show threadMichał "rysiek" Woźniak · 🇺🇦Mar 24

@wietze

image description:

Screenshot showing a Windows desktop with a web browser open on argfuscator.net and a terminal where original command fails to execute due to lack of privileges, but an obfuscated version works fine.

Show threadMatt OrganMar 24
@wietze after learning a few years back about how unexpectedly successful bypassing EDR was simply by recompiling for x64, I'm not surprised in hindsight hearing these techniques but still very cool.
Nice work 😎
Show threadDominik GrabiecMar 24
@wietze
Looks like they don't follow Microsoft's own algorithm for processing of command line parameters.
Show threadOriel Jutty Mar 24

@wietze After looking at the "Linux and macOS" section", my main takeaway is that apparently a lot of defensive software was written by muppets.   

For example, take option reordering, option separator insertion, and option separator deletion. All of these are about classic unix option syntax as implemented by getopt():

  • Options can be reordered (foo -a -b -c is equivalent to foo -c -b -a).
  • Multiple options in a row (all starting with -) can be bundled together (foo -a -b -c is equivalent to foo -abc).
  • Options that take an argument do so either from the rest of the command-line parameter or (if that is an empty string) the next parameter (foo -s bar is equivalent to foo -sbar).

Why would you not take that into account in your detection tools?

Similarly, character deletion springs from the idea that long option names can be abbreviated as long as they're unique. GNU's getopt_long automatically provides this feature (as do other libraries). Again, this is not a rare or obscure feature.

Any "detection" bypassed by these tricks focuses too much on superficial syntax and not what the command-line arguments actually mean. But in cases where attackers abuse trusted tools ("lolbins", etc), we know exactly what those tools are and how they work. (After all, they're standard system tools and that's why we trust them!) So on the defenders' side, why would we not model the tools' command-line interface precisely and instead rely on crude substring matching?

Getopt Long Options (The GNU C Library)

Getopt Long Options (The GNU C Library)

Show threadWietzeMar 24
@barubary Your analysis is spot on. EDR vendors have used the same "command-line arguments are one big string, YOLO!" model for ages and it simply doesn't work well for exactly these reasons. I hope vendors take notice and do more to interpret/parse/preprocess command-line arguments going forward.
Show threadChristophe Mar 24
@wietze This is so cool! Love ArgFuscator, would be cool to allow for an OS filter to generate commands working for Linux/Windows/Mac
Show threadWietzeMar 24
@christophetd it's in the works! 👌
Show threadKotesMar 24
@wietze Very interesting and exciting text. Thank you.
Windows is such a fragile system that no matter how many letters you replace with strange shapes, it still reads them.
Show threadLes antibiotiques causent l’autisme, vaccinez-vousMar 24
@wietze Cover featuring a glossy Windows 11 command prompt in a blue-ish background #Alt4You
Show threadBert DriehuisMar 24
@wietze It's not just the response part of EDR that's a challenge. Most log data lakes are Lucene based, and apparently it can't do case independent search. Some tools (e.g. graylog) recommend to map all Windows log to lowercase at log ingestion time for this reason. It's been a while since I looked into it, but at the time all popular solutions failed here.