dingusxmcgee

@dingusxmcgee@infosec.exchange
43 Followers
128 Following
317 Posts
Husband, Dad and Incident Responder.
Incident Response and Threat Detection at $company
Very Amateur Malware Analysis Blog:
https://blog.dingusxmcgee.com
2025-07-20 - Install Linters, Get Malware - DevSecOps Speedrun Edition - Humpty's RE Blog

During a recent incident response case, we observed the following file access: \\localhost\C$\@ GMT-2025.06.21-10.53.43\Windows\NTDS\ntds.dit

This is a clever method of accessing a Volume Shadow Copy (VSS) snapshot. Many EDR and detection systems typically monitor for commands such as 'vssadmin list shadows', and may trigger alerts based on their use.

However, by leveraging the "Previous Versions" feature in Windows (see screenshot), attackers can select a snapshot, view its properties, and enter the '@ GMT' path directly in Explorer. This allows them to browse the snapshot's contents without needing to use the command line.

Because this technique doesn't rely on typical shadow copy commands, it may evade detection by your EDR or SIEM solution. You might want to test it in your environment to identify and close this potential detection gap 🦸‍♂️🦸‍♀️
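As an added defender-side example (not code from the post above), here is a small Python detector run over constructed file-access events that flags snapshot browsing through the Previous Versions path syntax and raises severity when the target is the AD database or a registry hive. The pipe-delimited `timestamp|user|process|path` log format is an assumption; the real Windows syntax is `@GMT-YYYY.MM.DD-HH.MM.SS` with no space after `@`, so the regex also tolerates the spaced form as rendered in the post.

```python
import re
from dataclasses import dataclass

# Previous Versions exposes VSS snapshots as \\<host>\<share>\@GMT-YYYY.MM.DD-HH.MM.SS\...
# '@ ?GMT' also accepts the spaced variant some renderers produce.
SNAPSHOT_RE = re.compile(
    r"\\\\(?P<host>[^\\]+)\\(?P<share>[^\\]+)\\@ ?GMT-"
    r"(?P<ts>\d{4}\.\d{2}\.\d{2}-\d{2}\.\d{2}\.\d{2})\\(?P<rest>.*)",
    re.IGNORECASE,
)

# Paths (relative to the snapshot root) whose access is a credential-theft indicator.
SENSITIVE_PREFIXES = (
    "windows\\ntds\\ntds.dit",
    "windows\\system32\\config\\sam",
    "windows\\system32\\config\\system",
    "windows\\system32\\config\\security",
)

# Constructed sample events (assumed format: timestamp|user|process|path).
SAMPLE_EVENTS = [
    "2025-06-21T11:02:13Z|CORP\\jdoe|explorer.exe|\\\\localhost\\C$\\@GMT-2025.06.21-10.53.43\\Windows\\NTDS\\ntds.dit",
    "2025-06-21T11:05:40Z|CORP\\jdoe|explorer.exe|\\\\localhost\\C$\\@GMT-2025.06.21-10.53.43\\Users\\jdoe\\Documents\\notes.txt",
    "2025-06-21T11:06:02Z|CORP\\svc_backup|backup.exe|C:\\Windows\\NTDS\\ntds.dit",
    "2025-06-21T11:07:11Z|CORP\\jdoe|explorer.exe|\\\\fileserver\\share$\\@ GMT-2025.06.20-02.00.00\\finance\\q2.xlsx",
]


@dataclass
class Alert:
    user: str
    process: str
    host: str
    snapshot: str   # snapshot timestamp taken from the @GMT path
    path: str       # path inside the snapshot
    severity: str   # "high" for credential material, "medium" for any snapshot browsing


def detect(events):
    """Return one Alert per event whose target path goes through a VSS snapshot."""
    alerts = []
    for line in events:
        _ts, user, process, path = line.split("|", 3)
        m = SNAPSHOT_RE.match(path)
        if not m:
            continue  # live file system access; not what this rule is for
        inside = m.group("rest")
        severity = "high" if inside.lower().startswith(SENSITIVE_PREFIXES) else "medium"
        alerts.append(Alert(user, process, m.group("host"), m.group("ts"), inside, severity))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.user} via {a.process} read {a.path} from snapshot {a.snapshot} on {a.host}")
```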

Ever heard of shellbags? Like in the example here:
My Computer -> ? -> Users -> <compromised_user> -> ADRecon-Report-20250225235831

Shellbags are a subset of data found within UsrClass.dat and sometimes in the NTUSER.DAT hive. They are used by Windows to remember folder view settings for Explorer. Each time a user opens a folder, Windows stores metadata about how that folder was viewed, including its path, icon size, window position, and view mode (such as details or thumbnails). This applies to both local and external directories, including removable drives or network shares.

From a forensic standpoint, Shellbags are highly valuable. They can reveal folders that were accessed or created by the user, even if those folders or drives no longer exist.

Take the example above, from a recent Incident Response case. We did not find evidence of execution of ADRecon; however, the shellbags clearly showed that the attacker browsed this folder at the same time the report file's timestamp was generated, providing evidence that the tool had run despite the absence of other evidence.

An artefact you don't want to miss in your investigation. 🕵

🦔 📹 Virut Part III: File infection analysis and bait file creation

#MalwareAnalysisForHedgehogs #Virut
https://www.youtube.com/watch?v=FcXPSpBh4ps

Malware Analysis - Virut's file infection, part 3

Blog: "Supper is served"
Excellent analysis article of the backdoor Supper

https://c-b.io/2025-06-29+-+Supper+is+served

2025-06-29 - Supper is served - Humpty's RE Blog

A colleague and I wrote an article about EvilConwi -- signed ConnectWise remote access software being abused as malware
#GDATATechblog
https://www.gdatasoftware.com/blog/2025/06/38218-connectwise-abuse-malware
Threat Actors abuse signed ConnectWise application as malware builder

Since March 2025, there has been a noticeable increase in infections and fake applications using validly signed ConnectWise samples. We reveal how bad signing practices allow threat actors to abuse this legitimate software to build and distribute their own signed malware and what security vendors can do to detect them.

I updated this blog with some more details, including the discussion around adware versus malware and a brief look at lookupktichen, which seems to be a precursor to RecipeLister.

Some interesting discussion on X and in the InvokeRE discord about adware versus malware etc., and I definitely agree I “mislabeled” it in my initial desire to categorize.

Always good to chat and learn from others :). Thanks to @struppigel for the excellent discussion!

Quick new blog today on RecipeLister! This one seems to be making the rounds the past couple of days, and I had a little bit more detail to add, so hope you enjoy 😊

https://blog.dingusxmcgee.com/blog/2025/06/06/Recipe-For-Adware.html

Recipe For Adware

On June 2 2025, @xorist posted a screenshot of some JavaScript code from a ‘recipe app’ in the InvokeRE community discord. What followed was a rabbit hole of confusion, mysterious functionality, dashed dreams, more confusion, and ultimately culminated in Yahoo Search.

Blog: Printer company provided infected printer software for half a year.

➡️ XRed backdoor
➡️ SnipVex virus

Initially reported by Youtuber of "Serial Hobbyism"

https://www.gdatasoftware.com/blog/2025/05/38200-printer-infected-software-downloads

Procolored: Printer company serves malware for six months, claims "false positive" warnings

What do a coin stealer, an abandoned backdoor and a file infector have in common? They all resided in the download section on the website of a printer company - stowed away in installer files for drivers and utilities. We took a closer look.

🦔 📹New Video: Analysis of Virut - Part I
➡️ self-modifying code
➡️ Ghidra markup decryption stub
➡️ API resolving
➡️ unpacking
#MalwareAnalysisForHedgehogs
https://www.youtube.com/watch?v=250Bxe0qlQY
Malware Analysis - Virut, a polymorphic file infector