
Brand new report from yours truly:

Living Off the Web: How Trust Infrastructure Became a Malware Delivery Interface

🔗https://censys.com/blog/living-off-the-web-how-trust-infrastructure-became-a-malware-delivery-interface

#LivingOfftheWeb

Exciting news! 📣 Join me at ATT&CK CON 4.0 on October 24-25, 2023, in McLean, VA or online. I'll be presenting alongside my colleague Michael Raggi from Mandiant/Google Cloud. We're unveiling a groundbreaking technique, never seen before, exploiting the .lnk shortcut format. Don't miss out! Register here: [Registration Link](https://na.eventscloud.com/website/58627/) #ATTACKCON #malwareresearch
Found a mushroom with graffiti on it a few weeks ago. I love my city.
We will see if Mastodon has any reach here.

Part 2 of my report on TA569 is out.

Co-authored by Kyle and another one of my peers who wishes to not be tagged.

Why this report is important:

Attribution of other prolific injects to TA569 NOT resulting in SocGholish.

A look at what is new with SocGholish.

Plus more…

https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond

Pictures of my cats for tax.

Found a new type of malware right before I took vacation. Psyched to write it up when I get back.

Hot take:

Too much emphasis is put on what flavor locker is being used in ransomware operations. Lockers aren’t particularly interesting imo. Maybe to someone studying speed or efficiency but in general they aren’t really that special.

1. Find folders and files, create index, populate tocrypt.
(Staging and exfil happens here)
2. Create threads to handle the following:
a.) read byte stream
b.) crypt
c.) write file
d.) delete original file
e.) if tocrypt eq done: write note buffer to folder.

I’m presenting my work on TA569 tomorrow in a webinar.

It is about 77 slides in an hour so it’s a ton of content.

If you want to know all about SocGholish and see a bunch of memes please come watch.

I’m even going to be covering the supply chain attack. :)

https://www.proofpoint.com/us/resources/webinars/threat-research-flash-brief-socgholish-poisons-supply-chain-major-media-websites
