avallach

@xorhex@infosec.exchange
430 Followers
1,083 Following
1.7K Posts
🇺🇦 Malware Researcher 🇺🇦
Posts are my own and do not reflect my employer.
mlget: http://github.com/xorhex/mlget
blog: https://blog.xorhex.com
twittodon: https://twittodon.com/share.php?t=xorhex&m=xorhex@infosec.exchange
It took quite a bit of work, but VirusShare seems to be mostly back to normal. <knocks on wood> I am still moving things around and squashing the occasional issue, so please let us know if you spot any problems.

In 3 days, a slick new UK edition of Sandworm comes out with a new cover and new foreword that aims to capture in a few pages the events of the 5+ years since the book first published: www.amazon.co.uk/Operation-Sa...

The publisher has tweaked the title to "Operation Sandworm" for UK reasons I don't entirely understand, but it's the same book, and hopefully will now reach a new audience.

https://www.amazon.co.uk/Operation-Sandworm-Hunt-Kremlins-Invisible/dp/1800963130

For those who are interested, I recently did a live session demoing Helix, my new go-to text editor, for members of @thetaggartinstitute community. Enjoy!

https://youtu.be/QullbX0JKq8

Live Session: Helix Intro (YouTube)

The slides from our @recon talk, "Breaking Mixed Boolean-Arithmetic Obfuscation in Real-World Applications" (CC @nicolodev), are now online!

Slides: https://synthesis.to/presentations/recon25_mba_obfuscation.pdf

Plugin: https://github.com/mrphrazer/obfuscation_analysis

@SebastianWalla, Steffen Haas, @tillmannwerner, and myself will present a .NET instrumentation framework tomorrow at @recon 2025 in Montreal. Here's a humble brag sneak peek demo-ing how easy it is to write a function tracer!

Matt Pahl and I are doing a webinar on defining ICS Malware, its distinction from IT threats, and how we search for it using different OT detection strategies. It's a follow-up to the ICS Malware definition work. Hope to see you there!

Registration link:
https://hub.dragos.com/webinar/what-is-ics-malware-how-we-detect-it

Webinar: What is ICS Malware & How We Detect It?

Define what ICS-specific threats are, how they differ from IT threats, and what detection is required to uncover threats targeting industrial control systems.

We (Steffen Haas, Sebastian Walla, Lars Wallenborn, and Yours Truly) built a dynamic binary instrumentation framework for .NET that gives malware analysts the power of transparent assembly patching at runtime, invisible to the target. With just a few lines of C#, reverse engineers can write their own custom analyzers that instantiate an instrumenter for the heavy lifting, allowing them to focus on the task at hand. We are excited to present our work at @recon next week: https://cfp.recon.cx/recon-2025/talk/PDBLYM/
Breaking Obfuscated .NET Malware with Profiler-Based Dynamic Binary Instrumentation Recon 2025

As malware authors increasingly adopt .NET for its ease of development and stability, they rely on sophisticated obfuscation techniques to thwart analysis. Traditional static deobfuscation approaches often fail against modern protections that incorporate runtime integrity checks. This presentation introduces a framework that leverages .NET profilers to perform dynamic binary instrumentation at the MSIL level. We demonstrate how this approach can bypass dynamic checks in obfuscation schemes, extract encrypted strings, and trace execution flows—all without modifying the original binary. Through real-world case studies and live demonstrations, we show how this technique provides reverse engineers with a powerful new tool to analyze obfuscated .NET malware.

Busy Week!

Grateful to SANS ICS for hosting my talk on ICS Malware. It was a great experience.

We released our whitepaper on the subject ( https://www.dragos.com/resources/whitepaper/ics-malware-definition/ ).

We also got word that my talk with Sam Hanson on assessing ICS threats was accepted at Defcon ICS village. Hope to see you there!

https://github.com/alexander-hanel/pwinfected

For anyone else tired of having to start a VM to download a file.

GitHub - alexander-hanel/pwinfected: 7zip Password Protect File in Memory

#mlget has been updated - your 1 stop shop for finding malware across different services!

Grab an updated copy at https://github.com/xorhex/mlget/releases/tag/v3.4.2

Happy to add additional services if folks know of more!

Some services I no longer have access to for testing - see the Alt text for more info.