October 22, 2024

🎉 More AppleScript Malware 🎉 via Web3 Game Rune/Rise Online

A new account shot me a DM in Twitter with some malware, so I figured "why not?". Of course the standard procedure applies:Do you want a job as an admin / moderator? Pays $500 a week!Sends a malicious link.Part of the requirement is creating an account through the software after you download it.Aaaaand of course it's just straight up malware that steals everything. EZPZ.Let's jump into it.InfoURLhttps[://]runeonline[.]gamesURLScan.iohttps://urlscan.io/result/cf8cb6ac-7428-4a21-b182-292e6fcd4a...

#malware#macos#web3#crypto

October 8, 2024

Don't Tie AuthZ to a Referer Header...

Recently I saw a vulnerability that was very new to me. I've seen authN and authZ tied to some super random things in the past; ad tracking IDs, the literal username in a header, etc, but this one takes the cake for being weird to spot. It also highlights why the headers and their values need to be interrogated for both requests and responses. Starting the test there was a previous instance of an IDOR related to accessing uploaded files. The original vulnerability was pretty bad as it allowed...

#authz#referer#mflac#file_upload#headers

September 2, 2024

Achieving an ATO via IDOR, then Reviewing the Fix

Welcome! Recently I've been pretty busy settling into a new role performing web application penetration testing and I thought I'd go over a...

#web application#penetration testing#pentesting#wapen#ato#idor

August 9, 2024

Using Golang to Launch AppleScript Through ARM64 Binaries

The past two macOS samples I've looked at (Poseidon and Atomic Stealer) have heavily utilized AppleScript for their functionality. While looking at t...

#macos#apple#go#golang#applescript

August 6, 2024

Sailing the High Seas with the Poseidon Info Stealer

I've been exploring the world of macOS malware analysis, and as a newbie I wanted some more samples to practice on. This prompted me to head over to ...

#malware#poseidon#analysis

July 27, 2024

Backing Up a Scam: Making Sure Malicious Websites & Binaries can still be Studied

Ephemeral Sites & InfrastructureEphemeral: lasting a very short time; short-lived; transitory:The nature of malicious sites and infrastructure leads ...

#malware#scam#methodology#web3

July 26, 2024

Party Royale / Party World Web3 Scam & Malware Analysis

Recently I've been reached out to two different parties on Twitter via DMs. Both advertising jobs, ranging from marketers, to ambassadors, to blockch...

#security#web3#malware#scam#discord#twitter#social media#phishing#social engineering

July 24, 2024

Inferno Drainer Malicious JavaScript Analysis from the Squarespace Domain Hijacking

OverviewOn July 12th 2024 a security advisory was published by SEAL regarding the recent Squarespace domain hijacking security incidents. The advisor...

#squarespace#advisory#security#incident#seal

July 13, 2024

🥃 Distilled #2: Writing an ERC, Auditooor Grindset, and More

So You Want to Write an ERCBy: jtriley.eth - Article LinkFirst off, a good question is: What is an ERC?An Ethereum Request for Comment (ERC) is a for...

#twitter#audit#security#education#distilled#web3

July 7, 2024

Common Discord Incident Response Actions

@Jon_HQ wrote a great guide on performing incident response for a Discord server and I'm attempting to compile this information in one big handy guid...

#discord#incident response#social media#community management