Posts by knitcode@infosec.exchange
Post #AY3Pw5xbud1JwOmh9c by knitcode@infosec.exchange
2023-07-25T13:12:04Z
0 likes, 1 repeats
A few months ago I posted about a DNS malware C2 we had discovered — Decoy Dog — that was based on Pupy, had been undetected for over a year, and had some inexplicable behavior. We hoped the community would easily find the infected devices based on the info we provided. No such luck. Since then we have used DNS to learn an astonishing amount about the operations. Once we realized Decoy Dog was more advanced than Pupy, and we saw how the actors responded to our original releases, we went back to the binaries. Today we released an in-depth technical analysis of Decoy Dog, a Pupy research data set, and a new Yara rule. This is the exec summary. Link to the full technical paper and other tidbits in the comments. #dns #threatintel #malware #decoydog #rat #c2 #infoblox #datascience #threatresearch https://blogs.infoblox.com/cyber-threat-intelligence/decoy-dog-is-no-ordinary-pupy-distinguishing-malware-via-dns/
Post #AY3Pw7LOlfduESvCs4 by knitcode@infosec.exchange
2023-07-25T13:12:54Z
0 likes, 0 repeats
Full technical paper here. You'll want a beverage or two. lol. https://www.infoblox.com/resources/whitepaper/decoy-dog-is-no-ordinary-pupy-distinguishing-malware-via-dns
Post #AY3Pw8bO5i1i8LPUQq by knitcode@infosec.exchange
2023-07-25T13:14:26Z
0 likes, 0 repeats
One reason I love DNS so much for intel is that you have to infer what is going on… in malware, it’s hard to figure out, but it is all there.
Post #AY3Pw8cS1ksSBduL5c by knitcode@infosec.exchange
2023-07-25T13:14:03Z
0 likes, 0 repeats
I’m less worried about who is using it now than who is using it next. We are monitoring 21 controllers.
Post #AY3Pw8iTfLhKUKj9U0 by knitcode@infosec.exchange
2023-07-25T13:13:29Z
0 likes, 0 repeats
Looks like two developers. We’re putting money that the second stole it from the first. Malware folks could look at the code and weigh in.
Post #AY3Pw8kxW7gOc1t8Lo by knitcode@infosec.exchange
2023-07-25T13:13:15Z
0 likes, 0 repeats
If someone wants to finish reverse engineering the samples and share it with the community, that’d be great ;) In particular, I think we understand how the “emergency domain” DGAs work, but I’d love to verify that.
Post #AdarGtfoSyNyqs3k00 by knitcode@infosec.exchange
2024-01-07T05:59:15Z
0 likes, 0 repeats
@simon clarifying my vote .. I haven't avoided LLMs because I don't like them, they just aren't well suited to my field (DNS threat intel).. we do use language models and anything that solves our problems.... if I used them, I still wouldn't use the term AI... Probably the mathematician in me.
Post #Asnd7vWMxw8OYdXtWy by knitcode@infosec.exchange
2025-04-06T00:06:44Z
0 likes, 1 repeats
Seattle delivered! Our Seattle Center park was packed to the brim and rolling out the sides. There was just a sea of people so no hope in hearing any speakers, but lots of great signs. I saw a great photo from Talkeetna, Alaska... even there they were out in force. #seattle #handsoff #protest
Post #Asnrv2qFw0qwoJAAJU by knitcode@infosec.exchange
2025-04-06T04:20:54Z
0 likes, 1 repeats
This is about 2% of the population of Talkeetna, Alaska. Pretty amazing.. number may seem small but my understanding is that 1% is a strong showing for mobilization.. #handsoff #protest
Post #AspRo6Q41g57O2rQWW by knitcode@infosec.exchange
2025-04-06T17:26:19Z
0 likes, 1 repeats
Yesterday the Washington Post app ran a story about the #handsoff #protests at the top of the app. Today it is hard to find any coverage. This is now buried in the "The District" section of the app and only found by searching for me. This is a gift article. I recommend people visit the article, share the link with others... And show the WashPo that massive voter turnout deserves more than a few hours in the spotlight. In the meantime they keep the same junk articles on the top stories for days. Let's see if their Top Stories algorithm actually works.. boost and click through. https://wapo.st/4lk2Hu9
Post #Av8bRJvDXjwd3UUXPU by knitcode@infosec.exchange
2025-06-14T16:37:38Z
0 likes, 1 repeats
The Russians aren't coming, they are already here. Without most anyone realizing, they've created an entire malicious adtech industry whose story is just as complex as the Chinese organized crime we're now realizing from their ventures into pig butchering. VexTrio is just one Russian organized crime group in the malicious adtech world, but they are a critical one. They have a very "special" relationship with website hackers that defies logic. I'd put my money on a contractual one. All your bases belong to Russian adtech hackers. Today we've released the first piece of research that may eventually prove whether I am right. This paper is hard. I've been told. I know. We've condensed thousands of hours of research into about 30 pages. @briankrebs tried to make the main points a lot more consumable -- and wrote a fabulous complementary article: read both! There's so much more to say... but at the same time, between ourselves and Brian, we've released a lot of lead material ... and there's more to come. I've emphasized the Russian (technically Eastern European) crime here, but as Brian's article points out there is a whole Italian side too. And more. We've given SURBL, Spamhaus, Cloudflare, DomainTools, several registrars, and many security companies over 100k domains. They are also posted on our open GitHub. Super thanks to our collaborators at Qurium, GoDaddy Sucuri Security, and elsewhere. #threatintel #scam #tds #vextrio #cybercrime #cybersecurity #infosec #dns #infoblox #InfobloxThreatIntel #malware #phishing #spam https://blogs.infoblox.com/threat-intelligence/vexing-and-vicious-the-eerie-relationship-between-wordpress-hackers-and-an-adtech-cabal/ https://krebsonsecurity.com/2025/06/inside-a-dark-adtech-empire-fed-by-fake-captchas/
Post #Av8bRPJrTXd1nN3n16 by knitcode@infosec.exchange
2025-06-14T17:05:27Z
0 likes, 0 repeats
Comments on Brian's article said that these companies are Ukrainian, not Russian. We haven't studied the individuals behind the more recently discovered companies, but VexTrio folks are not Ukrainian. They are Russian-Belarusian and Italian for the most part. This doesn't mean they are pro-Putin. Indeed, from what we've seen on social media they seem to be against Putin's invasion. They also target Russian citizens a lot -- Russia and the US are the top targets (they pay out the most in the affiliate network and have the most traffic). We know all the true identities of the main players of VexTrio going back to 2004... no Ukrainians. But Push House, RichAds, PushBro, Monetizer may be different. They definitely all speak Russian.
Post #Av8bRPOTCPJa1fDTCS by knitcode@infosec.exchange
2025-06-14T16:41:02Z
0 likes, 0 repeats
Trying to make a tough read snackable. (1/N) About 40% of all compromised websites that led to a TDS in 2024, according to Sucuri/GoDaddy, went to VexTrio. Then they all flipped to HelpTDS in late 2024. Let's suppose the website malware actors are just random publishing affiliates of VexTrio -- this timeline is very interesting. Why do the malware actors prepare to move off Los Pollos (VexTrio) links before Los Pollos announces that it is pausing push monetization? :thinking: Shady adtech is full of options for the shady publisher. Why do all the different malware actors move to the Help TDS? :reallythinking: In a free market economy, how does a company like Los Pollos gain the lion's share of black traffic from compromised sites? :reallyreallythinking: This timeline doesn't include all the actors that shifted from VexTrio to Help TDS.
Post #AvVeVQAtdw4hThNCmO by knitcode@infosec.exchange
2025-06-26T01:15:48Z
0 likes, 1 repeats
@KrissyKat Sasha Colby is fabulous.. a great role model and performer.. kudos to Teen Vogue for not cowering to the insecure state-sponsored hate campaign.