Loading...
You are here:  Home  >  Notes From Underground

Notes From Underground

December 28, 2025

React2Shell

or

Sometimes That Scanner Will Actually Do Something

 

This is my React story. Within the cacophony of screaming, you will easily be able to find adequate explanations as to what the vulnerability is, that is not the purpose of these notes. The two central points we are conveying is that this was a vulnerability that allows an application to be weaponized to allow for remote code execution, the second is to show simply what happens when you leave the door open to the house at night when the lights are on. This is a story from beginning to end. A separate analysis of the ntpclient which is a proxy as well as the Go Lang binary follows the walkthrough. As always I have left the verbose technical notes intact so the reader can get a full picture.

November 29, 2025

Akira Binary Reverse Analysis 

or

How the Deviant Child Grew Up

This took some time, what is important here are the indicators that we can develop from this and to show how ransomware evolves. No use of Windows CryptoAPI for its core key management but instead using a statically linked library. For those who don’t care for assembly (and I understand why) read it like a story and it will make sense. Apologies for the formatting and not shading the assembly correctly.

This is a reverse-engineering analysis of an Akira ransomware sample from a case. Starting from the top-level orchestration function (FUN_14004d4c0), it walks through how the sample builds its runtime context: generating timestamped log filenames, parsing command-line options, initializing its custom cryptographic stack, and constructing multi-threaded worker pools that traverse local drives and configured paths.

Subsequent sections break down the encryption run in phases, with attention to how the binary interprets arguments such as --encryption_path, --share_file, and --encryption_percent, as well as the optional -localonly and -dellog switches that control discovery and event-log wiping behavior. The analysis also reconstructs the crypto initialization pipeline around FUN_1400846b0 and FUN_14008a730, showing where embedded key/config blobs are parsed and validated before file encryption proceeds. 

The purpose — to understand and to build good indicators to account for when the EDR fails us.

October 13, 2025

Brazil-Focused Multi-Stage Campaign: VBS → PowerShell → WhatsApp Web Automation

or

Gossip in the Time of Mardi Gras

WhatsApp is not secure, no matter what mass media will tell you, lie to you, or make you believe the ZIP file sent to you is benign and meant because you are loved. One click later—or a semblance of love later—and we’re staring at a 13 MB VBScript pirouetting through email (IMAP), fallback domains, and a gated PowerShell payload that ultimately drives WhatsApp Web automation at scale. This is not how you should travel.

May 23, 2021

Ransomware Demystified

or

You are not serious about cybersecurity and you got what was coming to you.

or

How to fool people and keep your job

 

This is not an overly technical article. I believe that would be inappropriate as I want the reader to understand the current predicament in its most holistic way.

The past few months have been hectic and filled with an interesting parade of anomalies so it has been difficult to budget time appropriately so that my digital travels can be documented properly. For this I lament. It is due to this process of lamenting that I have been compelled to comment on what is in my opinion the continuous egregious portrayal of cybersecurity in the course of current events. I speak to you of course of ransomware and most recently the incidents involving the Baltimore and Washington DC Police Department as well as Colonial Pipeline.

January 11, 2021

SolarWinds DLL Short Overview 

Excerpts from the DLL are decoded, IP addresses for C2 are listed. Decoded with de4dot and dnSpy.

August 16, 2020

The Deception of Privacy in Telemedicine by Some Apps

 or

 HIPPA Be Damned

 

Telemedicine is quite popular with this pandemic. We have even participated in setting up in setting up a couple of clinics. One of our core principals is the fact that we are huge on privacy. Now pretty much the majority of web uses some level of ad tracking for general website visits, and this is accepted. However, when it comes to patient data, at what point does one cross that line.

August 12, 2020

How Your Phone Betrays You

or

How You Have Betrayed Your Phone – This Relationship is Dysfunctional

Overview -

For this discussion, we are changing the focus from the office to something a bit more intimate, your phone, specifically your Android phone. You may have a Samsung, perhaps a Google Pixel, a OnePlus, possibly even a Huawei (though at the stage things are going politically you may not) – Nokia, Motorola, and LG (wonderful alternatives). The manufacturer maybe different, but the operating system is still Android. There are various versions of the Android operating system, and each phone maybe different depending on your provider. Fragmentation has always been a problem because of the bizarre and obtuse agreements between manufacturers, mobile providers, and Google (though things have been slightly better as of late).

 

July 15, 2020

 

Phishing in the month of July while forgetting your bank login

or

How To Fool a Legal Professional and Laugh your Way Home

 

Humans are horrible at mitigating risk. As complex creatures, we are the sums of all our parts which include experience and emotion, this can produce unwelcomed consequences depending on the path you walk. Complacency causes people to ignore the obvious, worse the culture of instant gratification or "do these twenty things at once" simply does not help the matter. There exists a common misunderstanding of what cybersecurity is and this is compounded with the fact that people simply do not like to admit they have a problem, whether it be alcoholism or a common drug addiction, rarely will you see a business say, "this is messed up and we need to fix this." They will simply not admit it, quickly change usernames and passwords, hope it goes away and possibly call the Feds on you if you show them where their breach is. No profession is more guilty of this cardinal sin than attorneys.

March 26, 2020

Tupperware Vulnerabilities

As reported on SC Magazine, the Tupperware site was breached with malicious code that activated a fraudulent payment form during the checkout. Suffice to say this could be described as skimming. We sent word to Tupperware but received no response. Now that the news is public we are posting our findings. Click here to read it.

We also sent them a Level 3 Footprint of their presence which had the Russian domain that was doing the skimming. It was ignored as well. Click here to see it.  As always be leery of the sites you give your information to because they will not be quick to help you when your identity or financial information is stolen.

It is amazing how cybersecurity at the corporate level is an after-thought and they continue practicing the same lax procedures regurgitating the same tired rhetoric that simply does not work, who suffers - the customer

March 15, 2020

Covid-19 Cyber Infection

or

The Illness Dwells Inside you

We loathe to pander to sensationalism by riding on popular topics that everyone is discussing. This may make us less than popular in the realms of SEO or acting like a tabloid organization but as a company we attempt to always go where those of us are afraid to or publicize that which many people do not hear about.  The amount of traffic that is nefarious that goes on in cybersecurity is voluminous, but it does take a bit for it to come to the surface. However, this one I could not resist simply because of the absurdity of it. However, currently when panic buying is going on and bathroom tissue is a premium, who am I to judge. Regardless of such, we should never download things without complete certainty of where they are coming from, even if it looks like a pretty map that is the wrapping for something, we are familiar with. Humble folk I give you – the Corona Virus – Covid-19 map.

December 19, 2019

The Evolution of the Phishing Email

or

Corporate Espionage Evolved

Over the years the phishing email has evolved. It has been a silent upward progression dating back from the old Nigerian money scams, a lover that you never heard of sending word that he / she is sick in some remote country and needs your money to help her to a harassment letter sent from what looks like a client to an employee at a law firm. Times change and so must the entity who seeks your data. Not all phishing is the same.

October 24, 2019

Rabid Trojan of the Week

Over time we have also borne witness as malware writers become craftier and embed code which allows them to determine virtualization. The reason for this is that most analyst who attempt to reverse engineer or analyze malware will do so on a virtual machine. Hence it would only make sense that the malware author would implement some level of countermeasure. Some of the ways this is achieved are as follows:

October 2, 2019

The Emissary Panda

or

How To Fool Your Database Admin While They Are Unaware of Your Shenanigans

Do not allow picture of the cute savage animal to give you a false level of complacency. Behind that panda is a group of individuals who are not cute and more importantly have been active for a very long time. I introduce you to Emissary Panda. This is a Chinese group that has been around for at least a decade. In the past we have known them as APT 27, but they go by other names. Groups such as Emissary Panda are not constricted to nation state activities. They go where the data is needed and there are many that follow them. The toolset used by these groups can be found and modified if one knows where to look. Care needs to be taken. This panda has a pet RAT that got loose.

August 22, 2019

This Week’s Asinine Idiosyncrasy Demystified

or

Texas Ransomware and the Big Lie

As you may or may not be aware of, this week it has been reported that twenty-two Texas towns were hit with a Ransomware attack.  For those who are not aware of this, click here to go to the NPR site where the story is discussed. There is an issue that we at Cybercrypto have with how the news is reporting these attacks. We find it to be deceptive and we wish to at a minimum reiterate something we need people to know.

Click here to continue.

August 15, 2019

Lokibot – Gutter Thief in the Night

As you may already know from my rantings, here at Cybercrypto we have respect for good malware, and if you have not read my rantings then let me reiterate, any person that has a basic understanding of scripting can put together insidious ransomware that collapses your system therefore showing the world “LOOK AT ME!! I GOT YOU TO CLICK ON SOMETHING THAT HAS CAUSED YOU TO CEASE OPERATION AND I WILL CHARGE YOU MONEY” It takes strategy and a certain level of finesse to write something that sits on a computer sending all its data out unbeknownst to the user. Subterfuge is an art.

It is in that spirit that we are looking at Lokibot. This type of malware is an information stealer that will take credentials as well as other sensitive data from the infected host to a command and control server. Most of the time the infection vector occurs through spam. For the most part (and there are several exceptions), when the infection vector is email (which is usually characterized by phishing), the item must be clicked on and activated, so keep that in mind, the user must run the malware so it can be activated.

June 25, 2019

Let's Have An Honest Discussion About Ransomware 

Part Two

We have discussed the indicators that are present in ransomware and how to look for some of them. However even though there are similar traits in the bad behavior most people exhibit, sometimes an individual will have the propensity to surprise you. Occasionally you will find something that defies the rules. Such is the case with malware. I will always remind you, malware is written by a person, so it reflects who that person is and all their creativity and dysfunction., so what if the bad behavior does not exhibit the same type of traits that would be considered the norm. What do you do?

June 16, 2019

Let’s Have An Honest Discussion About Ransomware

Part One

Can you admire a disease? The most common answer would be "of course not". Malware is a disease that affects the computer, a cyber disease can be viewed differently than an organic disease. A strain of virus may attack the body of a living entity slowly crippling it until that entity expires. As malware is software, we look at the disease from a different perspective, some malware is beautiful – its method is fluid, the encryption is masterful and like most things you can tell the writer put a lot of work into it. What do we consider "masterful" malware? It's simple, if the disease sits in the computer and exhibits no visible symptoms then that is not only beautiful but strategic. Your data is valuable, when a bad entity establishes persistence on your network if he/she is effective they do not want to be found. The offending process that is doing the work of the disease should have a low footprint and not consume resources. Which now brings us to ransomware.

April 23, 2019

Malware and Behavior Analysis - Series Three

A Worm in My Garden

The words malware, virus, and worm are always used to describe some form of cyber malfeasance. Before we go into the analysis of the worm discussed in this article, let us bring some clarity to the lexicon.

April 2, 2019

Malware and Behavior Analysis - Series Two

The Rat Likes to Gossip

Why do people attempt to infect a network? Why do people attempt to move data? Your information can be monetized. As most people are not aware of the insidious nature of those who lurk underground, they do no give much thought to their data and what can be done with it. If you lurk in the sub-layers of the internet or you are tasked with retrieving information from a target you need a mechanism to deliver this information. Ransomware is a savage method to which there is no art and it will bring you nothing. A Trojan is the order of the day.

 

 

November 9, 2018

Malware and Behavior Analysis - Series One

When an event occurs most people / companies usually catch the effects of the event at the tail end. The point of discovery now becomes forensics because the damage is done. Our corpse that was riddled with disease is mutilated, violated, and ready to be incinerated. Not only does this apply to malware where most only discover the effects when the damage is done, but it also applies to behavioral analysis, a person is only aware of data theft when the consequences of the deed have become apparent to the organization.