
gynvael

@gynvael@infosec.exchange

security researcher/programmer ⁂ previously security team @ Google ⁂ Dragon Sector CTF founder/player ⁂ technical livestreamer ⁂ slide maker ⁂ he/him


gynvael, to random

Some notes from analyzing the bash part obfuscation of the xz/liblzma part – link leads to the part I found most interesting – it was added in 5.6.1:
https://gynvael.coldwind.pl/?lang=en&id=782#stage2-ext

TL;DR: in 5.6.1 there's some code added that looks for specific signatures in files in tests/files, and if found, it grabs some data from these files, deciphers them, and executes them. NO FILES WITH THESE SIGNATURES EXIST YET, so it's like a way to extend the backdooring scripts in the future by just adding new binary test files. Guess things weren't supposed to end here.
