Knock Knock! Who's There? - An NSA VM

Back in 2017 (feels like ages ago) I decided to take a peek into the ShadowBrokers leaks and reverse some of the tools. I started on dewdrop simply because it had a macOS version. I made local presentations at 0xOpoSec and BSidesLisbon but those slides were never published for obvious reasons (aka live implants all over the Internet). Significant time has passed and everyone went crazy last week with the beautiful NSO exploit VM published by Project Zero, so why not ride the wave and present a simple NSA BPF VM. It is still interesting work and you have to admire the great engineering that goes behind this code. It's not every day that you can take a peek at code developed by a well funded state actor. This post is only going to focus on the BPF part of the implant so you will have to fill in the blanks about everything else. ...

December 17, 2021 · 27 min · 5571 words

The Finfisher Tales, Chapter 1: The dropper

Amnesty International finally dropped the bomb and released a report about FinSpy spyware made by FinFisher Gmbh. The most interesting thing was the revelation of Mac and Linux versions, something that was missing from previous reports on this commercial malware (Kaspersky, Wikileaks). ...

September 26, 2020 · 32 min · 6618 words

Is macOS under the biggest malware attack ever?

No. I just clickbaited you but don’t leave yet, keep reading for something fun! ...

September 17, 2020 · 12 min · 2459 words

FruitFly's dropper script and its missing tricks

Note to original post: This post was originally written back in May 2019 but was removed because of "pressure" from my employer at the time, Apple. It was written over the weekend on my own equipment and was all about information I had way before I joined Apple. Personally I don't think there is any special drama here other than unreleased technical details about a malware that is dead and whose author was busted a long time ago. When paranoia and envy are dominant then everything can be a potential media drama in people's minds. It's all bullshit. My position didn't change and given that there is an upcoming presentation about this malware by Thomas Reed at Objective By The Sea it's time to re-release this. While sorting out my Mac malware collection I found out that I had an unreleased (no known public references) FruitFly/Quimitchin dropper script lost in my archives. FruitFly made big headlines two years ago and its author has been arrested. It was first reported by MalwareBytes and then a new variant was analysed by Patrick Wardle. Besides being under the radar for more than a decade, it was kind of exotic malware because most of its code was written in Perl. The last time I did something serious in Perl was twenty years ago or so! ...

March 4, 2020 · 10 min · 2036 words

The Italian morons are back! What are they up to this time?

Nothing 😃. HackingTeam was deeply hacked in July 2015 and most of their data was spilled into public hands, including source code for all their software and also some 0day exploits. This was an epic hack that showed us their crap internal security but, more important than that, their way of doing things and their internal and external discussions, since using PGP was too much of an annoyance for these guys (Human biases are a royal pain in the ass, I know!...

February 29, 2016 · 12 min · 2378 words