Thanks, glad you enjoyed! 🙏

Wow thanks Phil, awesome comment. Glad you enjoyed.

Thanks for the comment and support, it means a lot. Glad you enjoyed the content! ✌️

That's awesome to hear, thank you for taking the time to comment. 🙏

Awesome, appreciate the support and look forward to hearing more about your research.

Thanks jeremy, that's really cool to hear and glad you enjoy the content.

Hope you enjoyed it!

Issue is fixed for next time, don’t worry but thanks for reaching out and appreciate the support

It’s a good point. There are lots of opportunities to detect this, but I guess it’s easy when you know how. Tampering with an EDR config in registry or on disk would ordinarily make it alert like crazy; it’s worth testing I guess.

I think if the activity wasn't related to a company such as SolarWinds it would have been found sooner as it would have looked more 'unusual'. Not saying that a SolarWinds product disabling security tools is 'usual' but many teams may turn a blind eye as they see this as a trusted process, or some may even whitelist activity from solarwinds due to the noisy events from a 'trusted process'.

Awesome, thank you!

Thanks!

thank you :)

Many thanks!

Glad you liked it!

Agree dude, very elegant malware. This is fast becoming one of my favourites.

As I understand it, they compromised the build server itself. If that's the case, this malware code doesn't even need to be checked into source control. They can add it into the mix of files on disk after checkout of the code but before the build of the binaries. That way the employees of the company do not even see the malware class in the source repository.

@@MasterOfMisc Even then it shouldn't be possible, without negligence that is. What gets built should be just as important as what's being built. However, Details are scarce on how they actually infiltrated the supply chain. They had it signed and everything. How were they so negligent, it's not like supply chain attacks are a new thing.

@@somethingsinlife5600 Oh yeah, i'm with you 100%. There is a lot of negligence on their part. A lot of negligence considering the fact the company even had a "customers page" with a list of all the government agencies and other high profile companies that they supplied the product too!! That page has now disappeared from the web but that list alone would have been like attracting a bull to a red flag. A great advert to would-be hackers shouting "Look over here.. We are a valuable target" - So yeah, given their position there was a failure to guarantee the build binaries matched expected CRC checks or whatever BEFORE the DLLs were signed. Anyway, its all mute at this point. Who knows what damage has been caused. The only reason why we know about this hack is because of FireEye installing the software on their systems and detecting the breach... Which means the hackers have had plenty of time in all those government agencies setting up shop and installing other persistent back doors. The whole thing is a mess to say the least!

Check the description, link to my Github in there.

Thanks for the comment, the size of the file will be different for sure; and therefore so will the cryptographic hash. Which leads to the question as to what part of the software update lifecycle was compromised, as this DLL was signed with their certificate. We may never know the full story here tbh.

if you right click on the function name itself and click Analyse you'll see the window.

nice spot - updated!

For sure, it's a long story why it was 720p, but better than nothing.

@@cybercdh Agreed, long story and great video. If possible please re-upload 1080p, not sure if is my old eyes but I'm not able to read. Seams you are using Retina display like me and text become to small for 720p. Thanks for great content

Glad you liked it!

Thanks 🙏

It uses these strings within the dns request to avsvmcloud[.]com - another technique it uses to try and blend in to the norm

@@cybercdh Your videos on this have been great. Thanks!

Glad you enjoyed it

Hey I'm new to this field, can you please explain what you mean by preventing people from looking at strings through memory inspections? I'd like to understand more, thank you!

@@sharon2416 Short version - not too technical: When a program is run, it gets allocated virtual space to the heap, which is just basically an area that allows you to dynamically allocate and deallocate objects to. A string is allocated to the heap and viewable to all. For .NET specifically, strings can be seen through dnspy because c# is compiled to .net's version of bytecode. And a reverse engineerer can see all these strings and this allows them to be able to crack your program pretty easily. Using this function, you can hide strings because they show up as weird looking numbers in dnspy. So the person who looks at it will be confused on what it actually does, until he takes his time to study it. This allows you to put booby traps into your program which can indicate to your program that someone is trying to tamper with it, then you can take action (kill the program, ban the license etc). Even if you did manage to hide the strings in dnspy with heavy obfuscation, you can view the heap and it will reveal the string since one way or another, the string will have to be allocated to the heap. It pretty much just gives people who want to tamper with your program, a much harder time to figure out what's going on. Slowing them down. If you want to know more about how RAM and memory allocations works with programs, you can google "stack and heaps - programming c#" ( c or whatever language u desire) and there should be an in depth explanation there.

​@@Ownage4lif31 Wow, heyy it is really informative, thank you so much !! I'll check it out in depth too, Cheers!

That requires knowing there's a problem, and also having a clean copy. If you don't know for certain that your DLL is OK, then all you can say is that at least one of the DLL's is wrong. You don't know whether either is clean.

​@@baruchben-david4196 diff the changes between current version and updated version like version control does it, to see changes in code. most malware is attached to the end of the code, and wired up to run it, bufferoverflow like. most failures are intruduces by chynges to source code.

Glad it helped!

Thank you; appreciate the comment

Thank you! Cheers!

Glad you liked it!

Considering bigger picture #2 highly probable

Or ... they are in possession of a code signing certificate

@@temitopehardhekheyhe7359 if they do this means they hacked everything...

Pretty sure some employee at SolarWinds done this..

i dont think thats intelligence thats yet been released. im looking forward to finding out but im not holding my breath we'll ever know the complete picture.

Interesting take, lots more to come from this whole situation for sure

Sounds like a cool thesis. There's some links in the description to this video that may help. Enjoy and good luck.

@@cybercdh Thank you so much

Grabbed the sample from a public sandbox, looked at the headers etc in pestudio then opened in dnspy.

@@cybercdh For noobs like me, can you please give a step-by-step process for doing this (or anything like this) please! I just got dnSpy, and I can't get it to work well for me. I'm a cybersecurity student. 😍

ha! noted.

lol.

Thanks for the suggestion.

Thank you 🙏

Thank you :-)

Thank you! Will do!

The reference I made was based on threat Intel from various vendors such as FireEye who published the original research. Generally they’ll look at crossovers between coding concepts, code snippets, style etc between other known state attributed campaigns.

Yes, see the links in the description.

Many thanks 🙏

I’m definitely not clever; I just have a curious mind.

🙏

It's typically "infected": a little reminder and acknowledgement you're about to handle malicious files

nice! thanks :)

Thanks

It's 720p, I wont bore you with why...look out for more content coming soon also.

ty

It was a build infra compromise.

Genuinely a long and boring story. Vids are usually 1080p / 4K but had a mare with tech lately.

blending in ...

I appreciate knowing the reason for the thumbs down; it helps content creators learn and develop. 👍 for your 👎

I could read every line of code just fine.

@@joshsprinkles4689 I could make it out but was a little blurry

I left a thumb up cause you gave me weeks of learning and entertainment. Wonderful content, helpful links, very well made and enjoyable pace. Thanks, I’m subscribing!

@@ytnthr1 Thank you, and appreciate you taking the time to comment 🙏