Yorick Koster

@yorickkoster

Offensive security research & tools

Netherlands
Joined June 2013

Tweets

  1. Retweeted
    9 hours ago

    ThreatFabric writes about ERMAC, a new Android banking trojan based on Cerberus and operated by BlackRock actor(s).

  2. Retweeted

    ERMAC, a new malware that is already being widely distributed as part of an ongoing campaign, steals users' financial information and login passwords from 378 banking and wallet apps. Read details:

  3. Retweeted
    Sep 24

    Some MTI context on (new bot based on Cerberus) as reported by , it's operated by the threat actor behind , considering his strong track record targeting 378 banking and wallet apps we expect to see more in the coming days.

  4. Retweeted
    Sep 24

    "Big name" company says something -> mainstream news jumps on it. Meanwhile the reality: that "new" malware is not new & some "not big name" people (us) tweeted about this campaign multiple times before, but ofc for mainstream "small people" don't exist... 😫

  5. Retweeted
    Sep 23

    Repeat after me.. the bug belongs to the researcher! If the researcher chooses to print the exploit in ASCII hex and hang it from a bridge after finding it.. that’s up to them.

  6. Retweeted
    Sep 23

    Using chimera technique to abuse -2021-40444. File path with ?.wsf as suffix and manipulated RAR archive:

  7. Retweeted
    Sep 18

    Generating a hook with to intercept traffic from Android flutter based apps. r2pipe script performs basic search and pattern matching to find ssl_crypto_x509_session_verify_cert_chain(). Inspired by 's blogposts.

  8. Retweeted

    Microsoft will no longer require users to enter a password to access their accounts. Instead, they'll have to use an app, a verification code or facial recognition. Check it out ⬇️

  9. Retweeted
    Sep 15

    Android banking trojan src and builder panel leak is a fact, we are already seeing an increase in new samples.

  10. Retweeted
    Sep 15

    The Community Kit has been growing and now has 60+ projects. The research behind these projects is fantastic. Thanks to everyone who has shared their work. Consider following me and for updates.

  11. Retweeted
    Sep 13

    As mentioned, the use of a .JS: (and other) URI can result in pretty trivial code execution of a local script: IE seems to prompt before using URIs. However, Word using the ITW exploit works fine. Perhaps this is why it's so complicated?

  12. Retweeted
    Sep 13

    As we promised on Friday, here is an update to our blog on , describing all the new features implemented, like 2FA grabber and automated session stealer.

  13. Retweeted
    Sep 10

    After testing another CVE-2021-40444 sample that works with html+cab payload on a remote web server, I can now confirm that "mhtml:" and "x-usc:" are not needed in the remote OLE URL for the exploit to work. But the double URL http:...!http:... seems required.

  14. Retweeted
    Sep 10

    CVE-2021-40444 PoCs are being shared on private forums. We will now share the PoC we received. However, additions have been made to what we are releasing. It contains 3 HTML script variants. https://vx-underground[.]org/tmp/CVE-2021-40444.rar

  15. Retweeted
    Sep 8

    Not sure if Microsoft fixed this (my VM is unpatched). But it works in explorer preview mode via RTF:

  17. Retweeted

    Several banking, wallets, and shopping apps are the target of a newly discovered trojan that could enable attackers to siphon sensitive data from infected devices, including credentials and open the door for on-device fraud.

  18. Retweeted
    Sep 10

    The new campaign comes with new features:
    - 2FA stealer
    - Country checks to defend CIS devices
    - Telegram API support to receive information
    - Emulator checks
    - Manufacturer specific modules
    - App download support
    Stay tuned, we will update our blog to tell you more!

  19. Retweeted
    Sep 10

    A new banking trojan S.O.V.A with great ambitions discovered: cookie stealing becoming a new trend. Check out our new blog :

  20. Retweeted
    Sep 10

    () 4.9 is out with new overlay targets for Android banking apps in USA 🇺🇸, UK 🇬🇧, Ireland 🇮🇪 + Crypto wallets!
