0x90 0x90

A while back, I bought a HID Prox Pro II on eBay for some long-forgotten experiment — likely this . Outside of being well documented and cheaply available , @shakataganai wrote a fantastic article about how to connect it to an Arduino, which makes it ideal for some testing. HID Prox Pro II While exploring the device, I was disappointed that the actual components of the device (except the antenna) were sealed under some type of resin coating. Despite the components being inaccessible, I noticed there was a lot of available space inside…Big enough to fit an entire Proxmark3 . So — theoretically, it may be possible to install a device inside this empty space that could capture tag data whenever someone swipes. Interior of HID reader Proxmark3 sitting inside Feedback from folks on Twitter noted the potential for interference between the two devices — which makes sense, if the HID card reader is emitting a signal to power a card, a second device in close proximity could cause a p

Lazarus obfuscation in Feb 2019 Starting off, I’d like to give a shot-out to Brian Bartholomew (Twitter: @Mao_Ware) for his general awesomeness and for his post on 30 January from which this research starts. Using this as a base for the following Yara rule, I found a similar sample (SHA256: 625f63364312cec78a4c91abedba868d551d79185ff73e388f561017b13347f0 ) also packed with UPX. rule LazarusDocJan2019_01 { meta: author = “Silas Cutler” description = “Detection for Lazarus Payload from Jan 2019” ref = “ https://twitter.com/DrunkBinary/status/1090625122883510274 " version = “0.1” strings: $ = “\”Main Invoked.\”” $ = “\”Main Returned.\”” $ = “%sd.%se%sc %s > %s 2>&1” condition: all of them } As with the sample Bart identified, the control server is not obfuscated in the binary: Control server in WinM ain function Sandboxing of the sample, confirms the malware beacons to this URL: GET /intro/info/info.