1. Exquisite Tweets from @shootingsawk, @ItsReallyNick, @MalwarePorg

    Collected by cbasszerofive

  2. #TRITON's Library.zip contains over 200 files. Let's talk about one of them: crc.pyc

    From the YARA rule, you can tell we found the string "Kotov Alaxander" to be interesting ♚ and unique.

    It's also heavily adapted from a June 2011 blog post: cavinc.blogspot.com/2011/06/crc16-…


    Nick Carr @ItsReallyNick

    MODBUS stands out for ICS peeps. For the OG's, XMODEM!

    The 2011 code is for a Mettler Toledo scale driver using Python to calculate the CRC16 block. Apparently written by a Computer Engineering and Automation grad from Tomsk State University of Control Systems and Radioelectronics.

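    For readers who want to see what the two CRC16 flavours named in the tweet above actually compute, here is an added example (editor's code, not the TRITON crc.pyc and not the 2011 Mettler Toledo blog code): bit-by-bit CRC-16/MODBUS (reflected, poly 0xA001, init 0xFFFF) beside CRC-16/XMODEM (poly 0x1021, init 0x0000), plus a MODBUS frame check that appends the CRC low byte first as the protocol does. The sample request bytes and the `modbus_frame`/`verify_modbus_frame` helper names are constructed for the example.

```python
"""CRC-16/MODBUS and CRC-16/XMODEM, the two variants called out in the thread.

Reference check values (CRC catalogue, input b"123456789"):
  CRC-16/MODBUS -> 0x4B37
  CRC-16/XMODEM -> 0x31C3
"""


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: reflected algorithm, polynomial 0xA001 (0x8005 reversed),
    init 0xFFFF, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 0x0001:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc & 0xFFFF


def crc16_xmodem(data: bytes) -> int:
    """CRC-16/XMODEM: non-reflected algorithm, polynomial 0x1021,
    init 0x0000, no final XOR."""
    crc = 0x0000
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ 0x1021) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def modbus_frame(pdu: bytes) -> bytes:
    """Append the MODBUS RTU CRC to a unit-id + PDU. MODBUS sends the CRC
    low byte first, which is why naive big-endian appends fail on the wire."""
    crc = crc16_modbus(pdu)
    return pdu + bytes([crc & 0xFF, (crc >> 8) & 0xFF])


def verify_modbus_frame(frame: bytes) -> bool:
    """Recompute the CRC over everything but the trailing two bytes and
    compare against the transmitted little-endian CRC."""
    if len(frame) < 3:
        return False
    body, trailer = frame[:-2], frame[-2:]
    expected = crc16_modbus(body)
    received = trailer[0] | (trailer[1] << 8)
    return expected == received


if __name__ == "__main__":
    # Constructed sample: read 10 holding registers from unit 1, starting at 0.
    request = bytes([0x01, 0x03, 0x00, 0x00, 0x00, 0x0A])
    frame = modbus_frame(request)
    print("MODBUS  check:", hex(crc16_modbus(b"123456789")))
    print("XMODEM  check:", hex(crc16_xmodem(b"123456789")))
    print("frame:", frame.hex(), "valid:", verify_modbus_frame(frame))
    # Flip one bit in the trailing CRC byte: the frame must now be rejected.
    tampered = frame[:-1] + bytes([frame[-1] ^ 0x01])
    print("tampered valid:", verify_modbus_frame(tampered))
```

    The "123456789" check values are the standard way to confirm which CRC variant a recovered routine implements: run a suspect `.pyc`'s function over that input and compare against the catalogue before reading too much into its constants.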

    Nick Carr @ItsReallyNick

    #TRITON crc.pyc is modified significantly from 2011 post and stood out enough to include in our public detection.

    So: #threatintel or red herring? 😉

    Kudos to these two for noticing the string:
    1⃣ @Skvern0: twitter.com/Skvern0/status…
    2⃣ @shootingsawk: twitter.com/shootingsawk/s…

    smiler @shootingsawk
    WTF ? : "$py_crc_03 = "Kotov Alaxander" nocase ascii wide". cavinc.blogspot.fr/2011/06/crc16-…


    Nick Carr @ItsReallyNick

    NOTE: You know your YARA term is unique when 17 of 18 total search results are for the rule itself.

    BEFORE: 1 result (several months ago)
    AFTER: 18 results 👨🏽‍💻 (just now)


    Nick Carr @ItsReallyNick