Leonid Bezvershenko
Kaspersky
@bzvr_
Senior Security Researcher @ Kaspersky, GReAT | Drovosec CTF team | Tweets are my own
Moscow, Russia
Joined September 2021
Posts
  • Pinned
    Today we share details about Operation Triangulation, a campaign targeting iOS devices of Kaspersky employees. It was an unprecedented investigation, and we've done a lot to study this campaign with great scrutiny. Report and IoCs here: securelist.com/operation-tria…. @kucher1n @2igosha
  • We have just discovered two malicious PyPi packages masquerading as HTTP libraries: ‘ultrarequests’ and ‘pyquest’. The description of these packages is taken from the ‘requests’ package. The malicious code is in the class ‘HTTPError’ (‘exceptions[.]py’ file) [1/3]
  • Beware of links from popular YouTube videos, as they may contain #malware. We found such a video (64K views, 180K subscribers) that has a link to a Tor Browser installer in the description. That installer comes with a previously unknown spyware that we dubbed #OnionPoison. [1/4]
  • Magic is here! We have discovered a previously unknown #APT that has been attacking organizations in the area affected by the conflict between Russia and Ukraine. Observed victims were compromised with previously unknown implants that we dubbed #PowerMagic and #CommonMagic. [1/4]
  • Ever wanted to take another look at #OperationTriangulation malware? Then check out VirusTotal - we have uploaded malicious modules used in this campaign. virustotal.com/gui/file/ff2f2… virustotal.com/gui/file/7e779… virustotal.com/gui/file/c2393… virustotal.com/gui/file/ff2f2…
  • Have you wanted to take your own look at the #iOSTriangulation spyware? Well, we uploaded the #TriangleDB implant to VirusTotal: virustotal.com/gui/file/fd9e9…
  • Today I earned a bachelor's degree with highest honors from the Faculty of Computational Mathematics and Cybernetics at Lomonosov Moscow State University!
  • Unmunging hex strings is what I've been doing recently... #IOSTriangulation
  • Replying to @bzvr_
    As for now, we continue our investigation to find additional information about the discovered implants and the threat actor behind them. More details on Securelist: securelist.com/bad-magic-apt/… [4/4]
  • Replying to @bzvr_
    It's interesting that the server sends the second-stage implant only if the victim's IP is from #China, so the campaign targets only Chinese-speaking users. Features of the spyware include collecting system information, stealing browser history and executing shell commands. [3/4]
  • Replying to @bzvr_
    The malicious Tor installation has been configured to be less private (it stores browsing history, login data, etc.), and its freebl3.dll library is infected with malware. When the browser is launched, this library contacts the C2 server to receive a second-stage implant. [2/4]
  • Replying to @bzvr_
    For technical details and IoCs, please refer to our article @Securelist:
  • Replying to @bzvr_
    The final stage is a W4SP stealer that gathers cookies, Discord tokens, crypto wallets as well as files that may contain credentials. We have already reported these two packages to the PyPi security team. More details upcoming on securelist.com. [3/3]
  • Replying to @bzvr_
    This code downloads an obfuscated next-stage script from the zerotwo-best-waifu[.]online website. That stage in turn downloads another obfuscated script, drops it on disk and configures persistence. [2/3]