Hello, welcome to the Friday, April 22nd, 22nd, 22nd, 2022 edition of the Sansonet Stormsendor's

Stormcast. My name is Johannes Ulrich, and today I'm recording from Marietester, Florida.

Xavier today has a post showing how Python may be used maliciously even on Windows. Of course, we have

talked about similar issues before. However, Python, I think we most of the time talk about it

as a defensive tool and scripting language that we are using to find bad things in this case.

Well, the bad guys like it too.

This particular Python script was created for Windows.

It does achieve persistence by scheduling a task, and then it also hides its window,

so a user doesn't notice that the task is running in the background.

And then it's actually a very simple and not very complex script.

All it does is it waits for a cryptocurrency address to show up in the clipboard, and then it replaces that address with one of its own.

It's not just going after the big cryptocurrencies like Bitcoin and the like, but there has about a

dozen different cryptocurrencies that it's looking for. It has patterns in order to recognize

the right addresses and then as soon as it sees it, it will just replace it. Luckily, it doesn't

seem to be working too well. I looked at the Bitcoin addresses and didn't see any deposits for the four Bitcoin addresses

that it's using.

So maybe it was just a test, but certainly appears to be working and has a very low virus

total recognition rate of only three or so of the virus scanners identifying it as malicious.

And back in December when we were all worried about log for J Amazon came up with a hot patch for

AWS and what essentially was supposed to do is it was supposed to disable

JNDI and mitigate the log for J-Warnability for any Java applications that people were running inside

containers. In order to do that, of course, it had to run with elevated privileges.

...