Hello, welcome to the Friday, April 9th, 2021 edition of the Sands and at Storms,

Sonners, Stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Wouldn't it be nice to look over an attacker's shoulder as they are developing a matter

to be used against you. Xavier sort of ran into

a case where he found on a virus total. It looked like a proof-of-concept piece of software. It

definitely wasn't quite done yet, but shows some of the interesting tricks that the attacker is planning to play here.

So first of all, this looks overall like Ransomware, however it does really just sip the files in the current version.

It does use a command control channel over Tor and is entirely written in PowerShell.

Of course, the simplicity of the code also means that a detection by anti-malver engine at this point

is really non-existent in some ways.

It reminds me a little bit of sort of that living off the land approach.

Also, the Tor client is not included in the malware.

That would be something that would need to be installed separately.

And the use of 7-zip, while not as fancy and strong as what some other ransomware is doing, it may be intended to sort of fly

under the radar of tools that look for the excessive use of encryption libraries by using

a common tool, again, that living of the land approach. And talking about evading various

signatures, Trustwaves Spider-Lab came across some

interesting phishing email that sort of takes the idea of just delivering a bunch of HTML to the

next level by splitting up that HTML into different blocks and hosting it on YourJavascript.com.

Your JavaScript.com is not a malicious site. It's a site to host JavaScript code for free.

And, well, like any free file hosting service, this service now also has been abused to host fishing pages.

But what's sort of different here is that the fishing page isn't sort of host in its entirety.

...