Hello, welcome to the Friday, August 12, 2022 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from, as usual, Jacksonville, Florida.

Xavier today wrote up a diary analyzing a recent Info-Steeler he came across. The InfoSteeler took advantage of a couple

common and not malicious tools to bypass detection. First of all, it used a good old Bits admin

binary to download a tool called N-sudo. Bits admin, of course, very famous. It's used to download a tool called N-Sudo.

Bits admin, of course, very famous.

It's used to download Windows patches, but it can also be used just like Curl or W-Get

on Unix systems to download arbitrary files via HTTP.

Now, EnSudo, not so commonly installed on Windows system,

but as the name implies, it's kind of the Windows version of pseudo. Now, works different. It

sort of allows it to run commands at different privileges, either from a little GUI tool or on the command line.

And that's sort of how the tool was used here by the malicious code.

Now, the script that the user here first initially ran after downloading EnSudo checks

if it's actually able to run without alerting the user,

because UAC may otherwise pop up warnings.

If there is no warning, then the script will be used to adjust various system settings

before downloading the actual InfoSteeler malware.

The InfoSteeler will exfiltrate a screenshot of the system, the system's location.

So of kind of the standard things that InfoSteeler's exfiltrate browser configuration,

also sort of of an interest may give us a hint as to who did hacker.

It also appears to be interested in gaming applications like Steam and Minecraft.

And as I said many times before, I usually do not cover preaches here on this podcast unless we learn something from it.

...