Hello, welcome to the Friday, August 30th, 2019 edition of the Sansonet Stormsendos Stormcast.

My name is Johannes Orich, and I am recording from New York City, New York.

Typically, on Windows environments, you don't find compilers by default, unlike on many Unix environments so malware as a result

often arrives pre-compiled as an executable. Xavier found a couple of exceptions

of this behavior and they rely on JSC.exe. Thate. That's a jScript compiler that is part of the dot net framework.

And while most Windows systems do have dot net framework installed, with that they have jsc.org

installed. They also then typically have MSBuild.exe installed, which actually allows

you to automatically build applications similar to the make command in Unix. And while it doesn't

happen often, Xavi ran across a couple samples that took advantage of these tools.

Most likely the purpose here is to, again, obfuscate the attack, to evade antivirus

scanners because they usually only look for the executables, they don't look for the source

code.

In this case, actually, the code was delivered, Base 64 encoded,

probably to make it easier to transfer, but also possibly to further obfuscate it.

Now, As Xavier points out, jsc.exe and MSbill.exe, yes, they are on pretty much all corporate

machines because they all have the dot-net framework

installed, but they're not usually used.

So these are two indicators that you can use to detect possible malicious behavior if these

two executables are run on a system in your network.

Now, if you are into home automation, there are typically kind of two ways how you can control

your home automation system while you are away from home.

And that's often one of the attractive features here.

...