Hello, welcome to the Friday, January 22nd, 2021 edition of the Sandcent Storm Center's

Stormcast. My name is Johannes Ulrich. And I'm recording from Jacksonville, Florida.

Diary today from Xavier talking about a power shell script that he ran into that will load the R. Evil Ransomware,

but it does so using a PowerShell script feature called Run Spaces, which isn't often seen

in Malware and apparently here used to evade some of the detection techniques.

And also this particular script had a very low

virus total score. Run spaces are well sort of containers, I guess you could call them,

that isolate different power shell threats from each other. They all run in the same power shell process, which makes a little bit more efficient

than having multiple power shell processes running instead.

In this case, it also helps with obfuscating the code.

One of the run spaces is then decrypting additional code using a key that is passed to it as a variable.

This diary also comes with a warning from Xavier.

Xavier analyzed this piece of malware in his lab, which is isolated from the rest of the network.

And this turned out to be quite useful in this case, because as he was analyzing the malware

as typical when doing runtime analysis, he set a couple of breakpoints to figure out how

the malware operates, but well, forgot one.

And actually, his lab machine ended up encrypted by the ransomware.

Not a big deal for a lab machine, of course.

Well, now you have to recover it, but I have seen this go wrong quite often before where

analysts weren't careful enough and losing real work or even leaking

data by running malicious code on a regular work machine.

And researchers at Onypsis found posted on GitHub a functional exploit that takes advantage of a vulnerability in SAP's

...