Hello and welcome to the Friday, January 6, 2020,

edition of the Sands and the Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Brad Duncan is added again, and this time with some malware that arrived,

or the lead to the malware, arrived in an email written in

Portuguese and targeting Brazil.

What was a little bit unusual was the use of auto IT.

Auto IT is a simple, basic, like scripting language that allows you to automate Windows tasks,

including interacting with the GUI.

It works all the way back to Windows XP and creates these standalone executables,

which of course are very attractive to attackers in order to automate tasks like

downloading additional malware and executing it.

The trick with Auto IT is that of course it's a legitimate tool, so it's usually not detected by

anti-malver, but it's use in Malver like the one Brad observed, sometimes leads to it annoyingly being detected by Ante Malver.

What's the real problem here is not Auto-Itt, it's the scripts written with it, but of course, anti-malver doesn't always make that distinction.

Needless to say, with difficulties detecting it

and the underlying tool being not malicious, this is a rather attractive way for attackers

to create simple little malware executables. For more details, including packet captures, samples, and all the

indicators of compromise that you would ever want, well, check out Brad's diary. Well, usually I don't

talk much about breaches, but today we have actually a couple that are sort of actionable so that's why I want to mention

them the first one and probably the more severe one here is that the breach at Circle

CI now Circle CI the CI stands for continuous integration a company that helps

...