Hello and welcome to the Friday, March 1st, 2020, 4 edition of the Sands and at Storm Center's Stormcast. My name is Johannes Ulrich. And today I'm recording from Jacksonville, Florida.

Today we have a treat for everybody into Malvernalysis. And it's a diary by John John Mutos, one of our Sands.E.D.U.

bachelor's degree interns. The diary covers a recent instance of Darkgate. Darkgate, as John

describes, persistence as service Malware. The goal of DarkGate is to assist other malware to install on various systems.

So you can rent DarkGate if you need to install malware on systems.

In this particular case, it all started fairly harmless with a PDF.

The PDF itself was not malicious.

It just contained a link that then via double-click, interestingly,

so essentially as an ad, directed the victim to the actual malware that was then downloaded.

Now, there's too much detail here to cover it all in this podcast, but just a couple of highlights

here.

Part of the installer, for example, is a valid Apple binary iTunes helper.e.

Digually signed and everything and will pass all the sort of sanity checks, but it's delivered with two DLLs.

And these DLs are then where you find the malicious code that will cause additional Malver

to be installed.

So lots of interesting details here about this Malver and the very detailed analysis by John.

Like I said, if you are at all into Malvern analysis, you'll probably enjoy how he sort of walks you through the process here to identify the different parts of this Malver.

And the Cybersecurity and Infrastructure Security Agency CISA did a population update on some of

the exploits that they're seeing against Ivante Connect secure and the policy secure

gateways. I've mentioned the vulnerabilities a few times already, and yes, they have been exploited for a while.

There are a couple interesting tidbits I want to point out in this particular advisory,

and that's based on some of the compromise that have been seen in the wild.

...