Hello, welcome to the Friday, March 5th, 2021 edition of the Sansonet Storm Center's Stormcast. My name is Johannes Ulrich.

And the time recording from Jacksonville, Florida.

In Diaries today, we have Xavier showing the reverse analysis of a visual basic script that then loads PowerShell, uses

some C-sharp, and in the end, process hollowing in order to end up with complete remote

access.

The initial script is really just a downloader that then downloads the PowerShell script and this PowerShell script, then

downloads a DLL, which in the end will use a C-sharp compiler on the victim's systems

in order to create additional components of the payload.

And the intent of all of these steps is likely to evade detection, of course.

And this script will also specifically detect if it's running in sandbox, i.e., by checking if a particular DLL is present.

And Cisco released a number of updates again to a day.

The one update that's labeled as high is based on a war on a billy that was fixed in

Snort back late last year.

I think September or so, Snort 2-917 had a denial of service

issue with its Ethernet frame decoder. Now, of course, Snort is now owned by Cisco

and integrated in a number of different Cisco products. So these products are the ones that need to be fixed now. And this

includes the 1000 and 4,000 series integrated service routers, Catalyst 8,000 V, 8,200 and 8,300, as well as

cloud services router 1000V and the Integrated Services Virtual Router.

And if attack using this vulnerability and attacker would be able to exhaust disk space

on affected devices.

And VMware patch what it's calling an important vulnerability in VMware View Planner. If exploited, this

vulnerability could lead to code execution. As it says in the advisory, an unauthorized attacker

...