Hello, welcome to the Friday, November 19th, 2021 edition of the Sandcent and at Storm Center's Stormcast. My name is Johannes Ulrich.

And I'm recording from Fort Walton Beach, Florida.

Savoyer today took a quick look at a piece of JavaScript that he came across that was used in order to deliver an ancient Tesla

Trojan.

Ancient Tesla, a pretty common info stealer.

And the way it's usually deployed is by sending some JavaScript to the user and asking

them to run the JavaScript locally.

So you would receive, for example, a SIPP attachment with the JavaScript and then when you save the file and sip it, double click.

You're basically executing the JavaScript locally, which of course does provide access to additional functionality, like in this case the ability

to download and execute additional malware.

The JavaScript was obfuscated as so often with these types of JavaScript, but Xavier

walks you through a quick analysis of the JavaScript that is pretty straightforward because some of the

URLs, for example, that were used to download the next stage were still readable, even though

the obfuscation took place.

And the register has a story discussing findings of security researcher Idon, Marilyn.

Now, Idan did find that GitHub is hosting multiple cookies SQLite databases.

Cookies SQLite is, as the name implies, SQLite database that is used by Firefox in order to store session cookies.

This file is stored usually in a profiles folder, but apparently often uploaded to GitHub by unwitting users.

And this is a problem well because if I have your session cookie, I am you as far as a website is

concerned. So leaking these session cookies can be almost as dangerous as leaking your

username and password. GitHub rejected a bug report here as out of scope.

After all, it's not really GitHub's fault that users are uploading this type of data.

...