Hello, welcome to the Friday, November 20th, 2020 edition of the Sandcent, Center at Storm Center's Stormcast.

My name is Johannes Ulrich, and then I'm recording from Jacksonville, Florida.

Saville today walked you through a PowerShell script that drops the formbook Trojan.

Now, what's sort of interesting about this is that, yes, of course, it's obfuscated and its

virus total score was a solid zero.

So no antivirus engine did detect this particular PowerShell script.

A couple of interesting tidbits here.

First of all, the code also checks if it's running

in a virtual machine and will refuse to run the PowerShell script and actually create some

DLLs that are being loaded. And the DLL is obfuscated with a tool called Cephyrus Protector.

A tool we kind of would like to know more about.

So if you're familiar with this tool, please let us know.

And I've mentioned before a couple times how Google's services are often being used for fishing

and how it can be quite difficult to take down some of these fishing sites.

Security Company armor blocks now has a nice blog post highlighting some recent fishing attacks

that take advantage of different Google services.

Google forms, of course, has long been used to collect credentials, even though most of these form pages have a fairly obvious warning not to enter any credentials.

Firebase storage has often been used to just store

the basic HTML for static websites.

And then of course, Google Sites has successfully

been used in order to, for example, create login pages,

like an example from Armor Blocks and Office 365 login page.

...