Hello and welcome to the Friday, September 23rd, 2022 edition of the Sansonet Storm Center's

Stormcast.

My name is Johannes Ulrich and today I'm recording from Jacksonville, Florida.

Xavier wrote about a trick that he saw being used to install Remco's rather common remote access tool.

The attack starts with a simple bat file.

To obfuscate a file a little bit, the attacker added a byte order mark,

FFFE, as the first two bytes, which causes the file to be displayed as UTF-16 in editors and the like.

The problem with this is if it's UTF-16, then two bytes are considered one character.

So typically what you're seeing is some Chinese and other characters, essentially gibberish. But if you're just executing the

file, the byte order mark is ignored. And well, the file is just interpreted as ASCII or a UTF8. And that way,

the script then runs just fine. Now, when it runs, it just converts a base 64 string using Surtutil into a second batch file.

And that's where things get a little bit more tricky.

The second batch file downloads a couple additional PowerShell files just using crawl.

exe.

But then it adds a registry key and executes FOD helper.

Now FOD short for feature on demand is a mechanism in Windows that will install features as they are required.

Typically things like language packs and such.

They are not installed by default

because they take quite a bit of disk space. So in case you're running into a spot where you need a certain

language pack, the FOD helper can be used to automatically install it for you, which also means

that FOD helper runs with elevated privileges.

And what it does is it looks at that registry key to check what it needs to install.

...