Hello and welcome to the Monday, February 12, 2024 edition of the Sansonet Storms, Stormcast. My name is Johannes Ulrich and today I'm recording from Jacksonville, Florida.

Xavier this weekend found a real neat, obfuscated PowerShell script. When you look at it, you really only see parentheses,

brackets, dollar symbols. Remember vaguely seeing something like this with JavaScript,

but here it's a PowerShell, and the file itself is being distributed as part of an MSIX package.

MSISX packages are a Windows packaging format and it comes with a config file that

will tell you basically what scripts to run to install the particular package. Well, this

obfuscated script was part of it and well if it's obfuscated like this, it pretty much has to be malicious.

Xavier walks you through the interesting,

the obfuscation here for this particular PowerShell script,

and then how to arrive at the actual loader,

the URL the second stage is being pulled from.

Interesting obfuscation method and even more interesting tricks here on how to de-obuscate

some PowerShell script like this.

A couple of readers pointed out that I didn't yet include a blog post by Wollncheck about too many honeypots or how do you really

say here in their headline, there are too many damn honeypots. Of course, this is a topic

that's of interest to us here running honeypots. And what this is really about is that

researchers posting lists of vulnerable

servers, and they take as an example here, Confluence servers, that these researchers have to be

more careful when they're making claims as to how many of these Confluence servers are

actual confluence servers and not honeypots. And the author here,

Jacob Binds, isn't necessarily even talking about like someone setting up a full featured

confluence server. But the honeypots that are being excluded here are honeypots that are

...