Hello and welcome to the Monday, January 22nd, 2024 edition of the Sands and its Storm Center's Stormcast.

My name is Johannes Ulrich.

And today I'm recording from Jacksonville, Florida.

Got some really interesting malware from Xavier on Friday.

This particular malware runs on Mac OS. It's written in Python,

and it's designed to emulate and replace two crypto coin applications, the Exodus crypto wallet,

and Bitcoin Core. Once a user downloads and executes the Python script, it will first collect

some information about the host. It will set up a connection to a command control server

that then may send additional Python commands to execute. All of this is done pretty simple,

pretty straightforward. It's just Bay 64 encoded,

so really no attempt here to do anything more sophisticated when it comes to sort of obfuscation

or encryption. It then also downloads replacements for the Exodus app and the Bitcoin Core app. Not really clear at this

point what these particular replacements will do. They also include the electron framework,

and that's of course used by a lot of desktop applications these days to make it easy to develop them a little bit sort of OS

agnostic. It does require that the victim has the X code installed because it does actually

compile a script, an OSA script that's being installed as a part of the malicious package.

Like I said, the script doesn't really do anything special kind of in order to obfuscate itself.

It still has a very low virus total score.

When Xavier looked at it, it was just three out of 59. That has since improved a little bit to 17.

The first upload to virus total was on the 18th. So that was Thursday. And then there was a lot of

news about accounts at Microsoft being compromised.

And I just want to talk briefly about some of the lessons learned here.

...