Hello, welcome to the Monday, July 2nd, 2018 edition of the Santa

Storm Center's Stormcast. My name is Johannes Ulrich and today I'm recording from Jacksonville, Florida.

Ramco came across an interesting bit of Malware last week that he wrote up on Friday.

The Malver targets Mac OS users, which of course is interesting

in itself in particular, since in this case it doesn't appear to be one of the typical fake

flash players that we see so often for OS10 and Mac OS.

The Malver itself appears to be spreading on Slack and Discord channels that do deal with

crypto and essentially people are trying to impersonate popular users in these channels

or administrators in order to advertise their malware.

What's also a little bit odd about this malware is that

first of all it's very large. It's 34 megabyte that needs to be downloaded. Also,

virus total has no hits, at least at the time when Remko looked at this particular piece of malware.

Now there is a reason why this malware

is so large. It's actually written in JavaScript and then it uses a tool called package that

will take Node.js and the JavaScript and will combine that to an executable. So you have to carry around all that Node.js overhead.

Sadly, we don't necessarily know what they were trying to accomplish here. The Mather is then

trying to connect to a server to download additional instructions. But as far as Remco

could tell, that server is no longer active.

And since it connected it directly by IP address, it's not looking up a host name.

So unlikely that this will just come back again.

But overall, the interesting way to write Mal and distribute it, so if you run anything

like this, then please forward us a sample.

...