Hello and welcome to the Monday, June 12, 2020,

edition of the Sansonet Storm Center's Stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

For all the reverse engineers among you, we do have a write-up by Xavier about a PowerShell Backdoor.

This one was not detected by antivirus, and one of the things that made a little bit more clandestine was the fact that it was using the file name that's commonly used for PowerShell profile files.

PowerShell profiles are being executed whenever you start PowerShell, so it's kind of an

auto-run-like thing that you run to set up your environment, for example, correctly, and

it uses a set of reserved file names like in this case Microsoft.

PowerShell underscore profile.

.p.s.

The script itself connects to a command control server.

It does retrieve cryptographic material then from the command control server and lately connects to receive additional commands.

And of course, as usual, Xavier has additional details about how to deal with this type of PowerShell script and what it exactly did.

One item to note, as Xavier wrote up,

the diary, the particular command control server,

was actually still active.

And if you're interested in seeing what to expect,

if you are running one of our honeypots,

Guy has a summary of what his honeypot detected last month. So a quick review

of all the different logs, some of the top tens that he saw and log volume, just to give you

an idea, kind of all of the attacks that an average IP address tends to be exposed to.

And then we do have a second vulnerability in Moved. Remember, Movedit, the company behind it,

Progress released a patch for Moved end of May. It was immediately wildly being exploited in particular by the Klopp

...