Hello, welcome to the Monday, June 27, 22 edition of the Sands and the Storm Center's Stormcast.

My name is Johannes Ulrich, and then I'm recording from Stockholm, Germany.

You had a couple of interesting diaries over the weekend.

Let me start with Xavier that analyze an interesting Python script that actually uses

Python GUI libraries in order to interact with the user. I personally suspect that this may be done

to make reverse analysis more difficult by adding that user interaction. The script will display a brief notice to ask the user to click that notice.

Now once the user clicks per web browser is being opened and the predetermined web page is loaded.

Likely malicious in this particular sample, that page was not available. Could be a

fishing page, could be some additional malware. The idea here may be that by adding that

user interaction, any automated script analyzing this particular malware, like running in a sandbox or such,

may not be able to interact with it so the malware doesn't run and the analysis fails.

I've got sort of a second interesting diary with PowerShell scripts again,

where the malicious PowerShell script is actually passed to PowerShe

via the clipboard uses the clip.e.exe binary that comes with Windows in order to copy standard

out to the clipboard, and then this clipboard essentially being executed using

PowerShell. Reasoning behind, this trick is likely to avoid writing anything to a file, so

that way you're able to again evade some analysis. Now, a lot of anti-malware tools are looking at memory, but think about it from an instant

response point of view.

You will not be able to recover that data that was briefly written to memory if you discover

this compromised system.

And then some other interesting tricks here to interact with web applications,

in particular in order to bypass some two-factor or a multi-factor authentication scheme.

...