Hello and welcome to the Monday, March 13th, 2020,

3 edition of the Sandsenet Storms, Stormcast. My name is Johannes Ulrich,

and today I'm recording from Jacksonville, Florida.

We've got a couple of, you know, the Storm Center diaries to catch up with

that were published over the weekend.

Let's start with a Ghee posted about as an rat sample.

So a simple remote access trojan.

It arrived as a bill payment invoice, I believe in Spanish, maybe Portuguese.

And while he published the indicators of compromise, like host names, IP addresses, and such that this particular Malaver connects to.

Alex Xavier came across Mirai payload generator. So this is how you basically would add a new host to the Mirai botnet.

Mirai has been going around for quite a while.

Xavier points out a diary from back in 2016 when we first discussed it.

Remember, it was sort of the first one that sort of really very aggressively scanned for Telnet and S-H servers.

Since then, the number of Mirai versions has really exploded with new exploits and new little tricks.

Well, this Mirai payload generator kind of shows you some of the flexibility that this botnet has right now.

And finally, probably the most interesting diary from this weekend is one by Xavier,

where he looks at a browser hijacking a script that basically does obfuscation, not just by obfuscating the code itself,

but also by using various different technologies. It starts out with good old visual basic

script, but then also uses a PowerShell. It uses some C-sharp code that's sort of being compiled

here as the script runs.

So all of these different technologies likely are contributing to a fairly bad recognition rate

by Anteimalver for this particular example.

...