Hello, welcome to the Monday, March 14th, 2020 edition of the Sandsenet Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Xavier on Friday came across a Malware sample that's a bit unique for its use of web sockets.

Usually Malware likes to use just plain old HTTP requests and various networks as well

as host-based security products, of course, know very well how to deal with this sort of

regular HTTP. Web socket, maybe a little bit of a blind spot here

for some of these tools in particular.

This sample actually doesn't even bother with TLS.

Only two out of the 54 anti-malrower engines

used by virus total are recognizing this particular sample.

WebSockets, well, it implements a simple two-way protocol, which is great for command control channels.

That's sort of how it's often used in modern web applications, but also kind of to stream data,

which, of course, for exfiltration may work

quite well. While you're playing with WebSockets, double check if your host-based data leakage

or data exfiltration solutions are detecting them properly. Have seen some blind spots there

in the past where they do

detect if a browser submits normal HTTP requests, but they don't necessarily detect

the data in web sockets.

And talk about command control channels, Avast found a version of Raccoon Steeler using Telegram as a command control channel.

Telegram is getting somewhat popular for command control due to its relatively easy to use API,

Raccoon Steeler. As the name implies, is an information stealer. It steals usernames and passwords, as well as

cookies and other authentication tokens. The data is actually not exfiltrated via telegram. However,

...