Hello and welcome to the Monday, September 26, 2020 edition of the Sands and its Storm Center's

Stormcast. My name is Johannes Ulrich and the I'm recording from Jacksonville, Florida.

I've got a couple of interesting diaries this weekend that I would like to start out with.

The first one by Xavier is looking for examples

of malware exploiting the fact that Microsoft Teams is storing its authentication tokens in clear

text. I mentioned this vulnerability. I believe on Friday it was actually. So a last podcast last

week.

And Xavi ran a Virus Total query to find malware that attempts to access the respective files.

And after rejecting some false positives, he actually found a sample that matched the query

and indeed attempted to exfiltrate those tokens.

Interestingly, the sample was uploaded late last week and had a creation date, which of course

may be fake, exactly one month earlier. At this point, the file is recognized as malicious

by most anti-malalver products and identified

as a member of the Floxif Malware family. This Malver family, according to Malware Pites, is known

for modifying files and then attaching its own backdoor to these files.

So this may be a bit a new thing for Floxif,

but Xavier noted how this sample looks for cookies and other tokens in numerous other locations.

So it is not something that was specifically created to take advantage of the Microsoft Teams issue,

but they just added yet another spot to look for tokens.

I never ran to a Malware sample, but the sample, the Malver downloaded, appears to no longer available because while well, the domain was taken down.

D.D. has a quick recipe to try and find it. As long as you still know the IP address

associated with the domain, well, it's a simple curl request to connect to the IP address,

...