Hello, welcome to the Monday, September 10th, 2018 edition of the Sandton and Storm Center's

Stormcast. My name is Johannes Ulrich. And the time recording from Amsterdam, Netherlands.

And just when you think there isn't really much new to talk about when it comes to crypto coin mining,

Xavier came across some interesting matter

that ran crypto coin mining in a browser in headless mode. Headless mode refers to running a

browser without GUI. Now typically that's done in order to provide access to the browser

from scripts.

In this case, the script, of course, is malicious and is then used to load JavaScript

into Chrome, which here is run without its GUI, so the user doesn't even know that Chrome

is running at all.

A second interesting trick, but by far from new, that the malware is using,

is to actually use Rec Server 32 in order to launch the malicious code.

This way it does bypass most whitelisting techniques. And of course the difference between using a tool like, for example, W. Get curl or Bits admin

instead of running the full browser in headless mode is that the browser does parse JavaScript

while these other command line tools usually just retrieve the code but don't run it.

And also running JavaScript in a browser is less likely to trigger any anti-malver or

whitelisting systems.

Now for the coin hive code itself, of course, yes, that particular code has been added to many anti-malware tools.

And talking about anti-malware, or in this case, better anti-adware, on Friday, Twitter user

privacy is first noted that anti-adware application adware doctor, which is sold in the Apple App Store,

has been exfiltrating browser histories and apparently has been doing so for quite a while.

Now, the Apple App Store does impose some restrictions for MacOS and OS 10 applications by most notably

...