Hello, welcome to the Thursday, December 13th, 2018 edition of the San Bernard Storm Center's Stormcast. My name is Johannes Ulrich and the damn recording from Washington, D.C.

As I mentioned before, we always love it when readers sent us interesting Malware in. The latest case, Vince sent us a word document that looked malicious

had all the hallmarks of being malicious and Vince actually started analyzing it and he

tried to follow a procedure that DDA had outlined in a prior diary but it didn't quite work

so did he took a look at this particular document,

and well, the problem here was that the value of the variable that you have to actually search for

was obfuscated itself. And de-obfuscating this isn't really all that trivial. So Didier

shows in his latest diary a little shortcut

where you're really just looking for long strings in the document and that led Didi

then to the malware. Now the PowerShell script in this document was obfuscated itself again

using a fairly well by now I guess standard obfuscated itself again using fairly well by now I guess

standard obfuscation technique that the DA calls DOS fuscation for its use of

DOS commands the power shell script turned out to be a downloader it did attempt to

download malware from five different URLs that then turned out to be

an Emotet variant. An ESET published an interesting report with a collection of various

open SSH backdoors that they found in the wild. OpenSH back doors are a common way for an attacker to get persistence and also to do some lateral

movements.

So what happens here is that the attacker first gets root access on a system, then uses

the axis to install a Trojan version of the OpenSH server.

Typically what happens here is that credentials that are being passed to the server are being

logged and ex-filterated.

They of course also can provide static credentials that can then be used to log in even after the user has deleted

...