Hello, welcome to the Thursday, December 14th, 2020, 3 edition of the Sandton and the Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Washington, D.C.

Today we have a diary by Xavier looking into an interesting Python script that Xavier came across.

One thing that distinguishes this particular Python script from other Malver

is that it actually shows up on the screen with a GUI,

doesn't just run in the background, and attempts to remain unnoticed.

The Malver does call itself ProMine Checker.

ProMine is the name of developer tool and debugging tool,

so maybe it attempts to claim to be related to that.

It accepts some files and then offers a check button,

which doesn't really do anything, no matter whether you add files and then offers a check button, which doesn't really do anything, no matter whether

you add files and don't add files, whenever you click the check button, well, all you see

is an error message.

So a user may be inclined to believe that the software just isn't working right and

uninstalling it.

Well, that's already too late.

As soon as you run the software, it will actually collect credentials in the background and

then exfiltrate it.

Also kind of typical behavior for what we often see in Malware that targets developers.

It looks for password files, Discord credentials,

Roblox credentials, sort of typical things that you may find

on developer workstations, and then it exfiltrates them via a webbook.

...