Hello, welcome to the Thursday, June 23rd, 2020 edition of the Sands and its Storm Center's

Stormcast. My name is Johannes Ulrich, and the time I'm recording from Jacksonville, Florida.

But remember, I'll be traveling tomorrow, so there will be no Friday edition of this podcast.

PowerShell, everybody's favorite tool and Xavier ran into an interesting piece of malware

written in PowerShell that is going after cryptocoins.

Cryptocoins, even though their value has declined quite a bit, well, if you can get them for free, they're still worth something, so attackers are still going after them.

This particular PowerShell script also has a very low virus total score. Only one out of the 53 engines' virus total uses, did detect the script as malicious.

The particular script is first of all enumerating crypto coin-related browser extensions and

then exfiltrating them to the attacker together with any crypto coin looking information that it finds in the clipboard.

So knowing what extensions are running, meaning what exchanges and such the user is probably

participating in and then knowing any crypto coin addresses and possibly usenames and passwords

being copy-pasted, the attacker may be able to get access

to the account of the victim here. Now, talking about PowerShell, of course, lots of Malar these

days is written in PowerShell, but PowerShell is also an important defensive tool and typically

cannot easily and probably shouldn't

just be disabled.

In order to help you better secure PowerShell, we now have a new cybersecurity information

sheet, as they call it, that was created by the NSA, the cybersecurity infrastructure

security agency or SISA, as well as the government

communication security bureau in New Zealand and the national cybersecurity center in the

UK. So three countries, four agencies came together and created a guide helping you to secure PowerShell.

The guide includes tips how to use PowerShell securely.

...