Hello, welcome to the Thursday, March 10th, 2020 edition of the Sands and the Storm Center's

Stormcast. My name is Johannes Ulrich, and I'm recording from London, England.

Thanks to our reader, Ron, for sending us an interesting badge file that actually implements

a complete info stealer.

Xavier wrote it up and well it shows yet again that Malvert doesn't have to be terribly

complicated. It does target Windows but still uses the curl utility which has been added to Windows in Windows 10.

And curl, of course, makes it pretty easy to download files, like in this case, an additional

tool to do screenshots, and then upload the results back to various websites.

In this case, it looks like the attacker prefers to just use the Discord API, which of course is even more difficult to detect, because Discord is

a very commonly used tool, so requests to that API may not necessarily raise any suspicion.

In addition to taking screenshots, as I mentioned, the tool will also collect details

from various browsers in order to exfiltrate credentials and the like to the attacker.

And just as a reminder, we always like interesting malware,

so if you have something, just pass it on.

Cloudflare published a blog post

with details regarding a new type of DDoS attack

that takes advantage of exposed MyCollab

and My Voice Business Edition collaboration systems,

which are produced by MyTel.

The root cause here is a vulnerability in the TP 240 voice over IP processing interface cards,

and it is, well, one of those very classical type of UDP

amplification attacks, but in this case with an unheard-of amplification factor of 1 to 4 billion.

...