Hello and welcome to the Thursday, November 16th, 2020,

edition of the Sansonet Stormontas Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Xavier today wrote up a sample that he found via virus total,

and he did so after reading the ghost pulse report. That's Malver

that has been going around lately and one of the interesting aspects of it is that it uses

MSI packages so dot MSI X files in order to spread itself.

These are really SIP archives, so good DDA's tools like SIPDump.PY are ideal to really figure out what's going on here.

And inside this particular file that Xavier found, there is a PowerShell script that in this case acts as an installer.

In the end, the victim will end up with the Red Line Info Steeler.

The other interesting part here is that the actual Info Steeler executable is downloaded as a fake image, so it's called

it this case dd-sert.jepak, but yes, it's just a plain executable that's then just being

executed on the victim's system. So watch out for dot ms.x files, probably nothing that you should ever really see in email,

and even having them downloaded to a workstation from a website should probably trigger

some alarms, even if it is a legitimate installer.

You probably still want to know that your users are installing software.

And we have some interesting new attacks against ChatGPT. The issue here is that recently ChadGPD added a feature that they call Code Analyzer,

and this feature does allow you to upload some code to chat GPT.

And chat GPT will basically tell you what it does, but it will also execute the code.

The code is executed in a dedicated virtual machine.

So each user is getting a different virtual machine to prevent codes from polluting each other. But the trick here is that you

may, for example, use that code to extract data from a webpage. If an attacker now has control

...