Hello, welcome to the Thursday, October 10th, 2019 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Chicago, Illinois.

Brad in his diary today is talking about the VIDAR information stealer, and in this case case he is looking specifically at the data that

this information stealer does exfilterate.

Now of particular interest is a post request that is sending a SIP file to the command

and control server.

Now this post request is not just sending the SIP file.

It's actually a multi-part mime encoded post. It's sending a couple of additional piece information,

like for example, a hardware ID, the exact operating system, architecture and the like. So if you are using just the plain

Wyrshark export objects feature and export the HTTP object, what you end up

with is not just the SIP file, you're ending up with the entire multi-part mime request.

So what you'll have to do here is you will have to remove the respective header, everything

up to the PK header of the particular zip file, and that leaves you then with just

the zip file.

As usual, Brad has a step-by-step walkthrough of this particular process, so it shouldn't

really be that hard to replicate it for you.

And of course, you also get links to the actual P-CAPs, so you can experiment with this. The zip file, well, no huge surprises here, things like screenshots, passwords and other information

are being exfiltrated by this information stealer.

And if you got details regarding two of the vulnerabilities that Microsoft patched this week

as part of the Big Patch Tuesday.

The two vulnerabilities CVE 2019, 1166 and 1338 are somewhat similar in that they do affect the message integrity check or

make in NTLM authentication.

...