Hello, welcome to the Tuesday, April 28, 2020 edition of the Sandinand Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Leave it up to the bad guys to abuse yet another security feature in order to hide malware.

Xavier looked at some malware that used the PowerShell

PS credential class in order to store malicious code. Now, usually a PS credential is used

in order to store usernames, passwords, and any other credentials being used for authentication.

So this way you have a nice central repository of this information that you can then use in

your scripts.

But in this case, the bad guy pretty much had some simply obfuscated script stored as a password

essentially that could then be extracted and de-ovescated and executed.

Anti-malware detection rates for this kind of malware, of course, is not exactly great for this particular sample.

Virus total showed a score of six out of 59 anti-malware products, recognizing

the file as malicious. Now, Xavier's advice here at the management automation PS credential

and convert to secure string to the list of suspicious strings that you look for when you're looking

for malicious PowerShell scripts.

And today, Zoom finally released its famous version 5 that it promised last week, so a day

late or so, but still it was released.

But Zoom isn't the only sort of collaboration and video

platform that attackers have their eyes on. Turns out there was an interesting, even though not

all that terribly critical, vulnerability in Microsoft Teams. The problem here was that when Microsoft

teams would access images, it would send an authentication

token along with that request that would have all the information that you need to take

...