Hello and welcome to the Tuesday, August 30th, 2020 edition of the Sands and its Storm Center's

Stormcast. My name is Johannes Ulrich and today I am recording from Jacksonville, Florida.

The DA today published an update to an earlier diary analyzing UTF7 encoded shellcode.

Did he is zooming in on a problem he had with this earlier script that he talked about

in that it didn't quite correctly decoded UTF7.

This script did not, for example, decode the protocol part of URLs quite correctly,

while not a huge problem if you then, for example, take the output of the script and

throw it into some analysis pipe where you download additional malware based on these

URLs.

And of course, it's kind of inconvenient if you first have to clean them up.

Well, DDA found a workaround.

Turns out that the Windows multiplied white to char function works a little bit different

than what his UTF decoder in Python did.

So instead, the DDA now utilized the Win 32 API function, essentially the same function

that's being used here by the malware, and that solved the problem.

But of course, you have to be a little bit careful with this. First

of all, it only runs on Windows and then not quite with this particular API function,

but calling Wyn-32 API functions directly and feeding sort of malicious code to it. Well, be careful

that you don't end up with code execution as a side effect.

One story that has been popping up, I've covered it a little bit over the last couple of weeks,

and I think I haven't covered very well, is the Twilio breach early August that affected companies relying on Twilio

to send one-time passwords for two-factor authentication. I did a little bit talk about the

...