Hello, welcome to the Tuesday, February 9, 2021 edition of the Sandcent Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Got a brief diary today from DDA showing how to tie in his famous Python scripts with T-Shark.

T-Shark, one of my favorite tools out there, in particular the dash capital T-fields option

that DDA is using in this diary to extract payloads and then feed him to his script.

If you haven't blate much with T-Shark, in particular not with the dash capital T-fields

option, well, a great opportunity here for you to learn something new.

And yesterday I talked about how good Google Chrome extensions can go bad as the owner changes.

Well, something similar may have happened to a barcode scanner that had been quite popular

in Google's Play Store. Over 10 million users apparently downloaded the application and it worked fine for

years, but apparently something changed early December last year and all for a sudden the application

turned malicious. Malwarebytes took a closer look at the application and turns out that on December 4th,

an update was released that included heavily obfuscated malicious code that then injected

additional ads into pages.

In this case, it doesn't look at least like the developer changed. Still, the same developer

was listed and the application was still signed using that developer's credentials. But for some

reason, the intent of the application has changed. It has been removed from the Google Play Store, but may not have been removed from your device yet.

And yes, attackers always have interesting ways to obfuscate their malicious code.

The latest example is an HTML file that is being used for fishing that apparently is

encoded using Morse code.

Now, this isn't like you all for a sudden here, your computer beep or such.

It's literally that the JavaScript is encoded as dots and dashes and then being

...