Hello and welcome to the Tuesday, January 16th, 2024 edition of the Sands and at Storms

unters Stormcast. My name is Johannes Ulrich and today I'm recording from Jacksonville, Florida.

No podcast on Monday, sorry, I think I misspoke here on Friday due to observance of Martin Luther King Day,

but we did have an interesting diary over the weekend, one file, two payloads by Xavier.

Now, one of the interesting features of this Malver was how it actually creates the string PowerShell.

Of course, a lot of Malware uses PowerShells,

so there are a lot of signatures looking for the PowerShell string in particular. If it's encoded in

various ways, well, this particular Malver didn't really encode the PowerShell string. Instead, it dynamically assembled it.

And one interesting, kind of a little bit overly complicated, I think, thing it did is

it looked for services that contained a string Microsoft.

And then it pulled the S out of Microsoft to assemble the string PowerShell.

Basically, the S-in-shell came from the service name that it pulled out of the service list.

Interesting idea.

Doubted actually really necessarily to be that complicated, but, well, it worked for that malware, apparently.

It also

then later had sort of an interesting second stage download that did, depending on the offset,

you looked at for the particular file, contain different parts of the second and then, I guess,

sort of third stage of the malware. At offset zero, there was the executable payload, and then, I guess, sort of third stage of the Malver.

At offset zero, there was the executable payload, and then later about 280 kilobytes in,

there was the second stage PowerShell script.

This, again, is often done sort of for obfuscation.

Quite frankly, you have sort of at the beginning then, actually some sort of harmless file an image or something like this and then at the end appended the actual malicious payload.

...