Hello, welcome to the Tuesday, July 26, 2020 edition of the Sands and the Storm Center's Stormcast.

My name is Johannes Ulrich.

And today I'm recording from Jacksonville, Florida.

In Diaries today, we got one by Xavier analyzing another PowerShell script.

This time, one that implements some fileless features in PowerShell.

Fileless Malver, as the name implies, distinguishes itself by leaving no files on the system,

and with that, of course, minimizing detection.

Some fileless Malware stays entirely in memory, but then, of of course you have the problem. What happens to the system is rebooted. The malware that Xavier found uses another

common trick. It writes itself to the registry. So technically not a distinct file,

even though, of course, if you're a purist, the malware does end up on

the disk. First, the script hides its windows from the user. Then it exfiltrates information

just identifying the victim's computer. That, of course, could be used to target particular

users. The strings are encrypted via AS, so that way network detection plays less of a role here.

And finally, the URL to retrieve the script is then written to a registry key in order

to obtain persistence.

Now at this point, things become a little bit less fileless here because there is then a simple link file that allows the execution of the code from the registry key.

PowerShell scripts like this are sort of one of those tricky issues because they are very lightweight,

they're very flexible, so the same PowerShell script maybe used for some commodity and more

less harmless exploit, as well as to install some more targeted malware. This is why you shouldn't really take them too lightly if you find them on a system.

But well, who cares about desktops and laptops, Windows these days?

It's all about mobile devices, Android and iOS.

And of course, we need to secure them as well.

...