Hello, welcome to the Tuesday, November 27th, 2018 edition of the Sands and its Storms Center's

Stormcast. My name is Johannes Ulrich. And then I'm recording from Jacksonville, Florida.

Russ today in his diary is taking a look at Viper Monkey. Viper Monkey is an emulator for visual

basic for applications. So what it does is

it's Python actually, but it can be used to interpret and with that also to de-obuscate some malicious

visual basic code. And of course, we do see a lot of this coming across in various malicious

documents so if you are into reverse engineering malware if you want to get a

quick primer in how viper monkey works this is a diary for you to read and it looks

like NPM the note packet manager system dodged yet another bullet with malware being pushed via NPM packages.

Problem with NPM is that if you're using this ecosystem in order to develop JavaScript code,

which well pretty much anybody does these days in particular if you're

developing server-side JavaScript with Node.js, then you not only include code from various

libraries whenever you create new code, but this code is also automatically updated as new versions

are released. Now, this is one of the advantages of this

ecosystem that it's really easy and sort of seamless how everything works, but of course you

lose control over what code you actually include. In this particular case, and that has happened

before particular packages, developers changed. So a new developer

came in to the project and took it over. That of course happens quite regularly with these

open source projects. However, in this case, it appears that this new developer may have been

malicious and due to changes to dependencies

made by this developer, all of a sudden you ended up with encrypted code in this package

that then once decrypted, it did turn out to be code that steals crypto keys for

...