Hello, welcome to the Tuesday, October 6, 2020 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich.

And today I'm recording from Jacksonville, Florida.

TheE today is writing about how to deal with a fairly, well, annoying, maybe not sophisticated,

obfuscation technique, and that's hiding a string inside a larger

repeating string. So the first string is just repeated over and over and then in between these

repeated strings you have sort of one letter at a time, the actual obfuscated payload.

In this particular case, of course, some PowerShell script.

Once you recognize what's happening, well, it's not all that difficult to deal with this obfuscation technique.

And of course, Dillet, as usual, has a Python script to take care of this

for you, Dauphuscate repetitions.py.y. And this script, well, as so many scripts, do does take

the annoying part away from you. It does find the repeating string and removes it in order for you then to just

read back the decoded payload. And Kasperski wrote up an interesting piece of malware that

they came across. That's actually a modified UEFI firmer image.

UEFI, the model replacement for what used to be done by bias is, of course, one of those

places where if you can hide your malware in UEFI, it's very difficult to remove it and even to discover it.

Now, in this particular case, the modified UFI image did write a malicious file to the Windows

startup folder whenever the system was rebooted.

So Antimalver may, for example, later find that malicious file, remove it well on the next

reboot because the UAFI, of course, did not get cleaned up.

You will end up with that same malicious file again in your startup folder.

Kasperski believes that this particular sample was based on similar Malbara, a UFI

...