Hello and welcome to the Tuesday, September 26, 2023 edition of the Sands and the Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

I don't talk a lot about sort of some more targeted attacks, but there is a report by Sentinel Labs.

I figured it is worth talking about because it discusses some malware that has been used

to target some telcos in Europe, North Africa and the Middle East.

And it uses a couple of interesting techniques.

Often these techniques then later trickle down into a sort of

more commodity malware. One interesting idea here is that they're using Lua just in time. This is

a just in time compiler for the Lua scripting language. The actual maver is written in Lua, which of course makes it more modular, easier to maintain

than something that's outright compiled.

And by deploying it with the Lua virtual machine, it also does evade some standard detection

techniques.

The group deploying this malware is also taking advantage yet again of past the hash and

NTLM authentication.

Talking to other Sandsen structures and such that do pen tests, this is sort of one of their

most common finding.

It's often exploited for lateral movement, also by ransomware gangs.

So even if you don't feel targeted by this malware, yet another good reminder to sort of, you know, harden this part of your infrastructure.

Finally, for a command and control channel, what sort of stuck out to me here is that this

Malver uses Quick.

I haven't really seen Quick being used much.

Also, they're using HTTP 2, I believe, here.

...