Hello, welcome to the Tuesday, September 3rd, 2019 edition of the Sands and at Storm Center's Stormcast.

My name is Johannes Ulrich.

And today I'm recording from Brussels, Belgium.

Xavier came across another malware sample that actually downloads and installs a complete copy of Node.js on Windows systems it infects.

Notejs, of course, has become a real popular development platform for all of its libraries

and capabilities. It's offering in this case it's not really clear why the attacker is going through the trouble

to download it all. Xavier only took a cursory look at the malware, but it mostly appears

to implement a command and control channel. So this may not be a finished product yet, but more

kind of a prototype trial balloon of further malware

to come. Note.js, of course, is not malware by itself. It's not flagged as such by your antivirus,

and that may be an attempt to sort of sneak past antivirus and then just load miscellaneous

JavaScript snippets that of course are again also usually not detected or not even analyzed.

In particular, in this case, the actual attack JavaScript that's then implementing this command control channel

is actually arriving as a base 64 encoded comment.

And if you're running your own mail server in a Unix environment, it's very likely that you're using the DovCod server for IMAP.

Well, a remote code execution vulnerability in DovCat was just patched five days ago.

Certainly time to look out for updates for your Unix distribution.

The advisory does list a little sort of proof of concept exploit for this vulnerability, but

also states that actual remote code execution is quite tricky to accomplish in this particular

case.

In addition to remote code execution, this vulnerability may also be used

to read memory from DuffCod. DuffCod add-on Pitchin Hole is also affected, but not clear if there's

...