Hello, welcome to the Tuesday, September 6, 2020 edition of the Sandsenet Storm Center's

Stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

On Friday, D.D.E. took a look at one of the James Webb Telescope images that I mentioned last week, did he

used his JPEG dump Python script to help analyze them. It identified three different

JPEC data structures in files that embedded malware in addition to the image.

Now, remember, when I talked about this,

this is not a case where the image will execute code as you view it.

So the image itself is not really the exploit here.

It's really just used as a carrier to obfuscate,

if you want to call it this way,

or to bypass some other detection techniques,

and the malicious code is then being extracted by malware that the system is already infected with.

The JPEG dump script does allow extracting this additional data.

It's formatted as a certificate. Again, it isn't a certificate. The certificate is here just use it as an innocuous container for base 64 encoded data that's then being decoded into the PE executable. And Microsoft's Defender Antivirus apparently had some false positive issues over the weekend.

The Register and others summarized complaints from users who observed Microsoft Defender

flagging various applications built around the Chromium Browser Engine or the

Electron JavaScript framework as malicious.

Both of these technologies are used similarly in the sense that they do allow you to build

some of these native applications that really are built around

web applications. So it makes a web application kind of look like a native application.

And if you remember last week I talked about like a malicious translate application that

sort of use the chromium engine for example, and maybe issues like this is why Microsoft

...