Hello and welcome to the Wednesday, April 5th, 2020, 3 edition of the Sansonet Storms, Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Let's start with a quick follow-up to the e-file.com situation.

The site has been fixed as of Tuesday morning.

It still has no public notice or so warning users that they may have been redirected to Malver

in the past.

I took the time today to take a closer look at one of the two malware samples that were delivered.

Chrome users got Update.exe, and Firefox users got installer.exe.

I took a look at Update.exe.

It's actually Python code.

It uses a pie installer common framework in order to turn Python code into

standalone executables, which makes reverse analysis relatively easy, pretty bulky piece of malware.

It initially actually downloads the entire PHP distribution and then has a brief PHP script

that actually implements a back door on a command control channel that's pretty straightforward.

It'll just pull a particular URL every 10 minutes, I believe it is, and then whenever there's

a command coming back, it will execute that command.

It can also download files, and that's pretty much all it does.

But, of course, being able to execute commands, being able to download and run code,

well, that's where the all that hacker needs to do to fully compromise a system.

One little interesting quirk here, if you run the

update script as a normal user, it'll actually complain and then ask you to run it as

administrator in order to be better able to make itself persistent by adding itself as a

...