Hello, welcome to the Wednesday, August 1st, 2018 edition of the Sands and Storm Center's Stormcast.

My name is Johannes Ulrich, and the I'm recording from Jacksonville, Florida.

Attackers are always looking for ways to use existing system tools to fly under the radar. One tool that has gotten a lot of

attention on Windows is cert util. Search Util can be used to base 64 encode content. This feature is

actually part of search Util's ability to convert different certificate formats.

For example, the popular binary DER format, it can be converted to the base 64 based PM format just

by running the file through cert util.

But when cert util performs this conversion, it actually doesn't check if the file that you

provide is a certificate.

It just takes the file, base 64 encodes it, and then adds the usual start certificate and

certificate lines to the file.

So attackers have figured it out and are using certutel now to decode various files.

Now, a normal certificate file is X509 encoded and that means that the first byte is always

48 or 30 in hexadecimal or if

you base 64 encode this it's the uppercase letter M.

So our handler DDA wrote a Yara signature as part of his day job looking for any files that claim to be a

certificate based on the start certificate line but don't start with a letter M in the base 64

encoded part he ran this against virus total and well no surprise here really he found a large treasure

throw of malware of course interesting here is not just that he found malware but also this

malware often wasn't recognized by any of the antivirus engines and of course instead of just

looking for certificates that aren't certificates, he was also

able to look, for example, for certificates that include Base 64 encoded executables or

...