Hello, welcome to the Wednesday, August 21st, 2019 edition of the San Bernard Storms on a Stormcast. My name is Johannes Ulrich.

Entertainment recording from Jacksonville, Florida. I think it was just yesterday that I talked about some of the dangers of DLL side loading and security software being used against you.

Renato wrote up a real great analysis of what he calls the Gilmah information stealer,

which is Malware that he has observed in Brazil.

One feature that sort of caught Renato's attention here, and certainly somewhat unique

for Malware is the use of Facebook and YouTube.

You have seen Malware use social media sites in order to basically serve as command control

server.

Not so much really Facebook and YouTube. In this case, these sites are used

to refresh lists of command and control servers that are being employed by this malware. Renato

has counted a total of 76 command control servers so far. And essentially what happens here is that the

malware is checking a certain number of Facebook and YouTube accounts and the attacker keeps updating

these accounts and deposits a list, an encrypted list of command control servers that's then being read by the malware.

Now, the malware, as often starts with a phishing email that tricks the user into downloading

the actual malware, most of it initially in JavaScript, and then as next stage it uses DLL site loading.

So what it does here is it launches a component of Internet Explorer, EXT Export.exe.

So this is not malicious software at all, but when it starts up, it searches for a number of DLs and the attacker is clever

enough to leave their DLL inside the Win 32 Libraries directory.

So that's where the attackers' DL is picked up by EXT, export at EXE, and executed.

Another interesting procedure that's being used by this malware is process hollowing.

I believe that's a little bit newer technique, really.

And what it means is that the attacker will suspend again a non-malicious piece of software

...