Hello, welcome to the Wednesday, August 22nd, 2018 edition of the Sandcent Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Stockholm, Germany.

Xavier today took a look at another malware sample that used Auto-It to bypass many controls that typically protect you from installing and running malware.

Auto IT is a quite popular scripting language to automate various tasks, so it is not malware,

and it is not recognized, of course, as such, by your anti-malware systems.

But in this case, Auto IT is then used to download a DLL that is then actually used to conduct

a number of malicious operations on your systems.

When Xavier first came across it, it was not recognized at all by any of the scanners that are supported by

virus total. But since then, it looks like the antivirus community has caught up somewhat,

and most will recognize it now as malicious. The scripts involved were obfuscated or even

encrypted, and Xavier goes over some techniques used to reverse them,

so he was able to figure out what this final DLL was that was downloaded by this malware.

And if you are using the proxy traffic in order to load balance traffic between containers

like Docker and the like, well, it's time to update.

And this is a very urgent update because traffic did include an API that was not authenticated

and leaked the private key that you're using for TLS connections.

A fix was released on Monday, but of course there are already scans underway to look for vulnerable servers.

Apparently the onion was protected by a vulnerable traffic server and its private key was already leaked to the public.

Now, once an attacker obtains your private key, they are typically not able to decrypt any

traffic that they collected beforehand or they collect just passively because of DeVie Helman,

which is used most of the time in modern

browsers, which doesn't allow you to decrypt the traffic just by knowing the server's

...