Hello, welcome to the Wednesday, August 26, 2020 edition of the Sandcentred Storm Center's Stormcast. My name is Johannes Ulrich. I'm recording from Jacksonville, Florida.

Quick diary today from Xavier about Living Off the Land Bineries or Lowell Bins. It really has gotten a lot of attention in the last couple years.

And what is all about is attackers not just uploading matter to your system, but instead

using software that's already installed on the system to do a lot of things that, well,

they in the past used malicious software for that was easily

detected.

Now this is a topic that we have covered before and some of these binaries like for example

Bits admin or cert util are heavily abused but not so often used really by normal users. So that's what this

approach to detecting misuse of these binaries is all about, that you're using tools like

Sysmon and PowerShell to figure out who and how these particular binaries are used.

Now, in general, we don't really talk a lot about iOS malware, because Apple, with its very

restrictive App Store, has been pretty good in keeping Malware out of the iOS ecosystem, but ever so often someone sneaks past it.

And, well, just appropriately that sneak the company that detects vulnerabilities,

independencies, libraries and such, discovered this ad network SDK by MoVista, a Chinese mobile ad tech company

that does misbehave and does steal ad revenue.

Now yes, this particular software development kit, if used by a developer in order to integrate ads

into the application, does exfiltrate more user information than it really should.

But the actual victim here is as much the developer that integrated the ad network, as well as other ad networks,

in that it claims clicks to come from its ads,

even though another ad networks,

SDK may be used to display a particular ad,

but it also may just generate fake clicks,

...