Hello, welcome to the Wednesday, May 19th, 2021 edition of the Sandson and Storm Center's Stormcast.

My name is Johannes Ulrich.

And then I'm recording from Jacksonville, Florida.

Xavier came across an interesting malware sample that actually manages to execute JavaScript on a Windows system.

This is accomplished using Run DLL 32,

a technique that has been around for a while,

but is not commonly used in Malware so easily overlooked,

and it's one of these living off the land techniques where

the attacker uploads a piece of JavaScript and then uses tools like RunDL32.EXC to execute

it.

The reason that RunDL32 exists is that it's able to load DLL files and then execute certain functions

of these DLL files.

That's exactly what happens here.

The command line parameters are first JavaScript colon, then link to the library, and then finally the little bit of JavaScript that the attacker is

attempting to execute. In the end, the attacker then of course pivots to PowerShell where most

of the exploit happens. For more details, take a look at Xavier's diary entry. An ESET published a report outlining

some vulnerabilities that ESAT found in Stalkerware for Android. Stalkerware usually refers to

software that can be used to track a victim. And this distinguishes itself

by being rather stealthy about what it does. So it's not easy for the victim to figure out that

the victim is actually here targeted with this particular software. What he said found was that starting in early 2019,

they saw a big increase in that kind of matter.

But in their work that they published this week,

...