Hello and welcome to the Wednesday, May 31st, 2020,

edition of the Sansonet Stormstar's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Well, it's just a couple days after the last one.

We got another diary from Brad.

This time, it's about Modi Loader, also known as DeBad Loder.

A sample that Pratt found just on Monday, it uses the ISO file trick.

Remember, since Microsoft made it more difficult to execute code from files downloaded directly from the internet,

hiding them inside ISOs was one trick to avoid some of these restrictions.

We have a simple executable that then also uses OneDrive to communicate,

a cloud service that of course is less likely going to raise suspicion, in particular in Microsoft Network.

In the end, the victim ends up with Remco's RAD, the well-known remote admin tool, of course, the malicious type of remote admin that you're

going to invite in your network. More details, packet captures, samples, and everything

you need to follow Brad along as he analyzes the file can be found in links in the diary.

In Microsoft published a blog post with details regarding a vulnerability that Apple recently patched CVE 2020-232369.

This vulnerability allows bypassing SIPD system integrity protection.

SIP is important because it does prevent at hackers from altering system binaries, and the

only way to officially bypass SIP is to disable it if you're booting the system into maintenance mode,

which of course not only requires physical access, but also requires access to an administrator password.

But what Microsoft found is that the migration assistant, or at least the component started by it,

which is used when you're migrating your system to another system,

also has the ability to bypass SIP, and it can actually spawn, Bash, and Pearl, which are interpreters,

...