Hello, welcome to the Wednesday, November 1st, 2017 edition of the Sansonet Storm Center's Stormcast. My name is Johannes Ulrich. And today I'm recording from Stockholm, Germany.

Xavier today took a look at a malicious PowerShell script and some of the features implemented in it.

For example, this particular PowerShell script had two different ways, how it sort of avoided

sandboxes.

First it queried the bias to check if it's running in a virtual machine.

If strings like VMware or Senver returned, then it knew it would run in a virtual machine. If strings like VMware or Senware returned, then it knew it would run in

a virtual machine. It also avoided sandboxes by looking at the uptime of the machine.

Sandboxes typically are rebooted quite often, so if the uptime was too short, then it assumed it was running in a sandbox.

It also includes functions to create screenshots, and it is able to steal saved password lists from a number of different browsers.

So this is pretty capable now. These particular script snippets are

necessarily new. Some of them for example come from PowerShell Empire

framework that does implement a lot of features like this in PowerShell. And yet

again Apple updated yesterday.

Everything.

We got updates for ICloud, for Windows, for iTunes for Windows, for Safari, TVOS,

MacOS, iOS, and of course, watchOS.

Now, probably the most well-known vulnerabilities that's being patched here across all platforms is

the famous crack Wi-Fi or WPA-2 key reuse vulnerability. It was partly addressed in

prior updates, I believe, but this fixed it again and hopefully right now one of the new

features that was enabled in macOS hysera was the new Apple file system

there are two vulnerabilities that being addressed in APFS one could leak

encrypted disk data via the Thunderbolt port. That has also been

...