Hello, welcome to the Wednesday, October 24, 2018 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and the I'm recording from Denver, Colorado.

Well, Xavier went hunting again, and in doing so, he came across some malware that uses simple base 64 encoding in order to disguise itself,

which apparently is sufficient to fool most antivirus tools according to Virus Total,

and then it used PowerShell to install additional tools.

Now the PowerShell script did adjust itself for various Windows versions or whatever version

of PowerShell was available it used.

And then as a random bonus, it did download an invoice from an S3 bucket to sort of fulfill its claim that it was an invoice.

So supposedly this is going to make the user feel safe.

Now, they know nothing about that invoice.

It's sort of a very random invoice, but they just assume someone sent that invoice to the wrong

recipient.

Also, the invoice is displayed using the PowerShell Start Process command, which will use the default image viewer, so the user will see the expected image viewer for their particular system

pop up to display this invoice.

And then there is some pushback against DNS over HDPS.

The pushback comes from Paul Vixie.

Now, Paul Vixie was part of the early development of DNS, also part of the bind name

server.

Now, his main argument is that DNS over HDPS does bypass a lot of

enterprise security mechanisms. Now, some people may say that this is exactly what DNS over

HTTP is supposed to accomplish. Now, Paul says, if you just want privacy, you can use DNS over TLS. DNS over TLS uses

port 853, not port 443, so it's easier blocked in an enterprise network if this protocol is not

...