Hello and welcome to the Tuesday, March 11th, 2025 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Well, Xavier went out and went Malware hunting again, and one of his malvers safaris he came across another odd

API calls that's just one of the tricks that excati often uses looking for odd API calls

the odd API call here was a Windows API call UID from string A so what it does is it takes a UUID, a universal unique identifier.

These are these long 128-bit identifiers.

And then it takes that string and converts in its binary format.

In this case, it was actually used to encode Malver.

So the Malver was encoded in UUID strings, 16 bytes or 128 bits at a time.

It was transmitted to the victim in this format and then decoded into its original binary form using this Windows API call, but the actual

script was written in Python. Turned out to be a Cobalt Strike beacon, but overall, still

important to know that yes, attackers can use these creative API calls to encode malware in various formats.

And apparently, according to Xavier, the Lazarus group, the North Korean group,

often going after crypto coin, well, has been known to use this particular trick in the past.

Let me have a little bit an interesting, tricky vulnerability.

I mainly want to cover it because it's a little bit confusing here.

It's a vulnerability in Moxa switches.

Moxa makes switches for factory environments,

so a lot of them are used in ICS and OT networks.

The problem here is that this particular vulnerability, which they call a front-end authorization

logic disclosure vulnerability that can be used to bypass authentication and gain admin

access to the switch.

...