Hello and welcome to the Tuesday, May 20th, 2025 edition of the Sands and at Storm Center's Stormcast. My name is Johannes Ulrich. And this episode brought you by the Sands IDU Graduate Certificate Program in Cybersecurity Leadership was recorded in Jacksonville, Florida.

In today's diary, we got Xavier taking apart a remote access tool.

This remote access tool starts out with scripts written in Auto-It.

This is something that keeps coming up.

It's not a new technique at all, but something I think that's often overlooked. Auto IT is a language designed to, well, rollout configurations, remote-managed machines,

and that's exactly what the bad guys take advantage of here. In particular, since these scripts

can also be compiled into self-contained executables, not requiring the victim

to already have auto-it installed. In the past, of course, we have seen a couple of examples

where the actor would also install auto-it on the system for the victim, but that's not the case here

with what Xavier saw.

It also enables some simple persistence by adding itself as a startup item, and then essentially

connects to a remote control server, some command control server that luckily is no longer

accessible.

From a defensive point of view, you probably don't want to outright block Auto IT

because it is a useful tool unless you're not using it in your environment.

And other than that, well, it comes back to downloading executables, letting users execute random executables.

Never a good idea.

And last week I talked about the unfortunate incident around RV tools, the VMware

Analysis Toolset, well, there was some confusion whether or not it was actually just

malicious version downloaded from some other random site or whether the actual RV Tools website was compromised.

We now got confirmation from rawfair.net, the entity behind RVTools, that yes, their website was compromised and the website is currently shut down.

Now, in different news, we have a similar incident around KeyPass, but in this case, it's not that

...