ISC StormCast for Friday, June 7th, 2024

Released Friday, 7th June 2024

Episode Transcript

0:00

Hello and welcome to the Friday, June 7th, 2024

0:02

edition of the SANS Internet Storm Center's Stormcast.

0:07

My name is Johannes Ullrich

0:09

and I'm recording from Jacksonville,

0:11

Florida. Xavier

0:13

today analyzed an interesting piece of

0:16

malware. This malware was written in

0:18

Python and

0:20

distinguished itself by having a, well,

0:23

don't basically run after a

0:26

particular date or as Xavier

0:28

called it, a best before date,

0:31

similar to an expiration date that

0:33

you often see for food and

0:36

the like. The interesting part

0:38

here is that once this day

0:40

expires, the malware essentially will refuse

0:42

to detonate and download the second

0:45

stage. Second stage here appears to

0:47

be Cobalt Strike. In my opinion,

0:49

this could very well be something

0:52

that may have been used as

0:54

part of a pen test. Also,

0:56

Xavier suggests because it uses in

0:59

part internal IP addresses that this

1:01

may still be under development. As

1:04

part of a pen test, of

1:06

course, avoiding some collateral damage is

1:08

always a concern. So limiting the

1:11

timeframe when a particular piece of

1:13

malware will actually run makes some

1:15

sense in that context. Could also

1:18

of course be for a real

1:20

attack where the bad guy is

1:22

attempting to limit their exposure. In

1:25

particular, for more targeted attacks, there

1:27

could be a problem if

1:29

the malware escapes, affects too many

1:32

unrelated systems, it actually then gets

1:35

added to various anti-malware

1:37

signatures, which may help

1:39

the intended victim to

1:41

actually detect the infection.

1:45

And in a talk at

1:48

a cyber security conference

1:50

in Boston, an FBI assistant

1:52

director did note that

1:55

as part of their disruption

1:57

of the LockBit ransomware gang,
