Episode Transcript
0:00
Hello and welcome to the Friday, June 7th, 2024
0:02
edition of the SANS Internet Storm Center Stormcast.
0:07
My name is Johannes Ullrich
0:09
and I'm recording from Jacksonville,
0:11
Florida. Xavier
0:13
today analyzed an interesting piece of
0:16
malware. This malware was written in
0:18
Python and
0:20
distinguished itself by, well,
0:23
basically not running after a
0:26
particular date or as Xavier
0:28
called it, a best before date,
0:31
similar to an expiration date that
0:33
you often see for food and
0:36
the like. The interesting part
0:38
here is that once this date
0:40
expires, the malware essentially will refuse
0:42
to detonate and download the second
0:45
stage. Second stage here appears to
0:47
be Cobalt Strike. In my opinion,
0:49
this could very well be something
0:52
that may have been used as
0:54
part of a pen test. Also,
0:56
Xavier suggests, because it uses in
0:59
part internal IP addresses, that this
1:01
may still be under development. As
1:04
part of a pen test, of
1:06
course, avoiding some collateral damage is
1:08
always a concern. So limiting the
1:11
timeframe when a particular piece of
1:13
malware will actually run makes some
1:15
sense in that context. It could also
1:18
of course be for a real
1:20
attack where the bad guy is
1:22
attempting to limit their exposure. In
1:25
particular, for more targeted attacks, there
1:27
could be a problem if
1:29
the malware escapes and affects too many
1:32
unrelated systems, it actually then gets
1:35
added to various anti-malware
1:37
signatures, which may help
1:39
the intended victim to
1:41
actually detect the infection.
1:45
And in a talk at
1:48
a cyber security conference
1:50
in Boston, an FBI assistant
1:52
director did note that
1:55
as part of their disruption
1:57
of the LockBit ransomware gang,