id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc
18923	"PowerShell Virus found in JOSM ""josm-15628-tested.jar"""	anonymous	team	"I have been running JOSM (josm-15628-tested.jar specifically - but likely in most downloads) as a standalone executable JAR without admin rights on my corporate Windows 10 laptop. Our security team contacted me to point out that it was responsible for a PowerShell execution that makes contact with the Taiwanese Government Service Network. These are the relevant details from their report (personal details anonymised). I recommend a regular, thorough virus scan of these downloads:
------------------------------------------

Alert is triggered when the user executed a PowerShell command.

On Mar 10, 2020, 9:08:12.398 PM, javaw.exe created process powershell.exe - ""javaw.exe"" -jar ""C:\Users\XXX\Desktop\XXX\josm-15628-tested.jar""

Further powershell.exe created file
{{{
__PSScriptPolicyTest_n41xqwak.gvs.ps1
__PSScriptPolicyTest_fmqutwvz.sdc.psm1
_PSScriptPolicyTest_4lrcuaem.ycs.ps1
__PSScriptPolicyTest_3w1see1v.fzl.psm1
}}}

Evidence of xxxxx.psm1 and xxxxxx.ps1 created in C:\Users\XXX\AppData\Local\Temp\

Txt file “josm_exec_3310044807545867159.txt” is written and closed under the path - C:\Users\XXX\AppData\Local\Temp\josm_exec_3310044807545867159.txt

powershell -Command ""[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;[System.Net.WebRequest]::Create('https://grca.nat.gov.tw').GetResponse()""
Checked the website present in the command Line, we found that this website is related to Government Public Key Infrastructure, Taiwan's Government Root Certification Authority (GRCA). This website and IP address is not reported in Virus Total and shows as clean.

XXX has not taken any action on this PowerShell execution.

ISP                       GSN Taiwan Government Service Network.
IP                        210.241.69.210
Blacklist Status          0/35
Domain Registration       Unknown
Usage Type                Government
Hostname(s)               210-241-69-210.HINET-IP.hinet.net
Domain Name               gsn.nat.gov.tw
Country                   Taiwan
City                      Taipei, Taipei"	defect	closed	critical		Installer Windows	tested	worksforme	Virus	Don-vip
