Hello, welcome to the Friday, August 16th, 2019 edition of the Sandcent Storm Center's Stormcast.

My name is Johannes Ulrich.

And today I'm recording from Jacksonville, Florida.

Did he take a closer look at a malicious word document that was recently used in a more targeted spearfishing attack and

well actually proofpoint wrote about the attack itself. What Dede did was take his well-known

scripts to analyze this document and show how to overcome various obfuscation techniques used in this

particular case.

Sort of interesting here and not really unusual is that the actual malware was sort of encoded

as a PM file format.

So PM is often used in certificates, but the reason attackers like to use this particular format on Windows is that they can use cert util, which is typically used to read certificate

files that are PM decoded to decode the file and then create the executable.

This, of course, is also supposed to evade some of the simple signature-based detection because you

no longer see the typical PE header that you have in Windows executables. On the other hand, as the D.D.A. points out,

with PM certificates, the first letter actually should be M. But if you have another file just

encoded as a PM certificate, that's no longer the case. So that's actually something

that could be used as

a signature to find these odd or invalid PM certificates. And I think pretty much every week

we have a couple of IOT security issues or failure of end of things security. Actually, I remember last week I didn't cover a couple stories that were kind of interesting

just because I figured, well, we had too much IoT security already to talk about.

And well, you probably noticed it keeps repeating some of the issues that are showing up.

Well, if you just thought that the issues

keep repeating, there's now some confirmation here from Sarah Satko with the Cyber Independent

...