Hello and welcome to the Friday, August 4, 2023 edition of the Sands and the Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Got an interesting malware walkthrough today from Jan.

It was one of those fairly common sort of purchase order emails that included a

SIPT link file. The link file itself then executed a PowerShell to download an additional

badge file that then would install the actual malware. Pretty straightforward in hindsight, kind of what's happening here.

Pretty common also to see compressed link files being used to sort of initiate and compromise.

What's somewhat surprising here is even though all of the different techniques being used here,

the obfuscation such,

none of that is terribly sophisticated, but on a virus total, this particular sample still had

zero hits, kind of showing again the gaps in anti-malware, in particular if you're relying on

just sort of simple static analysis without

actually running the malware. And Microsoft's threat intelligence team published an interesting

blog post with details regarding an attack that Microsoft calls Midnight Blizzard. They believe it is

associated with the Russian government.

This particular attack is heavy on social engineering. It uses Microsoft teams as a vehicle here to reach its victims.

It does start out by naming itself something like Microsoft Identity Protection.

The account is then labeled as external, but of course they then claim to come from Microsoft

and they registered some pretty plausible domains like on Microsoft.com, and then they're

using, for example, Teamsprotection.on Microsoft.com, and then they're using, for example,

TeamsProtection.onMarkrosoft.com.

They use then social engineering in order to trick the victim into, for example,

...