Hello, welcome to the Friday, December 3, 2021 edition of the Sansonet Stormsendors Stormcast.

My name is Johannes Ulrich and today I'm recording from Jacksonville, Florida.

Brad took a look at the latest campaign using password-protected SIP files.

They're arriving via email once the user extracts the file enables macros and runs the

HTA file.

They will now be infected with iced ID or BockBot.

This campaign is part of what Brad describes as TA551, also known as Shat Hack.

It's essentially a malicious spam group that does distribute whatever malware comes around.

So have seen this quite a few times before pushing various malware.

There is also a possible follow-up with

Cobalt Strike if the infected system is part of an active directory domain. That's, of course,

something that has become the norm now, where an attacker will sort of install commodity malver.

If it's not a system, that's part of active directory. If it is

part of active directory, then of course the assumption is that it may be a higher value organization,

so it may be worthwhile taking a second look and then by installing Cobalt Strike, the attacker

often then proceeds with ransomware.

And for the Python developers out there, a neat little package, Pip audit. You just install it

with Pip itself, and it installs a little command line tool that if you just run it by itself,

will check your installed Python packages for anyone that are vulnerable.

Just ran it myself on my desktop and yeah, it found three vulnerable packages that I had installed.

Of course, a quick upgrade that mitigate this problem.

All in all, only took maybe five minutes, so certainly worth your time to give us a little

...