Hello, welcome to the Friday, February 19th, 2021 edition of the Sandcent Storm Center's Stormcast.

My name is Johannes Ulrich.

And today I'm recording from Jacksonville, Florida.

Brad today has an analysis of the latest Trickbot sample that he came across.

Trickbot in the past has had some interesting, innovative features. This time around, nothing really too special and actually

looks like they're slacking off a little bit and messing it up here. They're downloading a DLL file,

not an executable. well, that's ultimately nothing

really new. And then they're setting up a scheduled task to start that DLL. The problem is

they're slightly messing up the path. So this DL, at least the sample that Brad, didn't actually then run. The emails that carry

this particular trick-bought version, nothing really all too fancy. DocuSign, again, is sort of their

theme here, and the user has to open an Excel spreadsheet and enable macros for the malware to run.

You may have heard the news about the indictment that was unsealed against some

hackers that are working for the North Korean government and were involved in the theft

of cryptocurrencies.

Today, the cybersecurity infrastructure security agency followed up with seven different

bulletins that contain details about the particular malver being used and, well, they call these

samples Apple Juice, where Juice is spelled

J-E-U-S. This malware operates on different platforms, so you'll find it on Apple as well as on Windows,

but the common denominator here is that they try to impersonate legitimate cryptocurrency trading applications and essentially

trick the user into willingly installing the application. There is no technical exploit really

involved in getting the application installed. In some cases, like for example for the Apple versions, it's not even digitally signed,

so you will get a prominent warning and may even have to jump through some hoops to install

...