Hello, welcome to the Friday, January 24, 2020 edition of the Sandsenert Storms,

on a storm cast. My name is Johannes Ulrich. And today I'm recording from Jacksonville, Florida.

Today's diary by Xavier has two interesting malware samples that distinguish themselves by their different approach they're taking

to evade antivirus. First one is good old EMOTET. Now, EMOTET is pretty common, makes the headlines

pretty much every day, so you would think that anti-malver pretty much has it down when it comes

to detecting this Malver family. Problem is, it keeps changing, and Antimelvar is still not

flagging all vert macros. Personally, I think they probably should do that, but then they're

like business people and such that may be a little bit opposed

to that idea.

And as a result, of course, they try to parse the macros that are attached to the document.

And in this case, the macro is heavily obfuscated.

There is a ton of unnecessary code that's sort of just being added to essentially

sort of flood and confuse the antivirus engine. And in this case, a couple major vendors missed it.

And as Xavier states, this particular document made it all the way to the user in a reasonably well-protected network.

So, Emotette here pretty much does standard evasion trying to not get detected as malicious.

The other example, a little PowerShell script, takes a very different and in some ways simple approach.

What it does is it actually doesn't try to evade

antivirus. Instead, it's actually trying to get detected. It's just trying to get detected with

the wrong signature. To accomplish this, the author did add the ICAR string at the beginning

of the PowerShell script.

ACAR is a standard string that's used to check if anti-malver is working correctly.

And essentially what anti-Malver does it, it looks in the first few bytes of a document.

...