Hello, welcome to the Friday, June 10th, 2020 edition of the Sands and at Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording again from Jacksonville, Florida.

I think I mentioned yesterday how Q-Bot is taking advantage of the unpatched Folina vulnerability in Microsoft Windows.

Now, today we got a walkthrough of a sample by Brad.

As typical for Brad, he shares the sample as well as network traffic and indicators of compromise.

He extracted.

So great to sort of walk through it and see how to

analyze these type of samples. The malicious email will likely arrive as part of a hijacked threat,

a technique that we have talked about before a few times, where a bot is injecting emails

into ongoing email exchanges, it finds on infected systems.

This of course makes it less likely that a user receiving an email like this will consider it

suspicious because after all it's coming from a colleague.

They just exchanged emails with the Fol Exploid is actually used late in the

infection chain here. A user will initially receive an HTML document, then they will get a SIP

file. If they click on the link, the SIP file contains then a disk image and only once the victim

opens the disk image, the work document

that is contained in the disc image will take advantage of the fully not vulnerability

and install the actual malware. Also, for interesting, it sort of uses some Living of the Land

attacks here, and Psyc setup.exe is the binary that is being used then to pull in additional stages.

The complex execution chain, I think, is probably to evade network detection techniques.

Also, Mark of the Web, kind of to avoid some of this.

Pratt observed that the MS debug trace tool that's sort of being used to as Partifolina

...