Hello and welcome to the Friday, June 30th, 2020,

edition of the Sanchez Storm Center's Stormcast. My name is Johannes Ulrich, and today I'm

recording from Stockholm, Germany. Remco's rat is malware that Brad found this week in an email

attachment. Actually, well, the email attachment led them to the malware.

It started out as so often with an email to that included a link to a PDF.

The interesting part here is that the link went to acrobat.

Dot Adobe.com.

This is a legitimate Adobe.com URL, but it's used for

acrobat users to publish documents. So it's user-provided content that's not provided or in any way

vetted by Adobe, which of course can then be easily used to do what the attacker did here, publish a PDF document with a link that then leads the victim to a zip file.

And then the usual circus starts where you have the zip file being downloaded.

A password is being used to decrypted,

so that way it's more difficult to inspect the payload as part of any kind of proxy or so that

you have, which will then eventually lead to the malware. Also, all the communication happens

to be if I saw this right over HDPS,

so you do need to do TLS inspection to see anything here. As usual, Brad is providing

packet captures and malware samples or links to that in order for you to be able to follow along with Brad's

analysis. And if you're a user of ArcServe backup product, you may have seen a patch being

released earlier this week fixing a single vulnerability. It's an off bypass CVE 2023-26258. Researchers from MD

SEC originally discovered this vulnerability and a notified arc serve of this vulnerability. It's actually

very trivial to exploit and these researchers also have now

published a blog post with a proof of concept for this exploit. The problem is that the

...