Hello, welcome to the Friday, May 20th, 2020 edition of the Sandsenert Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Got yet another great diary from Pratt today, and Pratt took a look at the Mal malware that is using the transfer XL service.

Transfer Excel is a legitimate file transfer service, but like so many similar services, it is often

also being abused to transfer malware. And that's particular what of course Brad was looking into here, and he zoomed in on the

bumblebee malware that he looked at before.

And a particular sample that Brad ran into here is related to a threat group that Google

calls Exotic Lillian

has recently written up as in particular taking advantage

services like Transfer Now, Transfer Excel, We Transfer OneDrive, and of course other similar services.

In the sample that Pratt looked at the malware that's being downloaded from Transfer

Excel is arriving as a SIP file. Once you extract it, we have yet another ISO file, which then

when you double-click it, actually does the good old shortcut trick to then run a hidden DLL and that's when Brad first

saw the bumblebee command control traffic and then later Cobalt strike. As usual, Brad gives

you access to packet captures, indicators of compromise and lots of other details related to this particular

infection. And Microsoft today released an out-of-band update not to fix a new security vulnerability,

but to address an issue that cropped up with the May Patch Tuesday update.

One particular problem here was that people experienced authentication issues with active directory,

and this new patch now fixes these problems.

This is important because organizations have delayed rolling out the

update and this problem affected in particular the fix for CVE 2022, 26923, which was the

surrey fright issue that we have an active exploit available for.

...