Hello and welcome to the Friday, May 5th, 2023 edition of the Sansanet Storm Center's Stormcast. My name is Johannes Ulrich,

and today I'm recording from Jacksonville, Florida. Xavier found a word document that uses an interesting

trick to get users to start a malicious executable.

Most of the time when you're dealing with malicious VIRD documents, you're dealing with macros.

But of course, these days enabling macros isn't really all that easy.

So attackers are looking for other ways to actually launch malicious payloads.

And we have seen a lot like with OneNote documents and the like some tricks here to bypass

some of these newer restrictions.

What Xavier found is actually quite simple and appears to be doing the trick here to trick the user into

launching malicious code without giving them any warning. This particular Word document has just

a straightforward Windows executable enabled and then ask the user to double click on the embedded executable

to launch it. Now, of course, this is not what the Word document says here. The Word document

does display sort of a small thumbnail image, which is really the application icon that looks

like, yeah, could be an invoice, but really too small to see.

And then it has a text telling the user, hey, this is really too small here because it was

created with a newer version of Word.

But by double-clicking on this thumbnail, you'll actually get the full-size version. What you actually

do when double-clicking is then launch the embedded executable. The dot-net executable turned out to be

an infesteeler. It collects data from the infected host and then exfiltrates them via email.

Xavier was able to extract the email configuration and posted it as part of the write-up.

The mail server happens to be in Saudi Arabia, mail.tcc.org.s.a.

And Cisco released a bulletin regarding a critical vulnerability in the Cisco SPA 112 to port phone adapter.

...