Hello, welcome to the Friday, October 20th, 2017 edition of the Sansonet Storm Center's Stormcast. My name is Johannes Ulrich and the I'm recording from Singapore.

Brad today discussed in two different diaries how currently the Locky Ransomware is being distributed. The first one is sort of interesting. I haven't actually

seen that yet and it involves an ISO file as an attachment. Now ISO files are typically used

for CD-ROMs, DVDs. That's their file system. But yes, you can use them as standalone files and if you're double

clicking on them in Windows then the ISO will be opened just like a CD-ROM and you have

access to the files inside now as Pratt does discuss in diary, this doesn't really appear to evade any

antivirus. So not really clear why this is done, maybe just to evade some of the simple email

filters that just do delete or block certain file types like the very common SIPD JavaScript files that we had

in the past, and ISO files may not be on those blacklists. So within that ISO, you do have

the actual executable and the malware relies on the user clicking and running it.

The second trick used by lock is something that we have talked about a couple times in the last

few weeks and that's the DDE attack.

This is where VIRT actually calls an external program in order to provide it with additional data.

Well, in this case, this external program is malware.

And as talked about before, the user will see plenty of warnings.

And again, essentially, the malware relies on the user just

executing the malware. And then we got an update on Coin Hive, the cryptocurrency

miner that has been spotted on numerous websites. Well it turns out that the

people behind Coin Hive have changed directions and they now have an

alternative that they call off-mine. Now off-mine does explicitly request permission before

actually starting its mining task and with that they're hoping that anti-malware will no longer block

their miner.

...