Hello, welcome to the Friday, October 22nd, 2021 edition of the Sandsenet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Riyadh, Saudi Arabia.

In today's diary, Brad is updating us on the Stolen Image Evidence Campaign.

One interesting update here, the message that you'll receive is typically not sort of just

a simple spam email, but instead was likely submitted via some kind of web-based contact form.

The message then claims that there is some evidence of wrongdoing, some copyright violation,

or the like which will link to a SIP file. The SIP file, once uncompressed, will reveal a JavaScript

file, and then the JavaScript file does download and run a DLL.

That turns out to be malware based on sliver.

Sliver is often referred to as an adversary emulation tool.

Essentially a tool pen testers are using in order to create malicious files for their tests.

But of course, the same tools are also quite useful

for the bad guys. And as usual, Brad will provide you with all the P-caps and details in order

to train your teams in recognizing and analyzing any similar activity.

And Bit Defender ran across yet another RootKit that takes advantage of digital certificates

that are validated by Microsoft.

Netfilter was a similar case a couple of months ago,

and the problem here is that a lot of the protection that Windows

uses against rootkits, against drivers and such being installed are being bypassed as soon as

the Malware is able to present a valid certificate. These are not stolen certificates, but instead the malware author was apparently

successful into tricking Microsoft into signing one of their certificates. Aside from the fact that

this, of course, can be very damaging to a system exposed to this malware.

...