Hello and welcome to the Friday, September 16th, 2020 edition of the Sands and the Storm Center's

Stormcast. My name is Johannes Ulrich and today I'm recording from Jacksonville, Florida.

Xavier today wrote up a somewhat unusual, if not new, a employed by attackers creating malicious VIRD documents.

The trick is something, well, that you may have seen in HTML, and that's iFrames and

frame sets. This feature, turns out, is supported by VIRT as well, just needs to be enabled,

as it's not used in typical Word documents and also

not necessarily visible. In this case, the frame set was used to hide a malicious RTF document

by including it as part of a frame, and that sort of works similar to what you may be used to

from HTML, where

the frame tag then just includes the URL.

The document is downloaded from.

Similar here, you just have that resource ID, and it will then download the actual, in this

case malicious document from that remote URL. The attacker also used some basic obfuscation techniques.

The IP address is expressed using a long integer format.

And then the URL, well, kind of looks like Morse code.

It's lots of dots and dashes kind of to obfuscate the URL a little bit.

Xavier, of course, went further and looked at what's being downloaded here, and ultimately,

what you're ending up with here is Red Line Info Steeler.

As always, Xavi walks you through the process, so if you have a similar document to analyze,

should be helpful to have them show you

how the analysis actually was conducted. And we do have what may be an exploit for the IPV6 IPSEC

vulnerability that was patched this patched Tuesday. CVE 2020-2-34-7-1. It was the vulnerability

...