Hello, welcome to the Friday, September 24, 2021 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Attackers keep mixing up old evasion techniques in order to, well, hopefully find something new that will not get detected by anti-matter.

And Xavier came across an interesting trick here that one particular attacker used,

and that's sort of a mix of Excel4 macros and Visual Basic for applications or VBA. So Excel 4 macros is the older way

how to do macros in Excel. These days you typically would use VBA, but of course, Excel 4

macros are still supported and we talked in the past about how they're also still being used

in malicious code. In this particular case, which starts as your usual DocuSign mal-spam,

visual basic macros actually then used to create an Excel 4 macro that will then download additional malicious

code and that's the actual malware that is then being scheduled to run automatically.

So the downloader has these two components, first VBA and the VBA creates an Excel 4 macro

that then does the actual downloading.

In addition to added complication, not really sure how much that'll do in order to throw

off anti-malware, but then of course they don't necessarily need to throw off all anti-malware

if they can't throw off a couple of products. This may increase

their chances of success sufficiently to make the additional complexity of the attack worthwhile.

Researchers at Eglitzmium found an interesting vulnerability in Windows platform binary tables or WPBT.

This feature allows hardware like motherboards and the like to supply the operating system Windows with drivers in order to interface with the specific hardware.

The feature has had a little bit of controversial history

because essentially it does allow, for example,

OEMs to add additional software into your operating system

that is pretty difficult to remove essentially sort of root kits, sometimes also being used

...