Hello and welcome to the Monday, December 5th, 2022 edition of the Sanchez and its Storm Center's Stormcast.

My name is Johannes Ulrich and today I'm recording from San Francisco, California.

In Diaries this weekend, Friday, we had Brad talk about the latest update to the Q-bot or quackbot Malver.

What makes them so dangerous is the fact that once they infect a victim, the Malver injects

emails into existing email threats, malicious emails will then be sent as replies to emails.

The victim received, making it more likely, of course, that the receiver will think,

hey, this email, this attachment is actually valid and something that I need to check out.

What makes the latest version of this different than prior ones is that the attacker is now using VHD files.

VHD files are similar to iso files, basically disk images.

One disadvantage to the attacker of VHD files is that they require administrative privileges to mount and open. Other than that, the attack is similar to what we have seen

sort of with these ISO files in the past. Now, the administrative requirement, that only applies

if you're actually an active directory environment.

And never like you bought often targets sort of home users, small businesses that of course

are less likely to be part of an active directory.

Or if they do so, well, the user now needs administrative privileges.

And of course, again, in many of these sort of less maintained environments, you do have

everybody sort of running with administrative privileges still.

More details and the respective files are again available as links from the diary on Friday again.

And then over the weekend, Guy and Dede wrote two related diaries with binaries that are installed

in Windows but are typically more associated with Unix

and of course with things like ZH and such now being becoming part of Windows

you'll find them now more easily and of course malware or attackers can take

...