Hello, welcome to the Monday, February 14, 2020 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Xavier has been hunting for isophiles that are being embedded in HTML and found another way how these isophiles are being

obfuscated. The latest example is apparently not at all recognized by any entire virus based on

virus total and it does encode the data as HTML ID attributes.

The document contains a number of paragraph tags.

Each one of them has an ID attribute and then JavaScript will just iterate through these

paragraph tags, extracting the ID attributes and then decode them to an invoice.

ISO file that's then presented to the user for download.

And to make things even more interesting, the ISO file does not include an executable,

but instead yet another visual basic script that then is executed

to load additional malware.

And the DLL that's being downloaded is hosted on the Discord CDN, which is yet another

sort of trick that's commonly used in order to make detection more difficult.

Well, to fight some of the exploits that may now be launched by malware like this,

we do have for a while now Microsoft's attack surface reduction tool that's part of its its Windows defender. And a good part here is

ASR, the attack surface reduction tool is getting better and better. One of the changes that Microsoft

published on Friday is actually preventing access to the LSAS process.

LSAS is responsible for authentication, so a common tool like mimic hats is often used to extract

credentials from LSAS, and with this new ASR rule, this is no longer possible. And now the block

credential stealing from Windows Local Secure the Authority subsystem, as this rule is called,

changed from not configured to configured and default mode is set to block preventing access.

...