Hello, welcome to the Monday, February 15th, 2021 edition of the Sandstone at Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Looks like at least are from anecdotal evidence that lately we have seen a little bit researching of CHM files.

These are Microsoft Help files.

Used to be really popular in malicious attachments, but have been fading off until recently.

And the idea here is that these CHM files contain HTML that, since it's executed locally,

can then execute JavaScript that in turn, at least here in the example that Xavier came across,

is used to launch PowerShell.

Of course, once you have PowerShell, then the sky is the limit, and here

additional matter is being downloaded and executed. So it doesn't really give the attacker

any new capabilities. They didn't have sort of an existing, sipped JavaScript and HTML files,

but typically the reason why attackers are trying and rotating through different

extensions like this is just to see if you let down your guard, you're no longer looking

at these particular files, and as a result, they may be able to slip in some malicious content.

And SIFT, a company that helps prevent payment card fraud, has come across an interesting

scheme how fraudsters are able to monetize stolen account and credit card data.

Now, it's not always payment information that's being stolen here,

but in this particular case also login information for various food delivery services.

The way the data is monetized is that these fraudsters are then offering their services,

for example, via telegram, and the individual is then

able to place an order via Telegram using the fraudster at, of course, a substantial discount.

So it's a little bit like buying a super discount stereo of a van at the side of the road.

...