Hello, welcome to the Monday, February 21st, 2022 edition of the Sansonet Stormsendors Stormcast.

My name is Johannes Ulrich.

And I'm recording from Jacksonville, Florida.

Big thanks, as always, to our readers who send us interesting Malver Xavier looked at a recent example that claimed to be sort of a PDF.

The extension was dot tar.

Dot LC, but the file name ahead of the extension ended with a PDF.

I guess that's sort of how they try to make it look like a PDF.

Other odd thing, the dot-lc extension is usually not recoverable with Windows.

If you just click on it, it'll tell you need to load the appropriate tool from the app store.

Turn out to be just compressed and tart.

And then inside you didn't have a PDF, no, it was your usual visual basic script.

And Xavier is going through the decode of that script to figure out what it's eventually attempting to accomplish,

which in this case was installing a copy

of Remko's rat. A couple takeaways from this. First of all, of course, attackers are always trying

new things. They may not initially make sense, but well, still worth for the attacker to give it a try

and essentially see what sticks.

So be very of any unusual extensions hitting your users in email attachments.

And if you've got a critical vulnerability in the Cassandra no SQL database. Cassandra is an Apache project. Now, before you get

too varied, it's not exploitable in the default configuration. The problem here is that

Cassandra offers the option to provide user-defined functions.

And these functions are written in JavaScript, but can call Java,

and they are running in Cassandra's own sandbox.

...