Hello, welcome to the Monday, February 22nd, 2021 edition of the Sands and the Storm Center's Stormcast. My name is Johannes Ulrich.

And I'm recording from Jacksonville, Florida.

This weekend was sort of a flashback weekend that featured two diaries about DDE dynamic data exchange, a technology that has led to exploits,

well, back in sort of the early days, as far as I'm concerned, when OS2 was still a competitor

for Windows. DDE allows for many of the features that we now have in macros with that

malware that takes advantage of DDE is of course able to, for example, download and open

files from the internet. To the user, DDE actually sort of looks a little bit like macros in the sense

that once you open the malicious document, you do have to enable macros in order to allow

these DTEs to run. I assume that one reason why hackers tend to occasionally play with these older

techniques again is that they hope and well sometimes they're right about that that

modern anti-malver may have forgotten a little bit about these old techniques so it may not

detect this as malicious because after after all, there is no macro

present.

Xavier wrote about this sample on Friday, on Sunday.

We do have sort of a follow-up to this from DDA, where he shows how his oily dump tool

can be used in order to analyze these documents.

And researchers at Red Canary, VMware, and Malwarebytes have investigated and documented

some interesting Apple Malware and is yet another example of Malware that apparently

has specifically been compiled

for the M1 processor.

As so often with Mac Malver, it just asked the user to install it.

The ruse here apparently appears to be the very common Adobe Flash installer, which we have seen sort of as one of the predominant

...