Hello and welcome to the Monday, February 27, 2023 edition of the Sansonet Stormer's Stormcast.

My name is Johannes Ulrich and the I'm recording from Jacksonville, Florida.

On Friday, Brad wrote about iced ID or bogbot and they gave us an update on some of the

latest tricks that this Malbert family is up to.

Aside of using Google Ads, which is sort of one of the infection vectors that has become

already popular, the last few months as the bad guys figured out that's

pretty easy and cheap. Another trick that it's playing with malicious emails is, first of all,

one-note files, another sort of current infection vectors, really popular. And secondly, it's also

using dot- dot URL files.

Another new trick here is that it's using HTTP methods associated with WebDAF.

WebDaf, I believe SharePoint uses it.

I've seen it sort of more in the earlier days of the web to essentially sort of update websites

and the like but the prop find is the htp method that's associated with webdaf that's being

used in these latest attacks and if you are looking at ht traffic, this should really stick out and be something

that shouldn't be too hard to identify as abnormal. More indicators of compromise and other details

you can find in Brad's diary, which of course is linked to in the show notes. And DDA is just not running out of ideas on how to make his famous Oli Dump tool more

useful, not that it's not useful already.

MSI files is the latest file type that DDA added to OLLI Dump via a specific OLLIDump plugin, plugin MSI.Py.

MSI files are essentially Windows installer files, so often used to install malicious software,

and this plugin gives you sort of some basic information,

meta-dida style information from the MSI file to hopefully figure out whether or not a particular

file is malicious or not.

...