Hello, welcome to the Monday, June 15th, 2020 edition of the Sandcent Storm Center's Stormcast.

My name is Johannes Ulrich.

And today I'm recording from Jacksonville, Florida.

Xavier came across an interesting Excel spreadsheet that used a couple new tricks in order to bypass anti-malver in particular being run in

a sandbox and also signatures. Now, as far as the sandbox goes, this macro will not automatically

run as the document is opened and some sandboxes rely on that happening. Instead, it actually

has a button that the user needs to click called document review that will then kick off

the macro. Now, the actual decryption of the malware only then happens as the user scrolls the document.

And another little trick that's probably really meant to make it easier to create new

documents as anti-malware vendors will come up with signatures is that it doesn't really

store the malicious code in a certain range of cells. Instead, it just

uses the XL cell type constants feature in order to enumerate all the cells with constants

in them. And well, that's where then the content of the actual malicious code is stored. So the attacker really can rearrange those

cons, not any time, use different content of those individual cells, and actually that content

is pretty small, so really doesn't make a lot of sense to sort of have a signature on one individual

cell. In the end, we get our normal

downloader that will then download the next stage of the malware. Sadly, at the time when

Xavier got a hold of the Excel spreadsheet, that domain did no longer resolve. It looks like we have at least one problem with last week's Microsoft updates and that

appears to affect USB printers.

Now lots of difference on a forum posts and such about it, so a little bit hard to tell

what exactly is happening here.

But apparently one problem is if you reboot the system while the printer is unblocked or turned off,

...