Hello, welcome to the Monday, May 1st, 2017 edition of the Sansanet Storm Center's Stormcast. My name is Johannes Ulrich,

and I'm recording from Jacksonville, Florida. One thing we always enjoy is if people send us Malware and Xavier looked at

one sample on Friday. It used a pretty sort of interesting obfuscation technique,

which led to only five antivirus tools actually recognizing this particular sample as malicious,

even though it was, well, just another vert macro. So first little trick that this malware plays is that it doesn't actually start automatically.

The user has to first start the macro.

This removes one common signature that's being used and this is the auto open function.

Secondly, the malware then downloads additional code and that's again kind of common,

but it does so iteratively. So each download does give it another snippet of code. Essentially,

it checks just what works. That code itself is heavily obfuscated and then exhort with a key that was downloaded in the initial

matter. So without the auto-open function and no recognizable executable being transmitted across

the network, that apparently does cause problems for many antivirus products in this particular

case. However, no need to be too concerned about this particular sample because in the end it

actually ends up downloading fairly commodity malware that is widely recognized. We have seen this

before where attackers go through quite a few hoops

and use fairly sophisticated exploits initially, but then end up downloading commodity malware

that doesn't really work if you have any kind of reasonable antivirus installed. However,

I wouldn't totally discard the sample.

Another thing that often happens, if the first sample is being downloaded is being caught

by antivirus, you may actually see the downloader reach out to additional URLs and then

download additional malware until it finds a sample that does not

get recognized by your antivirus.

...