Hello, welcome to the Monday, October 17th, 2016 edition of the Sansonet Storm Center's Stormcast. My name is Johannes Ulrich, and I'm recording from Baltimore, Maryland.

Over the weekend, we got two posts related to Malware, first one from Brad about the latest news from the pseudo-darkleach campaign,

which is something that Brad has been following in his last post, which was about two weeks ago,

he observed how it's being used via the Rick Exploid kit to distribute the SIPMIC ransomware.

Apparently, they now changed out the ransomware for Kerber.

This is very common where sort of different components in these campaigns are being exchanged

depending on whatever works best that particular day or that particular week.

I guess development of the older ransomware isn't quite keeping up with antivirus, so they're now switching to server.

And then we have the DA talk about how to decode obfuscated visual basic script that you often see in malicious macros

by essentially just running the appropriate part.

And then, for example, filling it into an Excel cell so that you can just read whatever came up or use a message box in order to

display the decoded content. Now, this trick works really well. He then actually also

shows you a little video and how to do that, not just, of course, with visual basic macros

in Excel, but also in VIRT you use essentially

the same Excel spreadsheet technique in order to do that.

I think it should be understood.

You have to be careful when you do this.

It's very easy to mess up and run more of the script than you intended to.

But this is very similar to what's often done

for example in JavaScript where you just sort of put a text area around some

off-uscated JavaScript and then have it decode itself in that text area which can

work actually quite nicely.

...