Hello and welcome to the Monday, October 24, 2022 edition of the Sandsenet Storm Center's Stormcast.

My name is Johannes Ulrich and I'm recording from Augusta, Georgia.

Brad in the diary from Friday looked at one of those tech support scams you may have seen. The scam

starts out by displaying a pop-up tricking the user into installing a fake browser update.

Brad calls this particular scam script is spisen, if I pronounce this correctly. It's the particular name that the JavaScript uses that is being injected into websites to display the pop-up message.

In the past, Brad observed these scripts installing solar marker matter, but more recently recently it switched to net support rat.

More details and indicators of compromise can be found in Brad's diary.

One interesting tidbit here, it also installs a Russian version of Google Chrome. Did he over the weekend wrote a diary with some hints to use his RTF dump tool?

RTF documents still frequently used as malicious documents and well a part of the reason

they're popular is that you can obfuscate parts of them and

makes it more difficult to analyze them of course and more difficult to identify them as malicious

did they added the dash capital f option to the tool and this helps you identify and de-officiate

some of the more popular obfuscation tricks. If you use this dash-capital F option, or find

option, the tool will look for hexadecinal strings ininesal strings in the document and it will then attempt

to decode them.

DDA shows how the option works and uses a malicious RTF file downloading the form book

malware to demonstrate how it all works.

And talking about bypasses, we got more ways to bypass the mark of the web in Windows.

This is, of course, something that Microsoft sort of has been improving over the years.

The mark of the web is this alternate data stream that's added if you download a file from the

web and it's supposed to trigger warning messages as a user attempts to open the files,

particular execute files.

...