Hello and welcome to the Monday, September 19th, 2020 edition of the Sands and at Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Friday we got yet another interesting office document taken apart by DDA.

Of course, one thing that PICDDA's interest is the Visual Basic for applications of VBA code

included with the document.

But beyond that, the custom XML part attracted to his attention.

This custom XML part contained a good amount of hexadecimal

content starting with the classic MZ header, well, the hexadecimal representation of these

two ASCII codes for PE files. DDA was able to pull the hexadecimal part out with one of his famous tools and

converted to a binary file.

No surprise, you ended up with Windows executable at which part did he kind of lost interest in it.

Apparently, he is on a well-deserved holiday,

but well, what better to relax to at the beach with some nice malware? And I can't find it right now,

but I think someone responded on Twitter that they saw a similar piece of malware last week,

so this may be part of a larger malware run.

Gaps in the implementation of two-factor authentication have made big news recently, like

bombing victims with pop-up notification.

That's a trick that was heavily used by the lapses group, if you remember,

and of course since then others have picked up on that same trick.

A different issue comes up with second factor authentication tokens that are sent to the phone

as a message, either via SMS or via specific

messaging apps. Some users will allow these messages to be displayed on their lock screen.

...