Hello and welcome to the Thursday, April 13, 2023 edition of the Sans and at Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Well, today we got another Malware diary to start out with.

Pratt wrote about iced ID or also Bokbot that he saw

this week. This particular sample comes from Tuesday and, well, given that Google is making quite a

bit of money with malicious advertisements, they're giving back to the malware community,

but also hosting their malicious password-protected SIP archives in Google Firebase.

That's what this particular malware does.

The attacker is first sending a PDF to the victim.

The PDF includes a link that will then download

the particular SIP file from Google Firebase. The PDF, of course, also provides the password

that the victim then uses to unsip this archive, which then ends up with an executable that's actually valid digitally signed.

Ultimately, the victim then ends up with the Iced ID, Delal injected into a valid process.

Now the follow-on activity that Pratt observed includes BackConnect as well as VNC.

So the attacker may very well then switch to a more manual, second third, or whatever you want to call it, stage to then infect, encrypt, or do whatever with the victim.

Brad, of course, as usual, provides P-Caps,

hashes, and all that good stuff. So great learning opportunity here to take the P-CAP and sort

of follow along as Brad did here and analyze the P-CAP in order to detect the particular

malicious activity.

And then a follow-up to patch Tuesday, we got more details from Checkpoint regarding some of the Microsoft MessageQ vulnerabilities.

There are three vulnerabilities.

Total, one is a remote code execution.

...