Hello, welcome to the Thursday, April 7, 22 edition of the Sansonet Storm Center's

Stormcast. My name is Johannes Ulrich and today I'm recording from Jacksonville, Florida.

Brad today wrote up a story of Meda Steeler. A Meda Steeler is a malware that has been around for a while, but

well, it keeps morphing as most of this malware. And this particular sample arrived as an Excel

spreadsheet. Of course, the victim had to enable macros. It does use the good old docusine

lure in order to get people to enable macros. It does use the good old docu sign lure in order to get people to enable macros.

And then, well, urgency again here, it does claim that you just transferred some money

and the attached document will tell you more or possibly, of course, block the transfer. Now Now once you enable the macros, then the

macros reach out to GitHub. GitHub of course being usually considered a benign website and has

a lot of good uses, but well like with many file storage sites like that, it's often being abused.

It also uses transfer.

js.h, which we have talked about last week, I believe, we had a story with transfer.

That's, again, a very simple and free file transfer service that's particularly designed to sort of allow

simple scripted transfers.

Well, all the files being downloaded are then being used to create DLL and executable.

That is then being used to, of course, download additional instructions and connect to the

Medastaler command and control servers.

There are a couple of red flags here for the user, like having to enable macros and later

to actually allow a process called notice.exe to make changes to your device. But all of this, of course,

may be considered normal by user who really just wants to block this straight bank transfer.

That's at least sort of what the email claims this is all about. From a detection point of view,

I definitely would keep an eye out for Transfer.jsH.

...