Hello, welcome to the Thursday, August 12, 2021 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich and the I'm recording from Stockholm, Germany.

And Brad did some malware analysis again, and he looked at the latest example of TA 551 or Shad hack.

This particular Mountar group he talked about before and it's your typical malicious email.

In this case the attachment arrived as a password protected zip file.

Now once extracted you got your standard word macros

that then dropped additional matter, including the bizarre loader.

Now, what we see more and more lately, of course, is Cobalt Strike Next.

And Brad has, in the right-up, the traffic that actually Cobalt Strike generated.

That's probably the most interesting part here, because you see this in so many different

malice samples these days.

The traffic captures are again available for download, so if you would like to play with them yourself,

you may do so just look at Pratt's diary.

But well, it's not just Windows users that click on things. Apple users aren't immune either.

And Sentinel Labs looked at Adload.

MacOS Malva family, it has been around since 2019.

And Sentinel Labs looked at 150 unique samples just this year. What's sort of interesting here

and pointed out by Sentinel Labs is that Apple's ex-protect, which is supposed to protect

you from Malvern like that, apparently isn't that terribly effective. Well, X-Protect is

really very much a signature dependent and typically

easily evaded. According to the article, there are about 11 different signatures in XProtect

for different ad load versions, but the ad load keeps mutating and specifically evading these signatures that Apple has

...