Hello, welcome to the Thursday, August 20th, 2020 edition of the Sandcent,

and it's Storm Center's Stormcast, my name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Little treat today from Xavier who walks you through a somewhat unusual obfuscation technique used by a recent sample of QuagBot.

It was delivered as one of those DocuSign documents and emails that you've probably seen quite

frequently. In this case, the macro that then actually caused the quagbot sample to be loaded had this

interesting obfuscation technique that Xavier took apart for you.

What's also sort of interesting is that the file name actually depends on the current timestamp

on the system, downloading the file.

Now, what Xavier here assumes is that the file name actually doesn't matter.

It's being used to download the sample.

Instead, that's probably more meant to sort of obfuscate the request as it's traveling on the wire.

So, for example, someone observing these

downloads may not necessarily see a lot of documents being downloaded using the same

file name. Xavier, in addition to decoding this scheme that's being used to create the file name,

also decoded 10 different host names that are being used to create the file name, also decoded 10 different host names

that are being used to download this sample.

And we got the interesting paper from a group of German security researchers that looked

at problems with encrypted email, and they looked at common with encrypted email.

And they looked at common open PGP and SMIM implementations.

They looked at 20 different male clients and found eight to be weak to actually in some cases

pretty easy to exploit vulnerabilities.

Four of these clients were actually vulnerable to something they call a mail-toe key

...