Hello, welcome to the Thursday, August 24th, 2017 edition of the Santernet Storm Center's Stormcast. My name is Johannes Ulrich, and today I'm recording from Virginia Beach, Virginia.

Xavier came across a pretty interesting, malicious-looking email. Now, this email has a Portuguese subject that states that it does request a product

budget. Now, it does load a script that then, and that's where it gets interesting, really,

installs a binary that is validly signed with an AVASD certificate. Now, it identifies itself as the EVAST Safe Zone browser.

It does add some firewall rules, again, sort of odd and interesting,

and then adds itself to the run registry in order to gain persistence.

Not really clear what the end game is here,

whether it's actually the valid safe zone browser,

but that would be odd.

Behavior doesn't really match there,

or whether this is some kind of malware

that actually managed to adopt that particular certificate.

Now, the malware was downloaded via CDN, which did have a valid Zell certificate,

but it just used the host name for this particular CDN, so that's no real big surprise there.

One reader actually commented that the safe stone

browser maybe legit that it is the actual safe stone browser but it's really just

used to execute malicious DLLs that are actually being delivered with this

particular executable but by actually presenting signed and valid binary, people are more likely

going to execute it.

And Mindcast made big news yesterday with a new attack that they describe as a rope maker.

Now, what they're really talking about is is the use of externally

hosted style sheets in email. So if you're receiving an HTML email, there is of

...