Hello and welcome to the Thursday, August 24, 2023 edition of the Sandsenet Storms, Stormcast.

My name is Johannes Ulrich and today I'm recording from Jacksonville, Florida.

Excel continues to remain one of the favorite targets of attackers and attackers as well, find new ways to evade some simple filters

and deliver macro-Latin documents to end users. The latest example here is something Savier came

across. It's an X-LAM file. This is a macro-enabled add-in for Excel. The icon looks sort of somewhat like the

normal Excel macro. There are legitimate add-ins that are often being used like the solver add-in,

for example, or the analysis toolpack. They are usually pre-installed or quick sort of install in Excel, but this new

add-in now, well, it does execute code in the form of old style macros.

In this particular example, it then actually uses the good old equation editor trick that's

vulnerably back from 2017 to download additional

matter in the form of a visual basic script. So overall, nothing really terribly sophisticated

here, probably just going after users that have nothing to defend them, but some simple

rules that block certain extensions.

If you are one of those users, well, you now got one more extension to add to the list,

XLAM.

And while we're talking about Excel, Microsoft also announced that it will start supporting

Python in Excel.

So finally we get a real nice scripting language for all of these attacks.

And then we have more bad news for users of WinRR, the popular Windows compression software.

Group IB is reporting that they have seen active exploitation of a seraday vulnerability

in Winrara.

Exploitation goes back till April 2023.

...