Hello, welcome to the Thursday, December 12th, 2019 edition of the San Sanct Storm Center's

Stormcast.

My name is Johannes Ulrich and today I'm recording from Jacksonville, Florida.

Brad's malware of the week today was actually German mal-spam.

This one again included a word document and delivered Trickbot.

Basic scheme here again where the Word document wants you to enable macros so it can do its

evil deeds and download additional malware which happened to be trickbot in this particular

case. Given the language, this is likely targeting German recipients, but often this spam

is sent kind of to anybody. It's a resume, first of all, and then also a rental agreement is sort of the title

of the document that's being used in this particular attack. Personally, I've seen a ton of

resume, of course, over the years. The rental agreement is a little bit new and different, so maybe they're

trying out a couple new tricks here to see if they are successful. Well, I've ever heard

the saying that you shouldn't really invent your own crypto. Well, Fsecure looked at a lock, the Kiwi smart lock, and found the interesting

vulnerability in how it is encrypting its messages.

The main problem here is this lock is using Bluetooth low energy.

Bluetooth low energy had a lot of problems, so they're actually encrypting the messages being

sent from the mobile application to the lock and back, which sounds like a good idea.

They're using with AS 128 ECB, a reasonable good encryption algorithm, but what they are getting wrong is the key

generation.

Now, what they're essentially doing here is they're using the Mac address of the device in order

to generate the key.

According to F-Secure, Kiwi went through quite a bit of tricks and so to make it difficult

...