Hello, welcome to the Thursday, January 14th, 2020 edition of the Santernat Storm Center's Stormcast.

My name is Johannes Ulrich.

And the name is I'm recording from Jacksonville, Florida.

Well, must be nice to be a bad guy that develops malware because you get to take an entire month off over the holidays and

New Year. At least that's what it looks like for the Hankytore Malware. This is

Malware that Brad Duncan has been tracking for quite a few years now and well last year

on the 17th of December the Malware went quiet. No new

samples had been discovered, but all for a sudden on Tuesday, it started up again. So I guess

their vacation was over. That's also kind of a sign of how professionalized some of these

Malware teams have become. And really, the Malware sort of picked up where it left off

back in December. So not really a lot of changes here or sort of development during the time

they went offline.

It starts with a docuSign email, a fake docusine email,

that asks you to click or to view an invoice,

which then will send you to a Google hosted document.

Google, common theme that we have seen also

and talked about last year is sort of becoming a

favorite hosting facility for a lot of these malicious document. And then the document, of course,

when you open it, it's avert document. We'll ask you to enable macros because apparently

the document is protected. At least that's what it pretends to be.

So really good old word macros are then being used to download additional malware.

One interesting thing that Brad notes with Hank Hattor is that as long as the user that's being infected here is connected to an active directory

...