Hello, welcome to the Thursday, January 25th, 2018 edition of the Sandsenet Storm Center's

Stormcast. My name is Johannes Ulrich and then I'm recording from Jackson Mall, Florida.

Brad took a look at the latest Hank Itor Malveh. Now, this one follows the old pattern. It uses

RTF documents that then try to exploit some reasonably recent vulnerabilities

that were patched back in November.

The common subject line appears to be new incoming EFax document from and then an 800 number.

As Brad points out that this is pretty easily

quarantined by spam filters, also standard malware protection pretty much takes care of that. In

particular, if you're running Windows 10 and are enabling some of the security features in Windows

10. Sort of interesting in that this particular variety did deploy a good old banking Trojan

Seuss was the tool of choice here.

No ransomware for a change, but of course that kind of changes on a day-to-day basis.

And if you are not a developer, you may not have heard of

the electron cross-platform development framework. It's a pretty intriguing piece of software.

Essentially, what you can do with Electron is that you create a web application using JavaScript,

HTML, cascading style sheets, and then Electron will convert this into a native

MacOS, Linux, or Windows application for you. Now, if you use a tool like this, then of course,

you leave a lot of the low-level bit grinding up to these frameworks, and apparently that's sort of where a mistake happened

here. If one of the applications that were built with this framework did register a protocol

handler. So, for example, if you have anything, call in slash slash and then link it to your

application, well, then you're actually exposing your

application to an arbitrary code execution vulnerability.

...