Hello, welcome to the Thursday, January 30th, 2020 edition of the Santernet Storm Center's

Stormcast. My name is Johannes Ulrich, and the time I'm recording from Augusta, Georgia.

Early this week, I talked about how big news events are often picked up by malware to trick users into clicking and opening malware

attachments. Well we have sort of two interesting examples that show this effect, but

actually in very different ways. The first one is from the US recent trickpot sample

and what it apparently does is that it attaches is from the US recent trickbot sample.

And what it apparently does is that it attaches excerpts from news articles about the Trump impeachment to the actual file.

Now, this text is not meant to be read by the user.

It's part of a binary file or XIF tags that are being added

to the file, but apparently it's meant to trick anti-mail-ware into letting this malware

in. Now it's not really clear if this technique works here. There has been some work recently where some artificial

intelligence engines could be fooled into allowing Malvern pass by just attaching benign code

to the binary. I don't think that same principle would sort of apply to text, but you never know.

And maybe the Malvern writers here know something that I don't know.

I've certainly seen similar techniques, for example, used to full anti-spam filters and such,

but that's when you usually expect text. So not as sure if this additional text in binary files would really make

a difference.

Now, unlike in the US, where impeachment, of course, at the top of the news still in Asia, it's

the coronavirus, and Japan has seen some EMOTET emails that do use the coronavirus to trick users into opening attachments.

What they're doing here is the email sort of looks like an official announcement.

It's coming from some disability health care provider,

at least that's what it claims to come from.

...