Hello, welcome to the Thursday, January 6, 2022 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and the name is I'm recording from Jacksonville, Florida.

Ever wonder how the bad guys are writing malware?

Well, it's actually not that different from how any other software is written.

And Xavier has a nice document where he shows how recent Excel macros are really just copying code from GitHub projects.

Well, this isn't really a big surprise and, of course, has going on for a long time.

Also, different malware versions

copying code and techniques from each other this of course does present a problem for

malware detection because many of these techniques and also these code snippets are being copied

here are also being used in non-malicious code

and as a result, of course, malicious and non-malicious code

can end up being fairly similar.

And Checkpoint found some interesting malabre exploiting

an older vulnerability in how Windows verifies digital

signatures. The Malvern question is C-loader, and C-loader itself has been around for a while,

but as typical for Malware, it keeps changing, it keeps adding new tricks, and one of the new tricks

it recently added is to actually append itself to legitimate DLLs.

Now, this should be detected by the signature that is being used to verify these DLs, but due to an long-standing bug in Microsoft, if you are appending data to the

signature section itself, then it remains undetected.

Now, Checkpoint points out that this was fixed originally back in 2012, but Microsoft has removed.

Some of that fixed made it optional again because it had some impact on legitimate software as well.

So by default, this patch is not necessarily installed.

...