Hello, welcome to the Thursday, June 11th, 2020 edition of the Sandshernd Storms, Stormcast.

My name is Johannes Ulrich.

And then I'm recording from Jacksonville, Florida.

Now, Brad today is updating us on C-loader.

He has seen it come in this week as a password protected Excel file.

Of course, macros again are to blame.

Now, kind of interesting here that the URL is actually only working if you are connecting to

it from outside the US.

This is kind of a rare case where the US apparently is not in the target range here.

Now we have seen sea loader go after other countries like just about a week ago I think

Brad wrote about a version of sea-loader where the email actually

was written in Polish.

So they may be diversifying here a little bit and maybe also trying to stay out of the view

of many of the U.S.-based security companies.

So the basic infection chain here is an email in English

that does have the Excel spreadsheet as an attachment.

The email claims that this is a resume.

So a little bit odd that it used an Excel spreadsheet,

not a Word document, but either way,

the password is listed within the email's text.

And then when you open the Excel spreadsheet, you're being prompted for the password.

And then, of course, you're also prompted to enable macros. As typical for a C-loader, it downloads

...