Hello, welcome to the Thursday, May 12, 2020 edition of the Sands and its Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Brad has one of his famous Malware walkthroughs, and this time it's the TA 578 group that is pushing isophiles in order

to spread the bumblebee malware.

Now, what's sort of interesting about this is that they're using threat hijacked emails.

What that means is that they actually already compromised a system and then they're

checking the email conversations on the hijacked system and are injecting themselves into existing

email threats. So you may receive a reply to an email that you sent earlier that contains the malicious document,

which of course makes it much more likely that you're going to open the file, in particular

since in this case the file is an ISO file.

A second sample that Brad is walking through uses a SIP archive that's password protected,

sort of as an immediate step, before you are actually getting to the ISO file. Also interesting,

the actual download links are exclusively using storage.govopiys.com. That's, of course, a very common location

for malware these days, but popular enough for legitimate content that you probably have a hard

time monitoring downloads from storage.govio APIs.com.

And affirming Google's ranking towards the top of matter distributors, NetScope did a report

on phishing downloads and saw that not only there was a sharp increase, no big surprise

here, but also that one of the

techniques that they really saw increasing is search engine optimization techniques

in order to improve the ranking of malicious PDFs. And the number one download site here

was Google Trive.

So not the API, but still Google Properties.

...