Hello, welcome to the Thursday, September 16th, 2021 edition of the Sansonet Storm Center's Stormcast. My name is Johannes Ulrich.

And I'm recording from Jacksonville, Florida. Brad today dropped one of his usual diaries, including packet captures and everything you need to reconstruct and follow the lessons that Brad is teaching you here.

And in this case, Brad is illustrating the latest Hankitor campaign.

Now, Hankitore is essentially a malware delivery mechanism.

In the past, it often has used Google Cloud

features in order to deliver its malware, like, for example, docs.com, or feedproxy.com. Of course,

pretty much no cloud service is immune from being abused to deliver malicious content.

It looks like Hank Gator now set its sides at the Microsoft OneDrive service in order to spread its malicious Word documents.

With that, it also changed strategies a little bit. In the past, the document was

usually served using a base 64 encoded script. But in this most recent hand guitar version,

it essentially just points to a Microsoft OneDrive URL.

Of course, malware campaigns always try to mix up things a little bit as detection is catching

up. Also, as detection of these cloud providers may make the 12 time that the malware

achieves inside these clouds a little bit too short to be fully

effective, so that's when they may, for example, switch to a different cloud in order to

gain the full effect of the samples they are preparing.

So remember yesterday when I talked about Microsoft's patch Tuesday and I pointed out that Microsoft did patch critical vulnerabilities in the open management infrastructure or OMI.

And I wasn't really sure how widely this particular product was used.

It's an open product that Microsoft also published on GitHub.

Well, it turns out that this is actually a huge problem if you are running a Linux virtual

machine on Microsoft's Azure Cloud Service.

As many cloud services, if you are running a virtual machine,

...