Hello, welcome to the Tuesday, December 10th, 2019 edition of the Sandton,

the Storm Sunners Stormcast. My name is Johannes Ulrich, and the time I'm recording from Jacksonville, Florida.

Well, when I received a suspicious word document earlier today, I knew Olly Dump is the tool I want to use and lucky for me.

We do have a current diary that Didier published yesterday that walks yet again through a current

malicious word document and shows how to extract and decode some of the malicious code embedded in

this document. Given the huge number of malicious documents that we keep seeing and also the

wide range of different sort of obfuscation techniques that the bad guys are using, these

diaries are always a great thing because you usually can't kind of use whatever is being

explained in this diary within a couple days.

And talking about new tricks, Sophos has a neat write-up with some details about the Snatch

Ransomware.atch Ransomware.

This Ransomware has been around for a while, but recently apparently added a new trick

to its repertoire where it reboots the system into Safe Mode.

So it will first add itself as a service to be started in safe mode, then it reboots the system into

safe mode, which will in this process disable most anti-malware products.

Malware has always tried to disable anti-malware software and typically just killed these processes,

of course, over the years, Antimalver has become

more resistant to these sort of simple shutdown attempts.

And I guess the simple thing about safe mode is that it's sort of one size fits all, pretty much

all anti-malware should be shut down in safe mode.

So the author doesn't really have to bother with

individual software and how to shut it down.

...