Hello, welcome to the Tuesday, December 21st, 2021 edition of the Santernat Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Jan took a look at a malicious PowerPoint file today, and according to Jan, he has seen a steep increase in PowerPoint being used to distribute matter.

Of course, PowerPoint being a Microsoft Office type document, it is able to hold the same macros as any other office document.

This particular document did bring Agent Tesla,

and it arrived as a PPM file.

PPM stands for PowerPoint add-ins with macros, and, well, the last part here.

Macros is really sort of what's important.

Jan has a good walkthrough of this particular malicious file and how it works, nice diagram

in the different stages, how components are loaded.

He also points out that a good part of this particular malware

is actually just based on open source code.

And while some of it is sort of exploit code,

like a UAC bypass, there's also some more generic code,

like for example, how to deal with SIP files.

That's just borrowed from GitHub.

And if we got updates from VMware, actually two updates on consecutive days for workspace

one, and the critical one with a CVSS score of 9.1 is a server site request forgery

vulnerability that would allow anHacker access to sensitive information

without having to authenticate.

VMware also published a pretty extensive list of products that are vulnerable to log 4J.

Some of them start having some patches available now.

...