Hello, welcome to the Tuesday, July 5, 22 edition of the Sansonet Stormsendors Stormcast.

My name is Johannes Ulrich, and I'm recording from Stockholm, Germany.

One thing I mentioned last week is how 7-Sip introduced new option to allow you to apply the mark of

the web to any files extracted

from an archive that was downloaded from a website. This feature has three settings. You either

may not set the flag at all for any file extracted. You may set it for all of the files extracted.

And then there's a third option, it's kind of interesting, and that applies the flag only

to office files with, well, the history of office files being abused, of course, makes some

sense.

So Didi take a closer look at how this feature actually works,

actually disassembled part of the code here of 7-Sip. And what he found was that yes,

somewhat expected. This really is only applied if specific extensions are being used for the file name.

You have your standard subjects suspects here, like Doc XLS, PowerPoint, PPP, and such.

One thing that they found missing was RTF, a lot of, in particular, like, Folina exploits and such that we have seen recently took

advantage of RTF to kind of fly a little bit underneath the radar and be not sort of

fully identified as an office document.

So just apply the mark of the web to all files.

It's probably a safe option here.

Remember, this only works if you're using the NTFS file system.

Then an alternative data stream is added to the file that does contain this flag.

And then prompts the user to acknowledge that the file was downloaded

from a specific website. And Kaspersky has a good write-up of an interesting IIS backdoor that

...