Hello, welcome to the Tuesday, March 10th, 2020 edition of the Sandsonet Storm Center's Stormcast.

My name is Johannes Ulrich, and the I'm recording from Jacksonville, Florida.

It looks like Diddy really sort of opened a large can of worms here with these XL4 macros.

Now, a lot of research, of course course recently has gone into Visual Basic for application code

in office documents and looks like there was a little bit of blind spot here for these

older Excel 4 macros.

We keep getting interesting samples from our user.

Did he just look at another one that came from our user.

Did he just look at another one that came from a user?

And what was interesting here is that the initial Excel macro actually downloads additional code from a website, adds it to a spreadsheet, and then executes it.

Now, initially we weren't able to get all of that code that it downloads, but eventually

the was successful via a virus total search to find the additional code which would download

more HTML actually and then again insert it

into Excel to execute it.

So these are some of these interesting multi-stage kind of exploits where you first have a

downloader that's then downloading additional code.

Have seen this a lot of course with a matter,

but really interesting to see how the same concept is being implemented here in Excel 4.

And then again, as a reminder, these Excel 4 macros, yes, they will run in the greatest

latest version of Excel. And of course often missed by anti-malware.

And then for a change, we don't have a side channel attack in Intel CPUs, but today against AMD CPUs.

This is where comes from researchers at the Technical University Kratz as well as the University

...