Hello, welcome to the Tuesday, March 17, 2020 edition of the Sandtonet Storm Center's Stormcast.

My name is Johannes Ulrich.

And I'm recording from Jacksonville, Florida.

Jan today took a look at good old desktop.in.i.

These files in Windows are typically used to assign icons to different files in a directory.

But what Jan found out is that, well, they can actually be also used to rename files within

Windows Explorer.

So using a specifically crafted desktop. I and I,

and essentially just easy to rename files,

replace the file names that are being displayed in Windows Explorer,

and with that, of course, tricking users into clicking on the wrong file or executing malicious

code.

Now you may ask, why not just rename the file or the folder?

Well, the advantage of doing it via desktop.I&I is that whenever you rename folder, well, there's

an event tricker that could possibly be detected, but if you do it via changing or creating a desktop.I. file,

then you technically don't rename the directory or the file,

and such there is no event that is being created

that could be used to detect this activity.

And if you are relying on VMware, VMware Workstation, VMware Fusion to isolate

malicious code from your host, well, make sure you update.

VMware did patch use after free vulnerability in VMNet DHCP that could be used to execute

arbitrary code on the host. This vulnerability was assigned a CVSS version 3 score of 9.3.

...