Hello and welcome to the Tuesday, March 21st, 2003 edition of the Sansonet Storm Center's Stormcast. My name is Johannes Ulrich and today I'm recording from Augusta, Georgia.

Xavier came across yet another fishing kit that takes advantage of telegram in order to exfiltrate credentials. What's really kind of

neat about these fishing kits is that they're all JavaScript, so all self-contained and don't

really require any kind of hosting infrastructure. Maybe on some case you'll just see them in

a compromised WordPress site, which I think is where Xavier found this particular fishing kit.

The code that's actually used by this particular example is amazingly simple.

It's a simple HTML form, and whenever the user submits it, it will actually insert a message that the password was wrong,

hopefully trickering the victim in supplying maybe other variations of their password that they

may be using on different sites. And then it will send the message to Telegram. The disadvantage of

this type of fishing kit is that all the credentials need to connect to telegram have to be provided in the open as part of the JavaScript.

And that's kind of where this particular attacker messed up in, well, not initializing that token that's actually needed to connect.

So as it is, as Xavi found this fishing kit, it's actually not functional.

And security company CoFense is reporting that the Emote Head Boardnet is back and

it's jumping on the OneNote bandwagon.

OneNote, of course, is the method de Jure in order to bypass more recent macro protections

that Microsoft implemented in Windows.

Other than that, the emails are sort of standard fare.

It's a SIP file, in this case a SIPPed OneNote file,

that will then download the EMOTDL file.

Well, if you are using Windows 11 version 22H2, so the most recent version of Windows 11, and

you would like to use the Unified Update platform or UUP with your WOS server,

then you have to apply an update actually to get all the latest quality and security fixes.

...