Hello, welcome to the Tuesday, March 30th, 2021 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

If you're into Malver analysis, you'll enjoy Xavier's diary from today.

He's analyzing an RTF document.

Now, what was sort of special here is, first of all, it was actually a valid RTF document.

It did open a fake document if you open it in an RTF reader, but the shell code was just sort of appended to the end of

the file. Of course, Xavier didn't stop here. Xavier will walk you through the entire analysis

and show how he managed to actually decode this shell code and figure out what it did.

And probably the biggest news today was that over the weekend, it appears the

PHP Git repository was compromised and at least two malicious commits were pushed to the PHP source repository.

At this point, there's still a lot of questions about as to what actually happened.

The two commits are implementing a pretty obvious backdoor that would allow an attacker to execute arbitrary codes via a specifically

crafted HTTP user agent header.

Now in my opinion, looking at the commits, it looks like the attacker wanted these commits

to be found.

They were not very well hidden, but essentially demonstrate what

could have happened here if the PHP maintainers would not have been more careful reviewing

the code. If you're currently a PHP user, this is unlikely going to affect you because

these commits did not make it in any of the current

released versions of a PHP. So this will only affect you if you did download the actual current

Git version of a PHP. On the other hand, since we don't really know much as to what exactly happened, there is still

a question that this may sort of be a tip of the iceberg kind of situation where we have

...