Hello, welcome to the Tuesday, May 26, 2020 edition of the Sands and its Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Unless you are sleeping under a real, real big rock, you are probably aware with how macros in Office and Excel can get started automatically

as a user opens the document.

Now, PowerPoint didn't really, at least at first look, have a feature like this, but Xavier

came across an interesting PowerPoint template that actually does just that.

Now, this PowerPoint template actually turns out to be a PowerPoint add-in, an extension to a PowerPoint,

and once the user opens it, yes, it's able to automatically execute macros using its own set of functions to do so.

In this particular case, it's actually even a little bit more twisted in that the macro is started when the PowerPoint file is closed.

They're using the auto close method here, probably trying to further

evade signatures that are looking for these specific features or functions that usually

are being called as the document is opened. And since the PowerPoint file is otherwise empty, it's likely that the user, after opening

it, will immediately close the document. You may learn more about this particular technique from

Xavier's diary who walks through the analysis of this particular file step by step.

And talking about odd ways to deliver Malware,

the Ragnar Locker Ransomware crew came up with,

well, a little bit of cumbersome way to deliver Malware

in delivering an entire virtual machine. Now, the virtual machine is the micro XP edition of Windows XP running within Oracle Virtual

Box.

And what's being delivered here is actually about 280, I believe, megabytes of code.

So the hypervisor, so virtual box is being delivered.

In addition to then the disk image with micro XP.

...