Hello and welcome to the Tuesday, May 2, 2023 edition of the Sandtonet Storm Center's Stormcast.

My name is Johannes Ulrich.

And today I'm recording from Jacksonville, Florida.

Today we got a diary from Jan looking into what he calls passive analysis of obfuscated phishing emails. Typically when

analyzing malware, you sort of have two options. You can just do a dynamic analysis where you

run the malware and see what it does, which often tends to be the fast way of doing it if you

have a lab set up for it, but it has the risk of tipping

off the attacker because often you need to allow the malware to interact with the attacker's

infrastructure to really see what's happening. The other option, of course, is static analysis

where you are analyzing the source code.

This has the advantage of not actually running the code.

Of course, this case, there is no interaction with the attacker's infrastructure,

but tends to be tedious and slow.

So passive analysis is something that Jan uses specifically for JavaScript and phishing emails,

where what he does is he basically modifies the obfuscated JavaScript to print itself into the browser Windows by adding a document right around the JavaScript.

This has the advantage of basically allowing the JavaScript to decode itself and not

completely running the JavaScript.

Of course, there is still a risk that you're interacting with the attacker's infrastructure,

but it's kind of more a balanced method of

having something that's reasonably safe, but still much faster than doing the static approach.

And Apple today, for the first time, used its rapid security response feature.

This is a feature that was included in the latest iOS and macOS update.

...