Hello, welcome to the Tuesday, October 1st, 2019 edition of the Sandsenet Storms and a stormstormcast. My name is Johannes Ulrich. And the time I'm recording from Jacksonville, Florida.

The here today is walking you through the analysis of a malicious office document. It actually arrived, encrypted, and then used PowerShell in order to download its actual

payload via bits.

It's a little bit of follow-up to a diary that the DA posted this weekend.

And what was sort of interesting about the sample initially was that the password

mentioned in the email actually turned out to be wrong.

But in this analysis, DDA is using the correct password for this particular document and

then was able to extract the PowerShell script that this document

attempts to execute.

Now the use of bits is nothing new.

Bit stands for the background intelligent transfer service.

That's sort of the closest thing to W. Get and Curl that you find on a Windows system, and

the nice part about it is that it's a standard systems component used to download updates,

so it wouldn't be all that unusual to see Bits with its fairly characteristic user agent

reaching out, outbound.

Now, some people saying that, hey, Bits is only really used by Microsoft so you can look

that it doesn't reach out to any non-Microsoft IP addresses.

Not really true.

I have also seen Bits being used by other legitimate software to download updates. But anyway, if you

want to follow DDA's analysis, he did put together as a step-by-step guide as to how he

analyzed this particular document. And the XIM mail server is the gift that keeps on giving for the bad guys, yet another

vulnerability in the XMail server, yet another remote code execution issue.

...