Hello, welcome to the Tuesday, September 1st, 2020 edition of the Sandcent and the Storm Center's Stormcast.

My name is Johannes Ulrich.

And I'm recording from Jacksonville, Florida.

DDA has pointed out a couple times in the past how visual basic applications with password protection are working and some of the limitations

of this password protection. Now, it doesn't really get in the way of the analysis of any malware.

However, in the latest case, it actually helped him analyze the malware.

And this is a document that Xavier wrote about.

This was this malicious Excel sheet that was actually modified by some kind of security software,

so the actual macro would no longer run. Well, the DA now shows us how to find

the original file before it actually got hit with this end-high malware and identified a document

based on the password hash that is included in the document and that was not modified by the security

software.

These password hashes are salted, so even if an author does pick the same password for two

different documents, there will be a different hash embedded in the document, allowing us to find the actual unique

document that then was obfuscated or defanged by this anti-matter.

And Slack fixed an interesting remote code execution vulnerability. Part of the problem with Slack is that it uses the electron framework. And in Electron, you are using essentially JavaScript and HTML to write desktop applications. But vulnerabilities that are typically associated with web applications are now also

exposing these desktop applications.

In this particular case, JavaScript was able to be injected into the Slack application,

which then of course led to remote code execution.

To make things worse, there was also a cross-site scripting vulnerability in files.slag.com,

which in turn allows NetHacker to essentially use that domain that's associated with Slack to host the

malicious code.

...