Hello and welcome to the Tuesday, September 20th, 22nd2 edition of the Sansonet Storm Center's Stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Malware arriving in the form of isophiles isn't new, but sadly it's still spreading fast. Tom observed a significant

uptick in the infections with the chrome loader malware, which initially arrives as an

isophile. Typically, the user is confronted with the malware after clicking on a malicious

search result, so that's where the author of the malware after clicking on a malicious search result. So that's where

the author of the malware uses search engine optimization to make links to the malware rank

high for specific popular keywords. After the iso file is downloaded, the user will then launch

the malware by clicking on a Properties.

Bad file that is included in the ISO.

Now, Tom is including more details in the diary, but the end effect is that the user ends up

with a malicious browser extension that will, in its simplest form, inject malicious ads.

But the real question that Tom is trying to answer, how do you prevent all of this from

happening in the first place? In Windows, you're able to block automatic mounting of iso files

either via group policies or registry settings.

Probably a good thing to configure this as I do not see a lot of legitimate software that arrives as an isophile

unless it is actually, well, of course, a physical city or DVD, if anybody is still using that.

One important exception I just want to point out in some Sands classes, we use isophiles to store the virtual machines.

It doesn't happen that much anymore, but I still think some classes are doing it.

So a little bit of a throwback from the days when we actually had DVDs for some of

these virtual machines.

Also, Tom isn't the only one noticing the search in Chrome Loader attacks.

Red Canary, Microsoft VMware, they all had similar warnings for the most part again. It just displays ads,

...