Hello, welcome to the Tuesday, September 8, 2020 edition of the Sansonet Stormsanders Stormcast. My name is Johannes Ulrich. And I'm recording from Jacksonville, Florida.

And if you are listening to this podcast regularly, I guess you got the idea by now that all things never really go away

in this business. And Jan has a good reminder here of a visual basic six executable

that was encoded using XX encoding. XX encoding pretty old. I vaguely remember it from some early email

attachments where this type of encoding was often used to send binary files via email. Of course,

these days, base 64 encoding pretty much sort of replaced that. It looks at first side a little bit similar

when you're looking at the text in XX encoding. Now the reason that an attacker will use an old

technique like this is often to evade anti-malibur tools. It doesn't seem to be terribly

successful here.

21 out of 68 engines at virus total are recognizing this file as malicious.

And Dede wrote up this weekend diary answering a reader question.

And again, we love those reader questions in this case. It was

what the reader considered a little bit an oddly formed office document. DDA explains how this is

actually perfectly normal. There is a SIP file that sort of of at the beginning of the document while the entire

document is a SIP file itself. And the reason for this is simply just that there is

theme data that's being included as a SIP file and sort of prepended to the actual document.

And the DA walks you through the extraction of this data on how to recognize it.

But also good observation from the reader to actually notice this.

And yes, SIP files do sometimes contain additional garbage at the beginning or at the end

in order to obfuscate the actual SIPT content.

And we got an interesting cross-site scripting vulnerability in Golang.

Now, GOLang isn't used a lot, I would say, for web applications, but certainly somewhat

...