Hello and welcome to the Wednesday, December 4, 2020, edition of the Sansanet Storm Service.

Stormcast, my name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Well, I mentioned malformed work documents yesterday.

Today we have a diary by D.D.E.

Not about malformed, but about perfectly normal,

at least syntactically, word documents and how to analyze them if they include embedded files.

As I mentioned yesterday, word documents are just SIP files, and these SIP files may contain multiple components.

One of these components may very well be a binary.

Now, these executables won't execute by themselves.

The user has to execute them by double-clicking them.

So typically, an attacker would send a VIR document with some kind of

pretense that would trick the victim into double-clicking the icon that represents

the executable and in doing so starting and executing the malicious payload.

The tools that the DDA used are the all too familiar file magic.py as well as

OliDump.PyI in order to parse and dissect the Word documents payload.

Let me have a real odd case of a supply chain compromise coming from Korea.

Apparently, South Korean company manufacturing satellite receivers has been delivering receivers

to a particular broadcasting company that came pre-configured with a DDoS tool.

These DDoS tools were apparently installed on the request of this broadcasting company.

So the broadcasting company was not sort of here innocently just buying these receivers.

These appear to be more sort of TV satellite receivers the way things are written,

but there's very little information in the press release,

...