Hello, welcome to the Wednesday, February 1st, 2017 edition of the Sandtonet Storm Center's Stormcast.

My name is Johannes O'Rourich, and I'm recording from Jacksonville, Florida.

We got a great guest diary today by Ismail and Mark about a malicious office document,

actually an Excel file that installed the Keybase matter. Keybase is a keystroke

logger, can also copy your clipboard. And what made this particular incident so interesting is that

this malware used an exploit against the event viewer to actually bypass the user account control, which of course is supposed

to protect some of the things that the installer here does in order to get the matter on this

system. The exploit also doesn't require any files on the system. It's a fileless exploit.

That of course makes it even more difficult to detect,

in particular after the fact because you don't have any artifacts on the disk that you could

sort of rely on in order to see what happens. And then it goes ahead and downloads Keybase

and installs it on the system. Real nice walkthrough here by Ismail and Mark about

how they analyze this, what tools they use. For example, one tool that I really like is hyperanalysis.com

makes it really easy. So get a quick snapshot of what's going on with a particular piece of malware.

And earlier this week, a tool that Apple had on its website to check if a certain phone

or iPad was activation locked, all of a sudden, disappeared, so it wasn't really clear why.

Well, there's a YouTube video now that essentially shows how this tool helped people

to bypass activation lock. Now, this was not a trivial exploit. You had to take your device

apart, including unsodering a couple of chips, but what you needed in order to make the exploit

work was a serial number of an unlocked

device.

And of course that tool that Apple offered did help you find that serial number.

...