Hello, welcome to the Wednesday, February 3, 2021 edition of the Sandstone Storm Center's Stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Xavier today took a look at a malicious Word document that was submitted by a user. Now, Brad looked at the traffic from that particular document.

So basically, he did the dynamic analysis.

And now from Xavier today, we do get the static analysis.

There's actually walking us through the macro being used here.

Kind of interesting, the macro being used here.

Kind of interesting, the macro first dumps an XSL file and XML style sheet,

and that actually then contains the code that is being executed.

An execution, well, that leads then to additional malware being downloaded in this case a version of Quagpot. Also interesting, Xavier's analysis does reveal what appears to be

the author's name, Alex Petrenko, at mail.r.U.

And starting in April, which should be Google Chrome 90, the Spanish Certific Authority,

comma, Fima, will likely no longer be included in Google Chrome.

We only had a handful of cases like this where certive authorities

had been revoked, and Google has documented a number of violations of standards that set

of authorities have to comply to with a comma firm. Whether or not other browser makers will follow Google's lead is still

somewhat open. Mozilla is debating currently whether or not they should accept a remediation plan

that KamaFerma did present. On the other hand, KamaFerma only issued 8,000 certificates so far, so the impact

should be rather minor. And of course, in the past, this entire set of authority ecosystem

has been the weak point when it comes to TLS, much more so than any TLS weaknesses in algorithms.

And in recent years, browser makers had attempted to be more stringent with certificate

authorities that do violate common required practices.

And remember, a couple weeks ago, we had Billy Wilson, a Sandsdot EDU student,

...