Hello, welcome to the Wednesday, July 27, 2022 edition of the Sands and at Storms,

and its Stormcast, my name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Today's diary is just a quick reminder by Xavier that even Mac users should be aware of security Apple published and updated

security guide back in May. Xavier collected a number of different links with various

security hardening guidance and such from different organization specifically for Mac OS.

So if you're using Mac, take a look and make sure that you are following some of these

hardening steps.

And yesterday I mentioned how attackers are hiding part of their malicious code in

registry entries on Windows to evade some of the Antimelver scanning engines.

But there's another registry-related trick that attackers are able to play.

X-86 Matthew published a blog post showing how executables may be delivered in registry files.

So these dot rec files, that's the extension they are used to using,

they are used for registry data.

But in this case, the file contains an entry to add a Windows executable to Run One key.

Run One's key, this is software that's being executed on boot.

Now, the simple exploit just includes a path to the executable, but that of course would

require the attacker to then also deliver the executable into a predictable path on the victim's

system.

So Matthew goes actually a little bit further here and embeds the executable in the same.

Dot rec file.

Now it's only one file that needs to be delivered and one file the user needs to click on

in order to trigger execution.

...