Hello and welcome to the Monday, June 16th, 2025 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich, and this episode brought you by the Sands.edu credit certificate program in cloud security is recorded in Jacksonville, Florida.

Well, in diaries this weekend, we had a diary by Xavier looking at yet another Malware

sample that uses images to hide executables.

This one starts out as, well, your usual Microsoft Excel macro, so nothing really all

that excited here, and OlliDump does a good job in actually

then extracting the relevant data from this particular Excel spreadsheet. Now, where it gets

more interesting then is the second stage here. There is an HTML application that's being loaded that,

well, again, so you use at least a file name kind of to obfuscate what it's doing,

and it is loading a bad file, and this bad file then does download an image. Now, quite a bit of interesting sort of

simple obfuscation happening here, but Xavier will walk you through how to actually

figure out what's happening until you end up with this particular image. This is a JPEC image.

Now, we had in the last couple examples, PNG images.

In PNG images, we have that end indicator,

and then we can just add any data after this indicator.

In this particular case, it works a little bit different. There is this NCO and then

FEM indicator here. These tags basically enclose the executable, so you don't actually

necessarily have to add it to the end. It's a base 64 encoded piece of data here. And as Xavier points out, this TVQQ add-at

part, that really then basically does decode to your standard PE file header. And, well, that's then

just the actual payload DLL that is being loaded and executed.

So interesting walk through here how to very quickly analyze a piece of malware like this

even though it went through a couple different stages and yes some obvious scation here.

...