Hello and welcome to the Wednesday, March 19th, 2020,

edition of the Sands and it's Storm Center's Stormcast.

My name is Johannes Ulrich, and then I'm recording from Jacksonville, Florida.

Alixabier came across an interesting piece of Malware that he's sharing in today's diary.

The Malware itself arrives as a SIP archive.

Nothing really that special about it.

It's called Hootsweet.com.

Hootsweet, I'm not sure if they're still around.

What sort of a frontend for Twitter X.

They had some issues when their API pricing changed.

But either way, it's probably well enough known company

where some people may open that zip file.

Also, the zip file itself, at least at first,

doesn't appear to include anything malicious.

There is a legitimate PDF reader.

There is a PDF.

Now, Redcast's interesting is once you are starting

the PDF reader. The reason the attacker is sending you that PDF reader is because this PDF reader

is vulnerable to DLL side loading. If it loads a DLL file, a library, it will prefer the file in the local directory

over the one in the system directory.

And with that, it's easy to replace a system library with a malicious one.

That's exactly what's happening here.

...