ISC StormCast for Wednesday, August 17th, 2022

Released Wednesday, 17th August 2022

Episode Transcript

0:00

Hello, welcome to the Wednesday, August 17th, 2022, edition of the SANS Internet Storm Center StormCast. My name is Johannes, recording from Florida.

Today we've got yet another great post by Didier walking us through the analysis of a malicious Office document. Didier uses his tool oledump for the initial analysis to extract the Visual Basic for Applications code. Well, as so often, the code was heavily obfuscated. As part of the obfuscation, this script calls MultiByteToWideChar, a function that allows conversion of bytes into characters by specifying an encoding. Now, typically you would find something like UTF-8 or UTF-16, but not so here. The attacker actually picked the rather ancient UTF-7. Back in the day, I remember this encoding sometimes led to the bypass of some cross-site scripting filters, but here UTF-7 is just used to fool analysts and tools into ignoring it and not being able to really figure out what's happening here. Well, not so, of course, with the help of Didier. Didier isn't fooled so easily, and he'll walk you through decoding these scripts. The output is binary code followed by some assembly source code, which doesn't make sense, and Didier guesses that the assembly source code was just left there by mistake. Now, the shellcode Didier was able to analyze as 64-bit code, and that finally revealed the URL that may be used to load additional code. So, a pretty thorough walkthrough of some interesting and somewhat unusual sample.

2:01

Microsoft recently went after a threat group that they're calling SEABORGIUM, and this is likely aligned with certain interests. Of course, Microsoft always uses the names of certain elements to identify different threat groups. Like so many advanced persistent threat campaigns, this one also takes advantage of phishing and then, of course, breaches organizations. Typically here, they will go after, they mention NGOs as an example, and many other organizations are targeted. Here, the leaked information is typically used to shift the narrative, as Microsoft put it, or is, in some cases, maybe used to discredit these particular individuals. Microsoft also talks about how they, for example, use LinkedIn accounts in order to collect open source intelligence on their targets. They will also set up email addresses with free email providers impersonating certain individuals, and then they start sending some emails, first some harmless, friendly messages to sort of establish a conversation and a little bit of rapport with the victim, before they are then sending some weaponized email. The Microsoft blog includes many samples and additional details to help you identify possible intrusions by this group. What I always find interesting here is when they are listing the domain names that were used as part of the campaign. Of course, those domains are no longer really being used, but the sort of benign nature of these domains, how does it fit in with a domain that you'd typically expect? I think including some of those domain names may make a good lesson for the awareness programs to tell users that, well, still, the bad guys don't always use evil-example.com.

4:09

In the last few years, ultra-wideband real-time location systems, or RTLS systems, have become more and more common. They're used in industrial equipment, in some of this sort of smart cities they're being used, and even sort of Apple's Find My system kind of fits into that category. Now, where these systems are used at a larger scale, they typically have location anchors that are receiving the signals from these devices, from the tags that are sending the radio signals, and then these location anchors are then connecting back to some kind of central server, via Wi-Fi or via ethernet. Of course, because these are often sort of distributed systems across a larger area, Wi-Fi is quite common. Researchers at Nozomi looked into the Sewio indoor tracking system and the Avalue Renity, if I pronounce that correctly, Artemis Enterprise system, and they basically looked at the Wi-Fi communication here, not so much at the communication from the tags to the anchor that has been discussed in the past as being unsafe, but instead at how this information is being sent back to the server. And what they found here is it uses an unencrypted binary protocol that wasn't really so hard to decode, and with that the attacker would be able to spoof locations, defeat some of these safe areas and the geofencing that is implemented in these systems that keep, for example, equipment out of hazardous zones or alert users when they are in one, and then of course they would also be able to spoof the locations of certain equipment or individuals, in addition, of course, to figuring out what the location is in the first place. As often, the advice here is to limit access to the network used to send these messages.

6:13

Well, and that's it for today. Thanks for listening and talk to you again tomorrow.
