Episode Transcript
0:00
Hello, welcome to the Wednesday, August 17th, 2022 edition of the SANS Internet Storm Center StormCast. My name is Johannes, recording from Florida.

0:14
We got yet another great post by Didier, walking us through the analysis of a malicious Office document. Didier uses his tool oledump for the initial analysis to extract the Visual Basic for Applications code. As so often, the code was heavily obfuscated. As part of the obfuscation, this script calls MultiByteToWideChar, a function that allows conversion of bytes into characters by specifying an encoding. Now, typically you would find something like UTF-8 or UTF-16, but not so here. The attacker actually picked the rather archaic UTF-7. Back in the day, you may remember, this encoding sometimes led to the bypass of some cross-site scripting filters, but here UTF-7 is just used to fool analysts and tools into ignoring it and not being able to really figure out what's happening here. Well, not so, of course, with the help of Didier. Didier isn't fooled so easily, and he'll walk you through decoding these scripts. The output is binary code followed by some assembly source code, which doesn't make sense, and Didier's guess is that the assembly source code was just left in by mistake. Now, the shellcode Didier was able to analyze as 64-bit code, and that finally revealed the URL that may be used to load additional code. So, a pretty thorough walk-through of some interesting and somewhat unusual sample.

2:01
Microsoft recently went after a threat group that they're calling SEABORGIUM, and it is likely aligned with interests. Of course, Microsoft always uses the names of certain elements to identify different threat groups. Like so many advanced persistent threat campaigns, this one also takes advantage of phishing and then, of course, breaches organizations. Typically here, they will go after, they mention NGOs as an example, and many other organizations are targeted. Here the leaked information is typically used sort of to shape the narrative, as Microsoft put it, or is in some cases maybe used to discredit these particular individuals. Microsoft also talks about how they, for example, use LinkedIn accounts in order to collect open source intelligence on their targets. They will also set up email addresses with free email providers impersonating certain individuals, and then they start sending some emails, first some harmless, friendly messages to sort of establish a conversation and a little bit of a rapport with the victim, before they are then sending some weaponized email. Microsoft's blog includes many samples and additional details to help you identify possible intrusions. What I always find interesting here is the list of domains that they said were used as part of the campaign. Of course, those domains are no longer really being used, but the sort of benign nature of these domains, how does it fit in with a domain that you would typically expect? I think including some of those domain names may make a good lesson for awareness programs to tell users that the bad guys don't always use evil-example.com.

4:09
The last few years, ultra-wideband real-time location systems, or RTLS, have become more and more common. They are used in industrial equipment, some of it in smart cities, and even sort of Apple's Find My system kind of fits into that category. Now, what these systems, when they are used at a larger scale, typically have is location anchors that are receiving the signals from these devices, from the tags that are sending these radio signals, and then these location anchors are connecting back to some kind of central server via Wi-Fi or via Ethernet. Of course, because these are often sort of distributed systems across a larger area, Wi-Fi is quite common. The researchers at Nozomi looked into the Sewio indoor tracking system and the Avalue Renity, if I pronounce that correctly, RTLS enterprise system, and typically looked at the Wi-Fi communication here, not so much at the communication from the tags to the anchors, which has been discussed in the past, as they're saying, but instead at how that information is then sent back to the server. And what they found here is that it uses an unencrypted binary protocol that wasn't that hard to decode, and with that, an attacker would be able to spoof locations, defeat some of these safe areas and geofencing that is implemented in these systems, which keeps, for example, equipment out of hazard zones, or alerts users if they enter one, and then of course they would also be able to spoof the locations of certain equipment or individuals, in addition, of course, to figuring out what the location is in the first place. As so often, the advice here is to limit access to the network used to send these messages.

6:13
Well, and that's it for today. Thanks for listening, and talk to you again tomorrow.