S3E2: Hacking Tracking Pix & Macro Stomping Tricks

State of the Hack

Technology


On today's show, Nick Carr and Christopher Glyer break down the anatomy of a really cool pre-attack technique - tracking pixels - and how it can inform more restrictive and evasive payloads in the next stage of an intrusion. We're joined by Rick Cole (@a_tweeter_user) to explore one such evasive method seen in the wild: macro stomping. And we close the show by deep-diving with Matt Bromiley (@_bromiley) on the critical vulnerability we've been responding to most in 2020 - and what we've seen several attackers do post-compromise.

Just as a targeted intruder might, we start our operation with email tracking pixels. We break down how these legitimate marketing tools are leveraged by attackers looking to learn more about their planned victim's behavior and system, prior to sending any first-stage malware.

We walk through the different variations on these trackers for both benign and malicious uses. For examples of each style of tracking pixel, see Glyer's recent tweet thread (https://twitter.com/cglyer/status/1222255759687372801). We also talk through red team operators' responses on how they use this technique in their campaigns today, a discussion sparked by this great offensive security thread (https://twitter.com/malcomvetter/status/1222539003565694985). This trend of professional target profiling, drawing both inspiration and specific tracking tools from the marketing industry, is highly effective and one we expect to continue.

Next on the episode, we explain how document profiling accomplishes the same end goal as email pixels, and how it can share information about the current version of Microsoft Office on the potential victim's system. Similar to execution guardrails, this Office version information for Microsoft Word or Excel could be used to deliver malware that is highly evasive and only runs on that profile. We also pivot into some potential use cases for fingerprinting Office versions.
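As an added example (not code from the show, from FireEye, or from the tweet threads linked above), here is a defender-side heuristic that flags likely email tracking pixels in an HTML message body: remote images that are rendered 1x1 or hidden, or whose URL carries a long opaque identifier. The sample HTML, the hostnames and the address 198.51.100.7 are constructed for the demonstration.

```python
# Heuristic tracking-pixel finder for HTML e-mail bodies (added example, not
# code from the show or from FireEye). Flags <img> elements that fetch from a
# remote host and are rendered 1x1/hidden or carry a long opaque token in the URL.
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs
import re

TOKEN_RE = re.compile(r"[A-Za-z0-9]{16,}")  # heuristic: long opaque recipient id


class PixelFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        if not src.lower().startswith(("http://", "https://")):
            return  # inline (cid:/data:) images never beacon out
        reasons = []
        style = (a.get("style") or "").replace(" ", "").lower()
        if a.get("width") in ("0", "1") or a.get("height") in ("0", "1"):
            reasons.append("1x1")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden")
        u = urlparse(src)
        params = [v for vals in parse_qs(u.query).values() for v in vals]
        if any(TOKEN_RE.fullmatch(v) for v in params) or TOKEN_RE.search(u.path):
            reasons.append("token")
        if reasons:
            self.hits.append({"host": u.hostname, "src": src, "reasons": reasons})


def find_tracking_pixels(html: str) -> list:
    """Return candidate tracking pixels in an HTML e-mail body, in document order."""
    p = PixelFinder()
    p.feed(html)
    return p.hits


# Constructed sample: a normal logo, a classic 1x1 marketing pixel, a hidden beacon.
SAMPLE_HTML = """<html><body>
<img src="https://cdn.example.com/logo.png" width="200" height="60">
<img src="https://track.example.net/o.gif?rid=a1b2c3d4e5f6g7h8i9j0" width="1" height="1">
<img src="http://198.51.100.7/px/7f3c9e2b1a0d4c5e6f7a8b9c.png" style="display: none">
</body></html>"""

if __name__ == "__main__":
    for hit in find_tracking_pixels(SAMPLE_HTML):
        print(hit["host"], hit["reasons"])
```

Each hit records the host the image would beacon to, which is the value worth correlating against mail-gateway or proxy logs when triaging a suspected profiling email.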
We discuss VBA macro stomping and the file format intricacies that require attackers to understand the version of Office a target may be using, in order to create evasive spear-phishing lures that may bypass both static and dynamic detections. Rick Cole joins us to talk through an active attacker using macro stomping for evasion, covering both p-code compilation and PROJECT stream manipulation. Rick walks through a brief overview of the technique and a particular financial threat actor who loves macro stomping as much as they love Onyx. Rick co-authored a blog on the topic (https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html) and has an excellent tweet thread linking to other research (https://twitter.com/a_tweeter_user/status/1225062617632428033).

Finally, we're joined by a surprise second guest! Matt Bromiley drops in to discuss FireEye's efforts to respond to the critical Citrix vulnerability, CVE-2019-19781, that went public on January 10, 2020. Matt helps us break down some of the activity we've seen since then, including distinct uncategorized clusters of activity for NOTROBIN, coin mining, and attempted ETERNALBLUE-laced ransomware.

In addition to securing his customers in Managed Defense, Matt's been working with the team to release several blogs, defender tips, and tools on the vulnerability:

• Matt and Nick published an initial blog on the topic – detailing exploit timelines, evasive attackers, and resilient approaches to detection (https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html)

• Our colleagues Willi Ballenthin and Josh Madeley unveiled NOTROBIN and the concept of exploit squatter's rights in the blog with the titl