Hello and welcome to the Friday, April 5th, 2024 edition of the Sands and the Storm Center's Stormcast.

My name is Johannes Ulrich and I'm recording from Jacksonville, Florida.

Thanks to everybody attending our webcast today.

If you missed it, a link to the recording is up on the Internet Storm Center's homepage,

and I'll probably leave it up there for the weekend. As mentioned at the beginning of the podcast,

it's really not so much about figuring out how to detect the current XC util backdoor, but really much more about how we are able to detect the current XI Util Backdoor,

but really much more about how we are able to detect future issues like this,

now that we know what Playbook did hacker use in order to infiltrate the XC Util Project.

In Diaries today, we have a great analysis of the Donex Ransomar by John Mutas.

He wrote a guest diary and is walking us through the reverse analysis using Binary Ninja.

So, real great if you are into reverse analysis yourself and would like to sort of

see a step-by-step walk through through the process for this particular sample. Now, Don'tex,

in case you haven't heard about it, is the latest reincarnation of LockBit. LockBit, of course, was sort of one of

the somewhat successful takedowns for ransomware groups, but the source code had leaked, and

successors like Dark Race, for example, and now Donax have adopted that code.

And, well, as John shows here, have done little really to change it and just sort of readapted it,

made it pass some simple signatures, so it's not as easily detected.

But other than that, very close still to the original logbit code.

And then we have yet another denial of service attack against HEP2.

The just recently had the reset flood that I talked about, and this time it's a continuation flood.

When you're sending an HTTP request, you as typical for HTTP, start with headers.

If these headers exceed a single frame, you can add continuation frames.

...