Hello, welcome to the Friday, August 3rd, 2018 edition of the Sandsenet Storm Center's

Stormcast. My name is Johannes Ulrich, and the day I'm recording from Jacksonville, Florida.

Today, Brad wrote of a new variation of the good old D.HL. Malspam as typical for this type of attack, the email

tricks the user into running a loader that then installs additional malware.

This is where it starts to become a bit unusual with this particular sample.

The loader did retrieve an animated gif file.

As it turns out, this file actually was a normal functional file, even displayed the little

animation, but it had executable attached to it. So after the file finished, there was a second file with the executable.

Now, this executable then included the Agent Tesla spyware.

Now, I read up a little bit on this, and Agent Tesla has used sort of tricks in the past,

where it was delivered with, for

example, a corrupt header in order again to fake out anti-malware and trick it into not scanning

the particular file. That's probably the intention here as well that anti-mailware thinks this is just an image.

I don't have to scan it.

And that's sort of how this particular file then gets delivered to the victim.

The loaded in strips off the gift file and just runs the executable.

As usual, Brad provides a number of indicators of compromise that you can use to look for

this particular threat in your environment.

About a year ago, you may probably not have heard of Microtig routers.

They are a bit more of a niche router overall and not as popular as routers from the big brands like lynxys or Netgear.

But they keep popping up in this podcast and in security news for of course all the wrong reasons.

Yet again, Microtick is in the news for a botnet that was built using these

...