Hello, welcome to the Friday, May 6, 2020 edition of the Sandsenet Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording today from Jacksonville, Florida, but actually teaching virtually in San Diego, California.

Brad was on duty again today, and Brad did write up an infection that led to Remco's rat.

Now, it started all out with the usual Excel file. It was in this case password protected,

with the password being a five-digit number listed in the malicious emails. Then, of course,

it tricked the user into enabling macros before downloading Remco's rad. One tool that I've

pointed out before, but really one mention again that came in handy here for Pratt was JA3 hashes.

JA3, a tool developed by security engineers at the Salesforce.

Essentially, hashes the client Hello packet that a client sends to a TLS server.

It looks at all the different options being used and how they're being used.

And in this particular case, the hash was specific to Remco's rat.

And emerging threats included that particular hash in its signatures.

So that's sort of how Brad was pointed into the right direction to then identify what's going on.

And also he then found the particular key log file. As usual, all the packet captures and such can be downloaded from links in Brad's diary.

And if you actually are interested in hearing more from Brad, Brad will be speaking

about some of these packed analysis techniques at our Sands Fire Conference as part of our

evening talks. And while having a password-protected Excel spreadsheet causing mayhem does sort

of fit its password day after all.

And well, as Brian Grebs actually noted in Twitter, it should really be enabled two-factor

authentication day not come up with stronger passwords.

Now, along those lines, Microsoft, Apple, and Google today announced

that they will support upcoming FIDO Alliance standards. And what's really so great about it

...