Hello, welcome to the Friday, November 15th, 2019 edition of the Sanct Storm Center's Stormcast.

My name is Johannes Ulrich.

And today I'm recording from Riyadh, Saudi Arabia.

Well, with me skipping Thursday, I have two diaries to talk about.

The first one is one of Brad's famous Malver walkthroughs. This one is the latest

incarnation of Locky Bot, something that he has found this week. And in this example, well,

the bot arrives as an email, actually better set an email attachment, sort of

claims to be a document because it starts with docs underscore in its file name.

It's actually a RAR archive, so a compressed file.

If you uncompress it, it uncompresses directly in executable, but it does use the PDF icon to make

it more likely that the user will actually click and open it.

Over time, Lockybot Ridkey sort of has become a jack of all traits. It's still predominantly

sort of being advertised as an information stealer and key logger, but it can also

install additional files on the system.

Like I think it was a month or two ago I talked about it, hiding some of the information

in image files.

Then, for example, extracting additional executables out of these image files

in order to bypass some anti-malware tools. As usual, Pratt provides PCabs and samples

and links to reports from sandboxes, so you can easily replicate his analysis. The second diary we have is from Manuel.

Manuel looked at Seek.

Now, Seek I think, is still a little bit an underappreciated tool.

In particular, when it comes to network forensics, and Manuel shows some new little tricks how to for example

...