Hello, welcome to the Friday, September 11, 2020 edition of the Sandsenet Storm Center's

Stormcast. My name is Johannes Ulrich and today I'm quoting from Jacksonville, Florida.

Brad today is keeping us up to date on what Tridex is up to Tridex, a very prolific Malware family, has been kind of quiet the last few weeks,

but looks like they're starting a new run. Now, the initial lure is very similar to what they

have done in the past. It's a Word document that, of course, then tricks the user into enabling

macros. In this case, it just

states the document is created with an online version of Microsoft Office, and that's why you need

to enable macros to actually edit and view the document. Now, as far as persistent goes in this particular version of

Tridex, it uses Windows registry keys, it does add a scheduled task, and then also adds

a menu shortcut to Windows startup. Also note that Tridex is using legitimate Windows binaries in order to run itself.

The way it accomplishes that is by copying a DLL file with a malicious code into the same directory

as this Windows binary, and then of course that DLL gets loaded as the Windows

binary gets started and the malicious code is being executed.

As usual, Brad is supplying you with links to samples and traffic captures, so you can use

that to test your defenses and also to experiment a little

bit yourself with recovering binaries and analyzing this traffic.

And we've got a couple of security news items related to Zoom.

First of all, a study that looked at Zoom bombings. Zoom bombings refers to

strangers joining a Zoom call and disrupting the call. Now, what this study found is that the

people that are performing these Zoom bombings, at least the vast majority of them, are, well, not so much

strangers. They're not brute forcing meeting IDs. They're not finding passwords randomly

posts on the internet. Instead, they're usually known to participants off the call and received

...