Hello, welcome to the Monday, December 28, 2020 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and the time recording from Jacksonville, Florida.

We've got a couple of smaller diaries over the long weekend, starting with actually a guest diary by a student that took a class

with Xavier and Jim explaining how to quickly extract indicators of compromise from the Tridex dropper.

Tridex, a very popular family of malware, so it's certainly nice to have some relatively automated

quick tools to get a handle on how you possibly detect who in your environment got infected

by a particular variant that you may run into. In addition, Xavier analyzed a malicious word document that delivered

an octopus backdoor, and then we have a couple of small diaries by DDA, again, talking

about extracting strings from malicious documents and also dealing with different encodings

in Base 64 dump.

And one item that caused national news this weekend was on the 25th when a bomb went off

in downtown Nashville.

Now, the RV that contained a bomb was parked in front of an AT&T building, and while luckily

nobody was hurt too badly in this event, it did cause a major disruption to AT&T's network

in the southeast.

This is one of those cases where very specific points in carriers' infrastructure can have substantial regional effects.

And in this case, much of the southeast was at least for some time without wireless and in some case internet service.

By now, most of the service has been restored

according to AT&T, but they're still working and are still not back to normal as I'm recording

this. And then last week there was some confusion about a report by Microsoft where Microsoft stated that

they found a second piece of malware on solar winds installs that were infected by the famous

back door that was delivered with solar winds. That's often also called sunburst. This new malware was named Supernova,

...