Hello, welcome to the Monday, December 2nd, 2019 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from San Francisco, California.

This weekend, we got two diaries to talk about. First one by Pratt about an ancient Tesla sample that he found. This sample arrives disguised as

an installer for the messaging application Discord. Brad came across the sample via the

Any Run sandbox, so he already had the packet capture file from Eniron and didn't have to create his own.

Agent Tesla is an information stealer.

And it typically exfiltrates information as an email.

Now, to avoid networks that block port 25, Agent Tesla uses the submit port on 587, which is usually allowed outbound, unlike Port 25.

And, well, lucky for Pratt, the SMTP traffic for Agent Tesla was not encrypted, at least not for this variant.

Looks like this makes a nice quick sample to test basic packet analysis skills in Vyershark.

So if you are interested in that, feel free to follow the link to the PC-CAP that Brad lists in his diary. Like most

malware, I come across these days. Again, this malware does not actually exploit any vulnerabilities

per se, but just requires that the user cooperates and installs it.

Now, the second diary from this weekend comes from Russ's tool reviews.

This time, he is looking at Soren. I also have this tool called the Eye of Soren based on where the name already comes from,

a tool that searches files

on a system for sensitive information.

Ancient Tesla, for example, limits itself to exfiltrating information from a few very specific

well-known locations.

But all too often, users keep Word or Excel documents on their systems or on file shares with sensitive data like passwords.

Sor and I will find these documents and assist in exfiltrating the data.

The exfiltrated data volume is quite small as a result because it just picks those

...