Hello and welcome to the Monday, February 26, 2024 edition of the Sandsenet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Did he finally found a solution for a problem that we have been chasing for almost two years and that's scans that

contained the string MGL and DD. These scans were not obviously malicious. There was no obvious

purpose of this string. It for example showed up as an HTTP, which of course is not defined, typically not causing anything to happen.

Well, thanks to a reader Mikhail Solitzik for reaching out.

Mikal did actually record a video about a tool that is created by Ripe, the European Network Agency.

It's a little bit sort of like R.D. Shield Honeypots, but what they're distributing is

what they're calling Ripe Atlas. It's a little computer sort of Raspberry Pi-like.

It's actually a little bit smaller, that you can connect

to your network, and then they, and researchers are able to use it to basically run various

network tests to check Internet responses, Internet response time, and various other things.

One of the tools installed on Ryeb is Magellan, and Magellan allows you to send

packets with various protocols like DNS, HP and such, with that particular string, MGL and

DD, identifying them as being originating from Magellan.

This is, again, just sort of part of an Internet measurement effort.

It's not malicious.

Also sort of not really used as a port scan or things like, you know, we have on Friday I mentioned

of some of the other researchers,

Chaudan and the like that really are looking for open ports.

And Xavier brings us yet more malware.

We always love malware in particular if it's being analyzed by Xavier.

...