Hello, welcome to the Monday, January 22nd, 2018 edition of the Sands and Storm Center's Stormcast.

My name is Johannes Ulrich, and the M. Recording from Jacksonville, Florida.

Usually, when we are looking at RTF documents, one of the assumptions is that it's probably some kind of exploit in the sense that they're trying to

exploit some kind of Microsoft Office vulnerability. Well, DDA looked at an RTF document

we received recently and for a change it didn't contain sort of this traditional type of exploit

instead just a fishing attack.

And DDA walks you through his tools RTF dump, for example, to figure out not just that it's

probably not an exploit in a sense of a buffer overflow or anything like that, but just a fishing

attack and then also to extract the fishing URL.

And then we got a little bit more insight in the traffic on port 3,333.

Now, I already mentioned that this particular port is often associated with mining pools,

but it turns out that the Claymore Miner for Windows also provides a remote monitoring and management interface on

this port, and apparently, well, there are some vulnerabilities here, and this may actually

be the real cause sort of of the scans that we have seen,

that they're not really going after the mining pools, but instead after this software.

Chinese security company NetLab 360 came out with an interesting write-up where they're

looking in one of these bot nets that's actively going

after these Claymore miners. Now to make things a little bit more interesting here, Claymore

mining equipment is really sort of more a device, but it does actually run Windows. More typically

you tend to find Linux on devices like this, but in this case, no, it's Windows.

No password is required for the connection on port 3,333, and typically it's used for monitoring the mining equipment,

but in older versions of the software, it can also use to actually perform actions on the equipment.

...