Hello, welcome to the Monday, January 29th, 2018 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Ever started investigating a suspicious email just to figure out that it was part of a pen test?

Of course, you often don't know until you did much of the analysis.

Now, D.D.E. is going over a case like this in his diary from this weekend.

And in this case, it was a Word document, not just a link to a web page as you often see him.

Did he was able to analyze the document quickly using his slick set of Python tools to extract

the text from the word document.

Now this text in his case was written in Slovak explained that this particular word document

was part of the

pen test. Of course you should still do a quick look and make sure that this is actually

a test and doesn't include any malicious payload. You could see an attacker use a text like this

to prevent this particular word document from being reported.

Now, when you investigate Windows malware, one tool often used to download additional documents

is the background intelligent transfer system, or bits for short.

It's part of the update system in Windows. For attackers, it plays a role similar to W.

Get and Curl on Linux systems. As Xavier explains in his diary from Friday, Bits offers a number

of features that are useful to attackers. Bits is intended to download patches, so after

downloading a patch you can run a script to apply the patch. Well, that's part of Bits and of course

often abuse to then execute the code that was just downloaded. Now Bits parser, a tool created

by French researchers, can be used to better understand

the Q manager files that are being left behind by Bits. So if Bits was used as part of an exploit,

...