Hello, welcome to the Monday, July 12, 2021 edition of the Sansonet Storm Center's Stormcast. My name is Johannes Ulrich.

And today I'm recording from Jacksonville, Florida. He noticed some interesting scans against his honeypot,

and these scans while they're using HTTP and are going to port 443, the payload indicates

that they actually attempt to establish a secure socket tunneling protocol or SSTP connection.

SSTP is a VPN solution that's somewhat proprietary to Microsoft. It's essentially sort of a PPP over

HTTP connection. The nice part about this, of course, is that it can work with some proxies

and does enable a pretty straightforward and simple VPN gateway on Windows systems configured with

this protocol. It's not enabled by default as far as I can tell, but it does on the other hand

possibly open up a gateway with weak passwords and such. So not really clear what the attacker is going

after here, if they're going to try some weak passwords or if they're just enumerating systems,

there is no currently known widely used vulnerability in this protocol. And on Friday, Brad wrote up some interesting new behavior of the Hankitore malware.

In this case, the malware is downloading an dot-xll file.

Dotxll files are Excel add-ins.

They're a little bit similar to DLL files in terms that there are

binary extensions that are being downloaded and executed by Excel, probably trying to attempt

to bypass some simple filters with this little bit odd extension. Other than that, it's well your standard hand guitar malware.

In this case, what Brad observed is that he ended up with Cobalt Strike if the malware is operated

in an active directory environment.

This is something that has been showing up more and more over the last

year, where malware behaves differently if it's an active directory environment, where in particular

it downloads Cobalt Strike, suggesting that an attacker is then going to do some manual follow-up

if it is part of a larger network, Of course, often with the intent then to

...