Hello, welcome to the Monday, June 18th, 2018 edition of the Santernet Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Lorna got a real nice puzzle on Friday if you're interested in cryptography, that may be something

for you to look at, but apparently what we're

looking at here is some kind of command control channel or X-FEL mechanism.

The data is being sent to a domain do not spam today.com and contains as subject three sort of

random letter combinations, then the letters MID colon, and then what

looks like sort of an MD5 hash. The body is then again what looks like eight words, but really

just the random characters. So not really sure what is this all about, but if you did see similar emails

leave your network and in particular if you were able to capture any of the malware responsible

to it, then please let us know. Or if you're just interested in a little crypto puzzle,

well, maybe you can take a stab at it

and figure out what algorithm, what keys are being used in this case.

And DDA came across an interesting trick with office documents.

Turns out that if office documents are encrypted using the password Velvet Sweatshop,

they will be displayed automatically without the user having to enter the password.

The reason for this is that apparently old versions of Excel had this as a default password,

and for backward compatibility, well, a new version of

Excel will just automatically open documents encrypted using this particular password.

Of course, this may still throw off some anti-malware solutions that will not open the document

because it is encrypted and because they do not know

about this fairly uncommon default password.

...