Hello, welcome to the Monday, March 11th, 2019 edition of the Sandsenet Storm Center's Stormcast. My name is Johannes

Ulrich. And I'm recording from Jacksonville, Florida. I've got a couple interesting diaries by

D.D. about analyzing malicious HTA files. Part of this is based on work by one of our

readers Ahmed who had actually some issues analyzing in these files the trick

with htah files is their HTML applications that what htah stands for but

unlike normal HTML and JavaScript they're not executed by the browser. They're executed

by the HTA engine or MSHTA.exe. And some of the constraints that apply to browsers do not

apply to the HTA engine. They run with the full privileges of the user opening the file.

So real good way to sort of infiltrate malicious scripts into the user's system.

All the user has to do again is double click and open the particular file.

And probably not a big surprise that in the end, this particular script ended up executing

PowerShell and the ghostler process how it was able to de-officate this particular script.

And Guy wrote a brief diary taking a quick look at the comparison between port scans to

port 22 and 2,222.

Of course, the second is a very frequent alternative port for SSH.

And well, Guy's conclusion was no big surprise here that that port gets scanned well not almost as

often as port 22 but about a third of the scans are going to the port 22nd

instead of 22 so it doesn't only make sense to hide as H on that port pick a

different port and you have a better chance of evading regular scans.

I believe port 2222 has become such a big target, particularly after May Ryan's

such incorporated this particular port into their scanning routine.

But let's talk about a couple of vulnerabilities that were released and some of them patched

...