Hello, welcome to the Monday, September 16th, 2019 edition of the Sansanet Stormeners Stormcast.

My name is Johannes Ulrich.

I'm recording from Stockholm, Germany.

This weekend, Xavi took a look at a Rick Exploid kit that delivered a malicious visual basic script to one of his users.

Couple things that sort of tipped him off here that this was probably malicious.

The entire infection started out with a set of redirects to various .xyc domains. Dot XYC domains are quite popular among malicious websites,

just because they're cheap to use. But on the other hand, I haven't really seen a lot of good

stuff with dot XYC as top level domain, so that may be something that you want to take a look at.

It also appears to use a number of little tricks to make analysis a little bit more difficult,

short of actually visiting the malicious site, like for example, checking whether or not you're

using the correct browser that you're claiming to use.

And then as typical for exploit kits, it uses a number of different vulnerabilities to try to infect the system.

Like, for example, a flash file, also a PowerShell script is being used.

And it also tries to take advantage of the CSE.E.exe compiler that's part of the dotnet framework

that's often installed on systems. And actually just happened that Xavier has written about this particular technique. I believe it was

as recently as last week. So probably the easiest way to detect this particular type of attack

is looking for these dot XYC domains a little bit more closely. IP address not all that useful here because the malicious sites, at least part of them,

were hosted behind Cloudflare.

And whenever I am talking about penetration testing in class,

I usually mention the importance of permission and actually having permission

that covers the entire scope of the engagement.

Now, yes, people talk a lot about possible criminal charges, but often the more common

...