Hello, welcome to the Monday, September 21st, 2020 edition of the Sandtonet Storm Center's

Stormcast. My name is Johannes Ulrich, and then I'm recording from Jacksonville, Florida.

Oh, the weekend we had a couple of interesting diaries, one from Xavier, where he went hunting again on Byrus Total for office documents

with interesting objects. And now what he came across, there is something that also

did he publish about earlier, and that's documents that include Python code,

which is a little bit odd because of course typically on Windows systems

and you would expect a Windows system to open the office document,

you don't have Python typically installed.

So Python, if it's used on Windows systems, often arrives compiled. This code would

only run if Python was already installed on the system. Now, he found actually a couple

different samples there. Some looked like they may be experiments, maybe someone is of developing

some exploits here,

or internal red team exercises because they tried to connect to internal to 192-168 IP

addresses.

We also found a third address.

That's a 156.132 address.

And that one is now actually assigned to the United States courts system.

So kind of interesting there.

It wasn't always assigned to them if you're looking up in some IP address information system,

so it may not necessarily come back with anything yet.

Let me got a second diary by Guy.

Guy is writing about Fish trying to impersonate Salesforce.

...