Hello, welcome to the Thursday, April 21st, 2022 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Marriester, Florida.

Prior today, published a diary with a recent version of Quagbot or QBot.

Now, at this time, Quagbot was used to install DarkVNC.

As so often it started with an email and a link, the victim then download a SIP archive

that contained an Excel file, and then of course macros were used to download the Quagbot DLL files.

After checking connectivity, which interestingly used the openssel.org website, it then

established command control traffic and installed DarkVNC.

Dark VNC as the name implies, well, it is VNC.

It allows a full desktop remote access, but with traditional VNC, the regular user of

the workstation may notice the activity.

With dark VNC.

You typically have a second desktop that's of a hidden desktop that's being set up that the attacker controls and the victim does not notice that there is a second user connected

to their system.

Typically that's then being used for banking malware and the like.

By using the victim's desktop, you're actually able to bypass some of the checks

because you already are using the correct IP address.

You're using some of the cookies that the website may leave behind, making credential theft so much

easier.

In the case of compromise, as well as samples, and of course anonymized P-CAPs are available

for download.

Yesterday, I talked about the Oracle quarterly Critical Patch update and how it included some updates for Java as well.

...