Hello, welcome to the Thursday, April 2nd, 2020 edition of the Sansonet Storms on Stormcast.

My name is Johannes Ulrich.

And I'm recording from Jacksonville, Florida.

Let's try today to have a couple stories that are not related to the coronavirus.

And the first thing we have is a good old quackbot, mal-spam that Pratt analyzed.

Now, this is typically sent from infected Windows hosts.

So one of the things that Malware, of course, does if it infects a host, is to use these hosts to send spam itself.

So Pratt goes as usual in quite a bit of detail as he walks through the different aspects of disinfection. This particular mal-spam is sending fake

water phone emails and also some of these DHL shipping notifications.

So he's explaining how to analyze this using virus or extracting the email messages and

figuring out what additional payloads are being downloaded.

And Tom is telling you how how to enable submitting the shield logs from teapot.

Teapot is a honeypot that incorporates a number of different sort of pieces of honeypot software

and a pretty neat elastic stack to analyze it all.

So a little bit more heavy weight there, but pretty neat,

and really not that difficult to enable submitting the shield logs using this honeypot

just by enabling it in Cowry, which is, of course, one of the components that teapot uses just like our own Honeypot to emulate S.H and Telnet.

And talking about S.S.H since S.H is so often scanned, one of the tricks of course that many users are using is to run the SSH server on some random

high port. This may cause some issues with the latest update of macOS, 10154, according to a blog

post published by Tyler Hall. Now, I wasn't able to reproduce the exact behavior that he described, but there are a couple

other similar posts, so hope it wasn't just a bad April Fool's joke.

What he observed was that if SSH is listening on a port that's greater than 8,1001.92. And if you are connecting to the

...