Hello, welcome to the Thursday, August 15th, 2019 edition of the Sansonet Storm Center's

Stormcast. My name is Johannes Ulrich. And I'm recording from Jacksonville, Florida.

Brad today looked at the latest payload being distributed by the Rick Exploid kit and turned out to be Medusa HTTP.

Now, this malware itself has been around a couple years but hasn't really shown up much

and it has a somewhat unique command and control channel which sort of is responsible for the

HTTP part. Or all, it is responsible for the HTTP part.

Overall, it's used for denial of service, but what's particular unique about this particular

payload is that it uses the HTTP 100 continue response code, which you typically don't see in normal web traffic.

So this would make a pretty good indicator of compromise likely.

In general, the protocol looks very much like HTTP.

I would call it an HTTP-like protocol.

It uses posts, it uses HTTP headers and the like.

Like I said, that 100 continue is a little bit odd and then it also breaks up the request

into two parts, one up to the expect 100 continue line and then it continues with the request

well as the spec actually suggests after

the 100 Continual Response Code is received.

Then returns a cookie which actually does include the host's public IP address.

So kind of interesting signaling going forth and back shouldn't be too

hard to spot and then of course Brad as usual is making available the raw P-Cabs and the malware

samples. So if you want to run this yourself, here is your chance. Always refer to Brad's di Diaries when students in the intrusionation class ask for more samples

to really hone their skills with, and this actually makes a great sample for that.

And security company Veronis is describing a little bit of modified crypto coin miner that they found on a customer system.

...