Hello and welcome to the Thursday, August 25th, 2022 edition of the Sands Internet Stormsanders Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Brad is on a role with his second Malware analysis diary in as many weeks.

This time Brad grabbed a Monster Leipra sample.

Now, Monster Leipra is also known as TA551 or Shattac.

And again, as so often, the malware starts out with a Word document and of course tricks the user

into enabling macros.

Yet another reason why it's so important that Microsoft is clamping down on these macros.

This initial macro downloads a DLL file that then installs Iced ID, which in the end pulls either Dark VNC or Cobalt Strike.

That's a very typical combination that we have seen in the past.

Sometimes in the past we have seen, for example, dark VNC being installed more on sort of standalone systems

and then Cobalt Strike more on active directory controlled systems. Packet captures,

indicators of compromise, and more are as usually included in Brad's write-up. And talking

about malware and traffic analysis, security company Upticks has published analysis

showing how what they think is crypto miners, even though they haven't really observed

the crypto miner part here yet, but Malware taking advantage of the talks peer-to-peer protocol for command control.

So not Tor with R, instead, talks with an X in the end.

And TOX is well, well-suited for this kind of command control.

It's a serverless protocol.

You have seen sort of these peer-to-peer protocols pop up from time to time.

Machines are only talking to each other.

There is no sort of central server infrastructure that could be taken down.

...