Hello and welcome to the Thursday, December 19th,

2004 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Washington, D.C.

Another great guest diary today by one of our sands.edu undergraduate interns, this time taking apart an attack

that is associated with Team TNT and Spinning Yarn. This particular attack attacked

web server, of course, a honeypot that simulated a vulnerability that was then exploited by the attacker to install script.

This script was heavily obfuscated in order to bypass malware detection, and then was

used to download additional malware.

What's sort of interesting in here is that there is sort of multiple stages to install all

the components needed to actually execute the malware, and then the malware went ahead and also

did disable security measures on the system. In the end, the malware did install Cryptominer

and then did harvest ZH keys, clear system logs, and also execute yet another reverse shell in order to provide persistent access to the attacker.

Interesting write-up on a fairly common attack and something that you definitely should be

ready to detect.

Typically, the crypto coin miner itself should trigger some anti-maliburr signatures.

The problem there sometimes is that the standard crypto miners are necessarily included

in these signatures

because they're not themselves necessarily malicious software.

One quick check that you may want to run is XM Rick is the number one crypto miner that we

do see being used. Make sure it gets detected on your systems.

Yesterday we had a couple stories involving Anydesk.

Well, today we switch to another favorite remote control methods for attackers,

...