Hello, welcome to the Thursday, June 4th, 2020 edition of the Sandcent Storm Center's Stormcast.

My name is Johannes Orrich, and today I'm recording from Jacksonville, Florida.

In today's diary, Brad is looking at a recent copy of the sea loader malware.

It was actually peddled using Polish language malicious spam messages.

Now, overall, nothing really all too special here. It's an Excel spreadsheet with a macro

that will then download the C-loader.dll.L. One thing of note here is that all the traffic is HTPS. So if you

don't inspect HPS traffic, you're pretty blind here. On the other hand, once you do inspect

HTTP, there are a couple sort of telltale signs here like odd user agent headers and the like that should make it pretty straightforward to actually detect this kind of malware.

If you don't have TLS inspection, you are pretty much left with DNS lockups.

And there are some sort of interesting host names here. Not sure how

well they would sort of pop up in a busy network. They are using the dot AT top level domain.

I believe that's Austria that does use .AT.

So not a super common top level domain,

but nothing like the dot XYC or dot top top level domains that are calmly used by malware.

Another giveaway here, of course,

is also that the binary is directly downloaded,

so you'll get your

typical Windows executable header. That's also pretty easy to pick up on for any kind of

intrusion detection system. And Cisco fixed an interesting flaw in a number of its

routers and switches affecting the IP in IP protocol.

It's a little bit of weird protocol where we are really just sending an IP packet inside another IP packet.

So you have two IP headers following each other, almost a little bit like a shortcut to GRE, which you could

...