Hello, welcome to the Thursday, March 17th, 2020 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Well, today we got an update from Brad about QuackBot.

QuackBot has been around for quite a while.

This is a sample that Brad captured this

week and it follows the standard pattern. It arrives as an email with a link. You click on the link,

you download a SIP file and that then extracts to an Excel file with macros, which of course

the user will then enable. That macro will download the Quackbot DLL files and then there is

command control traffic which was sort of interesting here that there wasn't just the standard

quagbot command control traffic,

but there was also Cobalt Strike, which has become somewhat common, of course, these last couple

years, and then there was VNC, VNC, probably sort of for convenience and also ease of use.

Interesting that it took 17 hours actually for the command control traffic to show up.

This maybe because it was done more interactively like VNC, so pretty much had to wait for the attacker to wake up and start

actually connecting back to the infected system. But also sometimes these delays show up in order

to avoid detection in sandboxes. As always, Pratt is making available the P-Caps and all the indicators of compromise,

in particular the P-Caps, of course, are a great resource to learn how to take apart the traffic

generated by this type of malware. And Unlop has a write-up about Ghost Grinch.

That's a remote access tool that's sort of derived from the Ghost Ratt according to

Unlab and going back to December 2018.

What's sort of new here is that it's now using vulnerable Microsoft SQL and MySQL servers

in order to install additional tools like Ghost Grinch, the remote access tools.

...