Hello, welcome to the Thursday, May 14th, 2020 edition of the Sandstone Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

In Diaries today, we have Brad talking about the latest version of Tridex that he ran into.

Now, this particular sample was collected on May 12th, so earlier this week on Tuesday,

and well, it follows off the standard pattern as far as Tridex goes.

It arrives as an email that then links to a SIP archive.

Now, the user has to download and decompress this SIP archive,

which then reveals a visual basic script

that will actually do the malicious action,

which in this case will download three different DLs.

Well, actually first the DLL with the Tridex payload, and then over HTPS, it will download

those three additional DLs.

Sort of interesting, but I've seen this in most malware samples and also fishing samples these days.

If your IP address happens to be on a placlist,

essentially something that the attacker believes is a researcher or the like,

then you will be redirected to a benign page,

making it look like this email was just spam.

Now, while this is sort of your run-of-the-mill tridex, we have seen this for years,

ESET has what they're sort of considering a more cutting-edge piece of malware that they're

calling Ramsey.

But what's kind of amazing is that there are a lot of similarities between this malware and sort of your run-of-the-mill

malware that we see every day. First of all, it doesn't really look like it's using a very

...