Hello, welcome to the Thursday, May 21st, 2020 edition of the Sansonet Stormsendors Stormcast.

My name is Johannes Ulrich.

I'm recording from Jacksonville, Florida.

Brad today is walking us through an ice ID infection that he observed earlier this week. It arrives as so often as a VERT or Excel

document with macros and then installs an executable. Now, a couple things that sort of stick out

here. First of all, as so often, we do also see odd top-level domains like XYC.club and dot-top.

Don't we see a lot of valid domains among those top-level domains, so something that in many

organizations they may just block these top-level domains. Another interesting sort of feature here is that part of the executable is encoded in a PNG file,

so in an image, and then used by the initial downloader to assemble the actual malicious executable.

This type of malware tends to be fairly easy to defend

against, like for example, these top level domains and then simple techniques just to harden

windows. Now, what these actors usually count on is that you have a couple systems in

network that are out of spec

and can be used to then essentially serve as a beachhead for an attack like this. And of course,

they're also just often going after home users. And researchers at Tel Aviv University came up

with an interesting new denial of service attack that again uses

DNS. They're calling it the NXNS attack and well the name comes from the NX domain. The Kent found

a reply as well as from NS, NS records that are being used in this attack.

This attack requires that recursive name server will first connect and try to resolve the attacker's domain.

Now, the attacker is going to reply with a pretty long list of

NS records, name servers that are actually not responsible for

the particular domain. So what will happen now is that your recursive name server will

...