Hello, welcome to the Thursday, September 27th, 2018 edition of the Sansonet Storm Center's

Stormcast. My name is Johannes Ulrich, and the time recording from Las Vegas, Nevada.

Brad today has an update for us on Emotet. Emotad used to be a banking trojan but has morphed, as Brad explained, to

a malware delivery service. Now, the latest round that he has been observing used word macros

in order to then download additional malicious files. The word files either arrived directly as an attachment to an email

or just as a link that if clicked on would then download the malicious document. In some cases,

Brad has also observed PDFs with, again, links that will then download the Word document. So the PDF itself isn't really

malicious other than delivering the malicious link. In the case that Brad is describing here,

Emot had actually then installed three different pieces of malware. As usual Pratt does show how all of this

happened. He also links to indicators of compromise, IP addresses,

hashes as well as traffic captures from the infection in his lab. And if you are

running Fedora Linux you may have run into a problem with SSH after the latest

round of updates.

Fedora updated its crypto policies, which essentially changes the order in which different

crypto algorithms are being used for

S-S-H connections. The problem here is that as a result, if your server does support multiple

cryptographic protocols, you may actually get a different key from the server than the one

that you have saved in your known

hosts file. This will result in a warning that essentially the key has changed. Now, in an

interactive session, this may not be a big deal, but if you are relying on S.H in Grand

Jobs and the like, so for unattended SESH sessions, these sessions may

now fail because of this warning. This affected Fedora 29, and an update has already been

...