Hello, welcome to the Thursday, September 29th, 2016 edition of the Sands and the Storm Center's

Stormcast. My name is Johannes Orrich, and today I'm recording from Jacksonville, Florida.

Brad wrote up a diary about the Rick Exploid Kit that he has seen more recently replacing the

Neutrino Exploid Kit. If you remember, Neutrino is sort of on its exploit kit that he has seen more recently replacing the neutrino exploit kit.

If you remember, neutrino is sort of on its way out, the crew behind it is no longer in

business and the Rick Exploid kit seems to be replacing it.

In this particular case, this downloader was then used to download Ransomware, and well, nothing new here.

Locky, of course, was downloaded.

The sort of interesting part with respect to the URLs being used was that in this case, the URL was login.

Php. Haven't seen that lately, but then again, I think that has come up in the past.

From a detection point of view again, the downloader does use an artificial user agent, so you may be able to pick that out.

Also, the binary that's being downloaded is encoded so you won't really see any of the basic sort of

PE signatures here but the content type is application XMS download so

that may trigger some alarms here.

And in his latest variant, sticking sort of with its Nordic God theme, the extension of

the encrypted files is now dot Odin.

And a couple of years ago, Facebook released a tool OS query.

OS query allows you to query systems throughout an enterprise for things like which processes are running,

which ports they're listening on, what software, what files are present on the system.

So essentially all these little investigations, you usually do sort of one-on-one by remoting into a system.

You can essentially do across the entire enterprise. Problem was until now this tool was not

available for Windows. Well, it now supports Windows. They have ported it. And with that,

...