Hello, welcome to the Tuesday, December 18th, 2018 edition of the Sansanet Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Washington, D.C.

Now, I always encourage you to send us malware samples or whatever you sort of see being odd in your network.

One of our readers, Jason actually followed my advice and not only sent us the malicious

document, but also his rather complete analysis.

So Didier wrote it up?

And now one interesting little twist on this was this was one of these documents that

arrives as an encrypted zip file now of course the password is usually mentioned in the email

but the email by the time that jason got a hold of this particular zip file was no longer available

so he actually had to use a little tool.

He used F-GRAGSIP and this particular tool takes a password list.

And now of course these encrypted zip files that usually see as email attachments,

well, they tend to have simple passwords.

So wasn't really all that terribly

difficult to find it here using one of the standard password lists. So thanks again, Jason,

for sending us this file in your analysis, and for more details, as usual, refer to the diary.

Not just earlier today in class, we were talking about covert channels,

and so it fits quite nicely that Trent Micro has a blog post

about an interesting cover channels via malicious memes

that they discovered for a particular piece of malware.

This malware is watching a particular Twitter account

and waiting for images to be posted with a particular URL patterns.

...