Hello, welcome to the Tuesday, January 5th, 2021 edition of the Sandstone Storm Center's Stormcast.

My name is Johannes Ulrich Entertainment recording from Jacksonville, Florida.

In Diaries today, Jan did sort of well a year-in review.

He looked at his last year's quarantine email inbox and essentially picked a

random, interesting looking sample and is sort of walking us through the different obfuscation

techniques used in this particular sample. Turned out it started out all as an email with a well suspicious

attachment which was a RAR compressed file. Once decompressed well it turned into a dot

bad file actually had two extensions.pdf.bad probably to sort of trick the unsuspecting user into opening the file,

which would then, of course, launch PowerShell. And after downloading additional malware,

de-offuscating it, decoding it, injecting DLs, and all the other good stuff,

we end up with a good old info stealer.

So overall, a real need summary of current evasion techniques, while none of them is

particular sophisticated or difficult to analyze, just getting the entire sequence straightened

out and getting all the parts can be quite complex.

And Citrix released a fix for the DTS vulnerability that has recently been abused for distributed denial of service attacks.

So this was not really an attack against the Citrix server. Instead,

the Citrix server was used as an amplifier. And due to all the traffic this generated,

this actually sometimes then resulted in a denial of service against this Citrix server,

even though that was probably unintentional.

So DTLS is really TLS over UDP and UDP of course is easily spoofed and often abused

for these type of denial of service attacks, but the specification actually takes that

into account.

...