Hello, welcome to the Wednesday, June 26th, 2019 edition of the Sansonet Stormsetters Stormcast.

My name is Johannes Ulrich.

And I'm recording from Jacksonville, Florida.

Interesting piece of malware from Brad today.

Brad came across another case of the Rick Exploid kits. Yes, we don't see a lot of

exploit kits these days, but Rick appears to be the one that's sort of still active and

left over. What's kind of almost more interesting here than the exploit kit itself is the

Malver that was installed by this exploit kit.

This malver P2B turned out to be a little bit challenging to analyze in that it refused to run

in virtual machine, so he actually had to run it on a physical machine. Of course, the way, if you

have read some of Brad's diary, the way he analyses his

malware is essentially by doing runtime analysis and looking at network traffic to then collect

indicators of compromise.

This of course is still pretty straightforward with a physical host, just a little bit more

effort in getting it all set up

and cleaned up after the fact.

This Malver then went ahead and started sending spam and it also connected back to a command

control server on Port 2287.

The domain used to spread this malware is Make Money Easy with Dot me and yes, the domain was

recently registered June 19th and apparently used by the Rick Exploid kit as early as June

21st.

And if you are running servers in Amazon's cloud, traffic monitoring has always been kind

...