Hello and welcome to the Wednesday, March 1st, 2020,

edition of the Sand and Stormsterners Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

I've got a diary by Brad today talking about, well, the latest news around Quagbot or QBot, as it's sometimes called.

This particular infection came thanks to a URL marked at virus total.

And as usual, Brad ran the sample, collected traffic and collected with that also indicators of

compromise. A couple interesting components from that compromise. First of all, the bot downloads,

an encrypted zip file, but then also connects to an HTTP website with a self-signed certificate where the organization

name in a certificate, and the common name, is Gifts.com, but a certificate is not actually

associated with that site. Maybe the attacker is trying to sort of fool analysts here to see the host name in the

certificate and ignore it as harmless, just considering that a user may have just visited that

particular site by IP address instead of host name. I'm not really sure why they do it,

but that's sort of my best guess. Another thing that's

probably worthwhile mentioning again, it's nothing new here, but this particular bot also uses

about a dozen different normal sites for connectivity check like rs.gov, oracle.com, Microsoft.com, and others.

So those sites are just used by the bot to check connectivity.

Should probably not be used as an indicator of compromise and some kind of detection scheme.

And if you have more details from lastPass regarding the incident that ultimately led to the theft of some encrypted password wallets, well, the additional details.

Note that the initial access actually happened via a compromised developer's workstation.

Apparently, the software package Plex, media player,

was used in order to gain access to the employee's laptop.

And from there, the attacker was essentially using sessions

...