Hello, welcome to the Wednesday, November 6, 2019 edition of the Sanson, Storm, Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Brad wrote today about a malicious RTF document that's distributed as an email attachment,

and that's pushing formbook.

Formbook is a little bit different and so far that it's an information stealer.

It's going after passwords, so not the crypto coin miner.

We see all over the place these days.

And as usual, Brad has plenty of indicators of compromise, as well as links to the actual

malware and P-CAPs.

And well, I didn't get quite to write about it today because it's sort of took me a little

bit longer than expected, but I made a little bit a major update to the Honeypot

script that we are using. It's now updated to the latest and greatest version of Cowry.

Also, some issues people had with SSH not working correctly are now fixed, so at least I hope.

And it also does now fully work on Ubuntu 1804.

Of course it still works on the Raspberry Pi and that's still probably the most popular

platform people are using, but we had some requests to run these scripts

in a virtual machine that's often simpler than setting up a separate piece of hardware

if you already have a server to run virtual machines. So now just grab the latest

Ubuntu 1804 LTS server and it should work just fine on that.

The easiest way to learn more about this honeypot is just iSc.sand.edu slash honeypot.html.

And search.org released an interesting warning regarding an odd behavior of office documents on the Mac.

You are able to disable all macros without notification, which seems to be secure settings.

...