All right, everyone, thank you. We're going to kick off our next speaker. And being in Vegas, we're going to have something with a little bit of theme. You're no George Clooney. And this ain't Ocean's Eleven. So welcome our next speaker. Hi, everybody. So I heard that this is my first time speaking at DEF CON, although this is my 25th DEF CON that I've attended. And there is this. Thank you. There is a tradition that you're supposed to take a shot as your first thing on the stage. So I'm not a big heavy drinker, but I do believe in responsible enjoyment of your weekend in Las Vegas. So everyone, cheers to you. Thank you. So I'm Andrew Brandt. I'm a security researcher and analyst for Sophos X-Ops. And this talk is a little bit about social engineering and a lot about malware that's dropped by... sorry. These things are really important. So I want to take one minute, though, to do a land acknowledgment, which I don't know has been done at DEF CON this year so far. So for the past 31 years, DEF CON has been held on this land that is the traditional land of a tribe called the Nuwuvi. They're also known as the Southern Paiute Tribe. And there are sub-tribes within the Nuwuvi that include a tribe that is specifically based here in Las Vegas. The lands of the Nuwuvi stretch all the way from central Utah to almost the border of Mexico, Mexicali. The tribe spanned this enormous area and lived here for hundreds of years, but then started to fail in the 19th century. So in 1826, settlers came to Nevada to do trapping and hunting. And then the US government took control of this entire area in 1848. And accordingly, the tribe suffered and was moved along. And it wasn't until 1970 that the tribe finally gained official status and earned itself a reservation here in the area, 122 years after the first white people came here. So a little bit about myself and what I do. I already mentioned I work at Sophos. I'm a former journalist who turned malware analyst.
It's a weird transition. But actually, it seems like a lot of people who are tech journalists seem to be working for vendors these days. I also volunteer at a retro computing museum in Boulder, Colorado called the Media Archaeology Lab. So if you're ever out in Boulder, feel free to come by if you ever wanted to play with an Apple II or Commodore 64 or play on an Atari 2600. We have all that stuff. And then there's something else I wanted to mention just briefly, is that... so I am in the process... Oh, I turned off the screen. I am in the process of running for political office. This is a challenging time. Thank you. In this country, and this community is some of the smartest and kindest and have the most creativity of people that I have ever met. So I'm running for school board in the local area where I live. I would very much welcome your support and donations, as this is an off-year campaign. There are literally no off years these days. I am running on a very progressive platform to protect groups of people that are currently under threat around the country. I also have a lot of policy ideas about just teaching kids tech. And I would love to have a national standard for educating kids in cybersecurity and safety and online privacy so that we are not continuously doing these same war stories about people getting tricked by scummy criminals every year for the next 31 years. So I hope I can get your support. All right. So let's talk a little bit about what we're going to talk about today. So there's going to be a few reaction gifs of George Clooney, but mostly we're talking about normal people who don't pretend to be debonair, like Esquire model guys walking into casinos to break into the safe with their whole team of super hackers. No, these are just shlubby guys figuring out how to get on the right side of the victim and convince them to do something that they shouldn't be doing or that they wouldn't want to do under normal circumstances.
There's going to be a little bit about the social engineering and a lot about the attack. So I'm going to keep pushing the wrong button. Let's talk about the first one. So earlier this year, the X-Ops team, working with our managed detection and response team, did an investigation into what we discovered was a pretty widespread attack in this country of social engineers who were targeting tax accountants. So these are small businesses, sometimes just one employee, sometimes five or ten. These tax accountants were receiving really interesting solicitation notices. They were getting emailed by people who said, hey, I just lost my accountant. I've got to get my taxes done. Are you accepting new clients? And so the beginning of the attack was just this back-and-forth engagement conversation between the attacker and the victim. And what ended up happening was eventually the attackers would say, OK, so do you need to see my last year's tax returns here? Let me send you a file from Dropbox, right? And so they would send them an email with a link to a zip file that they said was their tax returns. I'm sure you can guess this was not their tax returns. The zip files that they were sending to these accountants were all password protected with the same password. There were two files inside of each archive. There was a decoy file, and there was a Windows shortcut link. And so the first thing that the person would do is that they might open this thing that was a PDF or a JPEG, and they would double click it. Well, it was actually not that type of file. So the computer would throw an error, and then they would try to double click the shortcut, which is where all the trouble began. It was a little bit goofy. Yeah, what most people saw was something like this. So if you try to double click something that's not a PDF, and it says PDF, this is going to happen. And so what we did was we retrieved a bunch of these samples.
And the file that was the decoy is this MP3. I don't know how to do the volume control. So guys on the board, be ready to turn it down. But I'm just going to play a few seconds of this music. So the instrument is called an oud. And it's a traditional instrument of the Middle East. And I've been talking to some music professors at CU Boulder, and they don't know what the song is, but they assured me that this is actually oud music. And what a weird thing to be sending to someone as a fake file. All right, so that aside, the next thing: the person would click that, it wouldn't work. They wouldn't know what to do, so they'd click the shortcut. And what happens when they click the shortcut is it starts the attack. But when we as analysts start looking at the shortcut, I mean, the first thing I'm going to do is right click that shortcut and say, well, where is it going? So I do that. And it's blank. What the heck? It is a completely empty shortcut. And it even says PDF document in the comments field. Turns out this is a year-old exploit that was discovered by a guy and written up on his blog in April last year. And it is a trick to basically fool Windows into being able to do a shortcut without actually showing anybody what the destination is. And it's by prepending a ton of blank, null-value bytes at the beginning of the shortcut command line. And that's all it took to basically bypass this. By the way, the researcher who reported this bug and posted about it on his blog reported it to Microsoft. Microsoft declined to fix it, saying it is not a bug, it is just an unusual circumstance. So they just have not fixed it and probably will not. Inside of this shortcut, though, and you can see what the screen looked like that was the actual shortcut file, was this long command line. And it had this Invoke-WebRequest and pointed at a URL. And this was something that actually made me really excited, because it was something that I had not seen in a long time.
But if you can see, I don't know if you can read the URL, it says http://0xc2.11808979. What the heck is that? That is not a TLD. And that is not an IP address. That is what we call a dotless IP address. And it is actually two forms of dotless IP address that they have combined in a weird way to make them work together and actually resolve. It will point at an IP address but does not resemble one in any normal way that you would expect. So there is a hexadecimal form of a dotless IP. And there is a decimal form of dotless IP. And they have managed to sort of concatenate them in this weird thing. And the reason that I got excited when I saw what this was is that, as I said, I've been going to DEF CON for 25 years. This is a 25-year-old vulnerability in the Windows TCP/IP stack that has never been adequately addressed. It is core to the way that the TCP/IP stack works. And it was exploited in two different ways against Internet Explorer 4 and Internet Explorer 5 back in the ancient times before the millennium. And I was so excited to see this because I'm like, what is going on? I was working as an editor at PC World. And I had come to my first DEF CON in 1998 and then saw this and figured out how it worked. And now I'm not a programmer. I'm an English major and have no formal technical training. So apologies for anybody who thought they were going to learn about getting into the code here. But I am very good with spreadsheets. And so I built myself this little calculator in Excel that basically demonstrates how to make a dotless IP address from a regular four-dotted IPv4 address and flip it back again. And I had not touched this spreadsheet since 1999. So I had to pull it out, take a look at it, and then I made this little addendum at the bottom to sort of amend this spreadsheet. But let me just explain briefly how it works. So a normal dotted IP address is four sets of numbers from 0 to 255.
If you were to take any of those sets of numbers and translate it into its hexadecimal equivalent, you basically can take that for each of those octets and you can concatenate those bytes together. That is your hexadecimal dotless IP address. If you take that concatenated hexadecimal and just convert that to decimal, you end up with a 10-digit-ish number. So you can literally have http and a bunch of numbers with no dots. That works as well. And what they did in this case, what the GuLoader attackers did who were distributing this malware, was they mixed it up. The first octet they just left as hexadecimal, then a dot, and then the next three hexadecimal values converted to decimal were the rest of the URL. And it was so cool to see this happen, right? And there were so many of these. This was just one example, in one day's worth of data of collecting samples from the addresses where the bad guys were hosting their files. We pulled in all these different shortcuts, and each one of these pointed at a different Visual Basic script that was hosted on one of these three IP addresses here. So bad IP addresses, bad neighborhood. So what's on the other end of that stuff? Like I said, it was a Visual Basic script. And I know it's really hard to see on this screen, but basically it was a heavily obfuscated and very large, like 200K, VBS. And almost all of it was a 150K block of Base64-encoded data. And then the rest of it was just code that decrypted or decoded that. So the VBS had two large variables in it. And in this particular version of it, there was one that was called IR8 and one that was called O7. And in every version of the script, they modified the variable names. But basically the flow was the same, right? So they work in tandem with the Windows registry and PowerShell to do a bunch of bad stuff. So what is it doing?
So it decodes the IR8 variable into another script, a PowerShell script that is filled with hexadecimal chunks, which then the script takes, all these individual chunks of just a few bytes each, and concatenates them, XORs the concatenated data, and then Base64-decodes that into yet another script and then executes that. So in the parlance of X-Ops, we call this Matryoshka malware. So a Matryoshka doll is the little Russian nesting doll that you open up and there's always a smaller one until you get to the one that's a little tiny nugget, and that is how this attack was working. And then there's that content that gets loaded out of the registry that comes out of the O7 variable. So it's actually too big to fit on one screenshot. It was a gigantic file. So it writes a bunch of data into the Windows registry, which I'm going to show you in a minute, what that does. And in addition to creating all these registry keys, it is also changing environment variables on the device. So it created an environment variable called SaltoQ that was pointed at PowerShell, and a bunch of other variables. And the way that that worked was basically it creates a Run key in the registry that was called overproduce. And it invokes that SaltoQ variable to run a PowerShell command. The PowerShell command pulls that data out of the registry, that's HKEY_CURRENT_USER slash clog-like. And it had a giant amount of VBS inside of that command. And that VBS was like a blossoming flower. The more you let it run, the more stuff it would just pull out of different places. And eventually what you end up with was this malware called GuLoader that injected itself, and again, ironically, into an old disused Internet Explorer component called ielowutil, which is actually the microphone tuning utility for Internet Explorer 11. So yeah, that was GuLoader, right?
And that's just one of these cases where it just started with a very simple thing and just cascades out of control until you've got this malware that is physically present and persistent on the machine, but there is nothing in the file system, nothing to work with. The cleanup is basically just go into the registry and clean it up. All right, stopping, having a drink. Cheers. Thank you very much. All right, so for the second attack, this was an incident that we were called in to investigate last year. And we sat on this for a little while because we really wanted to disclose this attack at DEF CON. So this is the first time that anyone has heard about this. We published our blog about it yesterday on our website. So you can go to news.sophos.com and read about it. We call it the Image Spam Attack, and I'll tell you why in a minute. So yeah, so this one was... I find these kinds of stories so interesting. The regular conventional malware is so boring, but these are great stories. So let me set the stage for the attack. So there's a lot of text here. I'm not going to read the whole slide. You can read along, but I'm basically going to just tell you the story. So these attackers, they had done their homework and they found a target that they wanted to target. And they figured out who they wanted to contact at that target and they got their contact information. They figured out what department they worked in. They learned all they could about the target, and then they struck. And the way that they struck was on a Friday afternoon, they called this company and called this guy's line directly and said, hey, we're calling from a shipping company and we've got this priority package, and we were supposed to deliver it to the other office for your company, and they were closed and there was no one there to take it, so we need to redirect it to your office, and you're the only person that we were able to reach.
And the person that answered the phone, they don't normally receive packages, right? They work in this office, and they said, oh, okay, well, so is it addressed to me? No, no, it's addressed to your boss, but he was unavailable, but can we deliver it to you for you to give to him? And this person was, of course... this sounds like a high priority thing. You couldn't reach anybody. They knew that this person's boss was out of town, so he was just the only person there to accept the package. So they say, okay, look, we're going to send you an email. We already know your email address. We're sending you an email right now. While the guy's on the phone with them, the person who's got this phone call gets this email message, and they say, hey, inside this email is a tracking number, and you need to read the tracking number back to me so we can validate that you, the recipient, are the appropriate person to be getting this package. And they literally turned the authentication process back on the victim. You would imagine, right, most people would say, hey, who are you? How do you prove that you are who you are? Well, in the middle of the call, the email came in, and he says, okay, so just open up the thing that's in this email and read me the number out of it, and then we'll be by in 10 minutes to drop off the package. I'm just about a mile away. So yeah, so this redirection technique, it was really weird. This is the email message that he got. So it is written in French. The person who received it, the company and the person, is based in Switzerland, and in Switzerland, as everyone here knows, the national languages are French, German and Italian, and so it would be totally normal for anybody who works for a Swiss company to receive an email in any of those three languages.
The message body of this says your documents have been sent by a delivery service that hasn't had contact with the destination, and it goes on to say that for reasons of security, delivery isn't possible unless you provide a correct code to the shipper, and you have to get the code from the attached PDF. You want to guess what that is? Not a PDF. The email also indicated that the shipment was something that weighs about the same as a letter, and it had elevated government agency priority. So whatever that means. I mean, when I get my tax returns, I don't get government agency priority. So yeah, anyway, there were a few things that were wrong with the email message. Number one, the entire body of the email, everything below the headers, was one giant embedded image, including the line that looks like an attachment. It's just one big picture. There is no attachment. The big picture fills the entire screen and looks like it's designed to look exactly like a message in Office 365. In addition, because there's no attachment, the entire image is basically one giant hotlink, and it points to a redirection URL that was hosted on some random website that belongs to a company that had some ad redirect script on there that basically accepted any input to redirect someone to any other website. So in this case, it was this abusable redirect script that basically pointed people to another website, and I've blocked out a little bit of the URL, but what you can see is that it was actually sending the user via this other website to safedelivery-company.com, which is, you know, I like safe deliveries. Here's another view of what the payload looked like, what the email body looked like. It was basically a completely empty message with just an image link and an anchor tag. Yeah, so I mentioned safedelivery-company.com. We also discovered after the fact, in another attack that we subsequently discovered, that they were using aircareer-company.com.
So either way, you know, either your air career or your safe delivery is bad. So what happened next: the employee basically went along with all of this. They double clicked the thing, they got a code, they read the code to the person on the telephone. The person on the phone said, great, that's the right code. I'll be right over. Hangs up the phone. Nobody ever hears from them again. 15 minutes passes, the employee starts to get nervous. The employee calls the IT security team and says, ah, I might have done a bad. What happened? And they said, don't turn off your computer, pull out the ethernet cable. And the employee did it, and it preserved all of the evidence, which is fantastic. When we finally got called in a couple of weeks later, when this company decided that they needed somebody to do a post-mortem on this attack, they called us in, and we discovered everything up until this point. But the website that the malware had come from was already shut down. And what was funny is that they use this React.js template that's called deadline. And we keep seeing this pop up. There's a lot of criminals that use this template as a placeholder for when they host something bad on their website, and then they want to take it down real quick, but they want the website to stay live so that it still shows up in the search results as benign. So yeah, anyway, very, very clever. Sorry, this isn't George Clooney. This is Muldoon from Jurassic Park, played by Bob Peck. I just like this reaction gif. So we finally did the post-mortem and we found some really interesting stuff. So a couple of details. So the attacker was only able to access the computer, the machine, for 15 minutes. During that 15 minutes, they were very busy. They downloaded and ran a bunch of PowerShell scripts. They had deleted the original payload, which was an executable, which we then, you know, didn't have. We knew that they had downloaded this executable.
We knew its file name. It wasn't on VirusTotal. So we had to figure out a roundabout way of trying to figure out exactly how this worked. And then we did see some flow data that had the IP addresses and the domain names of where the victim had clicked. And so we saw some of those pieces had been preserved. But then the things that were left behind on the machine, we were so weirded out by them, and the MDR team didn't know what to do with them. So that's when they called us. So one of the things that they found on that machine was a full installation of Notepad++, which, I mean, I don't know about you, but that is a really... I mean, we see all kinds of threat actor activity where they're going to install enterprise-level remote access tools, right? So lots of ransomware actors will throw AnyDesk or some other remote shell program on there, not just Cobalt Strike, but the real commercial stuff, so that it evades endpoint protection detection. But yeah, no, you don't really see people installing a text editor. It was such a weird thing. We also saw that there had been a bunch of certificate authority certs installed into the certificate store on the machine, and those certificates were odd because it looked like it was legit, but why would you add a certificate to the certificate store? One of the other things that was really odd was that the copy of Notepad++, even though it was basically a benign executable, for some reason they had signed it with another code signing certificate, so it was not signed by the valid certificate that is used when you download Notepad++; it's signed code. This was signed by a different certificate. Why would they do that? It would make no sense. It seems like it just kind of raised more questions than it answered.
And then once we dug into that installation of Notepad, wow, that was a hot mess. What they left behind was a directory full, in addition to just the full installation. So hey, if you want to use Notepad++, great, but in the updater directory... this installation of Notepad comes with a self-update tool. I mean, it's part of the normal installation, but it usually only has one program that's called update and a DLL. And you can see here that there were tons of Linux libraries. There was a Windows version of a Linux tool called socat, which is used for opening raw sockets for either listening or sending data. There was a complete portable Tor installation in a subdirectory. There were multiple copies of the curl library for some reason. Just a bunch of weird things. What are you doing? And then even so, as you know, Notepad++ is an open source project, right? So they have a GPL license. Even the license was tampered with so that they could do some kind of spying on it. And what was inside of that license was the weirdest thing. A normal license is like 8K of just lawyer speak, right? And no one ever looks at them. No one ever reads them. This was 8K of lawyer speak, followed by almost 60K of Base64-encoded data. And we're like, well, those are license terms that I do not like. So once we decoded that, we figured out that it was another PowerShell script that they managed to bury inside of the license, which is, again, the worst license ever. The script included levels of additional scripts that were encoded. So again, we're into this Matryoshka malware, where the more you crack open, the more smaller little pieces you find. And what we discovered was, oh, this is how the certificate got inserted into the certificate store. So you run that first PowerShell script. It had three giant blobs of Base64 and the code to decode them and run whatever came out.
And the first one, it drops the certificate on the machine and installs it into the Windows certificate store. The second one dropped the same certificate on the machine, and if Firefox was present, it would install it into Firefox's certificate store, because Firefox has to be special and have its own certificate store that's separate from the operating system. And then the third thing that it did was it created a scheduled task that once a day at a certain time would check in to Tor and communicate with a website; there was a list of five onion addresses that were embedded in the script, and it would just pick one at random and check in with it. So why would you put a CA certificate on a machine? So I used to work for a company that made a box that was a machine-in-the-middle TLS decryption box for security purposes, and the way that it works is you would generate a CA certificate and you have to install it in the certificate store, and then when someone wants to browse to an HTTPS website, instead of getting that warning pop-up that says, hey, there's a certificate problem, this doesn't match, something's wrong, it would do the certificate re-signing automatically and the end user would never notice, but then on the back end, you could decrypt that data and see everything that they were viewing on an HTTPS website. So yeah, kind of an interesting technique to be using for a Notepad++ installation. What they were doing was TLS interception, and the certificate that they created was made to mimic a real one issued by the certificate provider Comodo, but it was not issued by them.
Yeah, and then the third script was triggering the, as I mentioned, that scheduled task thing, and it would trigger one of these two files that were in the updater folder; one was called gup.exe and one is called gupwith2ps.exe, and both of them were used for phoning home. It would pick either of them at random, and then it would pick one of those five onion addresses at random and use that to phone in once a day to just check in and let everyone know that it was home and had been reached. That was not the only bad thing that we found. Once we started digging into event logs and other collected telemetry, we found... we had found the end result of this, but we didn't find the PowerShell script that created it until we dug through the event logs, and this is great. If you turn on the event logs, you can actually record any PowerShell script that gets run, and then retroactively you can go back and find and recreate those scripts, even if they get self-deleted or if the threat actor deletes them. So we recreated it, and what we found was this thing that writes out a file called matches.txt, and the matches file, it would scrape data and collect it in this matches file. It was scraping from accounting software like QuickBooks. It was pulling down the full system configuration. It would look for any passwords that were saved in the browser, any cryptocurrency wallets, and the cookies, browsing history and list of installed plugins from every major web browser platform, and by every major platform I mean Firefox, Opera, Edge, Brave, Chrome, Chromium, Vivaldi and Tencent's QQ, which is only used in China really, right? Who uses QQ? Anybody in here using QQ? Don't use QQ. All right. And don't use this. So what happens next? So they had deleted this executable that did all this stuff, right? The PDF that had the tracking number in it.
Hey, funny enough, if you go on VirusTotal and you look for that weird license file that was embedded in there that had that Base64 in it, and then you look for related files, you can find all sorts of executables that dropped that same weird Notepad++ with all the configuration stuff and all those extra files in it, and we found the original one that was sent to the people in Switzerland. We also found one that was sent to someone in France, and then while we were working on this and I was having a chat with the MDR team and just sort of letting them know the status of how this was going, one of them spoke up and said, oh, hey, yeah, back in September we had a customer in Australia who had this happen to them too. It was so weird, it was almost exactly the same thing, and we had preserved that one, so we took a look at that. They were all identical. So we have attackers who were targeting people in Australia and France and Switzerland. They were basically all over the world trying to figure out ways of breaking into companies and then using this very kludged-together hodgepodge of files to do some pretty sophisticated data collection and exfiltration of data and hiding their tracks by going over Tor. I mean, this was wild stuff, right? But then once we found the applications, it was so fun to look at them, because look how cheerful that is. It's beautiful. It was actually just a very fancy Electron app, right? And if you don't know what an Electron app is, it's basically a self-contained Chromium-based browser with just the scripts and images that you would need to make a self-contained application. It was really cool. It had the whole Notepad++ and all these other extra files inside of it, and it would drop it in the same place and it would run that same PowerShell script, and it was golden. We could see that flower bloom and blossom into the bad thing that it became. And judging... we were looking at the dates.
So the file names contained an eight-digit date of year, month, day, and we understood that the date actually lined up with the attack that we investigated. The date for the one in Australia lined up with the attack that that analyst investigated, and then we found a few more of these, and they corresponded to within the same timeframe but other dates, other languages, and it seems like these people have been pretty active doing this for a while. So what did it do? Once we got it, it was fun to play with. So one of my hobbies, fun things that I do, I run a lab out of my house, and it's filled with old laptops running a variety of Windows, and I just infect them with malware and let them run continuously for several days to weeks. You've all seen the XKCD about the malware zoo; that's my house. And so I ran this thing and I allowed it to connect, and immediately what it did was it dropped all these things in their right place. It instantiated Tor and opened a connection, and then it created three different instances of socat that were running, listening on three different ports, just out to the Tor network, so that if the attacker could find my IP address they could connect to me, but again, I didn't know where they would be coming from. Very sophisticated, although it was so goofy looking and it was so cheerful. I love the UI that they designed for this. Yeah, when we found all these copies of it that were floating around, we had some in our repositories, there were some in VirusTotal, we went out looking for more, we found a bunch of them, and basically all of these scripts that we had found and pulled down were all basically identical, with the one exception that the variable names in all of them were different, so that you can literally see that when I diffed it all the lines look diffed, but basically it's just the variable names and the onion addresses, and everything else in the script is basically verbatim.
And we also found that same fake Comodo certificate that was embedded in all of these things. We reported the certificate to Comodo to let them know that they were being imitated by these guys. There's nothing they can do about it. I mean, you can literally make a CA certificate for yourself that has any company's name in it. It wasn't a valid certificate, but it didn't need to be. It just needed to be installed in the certificate store so they could do this machine-in-the-middle decryption, so yeah. So what do you do if you answer your phone? Does anybody here actually answer the phone when anybody calls anymore? You are a brave person in the back. Yes, congratulations. I'm grateful for you. I keep trying to get my kids to answer the phone as well. It's terrible, but listen, there's a few lessons that we can learn, right? So, like, social engineering, it's really hard to fight, and especially because human nature is that we all want to be good to each other. We want to be helpful. People get a call and they hear someone who sounds harried and upset and, oh my God, like, can you please help? I need to get this thing to you. They want to help to make this person feel better. I think we've done a good job in training people to avoid phishing attacks. We've trained people to not just double-click any Office document that people randomly send to them that they call an invoice, right? The shipping confirmation stuff, I mean, please, like, it's been 10 years of this. But telephones, really hard to, like... and when you've engaged with somebody, especially in the first attack when the person was reaching out to the tax accountant, there were small errors in the typing, but not enough to make you think that they were a Russian speaker, just like the normal typos that, like, a person who's in a rush might make.
It was a very sophisticated, very low-key social engineering attack, and that is why it's so important to be good to your employees, to not teach them that, like, when they've done something bad they're gonna be made fun of or mocked. You have to tell them, look, we want you to do the right thing. Come to us, it's okay. You will not get in trouble for telling us that you answered a phone call from some random person and they told you to read something to them on the screen; we just want to help. And that was the lesson that we took away from that company: they had a very good internal culture where their employee felt empowered to reach out to the IT team without feeling afraid that they might get into trouble or that they would be made fun of, and it saved their bacon. And yeah, so these are the references, the two blog posts that cover both of the incidents. At Sophos, we practice radical transparency, so everything that we possibly can, where there's indicators of compromise, we publish those; those are on our GitHub. And then there's the references for those who want to look up some ancient history and learn about the history of the dotless IP and how it was used to break the security zones in Internet Explorer 4.5 and 5.0. So I'm told there's five minutes left, and so we have a little bit of time for questions. Thank you. Does anybody have questions? Yes. Right, so let me repeat the question, I will paraphrase. It looks like a spear-phishing attack, but it also was just very misdirected. It was just like they had the kitchen sink that they threw at everybody, and do they just dox the fuck out of people and then spam it at people until they click it? Here's the thing: I cannot discuss who the targets are. But I can tell you that the targets in the case in Australia and the case in Switzerland is that they work in industries that have vital national defense interests.
They were private companies, and they work in the national defense space, and they themselves as a company would have been a pretty legitimate target for espionage. So while it did look like a hot mess, a bucket full of random crap, I believe that it was actually more directed than it appeared to be. Yeah, any other questions? Yes. Okay, so this person has seen some of these types of obfuscations before in email, and do we know who the threat actor is? So in the case of the first incident, we know that the malware was called GuLoader, and it's a pretty widely distributed malware. We should not have seen it used, distributed in exactly that way, where the way the tax accountants received the zip file. But Sophos doesn't do attribution. We do defense, and it's much more important for us as a company to figure out not who the person is that's doing it, but what they're doing and why, and try to head it off. So we have behavioral detections that look for things that are trying to dump out the NTFS, like, key store, or looking for things that are poking around in the registry. But we don't really know who exactly was doing it. We just know, hey, they're doing some bad stuff. Anybody else? How we doing on time? Are we good? All right. Okay. Any other questions? All right. Yes. Yeah, so the question is a little tangential, but how did the company pursue the investigation on the phone part? So all I know is that after we issued our report to them and told them what we found, they reported it to local law enforcement, and then they're in Switzerland, so it was a black box for us. Law enforcement doesn't come to us and tell us what they're working on. So I have no idea what the end result of that was. Yeah, sorry. It's a little unsatisfying. I would also like to know who these people are and what they were up to. They were clearly up to no good. Was there another question over here? No? Maybe? Yes? Okay, all right, we got one minute.
If you have any other questions, if you want to hang out and talk, if you want to CD, come and meet me outside. Otherwise, thank you so, so much for coming. I really appreciate it.