Early the next morning
Nigel awoke in a cold sweat.
Did I have another bad dream? I can’t remember. It’s been so long since I’ve had any trouble sleeping.
His thoughts turned to Peter’s computer; those images had left a lasting impression. Earlier, Nigel had dismissed it all as some movie-making magic, but something about it put him on edge. He lay in bed for another two hours; the only sound was Jet’s breathing. He decided to spin up that image one more time. Nigel got out of bed as quietly as he could, as he didn’t want to wake her. With their loft connected to the shop, there was no need to get dressed.
Five minutes later, he was scanning the computer image for any droppers—as in, a piece of software capable of receiving a signal from another server to instruct it to download more code. Hackers and malware authors used these tools to download the real payload.
Time to crack the mysteries of Peter’s malware. Nigel chuckled at the thought.
After reviewing the preliminary scans from Peter’s computer, Nigel dug in a little deeper.
Something’s not right—a lot of internet traffic is concentrated on Edinburgh. What’s there?
Nigel examined the logs on Peter’s computer. He was interested in the custom scripting language built into the operating system.
The latest High Tower operating system (HTOS) includes a custom scripting language based on PSnake called Supershell. If Peter is running as an administrator, I’ll be able to see that activity.
Nigel looked at the internal logs on the system that wrote all system and user activity. Then he examined the configuration settings that were stored in a special area known as the ledger; this kept track of any configuration on the laptop, including flash drives.
I wonder if the malware got installed after Peter inserted a flash drive or hard drive while editing his videos.
Nigel pulled up the ledger that contained thousands of subgroups leading to data nodes known as keys. The operating system stored these keys in top-level areas known as hives. Nigel examined the area known to store these values. He traversed the following path:
ROOT/LOCALMACHINE/SYSTEM/ControlSettings/PortSTOR
Under the “PortSTOR” key, Nigel examined the entries with serial numbers. He also noted the device manufacturer names.
It’s time to do a little device recon.
Nigel exported the entire key to an external file. He added the serial numbers and manufacturers to a spreadsheet.
The network stack on Peter’s computer is clean. Local attack vectors? Infected flash drives? It’s worth a shot.
Nigel started the arduous process of creating a secure connection to the dark web. If the marketing materials on the MORP browser were to be believed, MORP was all you needed to safely access the dark web. Nigel knew better, so he started layering VPN connections before launching MORP. The purpose of this was to hide your original IP address from any random hacker or denizen with ill intent.
I learned my lessons from Jet and her brother George well. Now it’s time to put my knowledge to the test.
Nigel could only layer six VPN connections before the MORP browser became unresponsive. He preferred at least seven but decided six was enough. He navigated to a dark web site with the strange title of “Raid Cookies,” a well-known site that dealt in various attacks that relied on exploiting computers without a network connection. Nigel found many of the techniques the hackers posted to be fascinating. One hacker bragged about being able to exploit computers through the walls of hotels. Another claimed to use a drone to exploit infrared systems. Like most dark web sites, there was no logical layout of information. He had to sift through a lot of random stuff. It took him an hour to find the information he was looking for.
Nigel used several search techniques to find what he was looking for: attacks that leveraged a certain brand of flash drive called a “rubber quacky.” Despite its ridiculous name, the quacky was a powerful weapon. The quacky’s manufacturer, HakSystems, claimed their devices were for research purposes only, but Nigel knew of many attacks that used the quacky to deploy malware. This technique was even used by highly funded nation-states. All the adversary had to do was infect the flash drive, and then add a label like “payroll” or “porn.” Then they had to pretend to lose the flash drives in parking lots or public restrooms. The adversary’s plan relied on one crucial element: human curiosity. Employees would pick up the drives and insert them into one of the company systems. Then the entire network segment would be owned.
Most manufacturers of flash drives embedded metadata in their serial numbers that identified where and when a particular device was made. Nigel wanted to see if he could match any of that metadata against the information he’d found on the Raid Cookies site.
I’d better get comfortable. This is going to take a while.