CyberWire Daily - BABYSHARK is swimming again! [Research Saturday]
Episode Date: April 23, 2022John Hammond from Huntress joins Dave Bittner on this episode to discuss malware known as BABYSHARK and how it is swimming out for blood once again. Huntress's research says "This activity aligns with... known tradecraft attributed to North Korean threat actors targeting national security think tanks." Huntress also adds that the activity was spotted on February 16th and immediately their ThreatOps team began following the trail of breadcrumbs. They said "This led them to uncover the malware that was set to target specifically this organization–and certain influential individuals within it." The research can be found here: Targeted APT Activity: BABYSHARK Is Out for Blood Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K. data products platform comes in. With Domo, you can channel AI and data into innovative uses that
deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to
your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation
with researchers and analysts tracking down threats and vulnerabilities, solving some of
the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
One of our FredOps analysts had found a peculiar file.
It was an auto-run, so just kind of a program or an application that was scheduled to start up automatically
when a computer either turns on or a user logs in.
And it just looked a bit odd and peculiar.
That's John Hammond. He's a cybersecurity researcher at Huntress.
The research we're discussing today is titled Targeted APT Activity. Baby Shark is out for blood.
And now a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024.
2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security.
Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs
invisible, eliminating lateral movement, connecting users only to specific
apps, not the entire network,
continuously verifying every
request based on identity and context,
simplifying security
management with AI-powered automation,
and detecting threats
using AI to analyze over
500 billion daily transactions.
Hackers can't attack what they
can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.
And interestingly enough, this autorun file was reaching out to a Google Drive document.
The analyst kind of kicked it over to some others on the team, and we started to explore this thing, and the Google Drive file looked empty.
And that was just something to kind of scratch our heads over,
but that's really where the story kicks off is we have the seemingly empty Google
Drive document. Yeah. I mean, I suppose there are two ways you could go with that. I guess
on the one hand, someone could say, oh, there's an empty document, nothing to see here.
But I suspect you and your colleagues being the way that you are, it probably grabbed your
attention. Oh, absolutely. I mean, at that point, it's time to do a little bit of digging,
a little investigative work, some detective shenanigans.
And we noticed at the very, very top of the document,
if you open a Google document up in your web browser,
it includes the file name at the very, very top of viewing it in your web browser.
And oddly enough, the file name for this, again,
empty and seemingly innocent Google document was ginormous.
The file name was long.
It was scrolling all the way off your monitor.
You had to use your horizontal scroll bar to kind of go check out the whole thing.
And it was seemingly random.
Letters and numbers and symbols and punctuation characters all over the place that didn't make a whole lot of sense for, hey, any human regular individual
not knowing what they're seeing here. Right. So where did you go next? I mean,
what was the exploration of this file? What did it look like?
So the oddball stuff that we saw in that file name, again, massive, humongous string of text,
but there were seemingly some like designating markers or just text indicators
that would say, oh, the beginning or end of some special thing. It honestly had delimiters,
John end and John begin, which probably made me laugh a little bit again, being my first name.
Right, right. But in between those delimiters and the markers there, it was more random data,
but it almost looked like, okay,
if there are these boundaries surrounding it,
could that be some special, specific, interesting data?
And it absolutely was.
It was encoded in some way,
but the original autorun,
that file and strange application that we found first,
would pull in this Google document and carve out from the file name, those specific bytes and characters in between the limiters.
It would unravel this and extract out more code, execute and run. And okay, now we're starting to
peel back the layers. Now we're digging into the onion. And now we'll start to see some malicious activity unfold.
So how do you go about determining in what way is that string of text encrypted?
Or I'm sorry, encoded?
So truthfully, it's in twofold.
We're digging into the code in the application that we found in that auto run.
And I don't mean to get too nerdy here.
So stop me if I, I don't know, maybe go overboard, but it was a visual basic script script file, something that, Hey,
is human readable, at least plain text that we could make sense of without having to crack open
a debugger or disassembler really get into low level machine code. We could see the deobfuscation
routine. And honestly, just from doing some open source intelligence, some doing our,
doing our homework and our due diligence, we could see, hey, others had seen a similar sample that had the John begin
and John end strings. Looked like that was, oh, an indicator of baby shark malware known as a
malware strain out of DPRK that was targeting specifically like think tanks, national security
folks that are thinking about, okay, what are the world situations, wrong armistice weapons,
et cetera, peculiar stuff. But now because we could decode what that original encoded code was,
we could see, okay, what's next in the storyline here?
Well, let's go there. I mean, what was next? Oh, so this is where I think it gets a little
bit spicy and fun. Unraveling the next portion of code. Hey, maybe we could call that stage two,
if we were trying to, oh, stage one, stage two, et cetera. The next bit did some interesting stuff.
It would end up creating registry keys. So, hey, adding more
persistence mechanisms and being able to implant and hook into the victim computer. But probably
the most interesting thing was that before it staged all those hooks and implants, it would
check the current username of, hey, the individual using the computer at that time. And it would verify and check, hey, is this individual, is this username,
does it match the administrator?
Or does it match an individual that we'll call Bob?
Just for, hey, the sake of confidentiality, right?
We'll call that person Bob.
Sure.
And this happened to be Bob's laptop, Bob's computer.
And honestly, even the host name of the device matched the username.
And it would start to tell us and indicate,
okay, the malicious code will only execute and detonate
if the user happens to be Bob.
And just so I'm clear here, that's hard-coded into what they've done here.
Absolutely.
It was specifically targeting and looking for this individual
just based off of a username.
Wow.
So you have that piece of information.
It seems as though, if it were me,
they've got my attention now.
Where do you go next?
Well, hey, now, again, we are starting to
fall down the rabbit hole. With the other persistence mechanisms in place, we could kind of
dive into what those code samples were, see what activity and nefarious stuff they were up to.
And we started to see a whole lot of communication between what we would consider different command
and control servers. I won't, again, hey, get too far deep into the weeds of saying which was what,
but it seemed like there were different external endpoints
that this malware would reach out and try and talk to.
One for sort of staging and saying, hey, I've accomplished this much.
I've made this much progress in compromising the target. And the other, a second
command and control framework to receive new instructions to, okay, be tasked with something
that it might be wanting to do. All again, knowing that this has to happen if we are executing under
the Bob user. So if it is not that particular machine or that particular user or an administrator, it just aborts?
That's correct. And with that, we start to have an interesting sort of cast of characters. I mentioned, sure, Bob seems to be the real victim here, but there were other, of course, computers and devices and laptops and machines for the victim organization.
While we were tracking this down, we know, okay, sure, here's Bob's computer.
But there were other individuals we could just, hey, name, here's Alex or here's Charlie.
And all of these individuals seem to be top level, higher positioned people of authority and power within that organization.
So we thought, wow, this is starting to look a little bit spooky.
We have genuine advanced persistent threat activity
targeting a think tank,
going against specific people of power within that organization.
Diving through more of the code,
hey, we found evidence of remote access Trojan.
And I have to admit,
hey, maybe I'm going out of the edge
of my understanding here,
but I believe that was alluded to potentially Kim Jong-Rat,
another malware sample well-known along that strain.
Others that seem to track browser tabs,
like, oh, if you have Microsoft Edge open
or if you have Google Chrome open on the
computer, it's keeping track of the tabs that you're navigating to. It's just listening and
stealing whatever information it might be able to get its hands on. Obviously, maybe some cyber
espionage or some exfiltrating stuff for that victim organization. Now, you mentioned that,
you know, there were other folks who had
this on their machines, so we're going to call them Alex and Charlie. Was the code similarly
customized for them? Interestingly enough, there were sort of variants in a couple of the different
staging persistence mechanisms. But again, the core executing module, I guess we could call it, is still only focusing
and digging into strictly Bob. But it's interesting that we saw some tidbits of, again,
oh, the remote access Trojan or the key logger functionality and tracking Google Chrome tabs
and Microsoft Edge tabs on those other devices. We did our best, hey, doing the due diligence,
trying to see where all these other hooks and claws
and malicious code and where they could be.
And that was a wild ride for one thing,
just uncovering the pieces
and seeing how deep did the rabbit hole go.
But we had one last lingering question.
Okay, sure, we've found this malicious activity, but we found it
after the fact, right? Looking back at even the timestamps of these, this dates back to,
I think, March of 2021. We had uncovered this in March of 2022. So, oh goodness. Okay. That's been
sitting there for a year at this point. Previous sightings and other observance of this baby shark malware was actually previously in 2018 and 2019.
So we thought, okay, this is pretty interesting.
We're seeing new and current things, at least according to the previous security research.
But how did this all happen?
How did this original implant, how did this auto run,
how did these persistence mechanisms happen and start to become implanted on the machine
in the first place? Well, I mean, let's pull that thread. How did you go about
rewinding and figuring out where that point of initial infection was?
Thanks for asking. It's interesting because, sure, we were assuming and trying to uncover what machines were compromised out of the couple that we were investigating.
Again, our cast of characters, Alex, Bob, and Charlie. Alex seemed to be the one that we would have the best luck investigating.
And, hey, that seemed to be online, and we were able to retrieve and work with the data that we could actually investigate. Now, this individual, Alice, or excuse me, Alex, they had seemingly
been the first that was infected. Looking back at all the timestamps, okay, they are our patient
zero. And we were wondering, well, why didn't any of these security mechanisms, why didn't any of our preventive security efforts, antivirus or, hey, product XYZ, what have you, why didn't that stop this attack?
Presumably, it at least was tracking it.
So we thought, well, let's go look at the logs for, hey, that antivirus product. Is there anything that we might be able
to gain some insight from what happened when around the timestamps of the known persistence
mechanisms? That was a very cool thing is at least thankfully, well, if the antivirus product didn't
stop the intrusion and at least kept track of the logs of what was downloaded and when.
Right, right. To what degree is that you're searching for a needle in a haystack? How are
you able to narrow your search parameters? Super good question, because you're absolutely
right. It is a needle in a haystack. This individual, Alex, thankfully happened to not delete most of anything.
So the logs, for one thing, in their antivirus records were worthwhile and good because we could at least have all the, okay, notes and traces of things happening for the past year.
But we know, okay, this antivirus is even looking at and scanning things that are
downloaded onto that endpoint and the device. Interesting tidbit though, if we look across
what was also downloaded and retrieved from the other infected devices, Bob, Charlie, et cetera,
where's the commonality? What could we sink a key off of that all of
these individuals seem to download around the same timeframe? And that was kind of the hunch
we were cluing off of. Very clever. And then that paid off for you. It absolutely did. And I think
this might be some of the most interesting and cool parts of the story here is that we found this zip file.
We found this archive file, a compressed file. It was a VOA underscore Korea dot zip. And now I'm
not, Hey, pointing fingers and name of names or anything. That was the, that was the file name,
VOA underscore Korea dot zip. Right. VOA alluding to the voice of america and interestingly enough all of the infected
individuals had uh downloaded this file but when we tried to look we tried to see we wanted to go
explore oh can we retrieve this file can we get our hands on that because this could be
the smoking gun but it wasn't there it was a bummer man okay we couldn't track down where
that file might have been.
Was it deleted?
Did the malware clean up its tracks?
Did it just wipe its fingerprints?
It wasn't there.
So what next?
Here's a fun tidbit of, oh, leaning in on Alex.
They happened to download that file twice.
So you know on your computer when you download something a second
time and it has the same file name, it just adds sort of a parenthesis one or a parenthesis two
at the end of it. We saw, thankfully, there was a VOA Korea one wrapped in parenthesis dot zip file
and we thought, oh, we could still latch onto this. So perhaps whatever was looking to cover
its tracks and delete the file hadn't
accounted for this possibility. Right. There could very well have just, hey, happenstance,
maybe an accident, maybe something that user happened to download this file twice. And while
it opened up only one of those, sure, if the malware were to clean up its tracks, well, the other copy isn't the one that's executed,
so it didn't scrub and remove that.
Mm-hmm, mm-hmm.
So what did this file reveal?
Ooh, so our VOA Korea 1.zip
was a password-protected and encrypted zip file,
and we thought, dang it.
There's no way we could be able to figure out
what that password might be.
There's no way we could kind of unravel the pieces here and see how this all began because we just couldn't tell what that password is.
We couldn't ask the organization and say, hey, I'm sorry, infected individual.
Do you happen to remember, however much long ago, what this email could have been, how you got this, et cetera, what password it might have been?
We didn't go that far.
how you got this, et cetera, what password it might've been. We didn't go that far. We didn't ask those questions because it's a strange thing to ask, especially, hey, we're, you know, we're
looking at some of the other activity on the device, but we thought maybe we could switch
from our threat hunting mentality to a little bit more of our hacking mentality, put our hacker head
on for just a little bit. Can we brute force or crack
the password to the zip file? So for any listening in that might happen to be, oh,
pen testers or hackers or ethical hackers, et cetera, we were throwing John the Ripper.
We were throwing hash cat and we were using word lists and rules files and we couldn't get this
thing. But on, on a whim, just by luck, I think I was the one trying, hey, can we just use
a boring, basic brute force, test the letters in the alphabet and principal characters, A-A-A,
A-A-B, A-A-C, and go down the list. What's the password here? Eventually, we found the password VOA2021.
Of course it is.
Pretty silly, pretty boring, but hey, that gave us the keys to the kingdom.
Right, right. Whatever works.
I mean, how long of eventuality are we talking about here?
Do you have any sense for how long you were banging away at this?
I mean, it's not a whole lot of care.
It's five characters.
So,
well,
let's see,
that would have been probably four or five in the morning.
By the time we were that far down the rabbit hole,
uh,
it might've been maybe a half hour or an hour before we opted to,
Hey,
let's just let it brute force ad hoc.
Um,
and truthfully,
it would honestly maybe took us five or 10 minutes or less trying to
determine what that password might be.
But yeah,
inside of the zip file was VOA Korea dot doc.
And if folks happen to know that file extension,
Hey,
that is a Microsoft word or Microsoft office document.
And Ooh,
maybe this is where it all comes together
because our previous understanding was
that Baby Shark
malware would be implanted by
a phishing lure,
a phish trick.
An email was sent with a malicious
office document with macros
enabled that could run and detonate code
and this looked
like it was it.
So we used a utility OLE VBA, just a command line thing that would look for presence of macros. And this file,
the document lit up like a Christmas tree. It was firing. Hey, this thing is suspicious. This
thing is critical, dangerous. This thing is awful malicious. You could see functions and code that would run,
hey, shell commands or system commands
or calling out to other C2 frameworks, et cetera,
disabling registry values.
And it was wild to see,
and honestly, a little bit of adrenaline rush
when you're in the war room of,
hey, the Zoom call with all of our buddies,
like, this is it, we found it.
Now, a really interesting part of the story here is how you were able to track down the actual email that sort of kicked all of
this off. I guess I should say the email exchange because it was more than just one email. Oh,
you're absolutely right. Now that we thought we had the bigger picture, hey, we found the smoking gun, we found the phishing document, the malicious macro-enabled Word document that kick-started this whole thing, now we kind of want to go back to this organization and say, hey, here's the story, here's everything that we know, we've enriched as much data as we can for you. But we kind of have to ask, do you or your personnel remember this happening?
Do you have the email records with this attachment, with anything that could tell us about it?
So we could, again, understand more here for both of us, for both us, the analysts, and for them, for their understanding.
And they came back and they said, hey, we found the email.
We see the initial compromise from Alex and this original email. And I think it's a very, very cool example of social engineering and deception and deceit from a threat actor.
The victim is saying, hi, I am a reporter or some journalist with the Voice of America Korea, and we're just doing a new project and some understanding on Korea and its other things that might be happening.
Again, something that could be a news story worthy, but they wanted to get some other insights and resources from this think tank.
And this seems like an innocent enough ask because the victim comes back and just being friendly says, hey, absolutely. I'm more than willing to help.
I'll try and get together with my team and I'll give you some answers to your questions as quick as I can.
And at that point, there's nothing for that individual to really be concerned about.
They are offering a file or information to them rather than just
randomly receiving some oddball document off the cuff. Right. There's nothing that's saying,
click here or download this file at all. We're just in email right now exchanging information.
I think this is a great example for, I guess, reverse social engineering and that all of a
sudden, next Alex will go ahead and send a response
email that says, Hey, I've compiled answers and I have something ready for you to review. I hope
this helps, uh, happy to help provide anything more. And then our threat actor, the bad individual
comes back and says, thanks so much. This is great. I've made some slight changes. I'd just
like for you to have a final review before we work with this.
I've attached a file for you to look through.
And for security sake, this file is password protected.
Password VOA 2021.
Come in full circle here.
Of course, yes.
Now, here's the kicker.
While Alex, this individual, goes ahead and reads and downloads, of course, downloads twice. This document works with the password, extracts and opens up the document. They go ahead and there are two parts here that it might really be the kicker.
Send and forward this over to their coworkers, right?
Bob and Charlie, Bob being the alleged original victim and target.
Get their review, get their permission, and carbon copy them in the email response that says, this looks great.
Feel free to publish or do whatever you need to do.
All a ploy, all a scheme.
Obviously a trick, a mousetrap that our victim fell into. But if you look at the document,
if you look at the real Microsoft Office,
the voacorea.doc,
we have a screenshot included in our research and blog that shows it is just a blue banner that says,
hey, this file was created
in an earlier version of Microsoft Office.
You need to click enable content and enable editing
for you to be able
to see the true original document. Now, I don't know if you or others listening in happen to sit
through, Hey, some cybersecurity hygiene, one-on-one standard security training. But in my
mind, that's just the most vanilla cookie cutter and classic scam. That's the trick that says, hey, please click here
to view this document. And just as you alluded to, like, hey, that was the kicker, but it turns out
that's all it takes. That's all the advanced persistent threat needed to weasel their way in
and do some real damage and cyber espionage for a year.
Right. And, you know, as you say, through this social engineering of biding their time,
taking their time to establish a certain amount of rapport and trust with the victim,
not going at them right away, but, you know, even, I suppose, stroking their ego a little bit by saying, you know, we're reaching out to you
to share your expertise.
Apparently, doing a little bit more digging
and understanding of this whole thing,
I believe that threat actor family,
that whatever DPRK group,
I think some folks have alluded to Kamuski, Kamsuki,
I might be getting the pronunciation wrong,
but the folks that deploy and use this baby shark malware,
as it's been known to be, they're very good at that.
They're very good at setting the stage,
having a little pretense and doing a sort of bait and switch to be able to
fool the end user and deceive them. Hey, now that we've built up a,
what is the word repertoire, repertoire, something that says, you know,
you can trust me.
Yeah, report.
And then they trigger that clever malware detonation.
Well, help me understand the amount of time that they were in the system.
So if they're maintaining persistence for, let's just say, about a year or so,
what changed that all of a sudden at the one-year mark,
a warning went out, a flag went up, a flare went up that said,
hey, something needs to be examined here?
Did the victims change something in their security approach?
What happened there?
Well, I will be truthful and honest here,
and I don't mean to come across
like some sleazy sales guy, right? So please stop me if I ever get that semblance. But
they were a trialing partner with Huntress. Huntress is where I work. I'm a security
researcher there. And we do manage threat detection. And we look for the things that
slip past your preventative layers of security,
antivirus, other things you might have in place. It's meant to be a last layer of your security
stack to catch the things that just fall through the cracks. This partner, this organization was
running a trial, just kicking the tire, seeing, hey, would huntress fit well with what we do?
kicking the tires, seeing, hey, would huntress fit well with what we do? And we hunt for persistence.
We hunt for those hooks, those implants, those claws where a threat actor and adversary maintains access because we can key off of that and say definitively, there is evil here. Then we have
human analysts, myself, others, the others that were part of the story, understanding this thing,
digging into it and enrich the data. So we can come back to the partner and say,
this is what happened and this is how we can get rid of it.
So when we hear folks in the industry talking about threat hunting, I mean, this is it.
Here's a prime example of how it can pay off for you.
Absolutely. Absolutely. And thank you for kind of teeing that up. I'm a, of a strong
opinion. Hey, you can't just kind of put your feet up on the desk and wait for the alerts to roll in
from a sock or a seam solution. You have to go out hunting. You have to go, go beyond the dashboard
is kind of what I tend to say, where you're looking for evil, you're seeking it out. And
you're trying to see what
are these indicators of compromise? What is this weird oddball stuff that just isn't normal?
And having humans in the mix, having my eyes on it or your eyes on it or anyone else,
we're the ones that have the context. We know what's good, bad, and ugly. And that is how we
could pull back the pieces where the antivirus here was maybe just sleeping on the job.
You know, it seems to me like this is also a great example of how you can benefit from having defense in depth.
You know, in this case, we're not here to say that, you know, antivirus is worthless or that you shouldn't have it.
We're saying that because there were multiple layers of defenses there, when it slipped through one,
you had something else there to help catch it.
Oh, absolutely.
And I am super duper glad you mentioned that.
Thank you, thank you.
You're absolutely right.
And that it's all about layered security.
It is defense in depth.
I draw this analogy because I come from sort of a,
hey, a Coast Guard or Navy background.
In the Navy, there are submarines, right? Under underwater. And there's always water pressure surrounding them. One puncture,
one hole, one, something in the hull of the frame that could let water move into the submarine
that could sink the ship. Right. But that's why you have watertight bulkheads. That's why every single compartment space is compartmented out so that, hey, water moves
into one thing and there's danger and a threat.
It's not going to bleed and leak into the other components of the ship and do more damage.
It's contained.
It's restrained.
And that, I think, is part of the allure and benefit of defense in depth is that you've
got this maintained.
So what are the take-homes here? I mean, in terms of what you'd like our listeners to come away with
of how to approach their own systems. I mean, is that really the bottom line that,
you know, defense in depth is where you need to be?
There are a lot of things to take away, truthfully. Yes, we know defense
in depth is in the mix. We know, hey, prevention may fail. We know, hey, humans should be part of
the equation. And while I can say and kind of ride on the soapbox all too long, hey, you know,
that's why we threat hunt. Cybersecurity is a constant thing. It's a heartbeat. We have to earn it. But I would honestly heart back to
the phishing email and the malicious documents because I think there's a really, really strong
takeaway there that is a little painful. Hey, when we saw that Microsoft Word document and it's just
right out in front of us, please click here. I wince and I cringe because wasn't this supposed to be an advanced persistent
threat and we're still getting fooled by the small stuff. Hey, I know a security practitioners
on a professional say, use strong passwords, enable multi-factor authentication, be careful
of the links you click on yada, yada, yada. It sounds so trite and overused and oversaturated, but we need to keep driving that education home because that's where a lot of these risks come
from. And that I think is something that we'll never get away from. I know it sucks when you
hear me or anyone else get up on the soapbox and say, hey, the cybersecurity basics,
the bare bone essentials of security hygiene,
that still needs to be said.
Our thanks to John Hammond from Huntress for joining us.
The research is titled Targeted APT Activity,
Baby Shark is Out for Blood. We'll have a link in the show notes.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide. ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company teams and technologies. Our amazing CyberWire team is Liz Ervin, Elliot
Peltzman, Trey Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabey, Tim Nodar,
Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.
We'll see you back here next week.