Podcast Detail

SANS Stormcast Tuesday, July 8th, 2025: Detecting Filename (Windows); Atomic Stealer now with Backdoor; SEO Scams

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9516.mp3

previous
Podcast Logo
Detecting Filename (Windows); Atomic Stealer now with Backdoor; SEO Scams
00:00

What’s My File Name
Malware may use the GetModuleFileName API to detect if it was renamed to a name typical for analysis, like sample.exe or malware.exe
https://isc.sans.edu/diary/What%27s%20My%20%28File%29Name%3F/32084

Atomic macOS infostealer adds backdoor for persistent attacks
Malware analyst discovered a new version of the Atomic macOS info-stealer (also known as 'AMOS') that comes with a backdoor, to attackers persistent access to compromised systems.
https://moonlock.com/amos-backdoor-persistent-access

HOUKEN SEEKING A PATH BY LIVING ON THE EDGE WITH ZERO-DAYS
At the beginning of September 2024, an attacker repeatedly exploited vulnerabilities CVE-2024- 8190, CVE-2024-8963, and CVE-2024-9380 vulnerabilities to remotely execute arbitrary code on vulnerable Ivanti Cloud Service Appliance devices.
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2025-CTI-009.pdf

SEO Scams Targeting Putty, WinSCP, and AI Tools
Paid Google ads are advertising trojaned versions of popuplar tools like ssh and winscp
https://arcticwolf.com/resources/blog-uk/malvertising-campaign-delivers-oyster-broomstick-backdoor-via-seo-poisoning-and-trojanized-tools/

Podcast Transcript

 Hello and welcome to the Tuesday, July 8, 2025 edition
 of the SANS Internet Storm Center's Stormcast. My name is
 Johannes Ullrich and this episode brought to you by the
 SANS.edu Undergraduate Certificate Program in
 Cybersecurity Fundamentals is recorded in Jacksonville,
 Florida. And hackers have a pretty impressive arsenal in
 tools and tricks that they're using to figure out if malware
 they wrote is running in some kind of artificial environment
 used to analyze that malware. One trick that Xavier is
 talking about is, well, detecting whether or not the
 binary was renamed. Quite often when analysts are
 running malicious code in some kind of sandbox, a virtual
 machine or the like, they're renaming it. And I actually
 often recommend you rename it in order to accidentally run
 it on a real system. So quite often it's being renamed into
 something like sample.exe or malware.exe. Well, Xavier is
 talking today about how an attacker may detect if their
 script was renamed, in particular on Windows. Windows
 offers a specific API for this, the get module filename.
 If you leave the first of the three parameters set to null,
 then it will return the name of the current program. And
 that, of course, can easily then be compared to a block
 list or, well, maybe attackers like sometimes allow lists too
 and will only allow the software to run if it has a
 very specific name that the attacker assigned it. Of
 course, this could again lead to false positives where a
 user just renamed the file into something slightly
 different and then it wouldn't run. And talking about
 malware, we do have news for macOS users. Moonlock Labs did
 find a new version of the Atomic Stealer. Atomic
 Stealer, well known, has been around for a few years. It,
 well, was an Info Stealer, as the name implies, but it now
 also implemented a persistent backdoor, allowing the
 attacker more complete remote control than before. What I
 found sort of interesting reading over the Moonlock
 write-up is that apparently they're just connecting to the
 command control server by IP address. It's interestingly a
 Finnish IP address. So, not sure how long that'll last may
 already be taken down and also should be detectable with the
 standard detection rule where you're looking just for
 outbound connections to IP addresses that did not get
 returned as a result of a DNS lockup before you see the
 outbound connection to that IP. The French cert has
 released an interesting and very detailed report outlining
 some of the attacks that they have seen taking advantage of
 Ivanti vulnerabilities. Ivanti, of course, always a
 hot topic. I sort of call them friends of the show for all
 the vulnerabilities they supply us with. But this
 report also goes into, well, after they get into the
 system, what are their next steps? How are they moving
 forward after they breach a border device like an Ivanti
 gateway? So, in this particular case, for example,
 looking at the different PHP shells and such that are being
 deployed, they're calling this particular attack group HOKEN.
 I think that's how you would pronounce it. And it is
 associated with China. Now, an Arctic wolf is observing
 search engine optimization attacks that are advertising
 malicious tools. Nothing really too new about it. But,
 of course, these attacks are now often advertising AI
 tools. That's, of course, a hot topic. Lots of people are
 searching for them. In addition to that, also the
 good old sort of targets like SSH clients, like, for
 example, Putty, are being affected by these attacks. I
 think the SSH clients, like Putty, are in particular sort
 of an easy target in the sense that if you have a software
 that's called Putty, and they're actually just
 modifying the original software. So, it still has all
 the legitimate capabilities of Putty. But if a piece of
 software like this all of a sudden has some outbound
 network connectivity or such, it probably slips easier past
 some detection. Because, well, you think, hey, you know, it's
 Putty. It's meant to set up SSH connections. So, it's less
 suspicious if you all of a sudden see some odd SSH
 connections that originate from a tool like Putty. Well,
 and that's it for today. Only about a week to science fire.
 So, hope to see many of you there in Washington, D.C. Not
 too late to still register, in particular, if you plan on
 attending online. Some of the evening events, like the
 keynote, I believe on Tuesday, will be streamed online as
 well. So, you don't necessarily have to be there
 in person. But, of course, we also have a number of in
 -person only events, like, for example, our Honeypot Workshop
 and Giveaway. That's it for today. Thanks for listening
 and talk to you again tomorrow. Bye. Bye.