SANS Stormcast Tuesday, July 8th, 2025: Detecting Filename (Windows); Atomic Stealer now with Backdoor; SEO Scams
Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9516.mp3
My Next Class
Application Security: Securing Web Apps, APIs, and Microservices | Washington | Jul 14th - Jul 19th 2025 |
Application Security: Securing Web Apps, APIs, and Microservices | Las Vegas | Sep 22nd - Sep 27th 2025 |
What’s My File Name
Malware may use the GetModuleFileName API to detect whether it was renamed to a name typical for analysis, such as sample.exe or malware.exe.
https://isc.sans.edu/diary/What%27s%20My%20%28File%29Name%3F/32084
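As an added example (not code from the diary), this is what the renamed-file check reduces to, so an analyst recognises it and understands why a sample called sample.exe may refuse to detonate: GetModuleFileName with a NULL first parameter via ctypes on Windows, a sys.executable fallback elsewhere, and the block-list and allow-list comparisons. The name list and the allow-list behaviour are illustrative assumptions.

```python
import ctypes
import ntpath
import sys

# Names the diary calls typical for analysis (short constructed list).
ANALYSIS_NAMES = {"sample.exe", "malware.exe"}


def running_image_path() -> str:
    """Path of the current process image.

    On Windows this is the GetModuleFileName call from the diary: NULL (None)
    as the first parameter means "the executable of the current process"
    rather than a loaded module.  Elsewhere sys.executable is used so the
    example still runs.
    """
    if sys.platform == "win32":
        buf = ctypes.create_unicode_buffer(260)  # MAX_PATH
        n = ctypes.windll.kernel32.GetModuleFileNameW(None, buf, len(buf))
        if n == 0:
            raise ctypes.WinError()
        return buf.value
    return sys.executable


def name_check(path: str, blocklist=ANALYSIS_NAMES, allowlist=None) -> bool:
    """True when the file name passes the check the diary describes.

    Block-list mode fails on well-known analysis names; allow-list mode fails
    unless the base name is exactly the expected one (the variant that breaks
    when a user renames the file slightly).  Comparison is case-insensitive,
    as Windows file names are; ntpath handles both \\ and / separators.
    """
    base = ntpath.basename(path).lower()
    if allowlist is not None:
        return base in {n.lower() for n in allowlist}
    return base not in {n.lower() for n in blocklist}


if __name__ == "__main__":
    path = running_image_path()
    print(path, "passes" if name_check(path) else "looks like an analysis name")
```

Renaming a sample to something neutral (a random word plus .exe) avoids the block-list variant; the allow-list variant can only be satisfied by restoring the original name.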
Atomic macOS infostealer adds backdoor for persistent attacks
Malware analysts discovered a new version of the Atomic macOS info-stealer (also known as 'AMOS') that comes with a backdoor, giving attackers persistent access to compromised systems.
https://moonlock.com/amos-backdoor-persistent-access
HOUKEN SEEKING A PATH BY LIVING ON THE EDGE WITH ZERO-DAYS
At the beginning of September 2024, an attacker repeatedly exploited the vulnerabilities CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380 to remotely execute arbitrary code on vulnerable Ivanti Cloud Service Appliance devices.
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2025-CTI-009.pdf
SEO Scams Targeting Putty, WinSCP, and AI Tools
Paid Google ads are advertising trojaned versions of popular tools such as PuTTY (an SSH client) and WinSCP.
https://arcticwolf.com/resources/blog-uk/malvertising-campaign-delivers-oyster-broomstick-backdoor-via-seo-poisoning-and-trojanized-tools/
Podcast Transcript
Hello and welcome to the Tuesday, July 8, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and this episode, brought to you by the SANS.edu Undergraduate Certificate Program in Cybersecurity Fundamentals, is recorded in Jacksonville, Florida.

And hackers have a pretty impressive arsenal in tools and tricks that they're using to figure out if malware they wrote is running in some kind of artificial environment used to analyze that malware. One trick that Xavier is talking about is, well, detecting whether or not the binary was renamed. Quite often when analysts are running malicious code in some kind of sandbox, a virtual machine or the like, they're renaming it. And I actually often recommend you rename it in order to not accidentally run it on a real system. So quite often it's being renamed into something like sample.exe or malware.exe. Well, Xavier is talking today about how an attacker may detect if their script was renamed, in particular on Windows. Windows offers a specific API for this, GetModuleFileName. If you leave the first of the three parameters set to null, then it will return the name of the current program. And that, of course, can easily then be compared to a block list or, well, maybe attackers like sometimes allow lists too and will only allow the software to run if it has a very specific name that the attacker assigned it. Of course, this could again lead to false positives where a user just renamed the file into something slightly different and then it wouldn't run.

And talking about malware, we do have news for macOS users. Moonlock Labs did find a new version of the Atomic Stealer. Atomic Stealer, well known, has been around for a few years. It, well, was an info stealer, as the name implies, but it now also implemented a persistent backdoor, allowing the attacker more complete remote control than before. What I found sort of interesting reading over the Moonlock write-up is that apparently they're just connecting to the command and control server by IP address. It's interestingly a Finnish IP address. So, not sure how long that'll last, may already be taken down, and also should be detectable with the standard detection rule where you're looking just for outbound connections to IP addresses that did not get returned as a result of a DNS lookup before you see the outbound connection to that IP.

The French CERT has released an interesting and very detailed report outlining some of the attacks that they have seen taking advantage of Ivanti vulnerabilities. Ivanti, of course, always a hot topic. I sort of call them friends of the show for all the vulnerabilities they supply us with. But this report also goes into, well, after they get into the system, what are their next steps? How are they moving forward after they breach a border device like an Ivanti gateway? So, in this particular case, for example, looking at the different PHP shells and such that are being deployed. They're calling this particular attack group Houken. I think that's how you would pronounce it. And it is associated with China.

Now, Arctic Wolf is observing search engine optimization attacks that are advertising malicious tools. Nothing really too new about it. But, of course, these attacks are now often advertising AI tools. That's, of course, a hot topic. Lots of people are searching for them. In addition to that, also the good old sort of targets like SSH clients, like, for example, PuTTY, are being affected by these attacks. I think the SSH clients, like PuTTY, are in particular sort of an easy target in the sense that if you have software that's called PuTTY, and they're actually just modifying the original software. So, it still has all the legitimate capabilities of PuTTY. But if a piece of software like this all of a sudden has some outbound network connectivity or such, it probably slips easier past some detection. Because, well, you think, hey, you know, it's PuTTY. It's meant to set up SSH connections. So, it's less suspicious if you all of a sudden see some odd SSH connections that originate from a tool like PuTTY.

Well, and that's it for today. Only about a week to SANSFIRE. So, hope to see many of you there in Washington, D.C. Not too late to still register, in particular if you plan on attending online. Some of the evening events, like the keynote, I believe on Tuesday, will be streamed online as well. So, you don't necessarily have to be there in person. But, of course, we also have a number of in-person only events, like, for example, our Honeypot Workshop and Giveaway. That's it for today. Thanks for listening and talk to you again tomorrow. Bye-bye.
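The detection rule mentioned for the Atomic Stealer C2 traffic, as an added example that is not part of the podcast or the Moonlock report: it correlates DNS answers with later outbound connections from the same host and reports connections to external addresses that no recent answer explains. The log format, the internal address ranges, the ten-minute window and the RFC 5737 sample addresses are constructed assumptions.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample log lines (not taken from the Moonlock report):
# "<ts> dns <src> <query> <answered_ip>" and "<ts> conn <src> <dst_ip> <dst_port>".
SAMPLE_LOG = """\
2025-07-08T10:00:01Z dns 10.0.0.5 updates.example.com 203.0.113.10
2025-07-08T10:00:02Z conn 10.0.0.5 203.0.113.10 443
2025-07-08T10:00:03Z conn 10.0.0.5 10.0.0.1 445
2025-07-08T10:00:05Z conn 10.0.0.5 198.51.100.23 443
2025-07-08T10:20:00Z conn 10.0.0.5 203.0.113.10 443
"""

LINE = re.compile(r"^(\S+) (dns|conn) (\S+) (\S+) (\S+)$")

# Ranges where a connection is not expected to be preceded by a DNS answer
# (assumed internal address plan; adjust to the monitored network).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "127.0.0.0/8", "169.254.0.0/16")]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def connections_without_dns(log: str, window_seconds: int = 600) -> list:
    """Return (ts, src, dst, port) for each outbound connection to an external
    address that the same source did not resolve via DNS within window_seconds.
    The window is an assumption: a connection long after the last answer
    (hard-coded or long-cached address) is reported as well."""
    resolved = {}  # (src, answered_ip) -> time of the most recent DNS answer
    hits = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # constructed format only; unknown lines are ignored
        ts, kind, src, a, b = m.groups()
        t = _ts(ts)
        if kind == "dns":
            resolved[(src, b)] = t
            continue
        dst = ipaddress.ip_address(a)
        if any(dst in net for net in INTERNAL):
            continue
        seen = resolved.get((src, a))
        if seen is None or (t - seen).total_seconds() > window_seconds:
            hits.append((ts, src, a, int(b)))
    return hits
```

Run against real Zeek or firewall logs, the same idea needs the resolver's answers (including CNAME chains) and a window tuned to observed TTLs, otherwise cached lookups produce false positives.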