Podcast Detail

SANS Stormcast Thursday Mar 27th: Classifying Malware with ML; Malicious NPM Packages; Google Chrome 0-day

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9382.mp3


Leveraging CNNs and Entropy-Based Feature Selection to Identify Potential Malware Artifacts of Interest
This diary explores a novel methodology for classifying malware by integrating entropy-driven feature selection with a specialized Convolutional Neural Network (CNN). Motivated by the increasing obfuscation tactics used by modern malware authors, we will focus on capturing high-entropy segments within files, regions most likely to harbor malicious functionality, and feeding these distinct byte patterns into our model.
https://isc.sans.edu/diary/%5BGuest%20Diary%5D%20Leveraging%20CNNs%20and%20Entropy-Based%20Feature%20Selection%20to%20Identify%20Potential%20Malware%20Artifacts%20of%20Interest/31790
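The diary's first stage, picking out the high-entropy regions of a file before anything is fed to a model, is easy to reproduce. The following is an added example, not code from the diary or from the ISC: it slides a window over a byte buffer, scores each window with Shannon entropy, keeps the windows above a threshold and flattens them into a fixed-length feature vector of the kind a CNN would consume. The sample buffer, the window and step sizes and the 7.0 bits/byte threshold are all constructed for illustration and are not values from the diary.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte.

    0.0 for empty or constant input, at most 8.0 when all 256 byte values
    occur equally often. Packed or encrypted regions sit near the top.
    """
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_windows(data: bytes, window: int = 256, step: int = 128):
    """Yield (offset, entropy) for every window of `window` bytes, sliding by `step`."""
    if window <= 0 or step <= 0:
        raise ValueError("window and step must be positive")
    last_start = max(0, len(data) - window)
    for off in range(0, last_start + 1, step):
        yield off, shannon_entropy(data[off:off + window])


def select_high_entropy(data: bytes, window: int = 256, step: int = 128,
                        threshold: float = 7.0, top_k: int = 4):
    """Keep only windows at or above `threshold` bits/byte and return the
    top_k of them, highest entropy first, as (offset, entropy, raw_bytes)."""
    hits = [(off, ent) for off, ent in entropy_windows(data, window, step) if ent >= threshold]
    hits.sort(key=lambda t: (-t[1], t[0]))  # highest entropy first, then lowest offset
    return [(off, ent, data[off:off + window]) for off, ent in hits[:top_k]]


def to_feature_vector(segments, window: int = 256, top_k: int = 4):
    """Flatten the selected segments into top_k * window floats in [0, 1]
    (byte value / 255), zero-padded so every sample has the same length
    no matter how many windows passed the threshold."""
    vec = []
    for _, _, raw in segments[:top_k]:
        vec.extend(b / 255.0 for b in raw)
    vec.extend([0.0] * (top_k * window - len(vec)))
    return vec


def build_sample() -> bytes:
    """Constructed stand-in for a binary (not a real sample): zero padding,
    readable strings, a pseudo-random region that looks packed or encrypted,
    then more padding. Layout: [0,1024) zeros, [1024,2048) text,
    [2048,3072) random, [3072,4096) zeros."""
    rng = random.Random(1234)  # fixed seed so the output is reproducible
    zeros = bytes(1024)
    text = (b"The quick brown fox jumps over the lazy dog. " * 23)[:1024]
    packed = bytes(rng.getrandbits(8) for _ in range(1024))
    return zeros + text + packed + zeros


if __name__ == "__main__":
    sample = build_sample()
    selected = select_high_entropy(sample)
    for off, ent, _ in selected:
        print(f"offset 0x{off:04x}  entropy {ent:.2f} bits/byte")
    print(len(to_feature_vector(selected)), "features")
```

On the constructed buffer only the windows that lie entirely inside the pseudo-random region clear the threshold; the zero padding scores 0.0 and the English text stays well below 7 bits/byte, which is exactly the separation the diary relies on to decide which bytes are worth the model's attention.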

Malware found on npm infecting local package with reverse shell
Researchers at ReversingLabs found two malicious npm packages, ethers-provider2 and ethers-providerz, that patch the well-known (and not malicious) ethers package already installed on the system to add a reverse shell and a downloader.
https://www.reversinglabs.com/blog/malicious-npm-patch-delivers-reverse-shell
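Because the malicious packages modify a legitimate package after it has been installed, the lock file's integrity hash for the ethers tarball stays valid and never flags the change. One defensive check is to record file hashes of a trusted install and re-verify them later. The following is an added example, not code from ReversingLabs or from the ethers project: it hashes every file under a package directory, stores that baseline as JSON, and reports files that were modified, added or removed. The package layout, file names and contents in `demo()` are constructed stand-ins and do not reproduce the real payload.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_tree(pkg_dir) -> dict:
    """Map every regular file under pkg_dir (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(pkg_dir)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def write_baseline(pkg_dir, baseline_file) -> dict:
    """Record the hash tree right after a trusted install; returns the recorded mapping."""
    tree = hash_tree(pkg_dir)
    Path(baseline_file).write_text(json.dumps(tree, indent=2, sort_keys=True))
    return tree


def verify_against_baseline(pkg_dir, baseline_file) -> dict:
    """Compare the package's current contents with the baseline.

    Returns sorted lists of modified, added and removed relative paths;
    three empty lists mean the package is untouched since the baseline.
    """
    baseline = json.loads(Path(baseline_file).read_text())
    current = hash_tree(pkg_dir)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: a clean stand-in 'ethers' package is baselined,
    then something rewrites one of its files and drops a new one, the way a
    second package's install step would. Returns the verification report."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp) / "node_modules" / "ethers"
        (pkg / "lib").mkdir(parents=True)
        (pkg / "package.json").write_text('{"name": "ethers", "version": "0.0.0-constructed"}\n')
        (pkg / "lib" / "provider.js").write_text(
            "module.exports = { connect() { return 'ok'; } };\n")
        baseline = Path(tmp) / "ethers.baseline.json"
        write_baseline(pkg, baseline)

        # Simulated post-install tampering (constructed placeholders, no real code):
        (pkg / "lib" / "provider.js").write_text(
            "require('./loader');\nmodule.exports = { connect() { return 'ok'; } };\n")
        (pkg / "lib" / "loader.js").write_text("// placeholder for injected file\n")

        return verify_against_baseline(pkg, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline would be written in CI right after `npm ci` against a reviewed lock file and checked again before the build is packaged, so a package that rewrites a sibling under node_modules shows up as a modified file even though every tarball hash in the lock file still matches.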

Google Patched Google Chrome 0-day
Google patched a vulnerability in Chrome that was already being exploited in attacks against media and educational organizations in Russia.
https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_25.html

Podcast Transcript

Hello and welcome to the Thursday, March 27th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida.

It's always great when students are able to apply what they're learning in their classes and we have a great example here from one of our undergraduate interns, Wee Ki Joon, and Wee did write about how to classify malware using machine learning. And it's, I think, a pretty interesting novel way. Also, the diary itself that Wee wrote is in lots of details. So really also enables you to apply some of these techniques to samples and such that you may have in your environment. The goal of this particular work was to classify malware. So not to figure out is it malicious or not so much as to what type of malware it is. And that's, of course, with these undergraduate interns. As part of the internship, they're looking at honeypot data. You end up with a ton of malware there. And the difficult part is sometimes how to sort of triage it and deal just with the sheer volume of data. So this particular model was then able to distinguish between, like, you know, simple droppers, downloaders, backdoors, ransomware, trojans, viruses, and worms. Also, information stealers was another category that Wee looked at. And, well, it worked actually really well with detection sort of in the 90% correct range. Of course, there's always a piece of malware that may be somewhat in between. And, well, again, lots of details here in the diary if you're interested in these type of techniques. I think a really educational piece and very thorough the work being done here.

And imagine that we still have malicious packages, NPM packages in particular. And there is a good new blog post by Lucija Valentić with ReversingLabs. She looked into the ethers-provider2 packages, which was recently published and turned out to be malicious. What's a little bit different here about this is, so, again, you know, we have attacks against crypto coin developers. Ethers refers to Ethereum. And that's sort of what the package is supposed to help with. The actual ethers package was not compromised here. But the tricky part was that these additional ethers-provider2 packages, they were then actually patching the already installed ethers package with malicious payload to then lead to an execution in the code. So, yes, you know, they realize that you probably already have ethers installed. That's the package they really wanted to compromise, but not being able to compromise it directly, they sort of went this detour to first trick you into installing that second package that was supposedly related. And then have it update the main target that they were after. What they ended up with then was a downloader, which basically would allow additional malware to be installed. Most of the time, as Lucija here points out in the blog post, this type of malware is an info stealer. They're trying to steal your crypto coins. Here in this case, well, again, the attacker went a slightly different route via the downloader first.

And something else that's not going away is zero-day vulnerabilities in Google Chrome. Google just released a new update for Google Chrome, apparently only affecting Windows. This particular vulnerability was found by Kaspersky after it had been used to compromise various Russian media and educational institutions, according to Kaspersky.

Well, and that's it for today. If I missed a story, let me know. Let me know if there is any story I should have covered. There were a couple other vulnerabilities, CrushFTP, for example, that I don't really think is noteworthy enough. But let me know if it is, and I'll definitely include vulnerabilities like that. And as always, I like it if you like this podcast. And any feedback is welcome. And if you like it even more, then leave a good comment or let someone at SANS know that you like this podcast. Thanks, and talk to you again tomorrow. Bye.