
SANS Stormcast Friday, May 2nd: More Steganography; Malicious Python Packages GMail C2; BEC to Steal Rent Payments

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9434.mp3


Steganography Analysis With pngdump.py: Bitstreams
More details from Didier on how to extract binary content hidden inside images.
https://isc.sans.edu/diary/Steganography%20Analysis%20With%20pngdump.py%3A%20Bitstreams/31904
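The least-significant-bit extraction that the diary and the transcript describe, as an added example (not Didier's pngdump.py or format-bytes code): it assumes the caller already has the uncompressed pixel samples, takes the bit order inside a byte as a parameter, and compares a clean and a suspect carrier the way the diary's two-image comparison does. The carrier bytes and payload are constructed for the demonstration.

```python
"""Least-significant-bit (LSB) extraction over raw pixel samples.

Added example, not Didier's code: it assumes the caller already has the
uncompressed pixel bytes (what pngdump.py would produce); no PNG decoding here."""
from typing import Iterable

def lsb_plane(pixels: bytes) -> list:
    """One 0/1 value per sample: the lowest bit of each byte."""
    return [p & 1 for p in pixels]

def bits_to_bytes(bits: Iterable[int], msb_first: bool = True) -> bytes:
    """Pack a 0/1 stream into bytes; bit order inside a byte is selectable,
    which is the knob that matters when a blind extraction yields garbage."""
    out, acc, n = bytearray(), 0, 0
    for b in bits:
        acc = (acc << 1) | b if msb_first else acc | (b << n)
        n += 1
        if n == 8:
            out.append(acc)
            acc, n = 0, 0
    return bytes(out)

def extract_lsb(pixels: bytes, msb_first: bool = True) -> bytes:
    """Recover whatever was stored one bit per sample in the LSB plane."""
    return bits_to_bytes(lsb_plane(pixels), msb_first)

def changed_samples(clean: bytes, suspect: bytes) -> list:
    """Indexes where the LSB differs between a known-clean and a suspect image;
    a dense run of changes starting at sample 0 is what the two-image comparison shows."""
    return [i for i, (a, b) in enumerate(zip(clean, suspect)) if (a ^ b) & 1]

def embed_lsb(pixels: bytes, payload: bytes, msb_first: bool = True) -> bytes:
    """Only used here to construct the stego sample for the demonstration."""
    bits = [(byte >> (7 - i if msb_first else i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("payload does not fit in carrier")
    carrier = bytearray(pixels)
    for i, bit in enumerate(bits):
        carrier[i] = (carrier[i] & 0xFE) | bit
    return bytes(carrier)

# Constructed 64-sample grayscale "image" and a payload starting with the PE magic bytes.
CLEAN = bytes((i * 37 + 11) & 0xFF for i in range(64))
PAYLOAD = b"MZ\x90\x00"
STEGO = embed_lsb(CLEAN, PAYLOAD)

if __name__ == "__main__":
    print(extract_lsb(STEGO)[:4], len(changed_samples(CLEAN, STEGO)))
```

Extracting with the wrong bit order returns bit-reversed bytes, which is why format-bytes exposes that setting.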

Using Trusted Protocols Against You: Gmail as a C2 Mechanism
Attackers are using typosquatting to trick developers into installing malicious Python packages. These packages use Gmail as a command and control channel by sending email to hard-coded Gmail accounts.
https://socket.dev/blog/using-trusted-protocols-against-you-gmail-as-a-c2-mechanism
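The network-side detection idea discussed in the transcript (mail submission to Gmail from hosts that normally never send mail), as an added example that is not from the Socket post: it runs over a constructed connection log whose format (timestamp, source IP, destination host, destination port, protocol) is assumed for this example, and the "expected sender" network is likewise an assumption to replace with your own mail-relay segment.

```python
"""Flag SMTP submission traffic to Gmail from hosts that are not expected to send mail.

Added example: the log format below is constructed for the demonstration, not a
real sensor's output. Ports 587 (submission) and 465 (SMTPS) are Gmail's real
submission ports; the source network allowed to use them is an assumption."""
import ipaddress
from collections import Counter

GMAIL_SMTP_HOSTS = {"smtp.gmail.com"}
SUBMISSION_PORTS = {587, 465}
# Assumption for this example: only the mail-relay segment should talk to Gmail SMTP.
EXPECTED_SENDERS = [ipaddress.ip_network("10.0.5.0/24")]

def parse_line(line: str) -> dict:
    """Split one constructed log line: ts src dst_host dst_port proto."""
    ts, src, dst_host, dst_port, proto = line.split()
    return {"ts": int(ts), "src": ipaddress.ip_address(src),
            "dst_host": dst_host, "dst_port": int(dst_port), "proto": proto}

def is_expected_sender(ip) -> bool:
    return any(ip in net for net in EXPECTED_SENDERS)

def find_unexpected_gmail_submissions(lines) -> list:
    """Return records for Gmail submission-port connections from unexpected sources."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_line(line)
        if rec["proto"] != "tcp" or rec["dst_port"] not in SUBMISSION_PORTS:
            continue
        if rec["dst_host"] in GMAIL_SMTP_HOSTS and not is_expected_sender(rec["src"]):
            hits.append(rec)
    return hits

def summarize(hits) -> Counter:
    """Count hits per source host, so a repeat offender (a beaconing box) stands out."""
    return Counter(str(h["src"]) for h in hits)

# Constructed sample log: a relay, a build server, and a workstation.
SAMPLE_LOG = """\
# ts src dst_host dst_port proto   (constructed sample, not real traffic)
1746180000 10.0.5.10 smtp.gmail.com 587 tcp
1746180005 10.0.20.44 smtp.gmail.com 587 tcp
1746180009 10.0.20.44 www.google.com 443 tcp
1746180012 10.0.30.7 smtp.gmail.com 465 tcp
1746180020 10.0.20.44 smtp.gmail.com 587 tcp
""".splitlines()

if __name__ == "__main__":
    print(summarize(find_unexpected_gmail_submissions(SAMPLE_LOG)))
```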

Security Brief: French BEC Threat Actor Targets Property Payments
A French business email compromise threat actor is targeting property management firms, sending emails to tenants that trick them into sending rent payments to fake bank accounts.
https://www.proofpoint.com/us/blog/threat-insight/security-brief-french-bec-threat-actor-targets-property-payments

SANS.edu Research Journal
https://isc.sans.edu/j/research


Podcast Transcript

Hello and welcome to the Friday, May 2nd, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida.

And we have another steganography diary from Didier further figuring out, well, how to analyze some messages or in this case binaries that are embedded in images. pngdump.py, Didier's tool that he used in last weekend's diary, is able to take a compressed PNG image and basically expand it and display the uncompressed pixel values for the particular image. PNG is compressed, it's lossless compression, and actually lossy compression wouldn't work with steganography because they exactly sort of do these one-bit changes that are often lost when it comes to compression that loses sort of some of the detail of the image. So once you have the actual byte values, the one thing that pngdump doesn't do, it actually doesn't sort of help you extract individual bits. But, well, of course, Didier has a tool just for that. It's called format-bytes. So what Didier did in today's diary was look at two images. One is with message, one without message. It uses that least significant bit methodology, which basically results in identical, at least visually, images. And then using format-bytes, Didier extracted the executable from the bitstream that you get from pngdump. format-bytes is the instrument tool. If you look at the example, it sort of allows you very flexibly to define the actual format being used, how many bits, little endian, big endian, all of these details, and then extract respective data, which is really useful here. And Didier also promises, well, a little challenge for Saturday.

And Olivia Brown with Socket, a company that specializes in software security, in particular malicious dependencies, is talking in a blog post about a couple of malicious Python modules that they ran into. Now, the nice thing I like about this particular post is, of course, there have been many malicious Python modules that they sort of show a little bit the evolution of these modules over the years, but also the kind of command control channel being implemented here. I've seen it before, but not really sort of in a malicious Python module like this. In this particular case, these malicious Python modules are actually using Gmail to send email and then essentially start up a command and control channel. The script itself connects to the submit port at Gmail and then uses its own credentials that are, of course, hard-coded here into the malicious library to send email to some other Gmail address. That's a little bit odd, actually, because a more, well, I would say, stealthy way to implement sort of these Gmail command control channels is often just by drafting the email and then the attacker would just log in and check the email. But maybe by having to add their credentials to the script, they felt better in sort of separating those two roles. Of course, they could have used something like OAuth and such for some better authentication here as well, which I guess they figured wasn't quite necessary. And given that these particular libraries have been around in various versions since, I believe, 2022, if I remember correctly from the blog post, it seems reasonable that, well, it works for them. From a defensive point of view, of course, it's a little bit tricky. Yes, you know, make sure you're not using any malicious libraries. You're probably not going to detect this on the network. That's one of the suggestions here in the blog post, given that they're using the normal Gmail submit port here. If you do allow Gmail, you will see traffic like this and are probably not going to be able to detect this necessarily as malicious. On the other hand, if this comes from servers or network segments that usually don't send email to Gmail like this, you may be able to detect it on the network.

Yeah, and then something I don't really talk enough about, probably because I'm sticking usually a little bit more to the technical side, but Proofpoint has a good post about a scam they have recently seen where attackers are using business email compromise. So they're actually getting into involved parties' email systems to then send out emails asking tenants of a particular property management company that they breached to update their banking information and, well, send rent to the wrong account. This type of account update fraud in general is something that has been happening for years using a business email compromise and definitely something that only really can be addressed via business rules, where you're basically telling people you're not going to use an email in order to update banking information and that you're going to do this via a written letter in the mail, via voice confirmation, or even by basically being able to stop by an office or something like this to confirm the correct account information. This has been happening in real estate, not just with rents. So something to keep in mind as you are dealing with issues like this. Try to set up business rules that don't just rely on email for critical information like this.

Well, then a quick reminder that our SANS.edu research journal has been released for this year. We always release it during RSA week. This is the fifth time we're doing so. So the fifth volume, fifth year of our research journal. Great articles in there. Great article about QUIC, for example. One of my sort of favorite topics these days, the new transport protocol, kind of transport protocol. So definitely take a look. And that's it for today. Next week, I'll be in San Diego. So hope to run into some of you there. And I'll have some stickers with me. So thanks, everybody. And talk to you again on Monday. Bye.