SANS Stormcast Friday, May 2nd: More Steganography; Malicious Python Packages GMail C2; BEC to Steal Rent Payments
Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9434.mp3
Steganography Analysis With pngdump.py: Bitstreams
More details from Didier on how to extract binary content hidden inside images
https://isc.sans.edu/diary/Steganography%20Analysis%20With%20pngdump.py%3A%20Bitstreams/31904
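The diary works from the raw pixel values that pngdump.py prints and reassembles the least-significant bits into an executable with format-bytes. The block below is an added example, not code from the diary or from either of Didier's tools: it takes a byte string of decompressed pixel samples (assumed to be what you copied out of pngdump.py), packs the LSB stream into bytes with a selectable bit order, and, as the diary does with its two images, checks whether a clean and a stego image differ only in bit 0. The `embed_lsb` helper exists only to construct test data; the cover bytes and the `MZ`-prefixed payload are constructed, not taken from the diary.

```python
"""LSB bitstream extraction over decompressed pixel samples (added example)."""
from __future__ import annotations

import random


def extract_lsb(pixels: bytes, bits_per_sample: int = 1,
                msb_first: bool = True, max_bytes: int | None = None) -> bytes:
    """Collect the low `bits_per_sample` bits of every sample and pack them into bytes.

    msb_first=True treats the first bit read as the high bit of each output byte
    (what the diary calls big endian); False reverses each group of eight.
    """
    mask = (1 << bits_per_sample) - 1
    bits: list[int] = []
    for sample in pixels:
        value = sample & mask
        for i in range(bits_per_sample - 1, -1, -1):   # high to low within the sample
            bits.append((value >> i) & 1)
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):  # only complete bytes
        chunk = bits[i:i + 8]
        if not msb_first:
            chunk = chunk[::-1]
        byte = 0
        for bit in chunk:
            byte = (byte << 1) | bit
        out.append(byte)
        if max_bytes is not None and len(out) >= max_bytes:
            break
    return bytes(out)


def embed_lsb(cover: bytes, payload: bytes, msb_first: bool = True) -> bytes:
    """Write payload bits into bit 0 of consecutive cover samples (test-data construction only)."""
    bits: list[int] = []
    for byte in payload:
        chunk = [(byte >> i) & 1 for i in range(7, -1, -1)]
        if not msb_first:
            chunk = chunk[::-1]
        bits.extend(chunk)
    if len(bits) > len(cover):
        raise ValueError("cover too small for payload")
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def lsb_only_diff(clean: bytes, stego: bytes) -> tuple[int, bool]:
    """Return (count of differing samples, True if every difference is confined to bit 0).

    A visually identical pair whose differences are all single-LSB flips is the
    signature the diary relies on when comparing the image with and without a message.
    """
    if len(clean) != len(stego):
        raise ValueError("images must have the same number of samples")
    differing = 0
    only_lsb = True
    for a, b in zip(clean, stego):
        if a != b:
            differing += 1
            if (a ^ b) != 1:
                only_lsb = False
    return differing, only_lsb


def demo() -> dict:
    """Constructed cover (256 pseudo-random samples) carrying a constructed MZ-prefixed payload."""
    clean = bytes(random.Random(7).randrange(256) for _ in range(256))
    payload = b"MZ\x90\x00hello"            # constructed, stands in for an embedded executable
    stego = embed_lsb(clean, payload)
    count, lsb_only = lsb_only_diff(clean, stego)
    return {
        "recovered": extract_lsb(stego, max_bytes=len(payload)),
        "wrong_order": extract_lsb(stego, msb_first=False, max_bytes=2),
        "differing": count,
        "lsb_only": lsb_only,
    }


if __name__ == "__main__":
    print(demo())
```

Two things the example makes visible that the narrative does not: reading the stream with the wrong bit order still yields bytes, just the wrong ones (here `M` becomes `\xb2` while `Z` survives because its bit pattern is a palindrome), which is why format-bytes lets you state the order explicitly; and the clean-versus-stego comparison should show every changed sample differing by exactly one in bit 0, never more, if plain LSB embedding was used.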
Using Trusted Protocols Against You: Gmail as a C2 Mechanism
Attackers are using typosquatting to trick developers into installing malicious Python packages. These Python packages use Gmail as a command and control channel by sending email to hard-coded Gmail accounts.
https://socket.dev/blog/using-trusted-protocols-against-you-gmail-as-a-c2-mechanism
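The podcast's defensive takeaway is that this traffic is ordinary TLS to Gmail's submission port and is only suspicious by where it comes from: servers or network segments that never relay mail that way. The block below is an added example, not from the Socket write-up or from the podcast, of that baseline check. It assumes per-connection records in a constructed tab-separated shape (timestamp, source, destination, destination port, protocol, resolved destination name), a small allowlist of hosts that legitimately relay mail, and the server subnets you care about; the hosts, addresses and log lines are constructed. The destination name `smtp.gmail.com` and ports 465/587 are Gmail's real SMTP endpoint and ports.

```python
"""Flag SMTP-submission sessions to Gmail from servers that should not send mail (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

SUBMISSION_PORTS = {465, 587}          # SMTPS and SMTP submission
GMAIL_SMTP_HOSTS = {"smtp.gmail.com"}  # resolved name; in production map from DNS logs or TLS SNI


@dataclass(frozen=True)
class Conn:
    ts: float
    src: str
    dst: str
    dst_port: int
    proto: str
    dst_name: str   # "" when no name was resolved for dst


def parse_conn_line(line: str) -> Conn | None:
    """Parse one constructed TSV record; returns None for comments or short lines."""
    if not line.strip() or line.startswith("#"):
        return None
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 6:
        return None
    ts, src, dst, port, proto, name = fields[:6]
    return Conn(float(ts), src, dst, int(port), proto.lower(), name.lower())


def is_gmail_submission(c: Conn) -> bool:
    return c.proto == "tcp" and c.dst_port in SUBMISSION_PORTS and c.dst_name in GMAIL_SMTP_HOSTS


def find_unexpected_senders(conns, allowed_senders, server_nets) -> list[Conn]:
    """Return Gmail-submission connections from server subnets whose source is not an allowed relay.

    User workstations are deliberately excluded: people do send mail via Gmail, and the
    transcript's point is that the signal lives in the segments where nobody should.
    """
    allowed = {ipaddress.ip_address(a) for a in allowed_senders}
    nets = [ipaddress.ip_network(n) for n in server_nets]
    hits = []
    for c in conns:
        if not is_gmail_submission(c):
            continue
        src = ipaddress.ip_address(c.src)
        if src in allowed or not any(src in n for n in nets):
            continue
        hits.append(c)
    return hits


# Constructed sample log: a build server, the sanctioned relay, a workstation, and plain HTTPS.
SAMPLE_LOG = """\
#ts\tsrc\tdst\tdst_port\tproto\tdst_name
1746180000.1\t10.2.0.7\t203.0.113.25\t587\ttcp\tsmtp.gmail.com
1746180001.2\t10.2.0.3\t203.0.113.25\t465\ttcp\tsmtp.gmail.com
1746180002.3\t10.1.20.15\t203.0.113.25\t587\ttcp\tsmtp.gmail.com
1746180003.4\t10.2.0.9\t203.0.113.80\t443\ttcp\twww.google.com
1746180004.5\t10.2.0.7\t203.0.113.25\t587\tudp\tsmtp.gmail.com
"""

ALLOWED_RELAYS = ["10.2.0.3"]          # constructed: the one host permitted to submit mail
SERVER_NETS = ["10.2.0.0/24"]          # constructed: server segment; 10.1.20.0/24 is users


def demo() -> list[Conn]:
    conns = [c for c in map(parse_conn_line, SAMPLE_LOG.splitlines()) if c is not None]
    return find_unexpected_senders(conns, ALLOWED_RELAYS, SERVER_NETS)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit.ts}: {hit.src} -> {hit.dst_name}:{hit.dst_port} from server segment")
```

Run on the sample, only the build server's connection on port 587 is reported: the relay is allowlisted, the workstation sits outside the server nets, the HTTPS session is to the wrong port, and the UDP record is ignored. The resolved-name column is the weak point of this check in practice; if you only have flow data without DNS or SNI, key on the destination address ranges you observe for Gmail instead.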
Security Brief: French BEC Threat Actor Targets Property Payments
A French business email compromise threat actor is targeting property management firms to send emails to tenants tricking them into sending rent payments to fake bank accounts.
https://www.proofpoint.com/us/blog/threat-insight/security-brief-french-bec-threat-actor-targets-property-payments
SANS.edu Research Journal
https://isc.sans.edu/j/research
Discussion
I have seen similar Malicious Python Packages even on dictionary websites like https://poreklorecnik.rs/
Posted by ProfRec on Fri May 02 2025, 06:54
Podcast Transcript
Hello and welcome to the Friday, May 2nd, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida.

And we have another steganography diary from Didier, further figuring out, well, how to analyze some messages or in this case binaries that are embedded in images. pngdump.py, Didier's tool that he used in last weekend's diary, is able to take a compressed PNG image and basically expand it and display the uncompressed pixel values for the particular image. PNG is compressed, it's lossless compression, and actually lossy compression wouldn't work with steganography because they exactly sort of do these one-bit changes that are often lost when it comes to compression that loses sort of some of the detail of the image. So once you have the actual byte values, the one thing that pngdump doesn't do, it actually doesn't sort of help you extract individual bits. But, well, of course, Didier has a tool just for that. It's called format-bytes. So what Didier did in today's diary was look at two images. One is with message, one without message. It uses that least significant bit methodology, which basically results in identical, at least visually, images. And then using format-bytes, Didier extracted the executable from the bitstream that you get from pngdump. format-bytes is an instrumental tool. If you look at the example, it sort of allows you very flexibly to define the actual format being used, how many bits, little endian, big endian, all of these details, and then extract respective data, which is really useful here. And Didier also promises, well, a little challenge for Saturday.

And Olivia Brown with Socket, a company that specializes in software security, in particular malicious dependencies, is talking in a blog post about a couple of malicious Python modules that they ran into. Now, the nice thing I like about this particular post is, of course, there have been many malicious Python modules that they sort of show a little bit the evolution of these modules over the years, but also the kind of command control channel being implemented here. I've seen it before, but not really sort of in a malicious Python module like this. In this particular case, these malicious Python modules are actually using Gmail to send email and then essentially start up a command and control channel. The script itself connects to the submit port at Gmail and then uses its own credentials that are, of course, hard-coded here into the malicious library to send email to some other Gmail address. That's a little bit odd, actually, because a more, well, I would say, stealthy way to implement sort of these Gmail command control channels is often just by drafting the email and then the attacker would just log in and check the email. But maybe by having to add their credentials to the script, they felt better in sort of separating those two roles. Of course, they could have used something like OAuth and such for some better authentication here as well, which I guess they figured wasn't quite necessary. And given that these particular libraries have been around in various versions since, I believe, 2022, if I remember correctly from the blog post, it seems reasonable that, well, it works for them. From a defensive point of view, of course, it's a little bit tricky. Yes, you know, make sure you're not using any malicious libraries. You're probably not going to detect this on the network. That's one of the suggestions here in the blog post, given that they're using the normal Gmail submit port here. If you do allow Gmail, you will see traffic like this and are probably not going to be able to detect this necessarily as malicious. On the other hand, if this comes from servers or network segments that usually don't send email to Gmail like this, you may be able to detect it on the network.

Yeah, and then something I don't really talk enough about, probably because I'm sticking usually a little bit more to the technical side, but Proofpoint has a good post about a scam they have recently seen where attackers are using business email compromise. So they're actually getting into involved parties' email systems to then send out emails asking tenants of a particular property management company that they breached to update their banking information and, well, send rent to the wrong account. This type of account update fraud in general is something that has been happening for years using a business email compromise and definitely something that only really can be addressed via business rules, where you're basically telling people you're not going to use an email in order to update banking information and that you're going to do this via a written letter in the mail, via voice confirmation, or even by basically being able to stop by an office or something like this to confirm the correct account information. This has been happening in real estate, not just with rents. So something to keep in mind as you are dealing with issues like this. Try to set up business rules that don't just rely on email for critical information like this.

Well, then a quick reminder that our SANS.edu research journal has been released for this year. We always release it during RSA week. This is the fifth time we're doing so. So the fifth volume, fifth year of our research journal. Great articles in there. Great article about QUIC, for example. One of my sort of favorite topics these days, the new transport protocol, kind of transport protocol. So definitely take a look.

And that's it for today. Next week, I'll be in San Diego. So hope to run into some of you there. And I'll have some stickers with me. So thanks, everybody. And talk to you again on Monday. Bye.