
SANS Stormcast Tuesday, May 20th 2025: AutoIT Code RAT; Fake Keepass Download; Procolored Printer Software Compromise

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9458.mp3


RAT Dropped By Two Layers of AutoIT Code
Xavier explains how AutoIT was used to install a remote admin tool (RAT) and how to analyse such a tool.
https://isc.sans.edu/diary/RAT%20Dropped%20By%20Two%20Layers%20of%20AutoIT%20Code/31960

RVTools compromise confirmed
Robware.net, the site behind the popular tool RVTools, has now confirmed that it was compromised. The site is currently offline.
https://www.robware.net/readMore

Trojaned Version of KeePass used to install info stealer and Cobalt Strike beacon
A backdoored version of KeePass was used to trick victims into installing Cobalt Strike and other malware. In this case, KeePass itself was not compromised; the malicious version was advertised via search engine optimization tricks.
https://labs.withsecure.com/publications/keepass-trojanised-in-advanced-malware-campaign

Procolored UV Printer Software Compromised
The official software offered by the makers of the Procolored UV printer has been compromised, and versions with malware were distributed for about half a year.
https://www.hackster.io/news/the-maker-s-toolbox-procolored-v11-pro-dto-uv-printer-review-680d491e17e3
https://www.gdatasoftware.com/blog/2025/05/38200-printer-infected-software-downloads

Podcast Transcript

Hello and welcome to the Tuesday, May 20th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, and this episode, brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Leadership, was recorded in Jacksonville, Florida.

In today's diary, we got Xavier taking apart a remote access tool. This remote access tool starts out with scripts written in AutoIT. This is something that keeps coming up. It's not a new technique at all, but something I think that's often overlooked. AutoIT is a language designed to, well, roll out configurations, remote manage machines. And that's exactly what the bad guys take advantage of here, in particular since these scripts can also be compiled into self-contained executables, not requiring the victim to already have AutoIT installed. In the past, of course, we have seen a couple of examples where the actor would also install AutoIT on the system for the victim. But that's not the case here with what Xavier saw. It also enables some simple persistence by adding itself as a startup item and then essentially connects to a remote control server, some command and control server that luckily is no longer accessible. From a defensive point of view, you probably don't want to outright block AutoIT because it is a useful tool, unless you're not using it in your environment. And other than that, well, it comes back to downloading executables, letting users execute random executables. Never a good idea.

And last week, I talked about the unfortunate incident around RVTools, the VMware analysis tool set. Well, there was some confusion whether or not it was actually just a malicious version downloaded from some other random site or whether the actual RVTools website was compromised. We now got confirmation from robware.net, the entity behind RVTools, that yes, their website was compromised and the website is currently shut down.

Now, in different news, we have a similar incident around KeePass. But in this case, it's not that KeePass itself was compromised. This appears to be a pure search engine optimization attack. The news about KeePass comes from researchers at WithSecure Labs. And the news actually broke about a week ago. Thanks to listeners for actually alerting me to this news. The problem here was that someone essentially took the KeePass source code, which is open source, so nothing leaked here, and recompiled it with additional add-ons, in particular infostealers and a Cobalt Strike Beacon. This apparently happened several times, back to sort of mid-2024. So almost like six months ago when all of this started, there were several iterations, where only the last iteration then had all the goodies sort of being integrated into KeePass. With KeePass being a password store, that, of course, makes it sort of a prime target. Now, yes, this was solely a search engine optimization attack. So there was no compromise of the website or any build infrastructure of KeePass. And one of the pointers that, well, this was the case, was that the certificate used to sign the KeePass binary, the malicious one, was from an unrelated company, apparently stolen from a random Chinese company, that was then used to sign this binary. So that's something: if the attacker would have had access to the build infrastructure or anything like this around KeePass, they probably would have signed that with the proper KeePass signature. This is, again, be careful where you download your software, in particular things like password managers. This could happen to any software, not just the password managers, but, of course, being able to get into someone's password manager makes that sort of a prime target.

And I guess today I have sort of a supply chain theme here to the podcast. The next example is this UV printer by Procolored. Well, this is not a cheap device. It's, I guess, called prosumer. It's sort of a few thousand dollars. And if you purchased this particular printer, the software that was delivered with the printer, well, apparently contained multiple viruses. This was first found here by the blog post on this website, hackster.io. This is more supposed to be a product review of this particular printer. But, well, the review kind of stalled because the initial downloads of the software and the install were blocked by Microsoft Defender and also the browser's built-in protections. Later analysis of the software by Karsten Hahn here did show that, yes, it was indeed malicious what was being offered here by the vendor. It took a while to get a response out of the vendor. And overall, it appears that this malicious software was included for about half a year. So if you own any of these printers, definitely be careful. Double-check your systems. And if you ever download a software and antivirus goes off, I know it's hard, but it may not be a false positive. So better pay attention. Double-check. And, yeah, sadly, of course, the truth is sometimes there are false positives. As I'm recording this podcast, I'm sure when I'm saving my show notes that Microsoft Defender will flag the file as suspicious just because of some of the links in the file. At least that's what I suspect.

Well, and this is it for today. So thanks for listening and talk to you again tomorrow. Bye.
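The KeePass item above turns on one check a defender can automate: the trojanised build carried a valid Authenticode signature, but from a company unrelated to the project. The following is an added example (not code from the podcast, ISC, WithSecure or any of the linked reports) that verifies a downloaded installer's signature and then compares the signer's certificate subject with the publisher you expect; the expected-subject pattern and file paths are placeholders to be replaced with the real publisher's details.

```powershell
# Added example: reject installers whose Authenticode signer is not the
# publisher you expect. A valid signature alone is not enough; the malicious
# KeePass build was validly signed by an unrelated company.
function Test-ExpectedSigner {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Regex matched against the signer certificate subject,
        # e.g. '^CN=Example Publisher,' (placeholder; use the real publisher).
        [Parameter(Mandatory)][string]$ExpectedSubjectPattern
    )

    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }    else { '<unsigned>' }
    $thumb   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }

    $verdict = switch ($true) {
        # NotSigned, HashMismatch, NotTrusted, ... : the file has been
        # altered, is unsigned, or chains to an untrusted root.
        ($sig.Status -ne 'Valid') {
            "REJECT: signature status $($sig.Status)"; break
        }
        # Valid signature, wrong publisher: the SEO-poisoning case.
        ($subject -notmatch $ExpectedSubjectPattern) {
            "REJECT: signer '$subject' is not the expected publisher"; break
        }
        default { 'OK: valid signature from the expected publisher' }
    }

    [pscustomobject]@{
        File       = $Path
        Status     = $sig.Status
        Signer     = $subject
        Thumbprint = $thumb
        Verdict    = $verdict
    }
}

# Usage with placeholder paths: check every installer in a downloads folder
# before anyone runs it, and record the signer thumbprint for later triage.
Get-ChildItem 'C:\Users\me\Downloads\*.exe' |
    ForEach-Object {
        Test-ExpectedSigner -Path $_.FullName -ExpectedSubjectPattern '^CN=Example Publisher,'
    } |
    Format-Table -AutoSize
```

Pin the pattern to the full subject (organisation and country), not just a common name, since a stolen or look-alike certificate can reuse a product name.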