SANS Stormcast June, June 9th, 2025: Extracting PNG Data; GlueStack Packages Backdoor; MacOS targeted by Clickfix; INETPUB restore script
Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9484.mp3

My Next Class
Application Security: Securing Web Apps, APIs, and Microservices | Washington | Jul 14th - Jul 19th 2025 |
Application Security: Securing Web Apps, APIs, and Microservices | Las Vegas | Sep 22nd - Sep 27th 2025 |
Extracting With pngdump.py
Didier extended his pngdump.py script to make it easier to extract additional data appended to the end of the image file.
https://isc.sans.edu/diary/Extracting%20With%20pngdump.py/32022
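As an added illustration (not Didier's pngdump.py code), the following Python walks the PNG chunk list, checks each chunk CRC, and returns whatever follows the IEND chunk; the 1x1 sample image and the bytes appended to it are constructed inline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def parse_png_chunks(data):
    """Walk the chunk list; return (chunks, end_offset).

    chunks holds (type, offset, length, crc_ok); end_offset is the first
    byte after the IEND chunk, i.e. where any appended data begins.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    chunks, pos = [], len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            raise ValueError("truncated chunk at offset %d" % pos)
        # The CRC covers chunk type + data; a wrong CRC is itself a red flag.
        expected = struct.unpack(">I", crc)[0]
        crc_ok = (zlib.crc32(ctype + body) & 0xFFFFFFFF) == expected
        chunks.append((ctype.decode("ascii", "replace"), pos, length, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            return chunks, pos
    raise ValueError("no IEND chunk found")


def extract_appended_data(data):
    """Return (chunks, bytes after IEND); the tail is b'' for a clean file."""
    chunks, end = parse_png_chunks(data)
    return chunks, data[end:]


def build_chunk(ctype, body):
    """Helper used only to construct the sample file below."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


# Constructed sample: a 1x1 RGB PNG with a fake payload appended after IEND.
SAMPLE_PNG = (PNG_SIGNATURE
              + build_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
              + build_chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00"))
              + build_chunk(b"IEND", b"")
              + b"MZ-constructed-payload")

if __name__ == "__main__":
    chunks, tail = extract_appended_data(SAMPLE_PNG)
    print([c[0] for c in chunks], "appended bytes:", len(tail))
```

Run on a real file with `extract_appended_data(open(path, "rb").read())` and write the returned tail to a separate file for analysis.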
16 React Native Packages for GlueStack Backdoored Overnight
16 npm packages with over a million weekly downloads between them were compromised. The compromised packages include a remote admin tool that was seen before in similar attacks.
https://www.aikido.dev/blog/supply-chain-attack-on-react-native-aria-ecosystem
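An added example, not code from Aikido's write-up or from the affected packages, of the kind of simple check that the whitespace trick invites: scan each line for a long run of blanks followed by more code and report the hidden tail. The sample JavaScript and the 120-column threshold are assumptions.

```python
import re


def find_hidden_code(source, min_gap=120):
    """Return (line_no, gap_length, preview) for every line of `source`
    where a run of at least `min_gap` spaces or tabs is followed by more
    code. An editor or terminal that does not wrap long lines shows only
    the text before the gap, so each hit points at the hidden tail.
    `min_gap` is an assumed threshold; tune it for your code base.
    """
    gap = re.compile(r"[ \t]{%d,}(?=\S)" % min_gap)
    hits = []
    for no, line in enumerate(source.splitlines(), 1):
        m = gap.search(line)
        if m:
            hits.append((no, m.end() - m.start(), line[m.end():][:60]))
    return hits


# Constructed sample resembling the technique: a harmless-looking statement
# with a second statement pushed 400 columns to the right.
SAMPLE_JS = (
    "module.exports = require('./lib');\n"
    "const ready = true;" + " " * 400
    + "(function () { /* constructed hidden payload */ })();\n"
    "console.log('ok');\n"
)

if __name__ == "__main__":
    for no, gap_len, tail in find_hidden_code(SAMPLE_JS):
        print(f"line {no}: {gap_len} blanks, then: {tail}")
```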
Atomic macOS Stealer Exploits ClickFix
macOS users are now also targeted by fake captchas, tricking users into running malicious code.
https://www.cloudsek.com/blog/amos-variant-distributed-via-clickfix-in-spectrum-themed-dynamic-delivery-campaign-by-russian-speaking-hackers
Microsoft INETPUB Script
Microsoft published a simple PowerShell script to restore the inetpub folder in case you removed it by mistake.
https://www.powershellgallery.com/packages/Set-InetpubFolderAcl/1.0
Podcast Transcript
Hello and welcome to the Monday, June 9th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, and this episode, brought to you by the SANS.edu Graduate Certificate Program in Purple Team Operations, is recorded in Jacksonville, Florida.

Well, and in diaries this weekend, we had an update to pngdump.py by Didier. This update was, well, as so often, prompted by some malware that Xavier was looking at a few days ago. In that particular example, we had a PNG file with some additional data appended to the end. Now, this data followed the IEND marker in the PNG, and pngdump will display a list of all the sections in the PNG, including the IEND marker. So then it's easy to spot, hey, there's some unexpected data here following that IEND marker. And that's the data that you can then save into a separate file. So this is helpful for people and makes malware analysis a little bit simpler.

Well, and then we do have yet another significant compromise of the npm ecosystem. This time, it particularly targeted some React Native packages for GlueStack. GlueStack delivers user interface components, and a number of them were compromised last week. This attack happened June 6th, June 7th. So just Friday, Saturday, I guess. Also difficult there for people to pay attention. And the attack did deliver a backdoor to the systems. Now, the write-up I'm going by here comes from Aikido. They actually detected a similar compromise back in May. Very similar malware deployed back then, with only minor changes being deployed here. But for the last month, they were fairly not very active, but now apparently sort of hit the big jackpot with these npm packages that have aggregated about a million downloads a week. One interesting thing here is that you actually don't see the compromised code easily. They use, well, white spaces to basically push it off the screen. And that way, again, sort of escape some cursory detection. That's something where some simple signature-based detection techniques probably could help along. Well, other than that, again, be careful as always with npm, pip, with all these packages. I don't think there is a couple days or so where I don't see a story like this. I don't cover them all. Try to sort of limit myself to the ones that are a little bit more special or that have a bigger impact like this one.

Well, and I guess if I'm talking about sort of hopeless issues in information security, you may as well also include the latest news about the Mirai botnet. This version now has found yet another DVR to exploit and take advantage of. The exploit here is a little bit more complex than some of the prior exploits we have seen. Kaspersky here has a pretty good write-up about it, but I don't really think it's going to make a significant change other than, well, yet more Mirai bots and yet more exploited DVRs that probably shouldn't have been exposed to the internet in the first place.

And according to a blog post by Koushik Pal with CloudSEK, the AMOS malware, which stands for Atomic macOS Stealer, is now taking advantage of the ClickFix trick. This is where the user is presented with a fake captcha and then is being asked to essentially run a script on the command line in order to bypass that captcha. Well, that of course works on macOS just like it does on Windows. It just depends on getting the user actually to follow the instructions. And if the user does follow the instructions here, then of course they will be hit with malware. This particular malware is actually kind of good enough where it tries to figure out if you are running a Mac or if you're on a Windows system, and so, based on user agent, may display different prompts here. It also then, once installed, steals credentials. And on the Mac will keep popping up a dialog asking for your system password. Well, until you relent and actually enter the password. So pretty nifty malware. Not super technical really, but sort of definitely going after some very typical user weaknesses.

I don't remember the hoopla we had with the recent Microsoft update regarding the inetpub folder. Well, Microsoft now made available a little PowerShell script to recreate the folder in case you deleted it by mistake. This was that patch that Microsoft released that created this folder that's usually really only needed for IIS. But in this particular case, well, helps them mitigate some vulnerability. So recreate the folder if you haven't already done so. This is probably a little bit easier. But really all you do is create a folder and apply the correct permissions to it.

Well, and this is it for today. So thanks for listening and talk to you again tomorrow. Bye. Bye.