
SANS Stormcast Monday, June 9th, 2025: Extracting PNG Data; GlueStack Packages Backdoor; MacOS targeted by Clickfix; INETPUB restore script

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9484.mp3


Extracting With pngdump.py
Didier extended his pngdump.py script to make it easier to extract additional data appended to the end of the image file.
https://isc.sans.edu/diary/Extracting%20With%20pngdump.py/32022
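As an added example (not Didier's pngdump.py, the tool the diary describes), a minimal PNG chunk walker: it checks the signature, lists every chunk with a CRC check, stops at IEND and returns whatever bytes follow it, which is exactly the appended data the diary is about. The sample PNG and the appended payload are constructed inline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def build_chunk(ctype: bytes, payload: bytes) -> bytes:
    """Serialize one PNG chunk: big-endian length, type, data, CRC32(type+data)."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def walk_png(data: bytes):
    """Walk the chunk list up to IEND and return (chunks, trailer).

    chunks is a list of (type, offset, length, crc_ok); trailer is every byte
    after the IEND chunk. Decoders stop at IEND, so a non-empty trailer is
    exactly the appended data worth carving out for analysis.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file (bad signature)")
    chunks, pos = [], len(PNG_SIGNATURE)
    while True:
        if pos + 8 > len(data):
            raise ValueError("truncated: ran out of data before IEND")
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        crc_field = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_field) != 4:
            raise ValueError(f"truncated inside {ctype!r} chunk at offset {pos}")
        crc_ok = struct.unpack(">I", crc_field)[0] == (zlib.crc32(ctype + body) & 0xFFFFFFFF)
        chunks.append((ctype.decode("latin-1"), pos, length, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            return chunks, data[pos:]


# Constructed sample (not real malware): a 1x1 header-only PNG with a fake
# payload appended after IEND, the layout the diary describes.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
SAMPLE_PAYLOAD = b"APPENDED-PAYLOAD-AFTER-IEND"
SAMPLE_PNG = PNG_SIGNATURE + build_chunk(b"IHDR", IHDR) + build_chunk(b"IEND", b"") + SAMPLE_PAYLOAD

if __name__ == "__main__":
    chunks, trailer = walk_png(SAMPLE_PNG)
    for ctype, off, length, ok in chunks:
        print(f"{off:6d} {ctype:4s} len={length} crc_ok={ok}")
    print(f"{len(trailer)} bytes after IEND:", trailer[:32])
```

Write the returned trailer to its own file to hand it to the next analysis step; a failed CRC on any chunk is a second hint that the file was edited after the fact.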

16 React Native Packages for GlueStack Backdoored Overnight
16 npm packages with over a million combined weekly downloads were compromised. The tampered versions carry a remote administration tool that had already been seen in similar attacks.
https://www.aikido.dev/blog/supply-chain-attack-on-react-native-aria-ecosystem
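The write-up notes that the injected code was pushed off-screen with whitespace. As an added example, not code from Aikido or the GlueStack project, a small heuristic scanner that flags source lines containing a long run of spaces or tabs with more code after it; the thresholds and the sample file are assumptions constructed here for illustration.

```python
import re

# Heuristic thresholds (assumptions, tune per code base): a run of this many
# consecutive spaces/tabs followed by more code rarely occurs in honest source.
MIN_GAP = 120
MAX_LINE = 400

GAP_RE = re.compile(r"\S([ \t]{%d,})\S" % MIN_GAP)


def find_hidden_code(source: str):
    """Return [(line_no, gap_width, line_length, preview)] for suspicious lines."""
    hits = []
    for no, line in enumerate(source.splitlines(), start=1):
        m = GAP_RE.search(line)
        if m:
            # preview starts at the first character after the whitespace gap
            hits.append((no, len(m.group(1)), len(line), line[m.end() - 1:m.end() + 40]))
        elif len(line) > MAX_LINE and not line.lstrip().startswith(("//", "*", "/*")):
            # very long non-comment line with no gap: still worth a look
            hits.append((no, 0, len(line), line[:40]))
    return hits


# Constructed sample (not the GlueStack payload): ordinary code, plus one line
# that ends in a long run of spaces followed by an extra statement.
SAMPLE_JS = "\n".join([
    "export function useAria(props) {",
    "  return props;" + " " * 300 + "hiddenInstall();",
    "}",
])

if __name__ == "__main__":
    for no, gap, length, preview in find_hidden_code(SAMPLE_JS):
        print(f"line {no}: gap={gap} len={length} -> {preview!r}")
```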

Atomic MacOS Stealer Exploits Clickfix
macOS users are now also targeted by fake CAPTCHA pages that trick them into running malicious code on the command line.
https://www.cloudsek.com/blog/amos-variant-distributed-via-clickfix-in-spectrum-themed-dynamic-delivery-campaign-by-russian-speaking-hackers

Microsoft INETPUB Script
Microsoft published a simple PowerShell script to restore the inetpub folder in case you removed it by mistake.
https://www.powershellgallery.com/packages/Set-InetpubFolderAcl/1.0

Podcast Transcript

Hello and welcome to the Monday, June 9th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and this episode, brought to you by the SANS.edu Graduate Certificate Program in Purple Team Operations, is recorded in Jacksonville, Florida.

Well, and in diaries this weekend, we had an update to pngdump.py by Didier. This update was, well, as so often, prompted by some malware that Xavier was looking at a few days ago. In that particular example, we had a PNG file with some additional data appended to the end. Now, this data followed the IEND marker in the PNG, and pngdump will display a list of all the sections in the PNG, including the IEND marker. So then it's easy to spot, hey, there's some unexpected data here following that IEND marker. And that's the data that you can then save into a separate file. So this is helpful for people and makes malware analysis a little bit simpler.

Well, and then we do have yet another significant compromise of the npm ecosystem. This time, it particularly targeted some React Native packages for GlueStack. GlueStack delivers user interface components, and a number of them were compromised last week. This attack happened June 6th, June 7th. So just Friday, Saturday, I guess. Also difficult there for people to pay attention. And the attack did deliver a backdoor to the systems. Now, the write-up I'm going by here comes from Aikido. They actually detected a similar compromise back in May. Very similar malware deployed back then, with only minor changes being deployed here. But for the last month, they were fairly not very active, but now apparently sort of hit the big jackpot with these npm packages that have aggregated about a million downloads a week. One interesting thing here is that you actually don't see the compromised code easily. They use, well, white spaces to basically push it off the screen. And that way, again, sort of escape some cursory detection. That's something where some simple signature-based detection techniques probably could help along. Well, other than that, again, be careful as always with npm, pip, with all these packages. I don't think there is a couple days or so where I don't see a story like this. I don't cover them all. Try to sort of limit myself to the ones that are a little bit more special or that have a bigger impact like this one.

Well, and I guess if I'm talking about sort of hopeless issues in information security, you may as well also include the latest news about the Mirai botnet. This version now has found yet another DVR to exploit and take advantage of. The exploit here is a little bit more complex than some of the prior exploits we have seen. Kaspersky here has a pretty good write-up about it, but I don't really think it's going to make a significant change other than, well, yet more Mirai bots and yet more exploited DVRs that probably shouldn't have been exposed to the internet in the first place.

And according to a blog post by Koushik Pal with CloudSEK, the AMOS malware, which stands for Atomic macOS Stealer, is now taking advantage of the ClickFix trick. This is where the user is presented with a fake captcha and then is being asked to essentially run a script on the command line in order to bypass that captcha. Well, that of course works on macOS just like it does on Windows. It just depends on getting the user actually to follow the instructions. And if the user does follow the instructions here, then of course they will be hit with malware. This particular malware is actually kind of good enough where it tries to figure out if you are running a Mac or if you're on a Windows system, and so, based on user agent, may display different prompts here. It also then, once installed, steals credentials. And on the Mac will keep popping up a dialog asking for your system password. Well, until you relent and actually enter the password. So pretty nifty malware. Not super technical really, but sort of definitely going after some very typical user weaknesses.

I don't remember the hoopla we had with the recent Microsoft update regarding the inetpub folder. Well, Microsoft now made available a little PowerShell script to recreate the folder in case you deleted it by mistake. This was that patch that Microsoft released that created this folder that's usually really only needed for IIS. But in this particular case, well, helps them mitigate some vulnerability. So recreate the folder if you haven't already done so. This is probably a little bit easier. But really all you do is create a folder and apply the correct permissions to it.

Well, and this is it for today. So thanks for listening and talk to you again tomorrow. Bye-bye.