SANS Stormcast Thursday, June 12th, 2025: Quasar RAT; Windows 11 24H2 Delay; SMB Client Vuln PoC; Connectwise Signing Keys; KDE Telnet code exec
If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9490.mp3

Quasar RAT Delivered Through Bat Files
Xavier walks through a quick reverse analysis of a batch script that injects code extracted from a PNG image in order to install a Quasar RAT.
https://isc.sans.edu/diary/Quasar%20RAT%20Delivered%20Through%20Bat%20Files/32036
Delayed Windows 11 24H2 Rollout
Microsoft briefly throttled the rollout of Windows 11 24H2 because of issues with certain hardware configurations after this month's Patch Tuesday fixes; the rollout has since resumed.
https://learn.microsoft.com/en-us/windows/release-health/windows-message-center#3570
An In-Depth Analysis of CVE-2025-33073
Patch Tuesday fixed an already exploited SMB client vulnerability, CVE-2025-33073. A blog by Synacktiv explains the root cause, an NTLM reflection issue, and how to exploit it; Microsoft rates it as privilege escalation, but the write-up shows it yields arbitrary command execution as SYSTEM.
https://www.synacktiv.com/en/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
Connectwise Rotating Signing Certificates
ConnectWise is rotating the signing certificates for its software after a recent compromise, and will soon release a new version of ScreenConnect that covers its configuration with the signature, so that attacker-supplied configurations are easier to spot.
https://www.connectwise.com/company/trust/advisories
KDE Telnet URL Vulnerability
The Konsole terminal emulator shipped with KDE may be abused to execute arbitrary code via “telnet” URLs: if no telnet binary is installed, the URL argument is handed straight to bash.
https://kde.org/info/security/advisory-20250609-1.txt
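The class of bug described above (a non-HTTP URL scheme whose argument ends up in a shell) is easy to reproduce in any program that maps URL schemes to helper commands. The Python below is an added example written for this page, not code from KDE or Konsole: it contrasts a handler that builds a shell command line from the raw URL with one that validates the host and port, returns an argv list for execution without a shell, and refuses outright when the helper binary is missing. The function names and the sample URLs are hypothetical.

```python
# Added example, not Konsole's or KDE's code. It contrasts a URL-scheme
# handler that splices a raw URL into a shell command with one that validates
# the URL and executes the helper without a shell. Function names and the
# sample URLs below are hypothetical, constructed for this illustration.
import re
import shutil
from typing import List, Optional
from urllib.parse import urlsplit

# DNS label characters only: anything else (';', '$', '`', spaces, ...) is
# rejected before it can reach any program. IPv6 literals are out of scope
# for this handler and are rejected as well.
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


def vulnerable_command_line(url: str) -> str:
    """Anti-pattern: the untrusted URL is spliced into a command string that
    would then be handed to a shell (e.g. ``sh -c``). Shell metacharacters in
    the URL become additional commands. This function only builds the string
    and never runs it."""
    return f"telnet {url}"


def hardened_argv(url: str, telnet_path: Optional[str] = None) -> List[str]:
    """Turn a telnet:// URL into an argv list for subprocess.run(argv, shell=False).

    Raises ValueError for anything that is not exactly host[:port], and
    FileNotFoundError when no telnet binary is available, instead of falling
    back to another interpreter."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "telnet":
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in the URL are not accepted")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("only host[:port] is accepted")
    host = parts.hostname
    if not host or not HOST_RE.match(host):
        raise ValueError(f"invalid host: {host!r}")
    port = parts.port  # urlsplit raises ValueError for non-numeric or >65535
    if port is None:
        port = 23
    if port < 1:
        raise ValueError("port must be 1..65535")
    exe = telnet_path or shutil.which("telnet")
    if exe is None:
        # The safe failure mode when the helper is missing: refuse. Never hand
        # the URL to a shell as a fallback.
        raise FileNotFoundError("telnet is not installed")
    # Each element is passed to execve() as-is; no shell parsing happens.
    return [exe, host, str(port)]


if __name__ == "__main__":
    # Constructed sample URLs: one benign, one carrying a shell payload.
    benign = "telnet://towel.example:2323"
    hostile = "telnet://towel.example;id"
    print("vulnerable:", vulnerable_command_line(hostile))
    print("hardened:  ", hardened_argv(benign, telnet_path="/usr/bin/telnet"))
    try:
        hardened_argv(hostile, telnet_path="/usr/bin/telnet")
    except ValueError as err:
        print("hardened rejects hostile URL:", err)
```

Running it prints the spliced command string for the hostile URL (the `;id` survives intact and would be executed by a shell) and the argv list for the benign one; the hardened path raises on anything that is not a bare host and port, and on a missing binary, rather than delegating to a shell.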
Podcast Transcript
Hello and welcome to the Thursday, June 12, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, and this episode, brought to you by the SANS.edu undergraduate certificate program in applied cybersecurity, is recorded in Jacksonville, Florida.

Well, in diaries today we have Xavier looking at yet another image. This time it actually leads to the install of a Quasar remote admin tool. Now, it all starts pretty innocuous with a little .bat file. That file will download the actual installer, the injector. It'll also load a normal Word document, and that's typically done because the user just clicked on something that looked like a Word document. So after starting the malicious code, the malware loads an actual Word document, so the user really thinks nothing bad happened. Well, the second stage then will download this kind of noisy-looking image. This is actually encrypted code that will then be injected into the running process here by the batch file that was downloaded. Also interesting: the second stage being downloaded relies on environment variables defined by the first stage. That way, if someone would just reverse analyze the second stage without having access to the first stage, then of course that wouldn't execute, wouldn't actually do anything bad. For example, if you would just quickly load that script into a sandbox or such by itself, well, it wouldn't really show up as malicious. VirusTotal doesn't do a good job here. I should say the antivirus tools being sort of represented by VirusTotal do a pretty lousy job in recognizing any of this as malicious, which probably is also due to this not sort of being a very widely spread threat but something that's a little bit more boutique, which is, well, why Xavier was interested in this particular sample.

Then we got a couple of follow-on items here to Patch Tuesday this week. First of all, if you're running Windows 11, the 24H2 update was rolled out gradually, as Microsoft posted. Apparently they had some issues with certain hardware configurations initially that have now been resolved, and everybody should now be able to download Windows 11 24H2.

And one of the highlights, of course, of this week's Patch Tuesday was a patch for an already exploited vulnerability in the SMB client. Well, we have now more details, including a proof-of-concept exploit. I liked the Synacktiv write-up about this particular vulnerability. It goes in depth into the actual root cause of the vulnerability. Microsoft described it as a privilege escalation vulnerability, and that's really sort of the nature of the vulnerability, in allowing basically users access as SYSTEM. However, it's really, as Synacktiv also describes in the blog, more sort of a code execution vulnerability then, because you can then actually execute arbitrary commands on the system as SYSTEM.

And ConnectWise published an advisory noting that it rotated its signing certificate for its software, in particular ScreenConnect. If you remember, we had a couple weeks ago an incident at ConnectWise that affected some ScreenConnect customers. Since then they published a couple of details about this particular compromise, but really not a lot about what the actual nature of the breach was. So there's some concern that maybe there was more than initially stated. However, this update appears to be also related to a software update going to be released shortly, if it hasn't already been released, that will further tighten up the ScreenConnect configuration. Apparently what has been happening is that scammers did send users legitimate copies of ScreenConnect with their own configuration, basically tricking the victim into connecting to the attacker's server. And that way, by sort of including these configurations in the signed content, they hopefully will make it more obvious if an attacker is sending their own configuration instead of one provided by ConnectWise.

Well, then we got an interesting vulnerability in KDE, actually really in Konsole, the terminal that comes with KDE. The reason I cover this is not because I think desktop Linux is sort of such a big deal, but I think it's an interesting issue that people often forget: there is more than HTTP and HTTPS URLs. Well, there is a number of different protocols. They often then start commands. For example, telnet colon slash slash will typically start telnet. However, in this particular case, if you don't have telnet installed on the system, which a lot of modern Linux systems don't have installed anymore, then the argument, which is the URL, is just directly passed to bash, leading to a very simple command execution. Exploitability is a little bit tricky, because typically on the console you would see the URL in the clear, so it's a little bit more difficult to hide here in this particular context. But certainly something that you definitely should patch. And yeah, be aware that it's not just HTTP and HTTPS.

And that's it for today. So thanks for listening, and thanks for liking and subscribing and whatever you do to promote this podcast. And talk to you again tomorrow. Bye.