
SANS Stormcast Monday, June 16th, 2025: Katz Stealer in JPG; JavaScript Attacks; Reviving expired Discord Invites for Evil

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9494.mp3


Katz Stealer in JPG
Xavier found multistage malware that uses an Excel spreadsheet and an HTA file to load a JPG image with a copy of Katz Stealer embedded in it.
https://isc.sans.edu/diary/More+Steganography/32044
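The diary (and the transcript below) describe a JPEG carrying a base64-encoded PE file between two marker tags, with the decoded blob starting with the familiar "TVqQ" (base64 of the MZ header). The following is an added example, not code from the diary or the ISC: a small scanner that finds long base64 runs inside an image, decodes them and flags any that start with an MZ header. The 64-character minimum run length, the constructed marker tags and the fake PE sample are all assumptions; the real payload was a full DLL.

```python
import base64
import re

# Runs of at least 64 base64-alphabet characters, optionally padded. The threshold is
# an assumption: long enough to skip incidental alphanumeric runs inside image data,
# short enough to still catch a chunked or truncated payload.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def is_jpeg(data: bytes) -> bool:
    """A JPEG starts with the SOI marker FF D8 and ends with the EOI marker FF D9."""
    return data[:2] == b"\xff\xd8" and data[-2:] == b"\xff\xd9"


def find_embedded_pe(data: bytes) -> list[tuple[int, int]]:
    """Return (offset, decoded_length) for every base64 run that decodes to a PE
    ('MZ') header. Base64 of 'MZ' followed by 0x90 0x00 is the familiar 'TVqQAA'."""
    hits = []
    for m in B64_RUN.finditer(data):
        blob = m.group(0)
        usable = blob[: len(blob) - len(blob) % 4]  # decode whole quartets only
        try:
            decoded = base64.b64decode(usable, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if decoded.startswith(b"MZ"):
            hits.append((m.start(), len(decoded)))
    return hits


def scan_image(data: bytes) -> dict:
    """Summarise one image: container sanity plus any embedded PE candidates."""
    hits = find_embedded_pe(data)
    return {
        "valid_jpeg_markers": is_jpeg(data),
        "embedded_pe": hits,
        "verdict": "suspicious" if hits else "clean",
    }


# --- constructed sample data (not taken from the diary's sample) ---
# A fake PE: 'MZ' DOS stub, e_lfanew at offset 0x3C pointing to a 'PE\0\0' signature
# at offset 64, then 256 bytes of filler. 324 bytes in total.
FAKE_PE = (
    b"MZ\x90\x00" + b"\x00" * 56 + (64).to_bytes(4, "little") + b"PE\x00\x00" + bytes(range(256))
)
# A harmless 128-character base64 run (encodes 96 'A' bytes) placed in a COM segment
# so the scanner has something to correctly ignore.
DECOY = base64.b64encode(b"A" * 96)
JPEG_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
COM_SEGMENT = b"\xff\xfe\x00\x82" + DECOY  # length 0x82 = 2 + 128
SAMPLE_JPEG = (
    JPEG_HEADER
    + COM_SEGMENT
    + b"[[BEGIN]]" + base64.b64encode(FAKE_PE) + b"[[END]]"  # constructed marker tags
    + b"\xff\xd9"
)
CLEAN_JPEG = JPEG_HEADER + COM_SEGMENT + b"\xff\xd9"

if __name__ == "__main__":
    for name, img in (("sample", SAMPLE_JPEG), ("clean", CLEAN_JPEG)):
        print(name, scan_image(img))
```

The check is deliberately independent of where the blob sits: unlike the PNG cases Xavier covered earlier, where the payload is appended after the end marker, here it is enclosed by tags in the middle of the file, so scanning the whole byte stream for decodable runs is the robust choice. A real triage step would also carve the decoded bytes to disk and hash them.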

JavaScript Attacks (JSFireTruck)
JavaScript obfuscated with JSF*CK is being used on over 200,000 websites to direct victims to malware.
https://unit42.paloaltonetworks.com/malicious-javascript-using-jsfiretruck-as-obfuscation/
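As the transcript notes, JSF*ck output consists almost entirely of brackets, parentheses, plus signs and exclamation marks, which makes it easy to spot even when it is hard to decode. The following is an added example, not code from Unit 42 or the ISC: a detector that scores each inline script on a page by the share of its characters drawn from that six-character alphabet. The 0.95 threshold, the 100-character minimum and the constructed sample page are assumptions; the blob below is a repeated valid JSF*ck fragment standing in for the campaign's real injected code.

```python
import re

# The JSF*ck alphabet: every program is built from these six characters only.
JSFUCK_CHARS = frozenset("[]()!+")
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)


def jsfuck_ratio(js: str) -> float:
    """Share of non-whitespace characters drawn from the JSF*ck alphabet (0.0 to 1.0)."""
    body = "".join(js.split())
    if not body:
        return 0.0
    return sum(ch in JSFUCK_CHARS for ch in body) / len(body)


def find_jsfuck_scripts(
    html: str, threshold: float = 0.95, min_len: int = 100
) -> list[tuple[int, int, float]]:
    """Return (script_index, length, ratio) for inline scripts that look JSF*ck-encoded.
    Ordinary or minified JavaScript scores well under 0.5, so a threshold near 1.0
    keeps false positives low; min_len skips tiny snippets. Both are tunable assumptions."""
    findings = []
    for idx, m in enumerate(SCRIPT_RE.finditer(html)):
        body = m.group(1)
        length = len("".join(body.split()))
        if length < min_len:
            continue
        ratio = jsfuck_ratio(body)
        if ratio >= threshold:
            findings.append((idx, length, round(ratio, 3)))
    return findings


# --- constructed sample page (stand-in, not the campaign's actual injected code) ---
# In JSF*ck, `(![]+[])` evaluates to the string "false" and `[+!+[]]` indexes
# character 1 of it ("a"); repeating that fragment gives a representative blob.
JSFUCK_BLOB = "(![]+[])[+!+[]]" * 20
SAMPLE_HTML = f"""<html><head>
<script>document.getElementById("x").textContent = "hello from a constructed page";</script>
</head><body>
<script type="text/javascript">
{JSFUCK_BLOB}
</script>
</body></html>"""

if __name__ == "__main__":
    print(find_jsfuck_scripts(SAMPLE_HTML))  # [(1, 300, 1.0)]
```

Run this over a crawl of your own sites (or a web proxy's response bodies) and a hit is almost always worth a look: legitimate code has no reason to be written this way. Decoding the payload afterwards is a separate step; the detector only needs the character statistics.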

Expired Discord Invite Links Used for Malware Distribution
Expired Discord invite links are revived as vanity links to direct victims to malware sites.
https://research.checkpoint.com/2025/from-trust-to-threat-hijacked-discord-invites-used-for-multi-stage-malware-delivery/
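The defender's action the transcript ends on is checking that the invite links you have published still point at your own server. The following is an added example, not code from Check Point or the ISC: it extracts Discord invite codes from a page, resolves each one and classifies it as still yours, expired (and therefore a candidate for someone else to re-register as a vanity link) or resolving to a different server. The unauthenticated lookup endpoint `https://discord.com/api/v10/invites/{code}` and its 404-on-unknown-invite behaviour are assumptions about Discord's API; the resolver is injectable so the test below runs offline against constructed responses.

```python
import json
import re
import urllib.request
from urllib.error import HTTPError

# discord.gg/<code>, discord.com/invite/<code>, discordapp.com/invite/<code>
INVITE_RE = re.compile(
    r"https?://(?:www\.)?(?:discord\.gg|discord(?:app)?\.com/invite)/([A-Za-z0-9-]+)"
)


def extract_invite_codes(html: str) -> list[str]:
    """All distinct invite codes referenced on a page, sorted for stable reporting."""
    return sorted(set(INVITE_RE.findall(html)))


def default_fetch(code: str):
    """Resolve one invite code. Assumed endpoint: Discord's public invite lookup.
    Returns the parsed JSON, or None when the API answers 404 (unknown or expired)."""
    url = f"https://discord.com/api/v10/invites/{code}"
    req = urllib.request.Request(url, headers={"User-Agent": "invite-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except HTTPError as err:
        if err.code == 404:
            return None
        raise


def audit_invites(html: str, expected_guild_id: str, fetch=default_fetch) -> dict[str, str]:
    """Classify every invite found in html.
    ok              - resolves to our server
    expired         - no longer resolves; remove or replace it before someone re-registers it
    points-elsewhere - resolves, but to a server that is not ours (possible hijack)"""
    report = {}
    for code in extract_invite_codes(html):
        info = fetch(code)
        if info is None:
            report[code] = "expired"
        elif str(info.get("guild", {}).get("id")) == str(expected_guild_id):
            report[code] = "ok"
        else:
            report[code] = "points-elsewhere"
    return report


# --- constructed sample page and fake API responses (not real servers or codes) ---
SAMPLE_PAGE = """<p>Join us: <a href="https://discord.gg/ourserver">Discord</a></p>
<p>Old post from 2023: https://discord.gg/abc123 (may have expired)</p>
<p>Mirror: https://discord.com/invite/xyz789</p>"""
FAKE_API = {
    "ourserver": {"guild": {"id": "111"}},  # still ours
    "abc123": None,                          # expired: 404 from the API
    "xyz789": {"guild": {"id": "999"}},      # resolves to somebody else's server
}

if __name__ == "__main__":
    print(audit_invites(SAMPLE_PAGE, "111", fetch=FAKE_API.__getitem__))
```

Run it with the default resolver against your homepage, wiki and pinned posts on a schedule; an "expired" result is the one to act on, because a dead code that later starts resolving to a server you do not own is exactly the pattern described in the Check Point report.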

Podcast Transcript

Hello and welcome to the Monday, June 16th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, and this episode, brought to you by the SANS.edu graduate certificate program in cloud security, is recorded in Jacksonville, Florida.

In diaries this weekend, we had a diary by Xavier looking at yet another malware sample that uses images to hide executables. This one starts out as, well, your usual Microsoft Excel macro. So nothing really all that exciting here, and oledump does a good job in actually then extracting the relevant data from this particular Excel spreadsheet. Now, where it gets more interesting is the second stage. There is an HTML application that's being loaded that, well, again, sort of uses at least a filename to kind of obfuscate what it's doing. And it is loading a BAT file, and this BAT file then does download an image. Now, quite a bit of interesting, sort of simple, obfuscation is happening here. But Xavier will walk you through how to actually figure out what's happening until you end up with this particular image. This is a JPEG image. Now, we had in the last couple of examples PNG images. In PNG images we have that end indicator, and then we can just add any data after this indicator. In this particular case it works a little bit differently. There is this in-co and then fem indicator here. These tags basically enclose the executable, so you don't actually necessarily have to add it to the end. It's a base64-encoded piece of data here. And as Xavier points out, this "TVqQ..." part really then basically does decode to your standard PE file header. And, well, that's then just the actual payload DLL that is being loaded and executed. So, an interesting walkthrough here of how to very quickly analyze a piece of malware like this, even though it went through a couple of different stages and, yes, some obfuscation here.

Well, and Palo Alto has a real nice write-up about a campaign that they are calling JSFireTruck. This particular campaign apparently has affected tens of thousands of vulnerable websites, injecting JavaScript that uses a not uncommon, but actually fairly easy to spot, obfuscation technique. I have to admit it's a little bit sort of my favorite JavaScript obfuscation technique, because, well, of how messed up in some ways the code looks after it's been obfuscated here. Essentially what you end up with is JavaScript code that really just consists of, well, braces, brackets, plus signs and exclamation marks. So, a fairly tricky obfuscation scheme here, which in my opinion also makes it actually a little bit easier to spot than some of the other schemes. But nevertheless, something that is not trivial to necessarily then decode. And Palo Alto does, in its blog, a great job walking you through this code. Typically, once decoded, the code will then redirect you to some kind of malware site. That sort of tends to be the main objective of this type of JavaScript. From a web application security perspective, of course, no website is kind of too unimportant to be compromised. Quite often you see stuff like this on more or less brochure sites, WordPress websites that don't consider themselves really all that important. But what they still have is users that trust the website. And essentially the attacker here is stealing that trust to redirect the victim to some kind of malware.

And Check Point did publish a blog post showing how this concept of stealing trust is actually also being applied to Discord. In Discord you often find invite links that will basically allow you to easily join a particular Discord server. These invite links by default are random, and they are typically, again by default, time-limited. So a particular link is only good for a certain amount of time, after which, when you click on the link, well, you basically just get an error message. Well, the tricky part is that in addition to these sort of randomly generated default links, there are also vanity links. A vanity link basically is a string that the user determines. And typically, of course, the idea is that you would have some kind of branded invite link that's easier to remember, easier to communicate. But what attackers apparently are doing is that they are registering vanity links that actually match already released and expired temporary links that were created for other Discord servers. The problem they are exploiting here is that often, well, these links are sticking around. They are being exchanged, and the users may click on them long after they already have expired. But now they actually will be pointing to these vanity links, which will then direct the user to a malicious website. It's a really interesting and tricky approach. I'm not a big Discord user myself. But I know for our Slack that we are using here for DShield, I obviously have to make sure that the link that we have on our homepage is still up to date. And actually, probably after recording this podcast, I'll have to double-check again.

Well, and this is it for today. So thanks again for listening. Thanks for recommending the podcast. Thanks for subscribing to this podcast, and talk to you again tomorrow. But remember, there will be no podcast on Wednesday and Thursday this week.