
SANS Stormcast Wednesday, June 17th, 2026: VHDX to Remcos RAT; Fake Job Offer; OpenBSD Vuln; Copilot M365 Leakage

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9976.mp3



Podcast Transcript

Hello and welcome to the Wednesday, June 17, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the sans.edu graduate certificate program in cloud security.

One thing we really like is when readers actually send us malware samples; we love malware samples on our website. You can actually download malware samples via our contact form. And Xavier took a look at a sample we received yesterday from a user. First of all, this sample arrives as a VHDX file. These are disk images. So once you download the file, in Windows it will actually typically automatically mount itself, and with that start off some JavaScript. Now, the JavaScript is not only obfuscated; also the way it starts the PowerShell script, which then will actually, well, load additional malware, is interesting in that it goes via WMI. WMI is typically used more, sort of, for remote access to other systems. But here, using the chain JavaScript, WMI, and then PowerShell, well, makes this less suspicious to some endpoint protection systems than going JavaScript to PowerShell directly. So that's what the attacker is trying to accomplish here. They're trying to further obfuscate not just the malware itself, but also the behavior that is being exhibited by the malware. And that of course goes straight against some of these more modern endpoint protection systems. There are a couple more stages, but in the end, the victim ends up with Remcos RAT, good old remote access tool; we have talked about this for years. Antivirus endpoint protection still appears to be having a hard time with it. But anyway, the behavior here is quite telling and definitely something that you want to check your endpoint protection systems for, to check if they are actually alerting on some of these more obfuscated execution paths.

And there's hardly been a podcast where I haven't talked about some kind of supply chain issue. Today, a little bit of a different perspective on it, and that's a little more on the defensive side. Roman Imankulov, a Python developer, documented how an attacker attempted to get access to their profile and their code base, well, by essentially disguising it as a job interview. And that's a very, very common attack against developers, where developers are being tricked into executing arbitrary code under the disguise that this is possibly a test for a job interview. And of course, a test like this, like code reviews and such, isn't really all that terribly uncommon for developer interviews. So Roman here was luckily somewhat careful and didn't quite like the interaction with this particular recruiter or company. And as a result, well, was careful and launched the particular code they gave them in a virtual machine. And with that, of course, was able to isolate what happened and also prevented infection of any other repositories and systems on their main computer. And this is actually a technique that I think should be used more and more, where you do have sort of a separate development environment on a remote virtual machine that doesn't have access to your main computer that you're using. And as a result, well, if you execute some malicious code in that virtual machine, you may lose credentials and such that are related to the particular project that you're working on here. But you're not losing sort of, you know, everything, as is what would happen if the particular code would actually execute on your main workstation. So that's, I think, an important strategy that should probably be used more and more going forward, given all the problems that we had with malicious libraries, these types of, sort of, malicious interviews and the like. And then, of course, I think this particular story also makes a good read because it was very well documented, first of all, for developers, so developers don't fall for these kinds of tricks themselves, but also for security teams and such to see what kind of indicators and such you may be able to identify if one of your developers is falling for these tricks.

And something I love to talk about almost as much as user-supplied malware is old vulnerabilities that remained undiscovered for many, many years. This example is a 27-year-old vulnerability in OpenBSD. And it's not necessarily sort of in an unused part of the code. It affects the password authentication protocol, PAP. Well, it's often used in point-to-point protocol links like, for example, PPP over Ethernet. You may have seen that, for example, used in DSL connections and the like. And the problem here is that the user supplies, well, a password. And with the password, the user also supplies a password length. The trick here is that if the user supplies a password length of zero, then there's nothing to compare. So the authentication succeeds automatically. So essentially a user-supplied password length is being accepted by the system to then bypass authentication altogether. A pretty straightforward vulnerability in hindsight, of course. But yes, hidden in some fairly simple but still not necessarily easy to read, sort of, comparisons that were used in this particular module.

And Microsoft fixed an interesting vulnerability in Copilot. It was discovered by researchers with Varonis. This vulnerability sort of has everything in it that we sort of keep teaching in our classes that nobody really takes because, well, they're kind of boring and old stuff. But that's also why these vulnerabilities keep happening. In this particular case, first of all, when you're using Copilot, the enterprise version, you can add a query to a URL. What this means is that if a user clicks on a link, well, you may actually start a query in Microsoft Copilot. Now, when the results come back, Microsoft is actually wrapping them in code tags. That way any HTML would not get parsed. So an attacker cannot easily, sort of, use cross-site scripting essentially to exfiltrate data. But this wrapping happens after the thinking part of Copilot is done. So there's a time, while Copilot creates the response, where the text is not yet wrapped in code tags. And as a result, well, you can basically use the cross-site scripting and then use tricks like the image search that you have access to in order to basically attach sensitive data that Copilot found in your M365 or Microsoft 365 tenant and then exfiltrate them as part of an image URL. Pretty interesting vulnerability. Microsoft patched it on Monday.

Well, and this is it for today. Thanks for liking. Thanks for subscribing. Thanks for recommending this podcast. There will be no podcast on Friday because of the June 19th holiday. But till then, I'll talk to you again tomorrow. Bye.
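The PAP story above describes a check in which the length the peer sends decides how many password bytes get compared, so a zero length compares nothing and succeeds. The following C program is an added illustration written for this page, not OpenBSD's code and not a reproduction of its structure: it parses a constructed PAP Authenticate-Request (layout per RFC 1334), then runs a hypothetical vulnerable check beside a hardened one that validates the peer-supplied length before comparing. The account name, password and packets are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration: a hypothetical, simplified PAP Authenticate-Request
 * handler. NOT OpenBSD's code; it only models the bug class the episode
 * describes (a peer-supplied length drives the comparison).
 * RFC 1334 layout: Code(1) Id(1) Length(2, big-endian)
 *                  Peer-ID-Length(1) Peer-ID Passwd-Length(1) Password */

#define PAP_AUTH_REQUEST 1

struct pap_req {
    const uint8_t *peer;   uint8_t peer_len;
    const uint8_t *passwd; uint8_t passwd_len;
};

/* Constructed credential store for the example: one account. */
static const char stored_user[]   = "alice";
static const char stored_passwd[] = "correct horse";

/* Parse an Authenticate-Request; 1 on success, 0 if malformed. Every
 * length field is checked against the bytes actually present. */
int pap_parse_request(const uint8_t *pkt, size_t n, struct pap_req *out)
{
    if (n < 4 || pkt[0] != PAP_AUTH_REQUEST)
        return 0;
    size_t len = ((size_t)pkt[2] << 8) | pkt[3];
    if (len < 6 || len > n)
        return 0;
    size_t pos = 4;
    uint8_t plen = pkt[pos++];
    if (pos + plen + 1 > len)
        return 0;
    out->peer = pkt + pos; out->peer_len = plen;
    pos += plen;
    uint8_t wlen = pkt[pos++];
    if (pos + wlen > len)
        return 0;
    out->passwd = pkt + pos; out->passwd_len = wlen;
    return 1;
}

static int user_matches(const struct pap_req *r)
{
    return r->peer_len == strlen(stored_user) &&
           memcmp(r->peer, stored_user, r->peer_len) == 0;
}

/* Vulnerable model: the loop walks only the passwd_len bytes the peer
 * sent. A zero-length password runs zero iterations, finds no mismatch
 * and falls through to "authenticated". (This toy also accepts prefixes;
 * that is a side effect of the simplification, not a claim about the
 * real code.) */
int pap_check_vulnerable(const struct pap_req *r)
{
    size_t want = strlen(stored_passwd);
    if (!user_matches(r) || r->passwd_len > want)
        return 0;
    for (size_t i = 0; i < r->passwd_len; i++)
        if (r->passwd[i] != (uint8_t)stored_passwd[i])
            return 0;
    return 1;
}

/* Hardened model: validate the peer-supplied length first. It must be
 * non-zero and equal to the stored length; only then compare, and compare
 * every byte, so the peer cannot shorten the check. */
int pap_check_fixed(const struct pap_req *r)
{
    size_t want = strlen(stored_passwd);
    if (!user_matches(r))
        return 0;
    if (r->passwd_len == 0 || r->passwd_len != want)
        return 0;
    uint8_t diff = 0;
    for (size_t i = 0; i < want; i++)
        diff |= r->passwd[i] ^ (uint8_t)stored_passwd[i];
    return diff == 0;
}

/* Parse, then authenticate with either model: 1 = accepted, 0 = rejected. */
int pap_authenticate(const uint8_t *pkt, size_t n, int hardened)
{
    struct pap_req r;
    if (!pap_parse_request(pkt, n, &r))
        return 0;
    return hardened ? pap_check_fixed(&r) : pap_check_vulnerable(&r);
}

/* Constructed packets: valid login, Passwd-Length = 0, wrong password. */
static const uint8_t good_pkt[] = { 1, 7, 0, 24, 5, 'a','l','i','c','e',
    13, 'c','o','r','r','e','c','t',' ','h','o','r','s','e' };
static const uint8_t empty_pkt[] = { 1, 8, 0, 11, 5, 'a','l','i','c','e', 0 };
static const uint8_t bad_pkt[] = { 1, 9, 0, 24, 5, 'a','l','i','c','e',
    13, 'c','o','r','r','e','c','t',' ','h','o','u','r','s' };

int main(void)
{
    printf("good login:   vulnerable=%d fixed=%d\n",
           pap_authenticate(good_pkt, sizeof good_pkt, 0),
           pap_authenticate(good_pkt, sizeof good_pkt, 1));
    printf("empty passwd: vulnerable=%d fixed=%d\n",
           pap_authenticate(empty_pkt, sizeof empty_pkt, 0),
           pap_authenticate(empty_pkt, sizeof empty_pkt, 1));
    return 0;
}
```

The defensive point is in `pap_check_fixed`: a length that arrives from the network is input, not trust, so it is compared against the locally known length before it controls any loop bound. The same reasoning applies to the parser, which refuses any length field that runs past the bytes actually received.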