SANS Stormcast Monday, December 15th, 2025: DLL Entry Points; ClickFix and Finger; Apple Patches

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9738.mp3

previous

DLL Entry Points; ClickFix and Finger; Apple Patches

00:00

iTunes

MP3 Download

RSS Feed

Google

Podbean

Amazon Echo

YouTube

Spreaker

Spotify

Discussion

Login here to join the discussion.

Podcast Transcript

 Hello and welcome to the Monday, December 15th, 2025
 edition of the SANS Internet Storm Center's Stormcast. My
 name is Johannes Ullrich, recording today from
 Jacksonville, Florida. And this episode is brought to you
 by the SANS.edu Undergraduate Certificate Program in Applied
 Cybersecurity. Well, this Monday we have a number of
 diaries to talk about. The first one comes from Xavier
 and as typical for Xavier, is of interest to anybody reverse
 analyzing malware. Xavier is taking a closer look at DLLs.
 Now DLLs, libraries of course in Windows, are loaded by
 software in order to provide additional functionality. As
 any kind of library of course, there are certain features
 that are being exposed by the library. But one thing that's
 often overlooked here is the entry point. And what's
 happening here is that a developer can define an entry
 point that's being executed as the library is being loaded.
 There are a couple different options how it can be executed
 and Xavier is explaining this. The reason it's important for
 malware analysis is that you may see a library being
 loaded, a DLL being loaded, but then actually no function
 in that DLL is being ever executed. Well, then you have
 to take a look at the entry point to see if it contains
 any code of interest because that was executed just as the
 DLL was loaded without any specific function actually
 being called. And the next diary comes from Brad. Brad
 wrote about, well, two particular examples of a
 recent click fix campaign. Click fix again is where you
 have the CAPTCHA that tricks you into copy pasting
 PowerShell commands into a command prompt. And the part
 that Brad looked at it is something that we have talked
 about recently and that's the use of the finger command in
 these scripts. So in order to obfuscate what's actually
 happening here, the attacker is tricking the victim into
 posting a command that uses the finger command. And the
 finger command is, well, basically just a very simple
 TCP server that you just open a connection to and then
 retrieve ASCII data. That's really all it does. In this
 case, data coming back is a PowerShell script. That's of
 course, then just piped to CMD on your Windows host. So a
 very simple technique and provides for some additional
 obfuscation. Of course, the traffic here goes over port
 79, which I don't think is used for anything but this no
 longer really used finger command. So definitely a port
 that you should investigate blocking outbound from your
 network, just like 445 and other ports like this that you
 probably shouldn't allow outbound and well, maybe even
 better come up with a list of ports that should be allowed
 outbound. And then on Friday, we also got a little surprise
 from Apple and that's updates to all of Apple's operating
 system fixing a number of different vulnerabilities. I
 counted 48 vulnerabilities being addressed here. Now,
 most interesting were two vulnerabilities in WebKit that
 likely can lead to code execution and have already
 been exploited in the wild before the patch was released
 as usual in targeted attacks. So definitely something that
 you probably want to apply over the next week. And
 hopefully not too many people sort of just missed it because
 of the Friday release. Of course, patching stuff on
 Friday is always a little bit discouraged and there wasn't
 anything here that should have sort of really prioritized the
 patch beyond your regular patch cycle. These already
 exploited vulnerabilities, like I said, are only
 exploited in limited attacks. And there is no public exploit
 as far as I'm aware of. Now, there was also an interesting
 one that was being addressed in the compressor utility.
 That's not part of the operating system. That was
 sort of a separate update that Apple released. I believe it's
 part of Apple's video editing suite, at least that's sort of
 how I originally downloaded it. The tricky part here is
 that the compressor actually listens for network traffic
 and in receiving traffic, you can execute arbitrary code
 here. Now, the advisory states that the network traffic is
 only working if it's on the same local network. And of
 course, you have the utility up and running. It's not a
 utility that you sort of constantly keep running in the
 background. So it's not like other service in that sense.
 But you don't miss this particular update. Other than
 that, nothing really too terribly exciting. Well, and
 React Server Components keep on giving. This time, it's two
 denial of service vulnerability and a third
 vulnerability that, in my opinion, is actually more
 interesting, even though it has a lower CVSS score. And
 that third vulnerability may potentially leak source code.
 The third vulnerability only applies to certain
 circumstances where you are stringifying user submitted
 data. And essentially what's happening then is that the
 function code itself gets stringified and possibly
 returned as part of the response to the request.
 Again, this affects React Server Components, just like
 the React to shell vulnerability. So if your
 application was vulnerable to React to shell, it's probably
 vulnerable to these new issues as well. Well, that's it for
 today. Just a quick note. This coming week, I'll be teaching
 while I'll be staying here at home. I'll be teaching on a
 European schedule. So podcast publishing may be affected by
 this and the podcast may be released a little bit earlier
 than normal. That's it for today. Thanks for listening.
 Thanks for liking. Thanks for subscribing and talk to you
 again tomorrow. Bye.