
SANS Stormcast Tuesday, December 2nd, 2025: Analyzing ToolShell from Packets; Android Update; Long Game Malicious Browser Ext.

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9720.mp3




Hunting for SharePoint In-Memory ToolShell Payloads
A walk-through showing how to analyze ToolShell payloads, starting with acquiring packets all the way to decoding embedded PowerShell commands.
https://isc.sans.edu/diary/%5BGuest%20Diary%5D%20Hunting%20for%20SharePoint%20In-Memory%20ToolShell%20Payloads/32524

Android Security Bulletin—December 2025
Google fixed numerous vulnerabilities with its December Android update. Two of these vulnerabilities are already being exploited.
https://source.android.com/docs/security/bulletin/2025-12-01


4.3 Million Browsers Infected: Inside ShadyPanda's 7-Year Malware Campaign
A group or individual released several browser extensions that worked fine for years until an update injected malicious code into the extensions.
https://www.koi.ai/blog/4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign

My Next Class

Network Monitoring and Threat Detection In-Depth, Online (Central European Time), Dec 15th - Dec 20th 2025
Application Security: Securing Web Apps, APIs, and Microservices, Orlando, Mar 29th - Apr 3rd 2026
Network Monitoring and Threat Detection In-Depth, Amsterdam, Apr 20th - Apr 25th 2026
Application Security: Securing Web Apps, APIs, and Microservices, San Diego, May 11th - May 16th 2026
Network Monitoring and Threat Detection In-Depth, Online (Arabian Standard Time), Jun 20th - Jun 25th 2026
Network Monitoring and Threat Detection In-Depth, Riyadh, Jun 20th - Jun 25th 2026
Application Security: Securing Web Apps, APIs, and Microservices, Washington, Jul 13th - Jul 18th 2026

Podcast Transcript

Hello and welcome to the Tuesday, December 2nd, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Dallas, Texas. This episode is brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Leadership.

Well, today's diary is yet another contribution by our underrated interns. This time, James Woodworth is talking about analyzing ToolShell payloads. This is the SharePoint vulnerability that came out a month or two months ago and has been quite busy since then. There are still plenty of scans for this vulnerability. And James is explaining a little bit how to analyze the payloads that you can extract from packet captures. James is going over all the details here, how to extract the required PCAP files from Zeek, and then how to get the payloads from those PCAP files, and then later analyzing the deserialization payloads from these extracts. There are a couple interesting newer exploits or variations of this exploit that James found. For example, one that actually delivers a Nuclei scanner template, and then a second one that includes encoded PowerShell commands. And of course, James will show how to decode these PowerShell commands and get to the bottom of what this particular payload is trying to accomplish. Very nice technical deep dive into the analysis of this vulnerability, and hopefully something that can be used by others in order to discover what's going on currently with this ToolShell vulnerability.

And Google today announced its security update for Android for December 2025. This update as usual fixes a large number of different vulnerabilities. Noteworthy are two vulnerabilities in Framework that are already being exploited in limited attacks in the wild. One of them is an information disclosure vulnerability, the other an elevation of privilege vulnerability. Framework tends to be one of those components that does have numerous vulnerabilities. Just this month, about 35 different vulnerabilities are being addressed in Framework. And again, two of them are already being exploited. So as this update becomes available for your particular Android phone, apply it as quickly as possible.

And Koi Security came across a pretty scary browser extension campaign. This campaign that they are calling ShadyPanda went over seven years. And what makes it so scary is that the attacker here apparently was playing the long game, where they first published an extension and the extension worked just fine and provided a more or less useful service to the user that worked as advertised. But after a few years and accumulating in some cases several hundred thousand users, the developer was then publishing a malicious version of that extension that in some cases allowed remote code execution or in some of the more successful larger cases just installed some spyware that essentially was then weaponizing the extension that the user had installed in order to track their browsing habits. They call it ShadyPanda because it is apparently linked to a Chinese group or individual that created these extensions. The ultimate purpose here I don't think is quite that clear. I wouldn't really say that this is something like nation state or such. It in some ways, particularly looking at the spyware, almost looks to me like this is a very skilled developer who may have originally developed these extensions, maybe just out of interest and trying to provide some useful service, but maybe then got a little bit disappointed, wanted to monetize these extensions and well then fell down the trap of using some malicious user tracking. And so to accomplish that, at least that's I think one explanation what's going on here. In particular, when you look at the spyware, I don't think there is really much else that the attacker could have really done here with this data, but sell it for some advertising first as such. They also did some search injection where essentially they injected banner ads, which also sort of fits that particular money making scheme. We'll see if there's any more to it. But Koi does a pretty good job in analyzing what these extensions do and also pointing out the similarities, why these extensions are created by the same individual or group and how they are sharing some of their infrastructure, how they are sharing some of the code features. The big problem is how do you protect yourself from this? I don't think turning off auto update is the solution here because you probably would not have spotted these changes as malicious as sort of just an average user trying to review the code.

Well, that's it for today. So thanks for listening. Thanks for liking and thanks for subscribing to this podcast and talk to you again tomorrow. Bye.
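The ToolShell segment above describes decoding the encoded PowerShell commands found in payloads carved from packet captures. The following is an added example and is not code from the podcast or from the guest diary it references. It assumes the HTTP request body has already been extracted from the PCAP as text, and it reverses the encoding that PowerShell's -EncodedCommand flag expects (UTF-16LE, then base64), re-scanning each decoded layer because such payloads often wrap one encoded invocation inside another. The sample payload is constructed here and runs a harmless Write-Output.

```python
"""Decode PowerShell -EncodedCommand payloads carved from a capture.

Added example (not code from the podcast or the diary it references).
Assumes the HTTP request body has already been extracted from the PCAP
as text; the sample payload below is constructed and benign.
"""
import base64
import binascii
import re
from typing import List, Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
# -enc, ...). Capture the flag and the base64 blob that follows it; the
# flag is validated separately so that -ExecutionPolicy and similar are
# not mistaken for it. The 16-character minimum skips short option
# values such as "Bypass" that happen to be valid base64 characters.
FLAG_RE = re.compile(r"(?<!\S)[-/](e[a-z]*)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def encode_powershell(command: str) -> str:
    """Encode a command the way powershell.exe expects it: UTF-16LE, then base64."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64: str) -> Optional[str]:
    """Reverse encode_powershell(); return None if the blob is not a plausible command."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) % 2:  # UTF-16 needs an even byte count
        return None
    try:
        text = raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    # A real command is printable text; random bytes that happen to decode are not.
    if not text or not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None
    return text


def find_encoded_commands(blob: str, max_depth: int = 3) -> List[str]:
    """Return every decoded -EncodedCommand found in blob, outermost layer first.

    Each decoded command is scanned again because payloads frequently nest
    one encoded invocation inside another; max_depth bounds that recursion.
    """
    found: List[str] = []
    if max_depth <= 0:
        return found
    for match in FLAG_RE.finditer(blob):
        flag, b64 = match.group(1), match.group(2)
        if not "encodedcommand".startswith(flag.lower()):
            continue
        decoded = decode_encoded_command(b64)
        if decoded is None:
            continue
        found.append(decoded)
        found.extend(find_encoded_commands(decoded, max_depth - 1))
    return found


# Constructed sample: a harmless command wrapped the way an extracted
# payload might carry it (one encoded layer inside another).
INNER_COMMAND = 'Write-Output "decoded inner layer"'
OUTER_COMMAND = "powershell.exe -NoProfile -enc " + encode_powershell(INNER_COMMAND)
SAMPLE_PAYLOAD = "cmd /c powershell.exe -EncodedCommand " + encode_powershell(OUTER_COMMAND)

if __name__ == "__main__":
    for depth, command in enumerate(find_encoded_commands(SAMPLE_PAYLOAD)):
        print(f"layer {depth}: {command}")
```

Feed find_encoded_commands() the request bodies extracted from the capture; a payload whose decoded text is itself another PowerShell invocation shows up as a second entry in the result, so the analyst sees every layer without re-running the tool by hand.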