Hello and welcome to the Friday, May 2nd, 2025 edition
of the SANS Internet Storm Center's Stormcast. My name is
Johannes Ullrich and today I'm recording from Jacksonville,
Florida. And we have another steganography diary from
Didier further figuring out, well, how to analyze some
messages or in this case binaries that are embedded in
images. pngdump.py, Didier's tool that he used in last
weekend's diary, is able to take a compressed PNG image
and basically expand it and display the uncompressed pixel
values for the particular image. PNG is compressed, it's
lossless compression and actually lossy compression
wouldn't work with steganography because they
exactly sort of do these one-bit changes that are often
lost when it comes to compression that loses sort of
some of the detail of the image. So once you have the
actual byte values, the one thing that pngdump doesn't
do, it actually doesn't sort of help you extract individual
bits. But, well, of course, Didier has a tool just for that.
It's called format-bytes. So what Didier did in today's
diary was look at two images. One is with message, one
without message. It uses that least significant bit
methodology, which basically results in identical, at least
visually, images. And then using format-bytes, Didier
extracted the executable from the bitstream that you get
from pngdump. format-bytes is the instrument tool. If you
look at the example, it sort of allows you very flexibly to
define the actual format being used, how many bits, little
endian, big endian, all of these details, and then
extract respective data, which is really useful here. And
Didier also promises, well, a little challenge for Saturday.
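The pngdump/format-bytes workflow just described, reduced to its core as an added example (not Didier's code and not from the diary): pull the low bit(s) out of every pixel byte, regroup the bitstream into bytes with a chosen bit order, and compare a clean buffer against one carrying a message. The cover bytes and the "MZ"-prefixed payload are constructed here; the bits-per-byte and bit-order options stand in for the knobs the podcast says format-bytes exposes.

```python
def bits_of_bytes(data: bytes) -> list:
    """Expand bytes into a list of 0/1 bits, most significant bit first."""
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]

def pack_bits(bits: list, msb_first: bool = True) -> int:
    """Pack up to 8 bits into one integer, in the requested bit order."""
    val = 0
    for b in (bits if msb_first else bits[::-1]):
        val = (val << 1) | b
    return val

def embed_lsb(cover: bytes, payload: bytes, bits_per_byte: int = 1) -> bytes:
    """Build the 'image with message' sample: overwrite the low bits_per_byte
    bits of each cover byte with payload bits (only used to construct test input)."""
    bits = bits_of_bytes(payload)
    if len(bits) > len(cover) * bits_per_byte:
        raise ValueError("payload does not fit in cover")
    mask = (1 << bits_per_byte) - 1
    out = bytearray(cover)
    for idx, i in enumerate(range(0, len(bits), bits_per_byte)):
        chunk = bits[i:i + bits_per_byte]
        chunk += [0] * (bits_per_byte - len(chunk))   # pad a short final chunk
        out[idx] = (out[idx] & ~mask) | pack_bits(chunk)
    return bytes(out)

def extract_lsb(pixels: bytes, bits_per_byte: int = 1, msb_first: bool = True) -> bytes:
    """The analysis step: collect the low bits of every pixel byte in order,
    then regroup the bitstream into bytes (the bit order is the analyst's guess)."""
    mask = (1 << bits_per_byte) - 1
    bits = [((p & mask) >> i) & 1 for p in pixels for i in range(bits_per_byte - 1, -1, -1)]
    usable = len(bits) - len(bits) % 8
    return bytes(pack_bits(bits[i:i + 8], msb_first) for i in range(0, usable, 8))

def compare_buffers(clean: bytes, stego: bytes) -> dict:
    """Why the two images look identical: count changed bytes and the largest
    per-byte change (1-bit embedding moves a pixel value by at most 1)."""
    deltas = [abs(a - b) for a, b in zip(clean, stego)]
    return {"changed": sum(1 for d in deltas if d), "max_delta": max(deltas, default=0)}

def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check on an extracted blob: the DOS 'MZ' header of a Windows executable."""
    return data[:2] == b"MZ"

# Constructed sample: 256 pixel bytes as the 'clean' cover, and a fake payload that
# only starts like a PE file (not a real executable).
COVER = bytes((i * 37 + 11) % 256 for i in range(256))
PAYLOAD = b"MZ\x90\x00\x03\x00" + b"stego-demo"          # 16 bytes = 128 bits
STEGO = embed_lsb(COVER, PAYLOAD)
```

Running `extract_lsb` with the wrong bit order or bit width yields garbage, which is exactly why a flexible format definition matters when the embedding parameters are unknown.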
And Olivia Brown with Socket, a company that specializes in
software security, in particular malicious
dependencies, is talking in a blog post about a couple of
malicious Python modules that they ran into. Now, the nice
thing I like about this particular post is, of course,
there have been many malicious Python modules that they sort
of show a little bit the evolution of these modules
over the years, but also the kind of command control
channel being implemented here. I've seen it before, but
not really sort of in a malicious Python module like
this. In this particular case, these malicious Python modules
are actually using Gmail to send email and then
essentially start up a command and control channel. The
script itself connects to the submit port at Gmail and then
uses its own credentials that are, of course, hard-coded
here into the malicious library to send email to some
other Gmail address. That's a little bit odd, actually,
because a more, well, I would say, stealthy way to implement
sort of these Gmail command control channels is often just
by drafting the email and then the attacker would just log in
and check the email. But maybe by having to add their
credentials to the script, they felt better in sort of
separating those two roles. Of course, they could have used
something like OAuth and such for some better authentication
here as well, which I guess they figured wasn't quite
necessary. And given that these particular libraries
have been around in various versions since, I believe,
2022, if I remember correctly from the blog post, it seems
reasonable that, well, it works for them. From a
defensive point of view, of course, it's a little bit
tricky. Yes, you know, make sure you're not using any
malicious libraries. You're probably not going to detect
this on the network. That's one of the suggestions here in
the blog post, given that they're using the normal Gmail
submit port here. If you do allow Gmail, you will see
traffic like this and are probably not going to be able
to detect this necessarily as malicious. On the other hand,
if this comes from servers or network segments that usually
don't send email to Gmail like this, you may be able to
detect it on the network. Yeah, and then something I
don't really talk enough about probably because I'm sticking
usually a little bit more to the technical side, but
Proofpoint has a good post about scam they have recently
seen where attackers are using business email compromise. So
they're actually getting into involved parties' email
systems to then send out emails asking tenants of a
particular property management company that they breached to
update their banking information and, well, send
rent to the wrong account. This type of account update
fraud in general is something that has been happening for
years using a business email compromise and definitely
something that only really can be addressed via business
rules, where you're basically telling people you're not
going to use an email in order to update banking information
and that you're going to do this via a written letter in
the mail, via voice confirmation, or even by
basically being able to stop by an office or something like
this to confirm the correct account information. This has
been happening in real estate, not just with rents. So
something to keep in mind as you are dealing with issues
like this. Try to set up business rules that don't just
rely on email for critical information like this. Well,
then a quick reminder that our science research journal has
been released for this year. We always release it during
RSA week. This is the fifth time we're doing so. So the
fifth volume, fifth year of our research journal. Great
articles in there. Great article about QUIC, for
example. One of my sort of favorite topics these days,
the new transport protocol, kind of transport protocol. So
definitely take a look. And that's it for today. Next
week, I'll be in San Diego. So hope to run into some of you
there. And I'll have some stickers with me. So thanks,
everybody. And talk to you again on Monday. Bye.
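Returning to the Socket write-up on the Gmail-based command-and-control channel: the network-side detection the podcast suggests, flagging mail-submission traffic from segments that never send mail, as an added example (not from the podcast or from Socket's post). The subnet policy, the Zeek-like log layout and the TEST-NET destination addresses are constructed assumptions; a real deployment would use your own mail segments and conn logs.

```python
import ipaddress
from collections import Counter

# Assumed policy: only the mail relay segment is expected to submit mail outbound.
EXPECTED_SENDERS = [ipaddress.ip_network("10.0.5.0/24")]
SUBMISSION_PORTS = {587, 465}           # STARTTLS submission and implicit-TLS submission

# Constructed sample in a Zeek conn.log-like layout: ts, id.orig_h, id.resp_h,
# id.resp_p, service. The 192.0.2.x destinations are placeholders for Gmail's SMTP hosts.
SAMPLE_LOG = """\
1746170001.1\t10.0.5.10\t192.0.2.10\t587\tsmtp
1746170002.4\t10.0.20.15\t192.0.2.10\t587\tsmtp
1746170003.9\t10.0.20.15\t192.0.2.11\t587\tsmtp
1746170004.2\t10.0.20.31\t192.0.2.10\t443\tssl
1746170005.7\t10.0.30.8\t192.0.2.10\t465\tssl
"""

def parse_conn(text: str) -> list:
    """Parse tab-separated connection records into dicts; skips comment and blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, orig, resp, port, service = line.split("\t")
        rows.append({"ts": float(ts), "orig": orig, "resp": resp,
                     "port": int(port), "service": service})
    return rows

def expected_sender(ip: str) -> bool:
    """True when the source host lives in a segment that is supposed to send mail."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXPECTED_SENDERS)

def unexpected_submissions(rows: list) -> dict:
    """Count submission-port connections per source host outside the mail segments.
    The traffic itself looks like ordinary mail submission; the signal is a
    workstation or server that has no business talking to port 587 or 465 at all."""
    hits = Counter()
    for r in rows:
        if r["port"] in SUBMISSION_PORTS and not expected_sender(r["orig"]):
            hits[r["orig"]] += 1
    return dict(hits)
```

On the constructed log this flags 10.0.20.15 (twice) and 10.0.30.8, while the relay host and the HTTPS connection are ignored.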