Hello and welcome to the Thursday, March 27th, 2025
edition of the SANS Internet Storm Center's Stormcast. My
name is Johannes Ullrich and today I'm recording from
Jacksonville, Florida. It's always great when students are
able to apply what they're learning in their classes and
we have a great example here from one of our undergraduate
interns, Wee Ki Joon, and Wee did write about how to
classify malware using machine learning. And it's, I think, a
pretty interesting novel way. Also, the diary itself that Wee
wrote is in lots of details. So really also enables you to
apply some of these techniques to samples and such that you
may have in your environment. The goal of this particular
work was to classify malware. So not to figure out is it
malicious or not so much as to what type of malware it is.
And that's, of course, with these undergraduate interns.
As part of the internship, they're looking at honeypot
data. You end up with a ton of malware there. And the
difficult part is sometimes how to sort of triage it and
deal just with the sheer volume of data. So this
particular model was then able to distinguish between, like,
you know, simple droppers, downloaders, backdoors,
ransomware, trojans, viruses, and worms. Also, information
stealers was another category that Wee looked at. And, well,
it worked actually really well with detection sort of in the
90% correct range. Of course, there's always a piece of
malware that may be somewhat in between. And, well, again,
lots of details here in the diary if you're interested in
these type of techniques. I think a really educational
piece and very thorough the work being done here. And
imagine that we still have malicious packages, NPM
packages in particular. And there is a good new blog post
by Lucija Valentić with ReversingLabs. She looked
into the ethers-provider2 packages, which were recently
published and turned out to be malicious. What's a little bit
different here about this is, so, again, you know, we have
attacks against crypto coin developers. Ethers refers to
Ethereum. And that's sort of what the package is supposed
to help with. The actual Ethers package was not
compromised here. But the tricky part was that these
additional ethers-provider2 packages, they were then
actually patching the already installed Ethers package with
malicious payload to then lead to an execution in the code.
So, yes, you know, they realize that you probably
already have Ethers installed. That's the package they
really wanted to compromise, but not being able to
compromise it directly, they sort of went this detour to
first trick you into installing that second package
that was supposedly related. And then have it update the
main target that they were after. What they ended up with
then was a downloader, which basically would allow
additional malware to be installed. Most of the time,
as Lucija here points out in the blog post, this type of
malware is an info stealer. They're trying to steal your
crypto coins. Here in this case, well, again, the
attacker went a slightly different route via the
downloader first. And something else that's not
going away is zero-day vulnerabilities in Google
Chrome. Google just released a new update for Google Chrome,
apparently only affecting Windows. This particular
vulnerability was found by Kaspersky after it had been
used to compromise various Russian media and educational
institutions, according to Kaspersky. Well, and that's it
for today. If I missed the story, let me know. Let me
know if there is any story I should have covered. There
were a couple of other vulnerabilities, CrushFTP,
for example, that I don't really think are noteworthy
enough. But let me know if it is, and I'll definitely
include vulnerabilities like that. And as always, I like it
if you like this podcast. And any feedback is welcome. And
if you like it even more, then leave a good comment or let
someone at SANS know that you like this podcast. Thanks,
and talk to you again tomorrow. Bye.