Hello and welcome to the Monday, June 9th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and this episode, brought to you by the SANS.edu Graduate Certificate Program in Purple Team Operations, is recorded in Jacksonville, Florida.

Well, and in diaries this weekend, we had an update to pngdump.py by Didier. This update was, well, as so often, prompted by some malware that Xavier was looking at a few days ago. In that particular example, we had a PNG file with some additional data appended to the end. Now, this data followed the IEND marker in the PNG, and pngdump will display a list of all the sections in the PNG, including the IEND marker. So then it's easy to spot, hey, there's some unexpected data here following that IEND marker. And that's the data that you can then save into a separate file. So this is helpful for people and makes malware analysis a little bit simpler.

Well, and then we do have yet another significant compromise of the NPM ecosystem. This time, it particularly targeted some React Native packages for Gluestack. Gluestack delivers user interface components, and a number of them were compromised last week. This attack happened June 6th, June 7th. So just Friday, Saturday, I guess. Also difficult there for people to pay attention. And the attack did deliver a backdoor to the systems. Now, the write-up I'm going by here comes from Aikido. They actually detected a similar compromise back in May. Very similar malware deployed back then, with only minor changes being deployed here. But for the last month, they were fairly not very active, but now apparently sort of hit the big jackpot with these NPM packages that have aggregated about a million downloads a week. One interesting thing here is that you actually don't see the compromised code easily. They use, well, white spaces to basically push it off the screen. And that way, again, sort of escape some cursory detection. That's something where some simple signature-based detection techniques probably could help along. Well, other than that, again, be careful as always with NPM, PIP, with all these packages. I don't think there is a couple of days or so where I don't see a story like this. I don't cover them all. I try to sort of limit myself to the ones that are a little bit more special or that have a bigger impact like this one.

Well, and I guess if I'm talking about sort of hopeless issues in information security, you may as well also include the latest news about the Mirai botnet. This version now has found yet another DVR to exploit and take advantage of. The exploit here is a little bit more complex than some of the prior exploits we have seen. Kaspersky here has a pretty good write-up about it, but I don't really think it's going to make a significant change other than, well, yet more Mirai bots and yet more exploited DVRs that probably shouldn't have been exposed to the internet in the first place.

And according to a blog post by Koushik Pal with CloudSEK, the AMOS malware, which stands for Atomic macOS Stealer, is now taking advantage of the ClickFix trick. This is where the user is presented with a fake CAPTCHA and then is being asked to essentially run a script on the command line in order to bypass that CAPTCHA. Well, that of course works on macOS just like it does on Windows. It just depends on getting the user to actually follow the instructions. And if the user does follow the instructions here, then of course they will be hit with malware. This particular malware is actually kind of good enough where it tries to figure out if you are running a Mac or if you're on a Windows system, and so, based on user agent, may display different prompts here. It also then, once installed, steals credentials. And on the Mac it will keep popping up a dialog asking for your system password. Well, until you relent and actually enter the password. So pretty nifty malware. Not super technical really, but sort of definitely going after some very typical user weaknesses.

I don't remember the hoopla we had with the recent Microsoft update regarding the inetpub folder. Well, Microsoft now made available a little PowerShell script to recreate the folder in case you deleted it by mistake. This was that patch that Microsoft released that created this folder that's usually really only needed for IIS. But in this particular case, well, it helps them mitigate some vulnerability. So recreate the folder if you haven't already done so. This is probably a little bit easier. But really all you do is create a folder and apply the correct permissions to it.

Well, and this is it for today. So thanks for listening and talk to you again tomorrow. Bye, bye.