Hello and welcome to the Tuesday, April 15th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Orlando, Florida.

Well, I think it was only a week ago that Didier promised to expand his tool xorsearch with the ability to actually search for regular expressions. This promise has now been fulfilled. Actually, there's more to it. The original xorsearch was a compiled executable. The new one is now a Python script, typical for Didier, of course. And with that comes the ability to not just specify regular expressions, but actually YARA rules that you can use to search the result file for various strings. And YARA supports regular expressions. So with that also comes regular expression support. Pretty neat update to the tool. Let Didier know if you like it. And of course, there are plenty of examples of how to use the tool, and what the different output formats are for the strings that you are finding, in Didier's diary today.

And we have more news for users of TLS certificates. The Certificate Authority Browser Forum finally finalized their decision on shortening certificate lifetimes. First of all, it'll start with reducing the certificate lifetime to 200 days. That'll start on March 15th next year. Next, we'll have again March 15th, 2027. It'll go down 200 days. And finally, March 15th, 2029, it'll go down all the way to 47 days. In order to support that, of course, you will need better automation. Certbot, or the Electronic Frontier Foundation, actually also just released Certbot 4.0, which also is supporting shorter certificate lifetimes. What they introduce now is profiles. And the way this works is currently you do have the option to use the standard profile, which is basically the way it already works with 90-day certificate lifetimes via Let's Encrypt. And then you also have more short-lived certificates that are going down to six days. So the way you select this, after you install Certbot 4.0, is that you basically specify which profile you would like to use. And then you get either the longer 90-day certificates or the shorter six-day certificates. The default will remain 90 days for Certbot. And of course, most users will continue to use whatever Certbot version comes with your operating system, with your Unix distribution. And that is usually an older one. I just checked; the recent Ubuntu version actually uses Certbot 2.7.

And Kaspersky has a write-up about some new malware that they discovered, which they attribute to a threat actor that they're calling GOFFEE. Given Kaspersky's line of business, this particular malware was found to target organizations in Russia. What's sort of interesting here is not the initial infection vector. That's pretty straightforward and kind of old stuff. It's a malicious PDF document or Word document that then activates a downloader. And after it's finished doing so, it will actually unload a benign document in order to fool the user into believing that they opened the document they believed they wanted to open. What's interesting about it is how it's targeting removable devices. It not only copies files from removable devices inserted into an infected system, but it will then also attempt to copy itself to the removable device. And the way it sort of tricks a victim into executing the malware is by essentially replacing an existing document on the removable device with the malware, and then just basically renaming the original document. Once the malware is started, the device then is restored and the original document flipped back and opened. So again, the user doesn't necessarily see anything wrong here. They thought they opened the document that they had on the device before. And well, that document appears to open. What they don't notice is that the malware is also being executed. Interesting trick here. And definitely there seems to be a little bit of a resurgence in USB devices spreading malware. There have also been some other sort of nation state style attacks that I've seen reports about lately, where basically just USB sticks were dropped outside of government buildings.

Well, and this is it for today. So if you like this podcast, please, of course, subscribe and recommend it to others. And well, if you're here in Orlando, say hi. And like I said, I do have some stickers still left with me. Bye.
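As an added illustration of the idea behind xorsearch described above (this is example code written for this page, not Didier's tool or its output format), the script below brute-forces every single-byte XOR key over a constructed sample and runs a regular expression over each decoding to recover an obfuscated URL; the sample bytes, the key 0x5A and the URL pattern are all made up for the demonstration.

```python
import re
from typing import NamedTuple


class Hit(NamedTuple):
    key: int       # single-byte XOR key that revealed the match
    offset: int    # byte offset of the match within the file
    match: bytes   # decoded bytes that matched the pattern


def xor_decode(data: bytes, key: int) -> bytes:
    """Decode data with a single-byte XOR key (key 0 is the plaintext)."""
    return bytes(b ^ key for b in data)


def xor_search(data: bytes, pattern: bytes) -> list[Hit]:
    """Try all 256 single-byte XOR keys and run a regex over each decoding.

    This mirrors the basic xorsearch approach: brute-force the key, then look
    for known strings. A regular expression lets an analyst find indicators
    whose exact text is not known in advance, e.g. any http(s) URL.
    """
    regex = re.compile(pattern)
    hits: list[Hit] = []
    for key in range(256):
        decoded = xor_decode(data, key)
        for m in regex.finditer(decoded):
            hits.append(Hit(key, m.start(), m.group(0)))
    return hits


# Constructed sample "file": a few junk bytes followed by a download request
# that was XOR-encoded with key 0x5A (both invented for this example).
SAMPLE = b"\x00\x11\x22MZ\x90\x00" + xor_decode(
    b"GET http://example.invalid/stage2.bin HTTP/1.1", 0x5A
)

# Pattern for an http or https URL; stops at whitespace or other odd bytes.
URL_PATTERN = rb"https?://[A-Za-z0-9._/-]+"

if __name__ == "__main__":
    for hit in xor_search(SAMPLE, URL_PATTERN):
        print(f"key=0x{hit.key:02x} offset={hit.offset} match={hit.match!r}")
```

Only the correct key yields a decoding that satisfies the pattern, which is why a brute-force over 256 keys is cheap yet effective for single-byte XOR obfuscation.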