Hello and welcome to the Tuesday, July 8, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, and this episode, brought to you by the SANS.edu Undergraduate Certificate Program in Cybersecurity Fundamentals, is recorded in Jacksonville, Florida.

And hackers have a pretty impressive arsenal of tools and tricks that they're using to figure out if malware they wrote is running in some kind of artificial environment used to analyze that malware. One trick that Xavier is talking about is, well, detecting whether or not the binary was renamed. Quite often when analysts are running malicious code in some kind of sandbox, a virtual machine or the like, they're renaming it. And I actually often recommend you rename it in order to accidentally run it on a real system. So quite often it's being renamed into something like sample.exe or malware.exe. Well, Xavier is talking today about how an attacker may detect if their script was renamed, in particular on Windows. Windows offers a specific API for this, GetModuleFileName. If you leave the first of the three parameters set to NULL, then it will return the name of the current program. And that, of course, can easily then be compared to a block list or, well, maybe attackers sometimes like allow lists too, and will only allow the software to run if it has a very specific name that the attacker assigned it. Of course, this could again lead to false positives where a user just renamed the file into something slightly different and then it wouldn't run.

And talking about malware, we do have news for macOS users. Moonlock Labs did find a new version of the Atomic Stealer. Atomic Stealer, well known, has been around for a few years. It, well, was an info stealer, as the name implies, but it now also implemented a persistent backdoor, allowing the attacker more complete remote control than before. What I found sort of interesting reading over the Moonlock write-up is that apparently they're just connecting to the command-and-control server by IP address. It's, interestingly, a Finnish IP address. So, not sure how long that'll last; it may already be taken down, and it also should be detectable with the standard detection rule where you're looking just for outbound connections to IP addresses that did not get returned as a result of a DNS lookup before you see the outbound connection to that IP.

The French CERT has released an interesting and very detailed report outlining some of the attacks that they have seen taking advantage of Ivanti vulnerabilities. Ivanti, of course, always a hot topic. I sort of call them friends of the show for all the vulnerabilities they supply us with. But this report also goes into, well, after they get into the system, what are their next steps? How are they moving forward after they breach a border device like an Ivanti gateway? So, in this particular case, for example, looking at the different PHP shells and such that are being deployed, they're calling this particular attack group Houken. I think that's how you would pronounce it. And it is associated with China.

Now, Arctic Wolf is observing search engine optimization attacks that are advertising malicious tools. Nothing really too new about it. But, of course, these attacks are now often advertising AI tools. That's, of course, a hot topic. Lots of people are searching for them. In addition to that, also the good old sort of targets like SSH clients, like, for example, PuTTY, are being affected by these attacks. I think the SSH clients, like PuTTY, are in particular sort of an easy target in the sense that if you have software that's called PuTTY, and they're actually just modifying the original software, so it still has all the legitimate capabilities of PuTTY. But if a piece of software like this all of a sudden has some outbound network connectivity or such, it probably slips easier past some detection. Because, well, you think, hey, you know, it's PuTTY. It's meant to set up SSH connections. So, it's less suspicious if you all of a sudden see some odd SSH connections that originate from a tool like PuTTY.

Well, and that's it for today. Only about a week to SANSFIRE. So, hope to see many of you there in Washington, D.C. Not too late to still register, in particular if you plan on attending online. Some of the evening events, like the keynote, I believe on Tuesday, will be streamed online as well. So, you don't necessarily have to be there in person. But, of course, we also have a number of in-person-only events, like, for example, our Honeypot Workshop and Giveaway. That's it for today. Thanks for listening, and talk to you again tomorrow. Bye-bye.
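The "outbound connection without a preceding DNS lookup" rule mentioned for the Atomic Stealer C2 traffic, as an added example that is not part of the episode or the Moonlock write-up. The two log formats, the sample lines and the 15-minute resolution window are all constructed assumptions; real sensors (Zeek, Sysmon, firewall logs) need their own parsers.

```python
"""Flag outbound connections to IPs that no recent DNS answer returned.

Added illustration; log formats below are constructed, not from any real
sensor. A direct-to-IP C2 connection shows up as a destination that never
appeared in a DNS answer before the connection was made.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample logs: DNS answers and outbound TCP connections.
DNS_LOG = """\
2025-07-08T09:00:01 dns answer example.net 203.0.113.10
2025-07-08T09:00:05 dns answer cdn.example.org 198.51.100.7
"""
CONN_LOG = """\
2025-07-08T09:00:02 conn 10.0.0.5 -> 203.0.113.10:443
2025-07-08T09:00:06 conn 10.0.0.5 -> 198.51.100.7:443
2025-07-08T09:00:09 conn 10.0.0.5 -> 192.0.2.44:8080
2025-07-08T09:30:00 conn 10.0.0.5 -> 203.0.113.10:443
"""

DNS_RE = re.compile(r"^(\S+) dns answer (\S+) (\S+)$")
CONN_RE = re.compile(r"^(\S+) conn (\S+) -> (\S+):(\d+)$")
TS = "%Y-%m-%dT%H:%M:%S"


def index_dns_answers(dns_log):
    """Map answered IP -> list of (answer time, query name)."""
    answers = defaultdict(list)
    for line in dns_log.splitlines():
        m = DNS_RE.match(line)
        if m:
            answers[m.group(3)].append((datetime.strptime(m.group(1), TS), m.group(2)))
    return answers


def find_unresolved_connections(dns_log, conn_log, window=timedelta(minutes=15)):
    """Return (timestamp, dst_ip, port) for every connection whose destination
    had no DNS answer inside `window` before it. An answer older than the
    window is treated as missing: an assumed cache lifetime, tune per site."""
    answers = index_dns_answers(dns_log)
    hits = []
    for line in conn_log.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        ts, dst, port = datetime.strptime(m.group(1), TS), m.group(3), int(m.group(4))
        recent = [qn for (ats, qn) in answers.get(dst, []) if ts - window <= ats <= ts]
        if not recent:
            hits.append((m.group(1), dst, port))
    return hits


if __name__ == "__main__":
    for ts, ip, port in find_unresolved_connections(DNS_LOG, CONN_LOG):
        print(f"{ts} outbound to {ip}:{port} with no preceding DNS answer")
```

On the sample data this flags the direct connection to 192.0.2.44 and the 09:30 reconnect to 203.0.113.10, whose only DNS answer is 30 minutes old.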