Hello and welcome to the Tuesday, May 20th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, and this episode, brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Leadership, was recorded in Jacksonville, Florida.

In today's diary, we got Xavier taking apart a remote access tool. This remote access tool starts out with scripts written in AutoIt. This is something that keeps coming up. It's not a new technique at all, but something I think that's often overlooked. AutoIt is a language designed to, well, roll out configurations and remotely manage machines. And that's exactly what the bad guys take advantage of here, in particular since these scripts can also be compiled into self-contained executables, not requiring the victim to already have AutoIt installed. In the past, of course, we have seen a couple of examples where the actor would also install AutoIt on the system for the victim. But that's not the case here with what Xavier saw. It also enables some simple persistence by adding itself as a startup item and then essentially connects to a remote control server, some command and control server that luckily is no longer accessible. From a defensive point of view, you probably don't want to outright block AutoIt because it is a useful tool, unless you're not using it in your environment. And other than that, well, it comes back to downloading executables, letting users execute random executables. Never a good idea.

And last week, I talked about the unfortunate incident around RVTools, the VMware analysis tool set. Well, there was some confusion whether or not it was actually just a malicious version downloaded from some other random site or whether the actual RVTools website was compromised. We now got confirmation from robware.net, the entity behind RVTools, that yes, their website was compromised, and the website is currently shut down.

Now, in different news, we have a similar incident around KeePass. But in this case, it's not that KeePass itself was compromised. This appears to be a pure search engine optimization attack. The news about KeePass comes from researchers at WithSecure Labs. And the news actually broke about a week ago. Thanks to listeners for actually alerting me to this news. The problem here was that someone essentially took the KeePass source code, which is open source, so nothing leaked here, and recompiled it with additional add-ons, in particular infostealers and a Cobalt Strike beacon. This apparently happened several times, going back to sort of mid-2024. So almost like six months ago, when all of this started, there were several iterations, where only the last iteration then had all the goodies sort of being integrated into KeePass. With KeePass being a password store, that, of course, makes it sort of a prime target. Now, yes, this was solely a search engine optimization attack. So there was no compromise of the website or any build infrastructure of KeePass. And one of the pointers that, well, this was the case, was that the certificate used to sign the KeePass binary, the malicious one, was from an unrelated company, apparently stolen from a random Chinese company, that was then used to sign this binary. So that's something: if the attacker would have had access to the build infrastructure or anything like this around KeePass, they probably would have signed that with the proper KeePass signature. This is, again, be careful where you download your software, in particular things like password managers. This could happen to any software, not just password managers, but, of course, being able to get into someone's password manager makes that sort of a prime target.

And I guess today I have sort of a supply chain theme here to the podcast. The next example is this UV printer by Procolored. Well, this is not a cheap device. It's, I guess, called prosumer. It's sort of a few thousand dollars. And if you purchased this particular printer, the software that was delivered with the printer, well, apparently contained multiple viruses. This was first found here by the blog post on this website, hackster.io. This is more supposed to be a product review of this particular printer. But, well, the review kind of stalled because the initial downloads of the software and the install were blocked by Microsoft Defender and also the browser's built-in protections. Later analysis of the software by Karsten Hahn here did show that, yes, it was indeed malicious what was being offered here by the vendor. It took a while to get a response out of the vendor. And overall, it appears that this malicious software was included for about half a year. So if you own any of these printers, definitely be careful. Double-check your systems. And if you ever download software and antivirus goes off, I know it's hard, but it may not be a false positive. So better pay attention. Double-check. And, yeah, sadly, of course, the truth is sometimes there are false positives. As I'm recording this podcast, I'm sure when I'm saving my show notes that Microsoft Defender will flag the file as suspicious just because of some of the links in the file. At least that's what I suspect.

Well, and this is it for today. So thanks for listening and talk to you again tomorrow. Bye.
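The KeePass story above hinges on one observable detail: the trojanized installer carried a valid Authenticode signature, but from a company unrelated to KeePass. The following PowerShell function, added here as an illustration and not part of the podcast or of KeePass itself, turns that observation into a check you can run on any downloaded Windows installer. It reports the signature status and signer subject and compares the subject against a pattern you supply. The file path and the expected-subject pattern in the usage line are placeholders; the pattern you use should come from a known-good copy of the software, not from this example.

```powershell
# Added example (not from the podcast or the KeePass project): verify that a
# downloaded installer is signed, that the signature chain is valid, and that
# the signer is the publisher you expect. A valid signature from an unrelated
# company is exactly the red flag described in the episode.
function Test-ExpectedSigner {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Regex matched against the signer certificate's Subject field.
        # Obtain the correct value from a known-good release; the value used
        # in the usage line below is an assumption, not an authoritative one.
        [Parameter(Mandatory)] [string] $ExpectedSubjectPattern
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Unsigned files have no SignerCertificate; handle that explicitly rather
    # than letting a null dereference mask the result.
    if ($null -ne $sig.SignerCertificate) {
        $subject    = $sig.SignerCertificate.Subject
        $thumbprint = $sig.SignerCertificate.Thumbprint
        $notAfter   = $sig.SignerCertificate.NotAfter
    } else {
        $subject    = '<unsigned>'
        $thumbprint = $null
        $notAfter   = $null
    }

    # Only a chain that validates AND a subject that matches counts as trusted.
    $matches = ($sig.Status -eq 'Valid') -and ($subject -match $ExpectedSubjectPattern)

    [pscustomobject]@{
        Path            = $Path
        SignatureStatus = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer          = $subject
        Thumbprint      = $thumbprint
        CertExpires     = $notAfter
        SignerMatches   = $matches
    }
}

# Usage (placeholder path and pattern; replace both with your own values).
# A result with SignatureStatus 'Valid' but SignerMatches $false is the case
# described in the episode: properly signed, but by the wrong party.
Test-ExpectedSigner -Path 'C:\Downloads\KeePass-Setup.exe' `
                    -ExpectedSubjectPattern 'CN=<expected publisher name>'
```

A practical way to use this is to keep the signer subject and thumbprint from an installer you obtained through the vendor's official channel, and then run the function against any later download before installing it; a changed signer, even with a Valid status, means the file did not come from the same build pipeline.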