Hello, welcome to the Monday, April 12, 2021 edition of the Sanct Storm Center's Stormcast. My name is Johannes. Ulrich,

and I'm recording from Jacksonville, Florida. This weekend, Xavier wrote about a new remote access

tool that was written in Python and targeting Windows. Now, of course,

the problem with Windows is that it doesn't come with Python re-installed. So the little installer

script that came with this particular backdoor does just download a complete Python environment to the system.

Another approach, of course, if you have seen in the past, is where the Python code is just

compiled into an executable. It doesn't look like this approach did any good for the attacker.

It has a pretty good virus total score. So evasion didn't really

work here, but then again, it's also fairly straightforward code. And it looks like that Mozilla's

public suffix list did get in the middle of a sort of a spat between Apple and Facebook on tracking users.

So first of all, what is the public suffix list? It's something that's maintained by Mozilla,

but used by many other browsers and internet-related products. And it's essentially a list of domains that behave like

top-level domains. Technically, a top-level domain is the last label in a host name, but there are

certain top-level domains that split up further and that have suffixes that really behave like

top-level domains.

So, for example, for dot UK, the United Kingdom, top-level domain, we have dot-CO, dot-uk,

dot-ac-ac, dot-UK, that really behave like top-level domains, and the public suffix list does track

those domains.

Apple comes in here with a change the announced for iOS 14.5

that will require applications to ask users for permission if they are trying to track users.

Now, Apple has, in recent releases of iOS iOS added more and more sort of of these restrictions

on user tracking, and this is sort of the latest expression of this new policy.

...