Hello, welcome to the Thursday, August 17th, 2017 edition of the Sands and the Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

PayPal fishing, nothing really new happens for a long time now, but Xavier came across an actual fishing kit, the software being used to set

up and run fishing sites for PayPal. In addition to the code that's really needed to run a fishing

site like HTML images to impersonate the respective websites, There was also a list of user actions and IP address ranges that will be blocked from this site,

probably in order to prevent researchers and others from actually finding the fishing site easily.

Now, quite often fishing sites will accept whatever credentials you give them,

but in this case, they actually appear to try to validate the information they received

by connecting to PayPal.

Also interesting list of banks that they're looking for credentials for and the

actual data being written to the file on the fishing server. Overall this particular fishing

kit included 300 distinct files and the SIP file had a total size of 1.8 megabyte.

And Kasperski came across an interesting backdoor that it called ShadowPad.

Now this backdoor was implemented in X Manager 5, which is produced by the Korean company

Net Serang.

X manager is typically used to gain secure remote access to servers via S.H or SFTP.

Now, in this particular case, it looks like someone was able to implement a malicious

backdoor in this ex-manager software summer in July and this particular backdoor is

triggered via specific DNS requests. The DNS requests keep changing once a month. So for each month you have a

particular DNS host name that has to be looked up. Once that text record is looked up and

X manager sees that look up, then it will enable the back door, which gives attackers control

over the system. Pretty sophisticated software

...