ISC StormCast for Thursday, July 28th, 2022
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS ISC Handlers
🗓️ 28 July 2022
⏱️ 6 minutes
Transcript
| 0:00.0 | Hello, welcome to the Thursday, July 28, 2022 edition of the SANS Internet Storm Center's |
| 0:07.0 | Stormcast. My name is Johannes Ullrich, and today I'm recording from Jacksonville, Florida. |
| 0:14.1 | Brad today posted another one of his malware analysis diaries. This time he's going over an IcedID sample, and this particular |
| 0:25.5 | sample either installs a DarkVNC or Cobalt Strike. As so often, the attack starts with a good |
| 0:33.0 | old email and a password-protected zipped ISO file. |
| 0:38.3 | Password of course is pretty easy and can typically be found in the email, but is of course intended |
| 0:45.3 | to make analysis, in particular automated analysis, a little bit more difficult. |
| 0:50.3 | Now once the user opens this zip file and then exposes the ISO file that's included, there is the old link file trick that's then being used to load a DLL, and then IcedID is installed. Now IcedID is fairly flexible and of course has been around for a while. After the malware is completely installed, |
| 1:12.7 | that's then when DarkVNC or Cobalt Strike will be installed to obtain persistent access |
| 1:19.9 | to the victim's system. As usual with Brad's diaries, you'll find links to the malware on |
| 1:27.3 | VirusTotal as well as packet captures. |
| 1:31.1 | So great learning opportunity here again to learn how to figure out what's happening based on network traffic. |
| 1:40.9 | And WebAssembly is back in the news, and with that cryptojacking. WebAssembly is code that runs in browsers. A little bit like JavaScript, but unlike JavaScript, it comes in a binary, sort of compiled format. Now, it's not assembly language as WebAssembly implies; it's more bytecode, but the |
| 2:04.0 | idea is that you can run it in the browser, it's platform independent, and it's faster than |
| 2:10.1 | normal JavaScript. So with it running faster and more efficient, it of course makes a great tool for attackers to run crypto miners in users' browsers. |
| 2:24.1 | That's something, of course, that we've heard of before, typically implemented in JavaScript way back in the day. |
| 2:30.5 | There was good old Coin Hive service that made that really easy. But with Coin Hive shutting down |
| 2:37.9 | and also browsers implemented actually some features in JavaScript that made it more difficult |
| 2:44.5 | to sort of abuse the crypto functions in JavaScript. That pretty much has sort of put the traditional JavaScript-based |
| 2:52.7 | cryptojacking at a halt. Now, Sucuri Security has found an attack affecting multiple |
| 3:01.8 | websites that essentially resurrects that old cryptojacking idea. Now it's implemented in WebAssembly, |
| 3:09.3 | so some of the countermeasures that browsers implemented don't actually work here. And Sucuri |
... |