ISC StormCast for Wednesday, February 21st, 2024
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS ISC Handlers
4.9 • 754 Ratings
🗓️ 21 February 2024
⏱️ 6 minutes
🧾️ Download transcript
Summary
Transcript
Click on a timestamp to play from that location
| 0:00.0 | Hello and welcome to the Wednesday, February 21st, 2004 edition of the Sands and Storms oners Stormcast. |
| 0:09.0 | My name is Johannes Ulrich and today I'm recording from Jacksonville, Florida. |
| 0:14.7 | Xavier today wrote up a new interesting infestiler written in Python. |
| 0:20.8 | One of the problems Malbert always is trying to cope with is that sometimes, well, |
| 0:26.8 | a malware is examined by researchers like Xavier and they try to prevent researchers from running |
| 0:35.2 | the malware inside a sandbox. |
| 0:44.5 | The sandbox are often virtual machines, so detecting sandboxes often comes down to detecting if the system is running inside a virtual machine. |
| 0:48.3 | The tricky part here is that researchers, of course, sometimes try to evade these detections by modifying |
| 0:55.4 | what values their virtual machines return for things like Mac adders or such that are often |
| 1:01.8 | being used. The trick that's being deployed by this latest Infostela Malver that Xavier ran into |
| 1:09.0 | is that they keep a list of these indicators online |
| 1:13.0 | on a website called Our Entry.C.O. |
| 1:16.7 | It's sort of a pastebin-like website. |
| 1:19.9 | And then the malware will check specific URLs on the website for the latest and greatest list of indicators, sort of a very typical signature update approach. |
| 1:32.0 | This particular list that Xaviya ran into was last updated on January 27th doesn't appear to be actively used at this point because this Rentry.C.O. website also nicely offers a view |
| 1:49.2 | counter telling you how often a particular file has been downloaded. And I think the lesson here |
| 1:56.3 | to any researchers that are using virtual machines is number one, and that shouldn't be new, |
| 2:01.2 | that attackers are trying to recognize them. |
| 2:04.6 | And number two, try to stay flexible, adjust your settings ever so often to evade these different evasion techniques. |
| 2:14.1 | And if you're using ConnectWise's screen connect in order to remote access desktops, well, it's time for you to update in particular if you're running the on-premise version of the software. |
| 2:29.0 | Cloud-based instances are already being taken care of by Connectwise, but on premise you have to update it |
| 2:35.8 | to fix two vulnerabilities, one with a CFSS score of 10, and that's an authentication bypass, using |
... |
Please login to see the full transcript.
Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.
Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.
Copyright © Tapesearch 2026.