SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Thursday, June 12th, 2025: Quasar RAT; Windows 11 24H2 Delay; SMB Client Vuln PoC; Connectwise Signing Keys; KDE Telnet code exec


SANS ISC Handlers

Tech News, News, Technology


🗓️ 12 June 2025

⏱️ 6 minutes


Summary


Quasar RAT Delivered Through Bat Files
Xavier walks you through a quick reverse analysis of a script that injects code extracted from a PNG image to deploy a Quasar RAT.
https://isc.sans.edu/diary/Quasar%20RAT%20Delivered%20Through%20Bat%20Files/32036
Delayed Windows 11 24H2 Rollout
Microsoft slightly throttled the rollout of Windows 11 24H2 due to issues stemming from the Patch Tuesday fixes.
https://learn.microsoft.com/en-us/windows/release-health/windows-message-center#3570
An In-Depth Analysis of CVE-2025-33073
Patch Tuesday fixed an already exploited SMB client vulnerability. A blog by Synacktiv explains the nature of the issue and how to exploit it.
https://www.synacktiv.com/en/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
Connectwise Rotating Signing Certificates
Connectwise is rotating signing certificates after a recent compromise, and will release a new version of its Screen share software soon to harden its configuration.
https://www.connectwise.com/company/trust/advisories
KDE Telnet URL Vulnerability
The Konsole delivered as part of KDE may be abused to execute arbitrary code via telnet URLs.
https://kde.org/info/security/advisory-20250609-1.txt

Transcript


0:00.0

Hello and welcome to the Thursday, June 12, 2025 edition of the SANS Internet Storm Center's Stormcast.

0:08.5

My name is Johannes Ullrich, and this episode, brought to you by the SANS.edu undergraduate certificate program in Applied Cybersecurity, is recorded in Jacksonville, Florida.

0:20.8

Well, in diaries today, we have Xavier looking at yet another image.

0:25.4

This time, it actually leads to the install of a Quasar Remote Admin tool.

0:32.1

Now, it all starts pretty innocuous with a little bat file.

0:36.6

That file will download the actual installer, injector.

0:41.6

It'll also load a normal Word document.

0:45.2

And that's typically done because the user just clicked on something that looked like a

0:50.0

word document.

0:51.0

So after starting the malicious code, the malware loads an actual Word document.

0:56.7

So the user really thinks nothing bad happened.

1:00.0

Well, the second stage then will download this kind of noisy looking image.

1:08.4

This is actually encrypted code that will then be injected into the running process

1:14.6

here by the batch file that was downloaded. Also interesting that the second stage being downloaded

1:21.3

relies on environment variables defined by the first stage. That way, if someone would just reverse analyze the second stage without having access

1:32.1

to the first stage, then of course that wouldn't execute, wouldn't actually do anything bad.

1:37.7

For example, like if you would just quickly load that script into sandbox or such by itself, well, it wouldn't

1:45.9

really show up as malicious.

1:49.3

VirusTotal doesn't do

1:51.5

a good job here. I should say

1:53.9

the antivirus tools

1:55.8

beings of represented by


Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.

Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.
