Hello and welcome to the Thursday, May 8th, 2025 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from San Diego, California.

Today's diary comes from Xavier, and Xavier takes a look at an interesting piece of matter.

This matter is written in dot net, not Python, for a change,

and it is thinked itself by being very modular. Now, the way the modularity is implemented is

if a particular feature is needed, the particular module a DLL file is loaded from GitHub, and then installed on the system.

Some of these modules, for example, can install a root kit. There is a token grabber module.

There also is a password stealer, and then the one module that Xadri looks at a little bit closer

is implementing some webcam functionality.

The advantage of malware like this is that the initial download, first of all, is smaller and is also less likely going to trigger alerts because it doesn't contain any code that indicates that it may act malicious.

That's only then added again later on demand.

And since this malware is reasonably simple built, it's not obvious gated,

it makes it a great sort of little learning tool in order to better understand how malware works.

Let me have an interesting vulnerability to talk about again from sort of friends of the show

Watchtower. This vulnerability affects CIS aid. CIS aid is an IT service management platform,

so it allows you to let help desk tickets, inventory, and various other sort of IT management tasks.

Of course, software like this is always in the crosshairs of ransomware gangs,

given that they're also often used by outsourced IT management companies

that would give an actor access to multiple entities using one compromised

CIS aid instance.

Now the vulnerabilities here start out with XML external entity vulnerabilities.

It's a little bit weird vulnerability if you're not familiar with XML.

...