Hello and welcome to the Thursday, October 9th, 2025 edition of the Sands Internet Storm Centers.

Stormcast, my name is Johannes Ulrich, recording today from Denver, Colorado.

And this episode is brought you by the Sands.edu master's degree program in information security

engineering. Xavier again went out hunting for a malware on virus total and came across an

interesting Python script. That's actually polymorphic. Polymorphic code modifies itself

as it runs. The intent here is usually to evade signatures that may otherwise detect the malware.

Well, this turned out to be a remote access tool, a rat, and it took advantage of the Python Inspect module.

That module allows you to read the code from various functions and then, of course,

modified, and it's then being executed using the exec function in Python that will execute

the resulting string. It not only modifies code by, for example, exoring it and then decoding

it, but it also injects random junk code,

which will again mostly be used to full detection algorithms to not detect this particular malware.

So far, that seems to be somewhat successful with only two antivirus tools detecting it on virus total. Otherwise, this is your

standard rat. It has the standard functionality like keystroke loggers, reporting, retrieving

files, and the like. So it's certainly possibly dangerous malware. Whether or not this was

actually used in attack or is really sort of

a proof of concept, of course, is open at this point. And in vulnerabilities, we have a little bit

an odd vulnerability to start out with. It's not very severe, but I still decide to include it

because it's interesting how the vulnerability is being exploited

and also it affects SSH, which of course is a very widely used tool for secure remote access.

The problem with this vulnerability is the proxy command directive in SSH.

The intent of the proxy command directive is to, well, execute code before the connection is established.

...