SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Tuesday, July 8th, 2025: Detecting Filename (Windows); Atomic Stealer now with Backdoor; SEO Scams

SANS ISC Handlers

Tech News, News, Technology

🗓️ 8 July 2025

⏱️ 5 minutes

Summary


What's My (File) Name?
Malware may use the GetModuleFileName API to detect whether it was renamed to a name typical for analysis, like sample.exe or malware.exe.
https://isc.sans.edu/diary/What%27s%20My%20%28File%29Name%3F/32084
Atomic macOS infostealer adds backdoor for persistent attacks
Malware analysts discovered a new version of the Atomic macOS info-stealer (also known as 'AMOS') that comes with a backdoor, giving attackers persistent access to compromised systems.
https://moonlock.com/amos-backdoor-persistent-access
Houken: Seeking a Path by Living on the Edge with Zero-Days
At the beginning of September 2024, an attacker repeatedly exploited the vulnerabilities CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380 to remotely execute arbitrary code on vulnerable Ivanti Cloud Service Appliance devices.
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2025-CTI-009.pdf
SEO Scams Targeting PuTTY, WinSCP, and AI Tools
Paid Google ads are advertising trojanized versions of popular tools like PuTTY and WinSCP.
https://arcticwolf.com/resources/blog-uk/malvertising-campaign-delivers-oyster-broomstick-backdoor-via-seo-poisoning-and-trojanized-tools/
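The first item above describes the GetModuleFileName trick in one sentence. The following is an added example (not code from Xavier's diary or from any real sample) showing what the check looks like from the malware author's side, and why it is easy to sidestep: the running executable's path is fetched (GetModuleFileNameA with a NULL module handle on Windows; on Linux, where this example can also be compiled, /proc/self/exe stands in for it), the basename is extracted, and it is compared case-insensitively against a constructed block list of analyst-style names. An allow-list variant, where the binary only runs under the exact name the attacker gave it, is included as well; the block-list names, the expected name and the sample paths are all assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <unistd.h>
#include <limits.h>
#endif

/* Constructed block list: file names analysts commonly give samples.
 * Hypothetical for this example; a real sample's list would differ. */
static const char *kSuspiciousNames[] = {
    "sample.exe", "malware.exe", "virus.exe", "test.exe", "sample.bin", NULL
};

/* Return a pointer to the last path component. Both separator styles are
 * handled, since analysts often run samples from shared folders. */
const char *path_basename(const char *path) {
    const char *base = path;
    for (const char *p = path; *p; ++p)
        if (*p == '/' || *p == '\\') base = p + 1;
    return base;
}

/* Case-insensitive equality (Windows file names are case-insensitive). */
static int ieq(const char *a, const char *b) {
    for (; *a && *b; ++a, ++b)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == '\0' && *b == '\0';
}

/* Block-list check: 1 if the basename is one an analyst would use. */
int name_is_suspicious(const char *path) {
    const char *base = path_basename(path);
    for (const char **n = kSuspiciousNames; *n; ++n)
        if (ieq(base, *n)) return 1;
    return 0;
}

/* Allow-list check: 1 only if the basename is exactly the expected name.
 * Note that a copy saved as "name (1).exe" fails this check, which is the
 * false-positive risk mentioned in the episode. */
int name_is_expected(const char *path, const char *expected) {
    return ieq(path_basename(path), expected);
}

/* Fetch the running executable's own path. On Windows this is the
 * GetModuleFileName call from the diary; hModule == NULL selects the
 * process's main executable. Returns 1 on success. */
int get_self_path(char *buf, size_t n) {
#ifdef _WIN32
    DWORD r = GetModuleFileNameA(NULL, buf, (DWORD)n);
    return r > 0 && r < n;           /* r == n means truncated */
#else
    ssize_t r = readlink("/proc/self/exe", buf, n - 1);
    if (r < 0) return 0;
    buf[r] = '\0';
    return 1;
#endif
}

int main(void) {
    char self[4096];
    if (!get_self_path(self, sizeof self)) {
        puts("could not determine own path");
        return 1;
    }
    printf("running as: %s\n", self);
    if (name_is_suspicious(self)) {
        puts("analysis-style file name detected, refusing to run");
        return 0;
    }
    /* Hypothetical expected name for the allow-list variant. */
    if (!name_is_expected(self, "update_7f3a.exe"))
        puts("not running under the assigned name (allow-list check fails)");
    puts("proceeding");
    return 0;
}
```

For analysts the practical takeaway is the inverse of the check: keep the original file name (or give the sample an innocuous, non-generic one) when detonating it, and treat a call to GetModuleFileName followed by string comparisons against names like these as a cheap indicator of evasion logic when reviewing a disassembly.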

Transcript

0:00.0

Hello and welcome to the Tuesday, July 8, 2025 edition of the SANS Internet Storm Center's

0:07.3

Stormcast. My name is Johannes Ullrich, and this episode, brought to you by the sans.edu undergraduate certificate program in cybersecurity fundamentals, is recorded in Jacksonville, Florida.

0:20.8

Attackers have a pretty impressive arsenal in tools and tricks that they're using to figure

0:26.1

out if malware they wrote is running in some kind of artificial environment used to

0:32.8

analyze that malware.

0:34.5

One trick that Xavier is talking about is, well, detecting whether or not the

0:39.2

binary was renamed. Quite often when analysts are running malicious code in some kind of

0:46.7

sandbox, a virtual machine or the like, they're renaming it. I actually often recommend

0:51.8

you rename it in order to accidentally run it on a real system.

0:57.3

So quite often it's being renamed into something like sample.exe or malware.exe. Well, Xavier is

1:05.3

talking today about how an attacker may detect if their script was renamed in particular on Windows. Windows offers a specific

1:15.8

API for this, GetModuleFileName. If you leave the first of the three parameters set to

1:23.8

null, then it will return the name of the current program.

1:28.9

And that, of course, can easily then be compared to a block list, or, well, maybe attackers

1:34.7

like sometimes allow lists too, and will only allow the software to run if it has a very

1:41.3

specific name that the attacker assigned it.

1:44.1

Of course, this could again lead to false positives

1:46.9

where a user just renamed the file into something slightly different

1:51.5

and then it wouldn't run.

1:54.9

And talking about malware, we do have news for macOS users.

2:00.2

Moonlock Labs did find a new version of the Atomic Stealer. Atomic Stealer,

2:06.5

well known, has been around for a few years. It, well, was an info stealer, as the name implies

...

Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.

Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.