🗓️ 20 October 2025
⏱️ 9 minutes
| 0:00.0 | Hello and welcome to the Tuesday, October 21st, 2025 edition of the SANS Internet Storm Center's Stormcast. |
| 0:13.1 | My name is Johannes Ullrich, recording today from Jacksonville, Florida. |
| 0:18.3 | And this episode is brought to you by the sans.edu graduate certificate program in |
| 0:22.8 | cyber defense operations. In diaries today, we have Xavier talk about Python malware. Well, that's |
| 0:30.4 | of course Xavier's thing. And this time, Xavier ran into interesting Python malware that uses |
| 0:37.1 | syscall. |
| 0:38.5 | Syscall, of course, can be used to call operating system functions. |
| 0:44.1 | In this particular case, it calls a function that will create a file handle in memory, |
| 0:50.4 | allowing for the malware itself to write then into memory, creating fileless |
| 0:56.1 | malware. Now, the malware itself is not really that remarkable, as Xavier points out, it appears |
| 1:02.4 | to be more of a proof of concept. It implements sort of some pseudo-ransomware in the sense that |
| 1:08.5 | it encrypts files with a one-byte XOR key, so something that would be |
| 1:13.3 | rather easy to brute-force and then to decrypt, which probably could, of course, then |
| 1:20.5 | after they sort of got that fileless part working right, be replaced with a more sophisticated |
| 1:26.3 | encryption feature. This particular malware is |
| 1:30.7 | somewhat recognized by various scanners according to VirusTotal, but still not a great |
| 1:38.0 | sort of detection rate here, even though that call to syscall should be somewhat suspicious the way it's being used here. |
| 1:47.1 | And of course, the big news today was another outage at AWS, apparently affecting the US-East-1 |
| 1:54.1 | region, which usually tends to be one of those crucial regions if it fails. |
| 1:59.8 | Well, many other things fail as well. |
| 2:03.4 | There are a number of different sites and services that were affected by this outage. |
| 2:09.4 | And if you had problems going to any number of different websites or using services and the like, you probably ran into some |
... |
Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.
Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.