SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Wednesday, May 7th: Infostealer with Webserver; Android Update; CISA Warning

SANS ISC Handlers

Tech News, News, Technology

🗓️ 7 May 2025

⏱️ 7 minutes

Summary


Python InfoStealer with Embedded Phishing Webserver
Didier found an interesting infostealer that, in addition to implementing typical infostealer functionality, includes a web server suitable to create local phishing sites.
https://isc.sans.edu/diary/Python%20InfoStealer%20with%20Embedded%20Phishing%20Webserver/31924
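The evasion the diary describes, a lookalike login page served from the loopback interface so that the URL blocklists protecting a phishing target never see it, suggests a host-side check. The Python below is an added defender's example, not code from the diary or from the malware: it parses `ss -ltnp` style output, keeps only listeners bound to loopback, and flags those whose served page contains a password field, with a brand keyword recorded as a confidence booster. The listener lines, page bodies and brand list are all constructed for this illustration, and the `SAMPLE_PAGES` dictionary stands in for whatever a collector would fetch from each local port.

```python
import re
from dataclasses import dataclass, field

# Constructed `ss -ltnp` style output for this illustration (not taken from the ISC diary).
# The two python3 lines stand in for a hypothetical local phishing server; sshd and cupsd
# are ordinary listeners that the check must not flag.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      5      127.0.0.1:8080     0.0.0.0:*         users:(("python3",pid=4242,fd=5))
LISTEN 0      128    127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=1020,fd=7))
LISTEN 0      5      [::1]:8443         [::]:*            users:(("python3",pid=4242,fd=6))
"""

# Constructed page bodies, keyed by (address, port), as a collector might fetch them.
SAMPLE_PAGES = {
    ("127.0.0.1", 8080): (
        "<html><head><title>Sign in - Google Accounts</title></head><body>"
        '<form action="/login" method="post"><input type="email" name="identifier">'
        '<input type="password" name="password"><button>Next</button></form></body></html>'
    ),
    ("127.0.0.1", 631): "<html><head><title>CUPS 2.4</title></head><body><p>Printers</p></body></html>",
    ("::1", 8443): '<html><body><form><input type=PASSWORD name="pw"></form></body></html>',
}

# Brand names a lookalike login page commonly borrows (illustrative list, extend as needed).
BRAND_RE = re.compile(r"\b(google|gmail|microsoft|office ?365|outlook|apple|icloud|paypal|facebook)\b", re.I)
# An <input> whose type attribute is "password", quoted or not, any case.
PASSWORD_INPUT_RE = re.compile(r"<input\b[^>]*\btype\s*=\s*[\"']?password\b", re.I)
# LISTEN rows of ss output: local address, port, process name and pid.
SS_LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)')


@dataclass
class Listener:
    addr: str
    port: int
    process: str
    pid: int

    @property
    def is_loopback(self) -> bool:
        return self.addr == "::1" or self.addr.startswith("127.")


@dataclass
class Finding:
    listener: Listener
    reasons: list = field(default_factory=list)


def parse_ss_output(text: str) -> list:
    """Parse LISTEN rows of `ss -ltnp` output into Listener objects (IPv6 brackets stripped)."""
    listeners = []
    for line in text.splitlines():
        m = SS_LINE_RE.match(line)
        if not m:
            continue  # header line or a socket state we do not care about
        addr, port, proc, pid = m.groups()
        listeners.append(Listener(addr.strip("[]"), int(port), proc, int(pid)))
    return listeners


def page_reasons(html: str) -> list:
    """Return the indicators that make a served page look like a credential prompt."""
    reasons = []
    if PASSWORD_INPUT_RE.search(html):
        reasons.append("password-field")
    brand = BRAND_RE.search(html)
    if brand:
        reasons.append("brand:" + brand.group(1).lower())
    return reasons


def find_suspicious(listeners, pages) -> list:
    """Flag loopback-only listeners that serve a page with a password field.

    A brand keyword alone is not enough (a local admin tool may mention one) and a
    password field on a non-loopback service is ordinary, so both conditions are required.
    """
    findings = []
    for lst in listeners:
        if not lst.is_loopback:
            continue
        html = pages.get((lst.addr, lst.port))
        if html is None:
            continue  # nothing fetched for this listener
        reasons = page_reasons(html)
        if "password-field" in reasons:
            findings.append(Finding(lst, reasons))
    return findings


if __name__ == "__main__":
    for f in find_suspicious(parse_ss_output(SAMPLE_SS_OUTPUT), SAMPLE_PAGES):
        l = f.listener
        print(f"{l.process}[{l.pid}] on {l.addr}:{l.port} -> {', '.join(f.reasons)}")
```

On the constructed data the check reports the two python3 listeners and ignores sshd (not loopback) and cupsd (no password field). In a real deployment the page bodies would come from fetching each loopback port, and the process name and binary path of the flagged listener are what an analyst would pivot on next.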
Android Update Fixes Freetype 0-Day
Google released its monthly Android update. As part of the update, it patched a vulnerability in FreeType that is already being exploited. Android is not alone in using FreeType. FreeType is a very commonly used library to parse fonts like TrueType fonts.
https://source.android.com/docs/security/bulletin/2025-05-01
CISA Warns of Unsophisticated Cyber Actors
CISA released a report with an interesting title, warning operators of operational technology networks of ubiquitous attacks by unsophisticated actors. It emphasizes how important it is not to forget the basic security measures that defend against these attacks.
https://www.cisa.gov/news-events/alerts/2025/05/06/unsophisticated-cyber-actors-targeting-operational-technology

Transcript

0:00.0

Hello and welcome to the Wednesday, May 7, 2025 edition of the SANS Internet Storm Center's Stormcast.

0:08.3

My name is Johannes Ulrich and today I'm recording from San Diego, California.

0:13.8

Xavier today wrote about a Python InfoStealer.

0:17.3

Now, at first it looks like any other info stealer.

0:20.4

It, well, does its info stealer things.

0:22.0

Like it checks if it's running in a debugger.

0:24.9

It has some anti-VM features.

0:28.0

It of course steals your information and then exfiltrates it via telegram as encrypted files.

0:34.8

And that's some of the usual add-ons, like for example the ability to take screen

0:40.2

captures. What's a little bit different about this particular info stealer is that it also includes

0:46.3

a web server, and the intent of this web server appears to be to emulate different login pages

0:53.0

like, for example, Google's. By doing so via the

0:57.6

loopback interface, they may be trying to evade some block lists and such that are often being

1:04.1

used to control access to phishing websites. Overall, this particular info stealer appears to be also a little bit incomplete.

1:14.2

And there are no certificates for the web server that Xavi was able to recover.

1:20.1

And that's likely then part of the more complete package that's going to be delivered to the victim.

1:28.9

And Google today had its monthly Patch Tuesday for Android.

1:32.8

There was one particular vulnerability, a remote code execution vulnerability in the FreeType

1:39.4

library that's already being exploited.

1:43.1

Now, what's sort of also interesting here is that this FreeType library is not unique to Android.

1:49.5

It's used in multiple open source projects.

1:53.7

It's a very commonly used library.

...
