
Stormcast Discusses Steganography, Malicious Python Modules, and Email Fraud
In this May 2, 2025 edition of the Stormcast from SANS and the Storm Center, Johannes Ullrich, recording from Jacksonville, Florida, addresses several current topics in cybersecurity.

The first topic is steganography, the technique of hiding messages or binaries inside images. Ullrich discusses pngdump.py, a tool developed by DDA that decompresses a PNG image and displays the raw, uncompressed pixel values. This is useful for steganography because it exposes the individual bits that can be manipulated without visibly altering the image. Ullrich explains that PNG's lossless compression is essential here: it preserves the small bit modifications that lossy compression would discard. DDA has also developed formatbytes, which extracts individual bits from the pixel stream obtained with pngdump.py and reconstructs data, such as executables, from that bitstream. The method is illustrated by comparing two images, one containing a hidden message and one without, using the least significant bit method.

Next, Ullrich discusses a blog post by Olivia Brown of Socket, a software security company, about malicious Python modules that use Gmail as a command and control channel, an unusual technique for this kind of malware. The modules connect to Gmail's submission port and use hardcoded credentials to send emails to another Gmail address. Although this is less discreet than other approaches, such as exchanging data through email drafts, it has been effective for several years. From a defensive standpoint, these modules are hard to detect because they use the standard Gmail submission port; however, closer monitoring of network segments that do not normally send email to Gmail could help identify them. Ullrich stresses the importance of vetting the libraries in use and watching for abnormal network behavior.
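As an added illustration of the least significant bit method described in the steganography segment above (not code from the episode or from the pngdump.py and formatbytes tools), the Python below works on raw pixel bytes such as pngdump.py exposes: it embeds a payload, performs the bit extraction and repacking step that formatbytes handles, compares a clean image against a suspect one, and applies a crude lossy requantization to show why lossless PNG compression matters. The cover image and payload are constructed sample data.

```python
"""LSB steganography on raw pixel bytes, as pngdump.py would expose them."""

# Constructed sample "image": 64 grayscale pixel values (no real PNG involved).
COVER = bytes((i * 37 + 11) % 256 for i in range(64))
# Constructed payload: 8 bytes = 64 bits, one bit per pixel byte.
PAYLOAD = b"ISC-2025"


def to_bits(data: bytes) -> list[int]:
    """Expand bytes into a list of bits, most significant bit first."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Write each payload bit into the least significant bit of a pixel byte."""
    bits = to_bits(payload)
    if len(bits) > len(cover):
        raise ValueError("payload does not fit in the cover image")
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit  # each pixel value changes by at most 1
    return bytes(out)


def extract_lsb(stego: bytes, n_bytes: int) -> bytes:
    """Collect the LSB of each pixel byte and repack the bitstream into bytes,
    the step formatbytes performs on the pixel dump from pngdump.py."""
    bits = [p & 1 for p in stego[: n_bytes * 8]]
    return bytes(
        sum(bit << (7 - j) for j, bit in enumerate(bits[k : k + 8]))
        for k in range(0, len(bits), 8)
    )


def lsb_diff(a: bytes, b: bytes) -> list[int]:
    """Indices where two same-size images differ only in the LSB plane,
    i.e. the clean-versus-suspect comparison from the episode."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if (x ^ y) == 1]


def lossy_requantize(pixels: bytes, step: int = 4) -> bytes:
    """Crude stand-in for lossy compression: snap each value to a multiple of
    `step`, which discards exactly the low bits that carry the payload."""
    return bytes((p // step) * step for p in pixels)
```

Running `extract_lsb(embed_lsb(COVER, PAYLOAD), 8)` recovers the payload, while the same extraction after `lossy_requantize` yields only zero bytes, which is the lossless-versus-lossy point made in the episode.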
Another topic is business email compromise fraud, in which attackers infiltrate email systems to send fraudulent requests to update banking information. Although this technique has been known for years, it remains effective and must be countered with strict business rules, such as requiring written or verbal confirmation before critical information is changed.

Finally, Ullrich reminds listeners of the annual SANS research journal, published during RSA week, which contains articles on topics such as QUIC, a newer transport protocol, and invites listeners to consult it to deepen their knowledge of cybersecurity. In conclusion, this edition of the Stormcast gives a detailed overview of steganography techniques, the threat posed by malicious Python modules, and business email compromise fraud, while emphasizing the importance of vigilance and sound security practices.