
SANS Internet Storm Center Podcast Discusses Advanced Malware Techniques
In the June 16, 2025 edition of the SANS Internet Storm Center's Stormcast podcast, Johannes Ullrich covers several notable topics in cybersecurity.

The episode opens with a detailed analysis of a malware sample that uses images to hide executables. The infection starts with a Microsoft Excel macro, a common but still effective way of concealing malicious activity. OllyDbg, a debugging tool, is used to extract the relevant data from the Excel spreadsheet. The second stage is particularly interesting: an HTML application is loaded, using its file name to obscure what it does. That application in turn runs a batch file, which downloads a JPEG image. Unlike earlier examples that used PNG images, this sample encloses the executable within the image between specific tags. The enclosed data is Base64-encoded; once decoded, it yields a DLL, which is then executed. The obfuscation is layered, but it can be unpicked with the right tools and knowledge.

Johannes Ullrich also mentions a malware campaign, named "JS Firetruck" by Palo Alto, that affected tens of thousands of vulnerable websites by injecting obfuscated JavaScript. The obfuscation technique is notable because it makes the JavaScript hard to read yet, paradoxically, easier to detect. Once decoded, the JavaScript redirects visitors to malicious sites, exploiting the trust users place in seemingly harmless websites.

Another topic is the abuse of user trust through Discord invitation links. Check Point published a blog post showing how attackers use customized invitation links to redirect users to malicious Discord servers. Such links, often shared and clicked long after they have expired, are exploited to redirect users to malicious sites. The technique shows how even popular communication platforms can be turned to malicious ends.
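The tag-delimited Base64 embedding described for the JPEG stage lends itself to a simple defensive check: find tagged blobs in an image, decode them, and flag any that carry a Windows PE header. The following Python scanner is an added example, not code from the podcast or the ISC; the delimiter tag names are assumed, since the episode does not give them, and the sample image and DLL stand-in are constructed inline.

```python
import base64
import re

# The podcast says the executable is enclosed between "specific tags" inside the
# JPEG but does not name them; these delimiters are an assumption for the example.
START_TAG = b"<<BASE64_START>>"
END_TAG = b"<<BASE64_END>>"

def extract_tagged_payloads(data, start=START_TAG, end=END_TAG):
    """Return every Base64 blob found between the tags, decoded to bytes."""
    pattern = re.compile(re.escape(start) + rb"(.*?)" + re.escape(end), re.DOTALL)
    payloads = []
    for match in pattern.finditer(data):
        blob = re.sub(rb"\s+", b"", match.group(1))  # tolerate line-wrapped Base64
        try:
            payloads.append(base64.b64decode(blob, validate=True))
        except ValueError:  # binascii.Error is a ValueError: not Base64, skip it
            continue
    return payloads

def looks_like_pe(blob):
    """Cheap PE (EXE/DLL) check: 'MZ' DOS header and a PE signature at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def scan_image(data):
    """Return the decoded payloads hidden in an image that look like PE files."""
    return [p for p in extract_tagged_payloads(data) if looks_like_pe(p)]

def build_fake_pe():
    """Constructed stand-in for the DLL: valid MZ/PE headers, no code at all."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    header[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> PE signature
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 16

# Constructed sample: a minimal JPEG (SOI ... EOI) with the tagged payload appended.
SAMPLE_IMAGE = (
    b"\xff\xd8\xff\xe0" + b"\x00" * 32 + b"\xff\xd9"
    + b"\n" + START_TAG + base64.b64encode(build_fake_pe()) + END_TAG
)

if __name__ == "__main__":
    hits = scan_image(SAMPLE_IMAGE)
    print(f"{len(hits)} embedded PE payload(s) found in sample image")
```

Real samples may wrap the payload differently, so the tag values should be replaced with whatever the actual sample uses; the MZ/PE check then works unchanged.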
In conclusion, Johannes Ullrich emphasizes the importance of vigilance and regularly updating invitation links to avoid such attacks. He also reminds listeners of the importance of web application security, even for seemingly unimportant sites. The podcast ends with a reminder of the broadcast days and a thank you to listeners for their loyalty. For more details, watch the full video at the following address: https://www.youtube.com/watch?v=0SBZIyvP0I4