
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS Stormcast Tuesday, October 21st, 2025: Syscall() Obfuscation; AWS down; Beijing Time Attack
Oct 20, 2025
Discover how Python fileless malware cleverly uses syscall() to evade detection by creating in-memory file handles. AWS recently faced significant outages, causing disruptions across various services. Meanwhile, concerns rise over compromised time servers in Beijing, pointing to potential vulnerabilities in time integrity. Tune in for insights into these pressing cyber security issues!
AI Snips
Syscall-Based Fileless Malware
- Python malware can invoke the raw syscall() entry point (via ctypes) to obtain a file descriptor that exists only in memory, the Linux memfd_create mechanism, so the payload is written and used without ever touching a filesystem path.
- Because nothing is written to disk, on-access file scanners and traditional file-based signatures never see the payload; this adds stealth even to simple proof-of-concept samples.
Proof-Of-Concept Python Ransomware
- Xavier examined a Python proof-of-concept that implemented pseudo-ransomware with a single one-byte XOR key, which leaves only 256 possible keys.
- Johannes notes the sample is simplistic and easily brute-forced, but highlights the potential of the fileless mechanism it is paired with.
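To show why a one-byte XOR "ransomware" is trivially reversible, here is an added example (not the sample Xavier analysed, and not the podcast's code) that encrypts a handful of constructed victim files with a single byte key and then recovers that key two ways: a known-plaintext attack on any file with a recognisable magic number, and, when no magic is available, a brute force over all 256 keys scored by how English-like the result looks. The file contents, the key 0x5A, and the magic-number table are assumptions made for the demonstration.

```python
from typing import Dict, Optional, Tuple

# Constructed victim files (assumption for this example): real-world magic
# numbers where the format has one, plain text where it does not.
VICTIM_FILES: Dict[str, bytes] = {
    "report.pdf": b"%PDF-1.7\n1 0 obj << /Type /Catalog >>\n",
    "photo.png": b"\x89PNG\r\n\x1a\n" + bytes(range(32)),
    "notes.txt": b"Quarterly numbers look fine, send to finance.\n",
}

# Known leading bytes per extension; any one such file leaks the key.
KNOWN_MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG\r\n\x1a\n", ".gz": b"\x1f\x8b"}

# Letters that dominate English text; used only for the no-magic fallback.
COMMON = set(b" etaoinshrdlu")


def xor_bytes(data: bytes, key: int) -> bytes:
    """One-byte XOR is its own inverse: the same call encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def pseudo_ransom(files: Dict[str, bytes], key: int) -> Dict[str, bytes]:
    """What the toy ransomware does: one key, every file."""
    return {name: xor_bytes(data, key) for name, data in files.items()}


def key_from_known_magic(ciphertext: bytes, magic: bytes) -> Optional[int]:
    """Known-plaintext attack: key = c[0] ^ p[0], confirmed against the rest of the magic."""
    if len(ciphertext) < len(magic):
        return None
    key = ciphertext[0] ^ magic[0]
    return key if xor_bytes(ciphertext[: len(magic)], key) == magic else None


def english_score(data: bytes) -> int:
    """Reward common English bytes, tolerate other printable bytes, punish control bytes."""
    score = 0
    for b in data:
        if b in COMMON:
            score += 2
        elif 32 <= b < 127 or b in (9, 10, 13):
            score += 1
        else:
            score -= 5
    return score


def brute_force_key(ciphertext: bytes) -> Tuple[int, int]:
    """No magic available: try all 256 keys and keep the most text-like decryption."""
    return max(((k, english_score(xor_bytes(ciphertext, k))) for k in range(256)),
               key=lambda kv: kv[1])


def recover(encrypted: Dict[str, bytes]) -> Tuple[int, Dict[str, bytes]]:
    """Recover the shared key from any file with a known header (fall back to
    scoring), then decrypt every file with it."""
    key: Optional[int] = None
    for name, data in encrypted.items():
        ext = name[name.rfind("."):]
        if ext in KNOWN_MAGIC:
            key = key_from_known_magic(data, KNOWN_MAGIC[ext])
            if key is not None:
                break
    if key is None:
        key, _ = brute_force_key(next(iter(encrypted.values())))
    return key, {name: xor_bytes(data, key) for name, data in encrypted.items()}


if __name__ == "__main__":
    locked = pseudo_ransom(VICTIM_FILES, 0x5A)
    key, restored = recover(locked)
    print(f"recovered key 0x{key:02x}, files intact: {restored == VICTIM_FILES}")
```

The design point is that a single static byte applied to every file means one leaked plaintext byte (a PDF or PNG header is enough) decrypts the whole victim set, and even without a header the key space is small enough that a crude frequency score separates the right key from the other 255.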
Detection Gaps With Fileless Techniques
- A Python script calling syscall() directly is itself a signal worth flagging, yet detection of even this simple usage remains inconsistent across scanners.
- Fileless techniques widen the gap between malicious capability and signature-based detection reliability.
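Added example (not code from the analysed sample or the podcast) covering both the technique in "Syscall-Based Fileless Malware" and the detection gap described here: the first function creates an in-memory file through the raw syscall() entry point, which on Linux is memfd_create(2) (the syscall numbers for each architecture and the MFD_CLOEXEC flag are the real kernel values); the rest shows the host-side check a defender can run, because a memfd still appears in /proc/<pid>/fd as a symlink of the form "/memfd:<name> (deleted)" even though no file scanner will ever see it. The payload bytes and the memfd name "payload" are constructed for the demonstration; the whole thing only works on Linux with /proc mounted.

```python
import ctypes
import os
import platform
import sys
from typing import List, Optional, Tuple

# memfd_create(2) numbers are architecture specific; the libc wrapper hides
# that, calling syscall() directly does not.
MEMFD_CREATE_NR = {"x86_64": 319, "aarch64": 279, "i386": 356, "i686": 356}
MFD_CLOEXEC = 0x0001

# Constructed stand-in payload (assumption); the real sample is not reproduced.
SAMPLE_PAYLOAD = b"#!/bin/sh\necho this never touched a filesystem path\n"


def create_memfd(name: str, payload: bytes) -> int:
    """Create an anonymous in-memory file via the raw syscall() entry point and
    fill it with payload. Returns the descriptor. Linux only."""
    if not sys.platform.startswith("linux"):
        raise OSError("memfd_create is a Linux system call")
    nr = MEMFD_CREATE_NR.get(platform.machine())
    if nr is None:
        raise OSError("no memfd_create number known for " + platform.machine())
    libc = ctypes.CDLL(None, use_errno=True)   # dlopen(NULL): resolves libc's syscall()
    libc.syscall.restype = ctypes.c_long
    fd = libc.syscall(ctypes.c_long(nr), ctypes.c_char_p(name.encode()),
                      ctypes.c_uint(MFD_CLOEXEC))
    if fd < 0:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err))
    os.write(fd, payload)
    os.lseek(fd, 0, os.SEEK_SET)
    return fd


def list_fd_links(pid) -> List[Tuple[int, str]]:
    """Read the symlink targets under /proc/<pid>/fd; entries that vanish
    mid-scan (a descriptor closed while we look) are skipped."""
    fd_dir = f"/proc/{pid}/fd"
    links = []
    for entry in os.listdir(fd_dir):
        try:
            links.append((int(entry), os.readlink(os.path.join(fd_dir, entry))))
        except (FileNotFoundError, PermissionError):
            continue
    return links


def suspicious_fds(fd_links: List[Tuple[int, str]]) -> List[Tuple[int, str]]:
    """Flag descriptors backed by an anonymous memfd ("/memfd:<name> (deleted)")
    or by a regular file unlinked after opening, another fileless pattern."""
    return [(fd, target) for fd, target in fd_links
            if target.startswith("/memfd:") or target.endswith(" (deleted)")]


def memfd_roundtrip() -> Optional[str]:
    """Create a memfd in this process, confirm the payload reads back, and return
    how the descriptor shows up in /proc/self/fd. Returns None where the
    technique is unavailable (non-Linux, seccomp filter, no procfs)."""
    try:
        fd = create_memfd("payload", SAMPLE_PAYLOAD)
    except OSError:
        return None
    try:
        if os.read(fd, len(SAMPLE_PAYLOAD)) != SAMPLE_PAYLOAD:
            return None
        hits = [target for n, target in suspicious_fds(list_fd_links("self")) if n == fd]
        return hits[0] if hits else None
    except OSError:
        return None
    finally:
        os.close(fd)


if __name__ == "__main__":
    print("memfd as seen in /proc/self/fd:", memfd_roundtrip())
```

Run it on a Linux host and the descriptor shows up as something like "/memfd:payload (deleted)"; that string, or a bare "/proc/<pid>/fd" sweep for it across all processes, is the cheap detection that closes part of the gap a file-based scanner leaves open. The "(deleted)" branch also catches the older trick of writing a dropper, executing it and unlinking it immediately.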
