SANS Stormcast Tuesday, July 8th, 2025: Detecting Filename (Windows); Atomic Stealer now with Backdoor; SEO Scams
4 snips Jul 8, 2025
Discover how malware can cleverly detect its environment through filename tricks, making analysis difficult. A new version of the Atomic macOS info-stealer, equipped with a backdoor, enables attackers to maintain persistent access to compromised systems. The podcast also dives into alarming SEO scams promoting trojaned versions of popular tools, showcasing the dangers of malvertising. Learn about vulnerabilities exploited by attackers that could lead to remote code execution on cloud services.
AI Snips
Detect Malware Renaming in Windows
- Malware calls the Windows API GetModuleFileName to check whether its own executable has been renamed.
- It then compares the filename against a blocklist or allowlist of names to decide whether to run.
Malware Detects Filename Tricks to Outsmart Sandboxes on Windows
Malware authors use the Windows GetModuleFileName API to check whether their binary was renamed, a common analyst practice when handling suspected malware. By passing NULL as the first (module handle) parameter, the malware retrieves the path of its own executable and compares the filename against names analysts and sandboxes commonly use, such as sample.exe or malware.exe.
This lets the malware refuse to run in analysis environments, where the file is typically renamed, and so evade detection. It carries a risk of false positives, though: a user who innocently renames the file triggers the same check.
Understanding this anti-analysis trick is important for developing sandbox countermeasures and analysis strategies that defeat it.
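A defender-side static triage heuristic for the behaviour described above, added here as an example and not part of the podcast or its notes: it flags a binary that both references GetModuleFileName* and embeds the decoy names malware compares its own path against. The decoy-name list and the sample bytes are constructed assumptions, and the wide-string handling covers the UTF-16LE strings Windows binaries usually carry.

```python
"""Static triage heuristic: flag blobs that both reference GetModuleFileName*
and embed typical sandbox/analyst sample names (an anti-analysis indicator)."""

# Sandbox/analyst-style names malware compares its own path against.
# Constructed list for this example; extend it from your own casework.
DECOY_NAMES = ("sample.exe", "malware.exe", "virus.exe", "test.exe")

# Import names (ASCII in the import table) used to fetch the process's own path.
API_NAMES = ("GetModuleFileNameA", "GetModuleFileNameW",
             "GetModuleFileNameExA", "GetModuleFileNameExW")


def find_strings(blob: bytes, needles, case_insensitive=True):
    """Return the needles present in blob as ASCII or UTF-16LE strings."""
    hay = blob.lower() if case_insensitive else blob
    hits = []
    for n in needles:
        s = n.lower() if case_insensitive else n
        if s.encode("ascii") in hay or s.encode("utf-16-le") in hay:
            hits.append(n)
    return hits


def assess(blob: bytes) -> dict:
    """Both indicators together (API reference AND decoy names) => suspicious."""
    apis = find_strings(blob, API_NAMES, case_insensitive=False)
    decoys = find_strings(blob, DECOY_NAMES)
    return {"apis": apis, "decoys": decoys,
            "suspicious": bool(apis) and bool(decoys)}


# Constructed stand-in for a file under triage: an ASCII import name plus
# two UTF-16LE (Windows wide-string) decoy filenames in mixed case.
SAMPLE = (b"\x00GetModuleFileNameW\x00"
          + "C:\\sample.exe".encode("utf-16-le") + b"\x00\x00"
          + "Malware.EXE".encode("utf-16-le") + b"\x00\x00"
          + b"GetCurrentProcessId\x00")

# Constructed benign-looking blob: names the API but no decoy filenames.
BENIGN = b"GetModuleFileNameA\x00update.exe\x00"

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE), ("benign", BENIGN)):
        print(name, assess(blob))
```

String presence is a weak signal on its own; in real triage, confirm the import through the PE import table (for example with pefile) and treat the decoy-name hit as a prompt to run the sample under its original filename.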
Atomic Stealer Gains Backdoor
- The Atomic Stealer for macOS now includes a persistent backdoor for attackers.
- This escalation allows more complete remote control over compromised Macs than before.