
SANS Stormcast Tuesday, February 24th, 2026: Malicious JPEG Analysis; Calibre Vuln; jsPDF object injection; Roundcube Exploited
Hello and welcome to the Tuesday, February 24, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida, and this episode is brought to you by the SANS.edu Bachelor's degree program in Applied Cybersecurity. Well, in diaries today we have a malware analysis diary from Jan Yann, who looked at, well, as he calls it, yet another malicious JPEG file, an image in this case. But what actually arrived initially, and Jan focused a little bit more on the downloader here, was, well, a good old ZIP-compressed JavaScript file. Once decompressed there was over a megabyte of data. However, most of the data was garbage. So first obfuscation technique here, where the attacker is just adding some random garbage to the file in order to extend its size, make it a little bit more difficult to sort of analyze it, and sometimes also fool anti-malware engines into not actually looking at the file. Well, once all of that was removed there were only a couple kilobytes left. Actually, in the end only about a dozen or so lines were left that Jan actually had to deobfuscate further. And well, that's where he ended up with your standard downloader that would then download an image with attached scripts that would then in the end end up installing the Remcos RAT, well, remote access tool. So overall fairly standard malware. A couple lessons here from this one. The From was actually faked and would not make it past properly configured DMARC, DKIM, SPF, so those techniques are definitely very useful. Often even simple stuff like this gets missed by some anti-malware engines. So having that extra layer of basically fairly straightforward and simple defenses like DMARC certainly can make a difference here. And if you're using Calibre in order to read ebooks, well, pay attention. There are two critical vulnerabilities that were patched a couple days ago that allow for arbitrary path traversal and with that also for code execution.
The way this would be exploited is by someone tricking you into opening a crafted malicious ebook, and that would then save files in arbitrary directories as you're opening it. And with that, of course, you easily then have arbitrary code execution if these files are then being saved in the right directories. This is a very common issue we've talked about a lot with sort of various compressed formats. Of course ebooks are often distributed in these compressed formats that then extract into multiple files. And that's exactly sort of what's happening here, where Calibre isn't careful enough as to where it actually extracts those files, and then you have sort of a standard path traversal. Again, there are two distinct vulnerabilities, but they're very similar and both have the same CVSS score of 9.3. Then we have, well, a little bit ebook-related, a vulnerability in jsPDF. jsPDF is a JavaScript library to create, read, parse PDFs. Of course the problem with PDFs is that they may include JavaScript, and that's sort of where you have that good old problem, data and code being mixed, not properly sort of separated from each other. And yes, if a particular JavaScript segment is opened but not properly closed, you may have this execution of the JavaScript happening. This vulnerability is a little bit tricky in the sense that yes, there's a patch available, an exploit is available as well for it, but whether or not this is a problem for you depends a little bit on how you're using jsPDF, like what kind of PDFs you're rendering, what PDFs you're creating with it, where the data is coming from. So lots of dependencies here, so how risky this is in your particular use case of course all depends then on what untrusted data is really being fed here to jsPDF. I would still plead with you to just get it updated.
Next vulnerability that I was a little bit contemplating whether I should cover, and the reason I do cover it is that, well, it's in a webmail system, and I have the utmost respect for people who dare to create webmail systems. I think it's a very difficult thing to do securely given the complexities and of course the attack surface of email. But most people don't really use webmail systems that much that they created themselves or that are open source. So many people are going cloud these days for email and with that also for their webmail. The problem is that these systems are often used by people that deal with more sensitive data that they don't just want to put in possibly an adversary's cloud. So that's why I think these kinds of vulnerabilities are probably more important than one would sort of think offhand. Latest example here is Roundcube. There was a PHP deserialization vulnerability that was patched last June. It's now actively being exploited. We also had a couple of weeks ago, and I didn't cover it back then, probably should have, in SmarterMail, another sort of open source and commercial webmail system, one that also is actively being exploited. Actually a more recent vulnerability that got hit there. So if you're running your own webmail system on prem, make sure it's up to date. These vulnerabilities are often exploited fairly soon after they have been made public. Well, and this is it for today. So thanks for listening, thanks for liking, and thanks for subscribing to this podcast. And just a reminder, if you're interested in any classes, the next class I'll be teaching is in April in Orlando and then end of April in Amsterdam. So take a look on the Internet Storm Center's website just below the show notes for the podcast. Thanks and talk to you again tomorrow. Bye.
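The Calibre issue described in the transcript is the classic archive-extraction path traversal: an ebook is a ZIP-style container, and an entry name such as "../../something" or an absolute path lands outside the extraction directory if the extractor trusts the name. The following is an added example written for this page (it is not Calibre's code and does not reflect how the patched versions check names); it shows the check a defender would want before extracting any container of this kind: resolve each member name against the destination and reject anything that escapes it. The sample archive is constructed inline.

```python
import io
import os
import zipfile


def is_safe_member(dest_dir: str, member_name: str) -> bool:
    """Return True only if member_name, joined onto dest_dir, stays inside dest_dir.

    Absolute names, names starting with a separator and empty names are rejected
    outright; everything else is resolved with realpath so that '..' components
    (and symlinked destination directories) are normalised before comparison.
    """
    if not member_name:
        return False
    if os.path.isabs(member_name) or member_name[0] in ("/", "\\"):
        return False
    dest_real = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_real, member_name))
    return target == dest_real or target.startswith(dest_real + os.sep)


def classify_members(zip_bytes: bytes, dest_dir: str) -> dict:
    """Split an archive's entries into those safe to extract and those that would
    escape dest_dir. Only the safe list should ever be passed to an extractor."""
    result = {"safe": [], "rejected": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            bucket = "safe" if is_safe_member(dest_dir, info.filename) else "rejected"
            result[bucket].append(info.filename)
    return result


def build_sample_archive() -> bytes:
    """Constructed sample (not a real ebook): two ordinary EPUB-style entries plus
    two entry names that try to leave the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/epub+zip")
        zf.writestr("OEBPS/chapter1.xhtml", "<html/>")
        zf.writestr("../../escaped.txt", "relative traversal entry")
        zf.writestr("/abs/escaped.txt", "absolute path entry")
    return buf.getvalue()


if __name__ == "__main__":
    report = classify_members(build_sample_archive(), "/tmp/ebook_out")
    for name in report["safe"]:
        print("OK      ", name)
    for name in report["rejected"]:
        print("REJECTED", name)
```

The check is deliberately done on the resolved path rather than by scanning for ".." substrings, so that names like "sub/../file.txt" (harmless, stays inside) and "sub/../../file.txt" (escapes) are judged by where they actually land.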
Host: Johannes B. Ullrich
Episode Theme: Critical vulnerabilities and recent malware trends in compressed images, popular eBook software, PDF generation libraries, and webmail platforms.
This brief daily update covers:
[00:32 – 02:04]
Malware Diary by Jan Yann:
Investigated a malicious campaign using a JPEG image as a final payload.
Initial Infection Vector:
Arrival artifact: A ZIP file containing compressed JavaScript.
File appears over 1MB due to large volumes of random garbage data—an obfuscation tactic.
"The attacker is just adding some random garbage to the file... to extend its size, make it a little bit more difficult to sort of analyze it and sometimes also fool anti-malware engines into not actually looking at the file." – Johannes [00:42]
After cleaning, only a few lines of actionable JavaScript remained—a standard downloader.
Malware Delivery:
Security Lessons:
[02:04 – 03:02]
Nature of the Flaws:
Severity:
Recommendation:
[03:02 – 03:52]
About jsPDF:
Exploit Details:
Recommendation:
[03:52 – 05:02]
Webmail Is a Difficult Target:
Johannes notes the challenge in securing webmail systems and why vulnerabilities are especially significant for sensitive users:
"I have the utmost respect for people who dare to create webmail systems. I think it's a very difficult thing to do securely given the complexities and of course the attack surface of email." – Johannes [04:05]
Active Exploitation:
Recommendation:
This episode highlights persistent threats coming from seemingly innocuous files (JPEGs, ebooks, PDFs), emphasizes the need for patching widely-used open source software, and underlines the ongoing exploitation risk in webmail platforms. The overarching message: Layered defenses and prompt updates remain critical for defending against both complex and deceptively simple attacks.