
SANS Stormcast Monday, March 2nd, 2026: Reversing Fake Fedex; Abusing .ARPA; MSFT Authenticator Update; Apex One Vuln; Special AirSnitch Webcast

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9830.mp3


Fake Fedex Email Delivers Donuts!
https://isc.sans.edu/diary/Fake%20Fedex%20Email%20Delivers%20Donuts!/32754

Abusing .ARPA: The TLD that isn’t supposed to host anything
https://www.infoblox.com/blog/threat-intelligence/abusing-arpa-the-tld-that-isnt-supposed-to-host-anything/

MC1179154 - Microsoft Authenticator app: Upcoming changes to jailbreak and root detection
https://mc.merill.net/message/MC1179154

SECURITY BULLETIN: Apex One and Apex One (Mac) - February 2026
https://success.trendmicro.com/en-US/solution/KA-0022458

Special Webcast: AirSnitch – How Worried Should You Be?
https://www.sans.org/webcasts/airsnitch-how-worried-should-you-be

Podcast Transcript

Hello and welcome to the Monday, March 2nd, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida. This episode is brought to you by the SANS.edu undergraduate certificate program in Applied Cybersecurity.

In diaries this weekend we had one by Xavier about a fake FedEx email. The problem with these FedEx emails is that to many of us they're kind of old news and easy to recognize, but think about it from the perspective of someone that receives a lot, or a reasonable number, of these FedEx emails. That's sort of how I've seen these emails work. They're dealing a lot with shipping, they're a little bit desensitized to that, and then maybe tricked, like in this case, into opening an attachment that is actually a 7-Zip file. Xavier walks you through the analysis of this particular malicious email. It starts out with a simple batch file and also the usual sort of persistence mechanisms, then a decoded PowerShell script. In the end it's actually an AES-encrypted script. Of course the credentials here, keys and IVs, are in the binary, so in that zip file. So definitely something that you can then extract in order to decrypt it, and that's sort of what Xavier walks you through here. The decryption part is probably the more interesting and dangerous part in some ways too, because in this case the easiest way to do it is to just run the PowerShell script, but then you put the right breakpoints in place so it really just decrypts it and doesn't actually execute it. And the next stage is a script which in this case turns out to be a script called Donut loader. It's a basic malware loader that in this particular case does then load and execute X-SWARM. Just one note here: with all of these emails the VirusTotal rates are usually not that great because the exact hashes and such are not necessarily already recognized, but there are often some simpler things to look for, like here, for example, outbound connections in the 7000 range. It's a port number of 7030 here. I think that's probably a better signature, if you want to call it that, than looking for specific hashes and the like that would identify this malware.

Now talking about phishing campaigns, Infoblox has a blog post outlining an interesting twist to how domains are being used for phishing campaigns. Of course, that's sort of one of the tricky things: you have to come up with the lookalike domain name or something like that in order to then basically direct victims to your particular website. Now in this case they're not actually using lookalike domains; instead they're using domains within the .arpa top-level domain, and you probably have seen .arpa like ip6.arpa. That's what they're using here; that is being used to reverse resolve IPv6 addresses. But what they're doing here is they're first going to Hurricane Electric. Hurricane Electric, not sure you're familiar with it, they have a very nice and well-performing service where you can get IPv6 address space for free and the necessary tunnels in order to use that address space, and they also allow you to basically then register your own reverse resolution using the respective ip6.arpa domain. Now that domain really behaves like any other domain, so what you can do now, once this domain is delegated to you and you are able to set up a name server for it, you just point it to the Cloudflare name server. Since you own that particular subdomain you're able then to get TLS certificates for it and, well, use it just like any other domain name. What you often do in this case is have a random letter prefix. Personally I would actually use that, for example, to impersonate another site, but that's not really what they're after in this case, and then they sort of have a basic, simple, free infrastructure in order to bootstrap their phishing site. This of course is also intended to sort of fly below the radar because a lot of these .arpa DNS lookups are kind of overlooked, not really analyzed very closely, because they're often used for reverse lookups. In this case you should see an A record lookup, or an A6 or a AAAA record lookup, for these domains, so that may be a little bit more of an indicator here that something is wrong: it's not a pointer lookup for that particular ARPA domain. But either way, yes it works and yes it's being used, so double-check your DNS logs. And again, this comes from Infoblox.

And a quick note in case you didn't have that sort of on your radar, but if you're relying on the Microsoft Authenticator application, it will no longer work on rooted Android devices. On jailbroken iOS devices it'll stop working in April. They originally thought about basically also breaking them in March but they pushed that back for some reason, so you'll have a little bit more time if you're using iOS, but Android already shouldn't be working if the device is rooted. The reasoning behind this is that if you have a rooted or jailbroken device then of course there's always a chance that someone is messing with the application, because some of the security guardrails around applications are weakened and an attacker could, for example, steal secrets or the like. So that's why they enforce that you can only run it on non-jailbroken, non-rooted devices.

And Trend Micro released a critical update for its Apex One application that affects the Windows and the Mac version. These are directory traversal vulnerabilities that can lead to remote code execution, so definitely keep them updated, given that this is the type of application that you intend to be exposed to malicious software. So definitely get it updated.

And then we also have a special webcast today, on Monday. That webcast is about the AirSnitch vulnerability that I covered on Friday. It's being led by two of our greatest instructors here, Larry Pesce and James Leyte-Vidal. One of them does a lot of our Wi-Fi stuff, the other one a lot of the pen testing parts, so definitely some great content here, and it's running at 4 pm Eastern, so that's about 10 pm in Europe or 1 pm in California. Well, that's it for today. Thanks for listening, thanks for liking, thanks for subscribing to this podcast. The links to the special webcast are also in the show notes, and talk to you again tomorrow. Bye.
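The DNS detection advice from the .arpa segment (an A, AAAA or A6 query for a name under ip6.arpa or in-addr.arpa is the indicator, since those zones normally only see PTR lookups), as an added Python example that is not code from the podcast, ISC or Infoblox; the log line format and the sample entries are constructed, and the IPv6 names use the 2001:db8::/32 documentation prefix.

```python
"""Flag address-record queries (A/AAAA/A6) for names under the reverse
zones ip6.arpa and in-addr.arpa. Legitimate traffic to those zones is
PTR lookups; an address-record query means a client is trying to reach
a host *named* under .arpa, the hosting trick described in the episode.
Added example; the log format below is constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional

REVERSE_ZONES = ("ip6.arpa", "in-addr.arpa")
ADDRESS_TYPES = {"A", "AAAA", "A6"}


@dataclass(frozen=True)
class DnsQuery:
    ts: str
    client: str
    qname: str
    qtype: str


def parse_line(line: str) -> Optional[DnsQuery]:
    """Constructed format: '<timestamp> <client-ip> <qname> <qtype>'."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    # Normalize: DNS names are case-insensitive and may carry a trailing dot.
    return DnsQuery(ts, client, qname.rstrip(".").lower(), qtype.upper())


def is_reverse_zone_name(qname: str) -> bool:
    return any(qname == z or qname.endswith("." + z) for z in REVERSE_ZONES)


def is_suspicious(q: DnsQuery) -> bool:
    # PTR (and NS/SOA housekeeping) under .arpa is normal; A/AAAA/A6 is not.
    return is_reverse_zone_name(q.qname) and q.qtype in ADDRESS_TYPES


def find_suspicious(lines: List[str]) -> List[DnsQuery]:
    hits = []
    for line in lines:
        q = parse_line(line)
        if q is not None and is_suspicious(q):
            hits.append(q)
    return hits


SAMPLE_LOG = [  # constructed sample log lines
    "2026-03-02T10:00:01Z 10.0.0.5 4.3.2.1.in-addr.arpa PTR",
    "2026-03-02T10:00:02Z 10.0.0.5 1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa PTR",
    "2026-03-02T10:00:03Z 10.0.0.7 xkq7.8.b.d.0.1.0.0.2.ip6.arpa A",
    "2026-03-02T10:00:04Z 10.0.0.7 xkq7.8.b.d.0.1.0.0.2.IP6.ARPA. AAAA",
    "2026-03-02T10:00:05Z 10.0.0.9 www.example.com A",
    "malformed line",
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit.ts} {hit.client} {hit.qtype} {hit.qname}")
```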