Complex Delivery Chains: Navigating the Evolving Tactics of Malware and Phishing Threats - VMRay

Navigating the Evolving Tactics of Malware and Phishing Threats:  
Complex Delivery Chain Strategies

Q4 – 2023

Discover evolving malware and phishing threats, from intricate LNK file exploitation to innovative Command and Control methods.

Table of Contents

In Q4 attackers persisted in employing LNK files for email-based assaults, amplifying the complexity in the linked executable path to heighten the challenge of analysis. Simultaneously, supply chain attacks, directed at IT professionals and business servers, gained prominence, featuring instances such as the deployment of malicious GitHub Gists, enticing developers to install nefarious extensions.

Beyond the Inbox: New Attack Vectors for Adversaries

Expanding their reach beyond conventional emails, cyber adversaries explored fresh attack vectors, leveraging communication platforms like Microsoft Teams, Skype, and Facebook Messenger.

 Furthermore, a notable trend emerged as threat actors increasingly adopted Microsoft Excel Add-Ins (XLL), presenting a deceptive facade resembling Excel files while harboring native executable code akin to DLL files.

The Surge in UNC/MUP Paths in Malicious LNK Files

A noteworthy shift surfaced with the heightened utilization of UNC/MUP paths particularly in LNK files. Multiple UNC Paths (MUP) is a feature in Windows that allows UNC paths to represent various protocols, such as WebDAV. When processing a MUP, Windows attempts to identify the correct protocol by iterating through options like TS Client, SMB, and WebDAV in a specific order.

This behavior poses a challenge for automated analysis because it involves interacting with multiple protocols, potentially complicating the process.

Innovations in Command and Control (C2)

Malware authors showcased inventiveness in their Command and Control (C2) implementations, where a resurgence in leveraging DNS for C2 communications emerged, introducing a method that poses increased difficulty in detection and blocking.

Notably inventive was a case where a malware author experimented with using GitHub commit messages as a conduit for relaying executable code to infected devices. This method represents a creative twist in malware communication, exploiting the ubiquity and trust associated with popular development platforms.

Home: 
VMRay Malware & Phishing Threat Landscape – Q4/2023

Next Chapter: 
Linux’s Evolving Threat Landscape

See VMRay in action.
Secure your organization against the most evasive threats.

Further resources

WEBINAR

Key forces shaping the future of security automation

Watch the full recording from the our webinar featuring Forrester

INTEGRATIONS

Explore VMRay’s seamless integrations

Explore all security automation use cases that help you can benefit.

SOLUTION BRIEF

VMRay Professional Services

Learn how VMRay supports deployment, configurations, integrations & more.

Calculate how much malware false positives are costing your organization:
Malware False Positive Cost Calculator