Detection & Signature updates - VMRay


Aug 16th 2023


Introduction

The Labs team at VMRay actively gathers publicly available data to identify any noteworthy malware developments that demand immediate attention. We complement this effort with our internal tracking and monitor events the security community reports to stay up-to-date with the latest changes in the cybersecurity landscape.

Recently, the VMRay Labs team has been specifically focused on the following areas:

  • Linux malware
  • Smart Link Detonation
  • Complex Delivery Chains
  • Malware Families supported with configuration extraction
  • New VTIs (VMRay Threat Identifiers)
  • YARA rules & Web Engine Auto UI

Now, let’s delve into each topic for a more comprehensive understanding.

On the Lookout for Linux Malware

With the latest VMRay release, we were thrilled to introduce Linux ELF dynamic analysis, expanding our support to a new operating system. This addition significantly impacts our Signature & Detection updates, requiring us to be extra vigilant about threats in the Linux realm.

As Linux serves as a major operating system on the hosting side, threat actors are increasingly targeting it to gain access and cause damage to services. Therefore, addressing Linux-related threats has become a top priority for us.

Ransomware, miners & bots

Recently, we have observed a significant increase in malicious activity, particularly involving ransomware, miners, and bots. Interestingly, most of these attacks initiate with attempts to brute-force or guess telnet or SSH login credentials, followed by infecting the system with cryptocurrency miners like XMRig, ransomware such as RTM Locker, or Remote Administration Tools like BPFDoor and PingPull.

Notably, Linux users are generally more knowledgeable about IT security, making attackers less likely to use common attack vectors like malicious email attachments. Instead, they opt for manual, targeted attacks that demand considerable effort, showcasing their persistence and creativity.

A notable example involves North Korean hackers, who reportedly employed phony job interviews and convincingly crafted PDF files to target specific Linux developers. This serves as a striking illustration of the extent to which these threat actors will go to breach systems.

 

Zero-day threats

Sophisticated attackers continue to exploit zero-day vulnerabilities in Linux systems. While not new, this approach remains a significant concern as multiple such attempts have been observed recently. In one case, a botnet consisting of 40 000 compromised home routers remained undetected for two years.

Additionally, a new form of attack known as ‘proxyjacking’ has emerged, where attackers capitalize on the unused bandwidth of infected devices, creating an entirely novel method of illicit gain.

 

The diversity of Linux

While Linux malware infections have been relatively rare, the landscape is shifting with the increasing use of embedded devices running on Linux. We are actively developing new VTIs to detect malicious behavior on Linux devices to address this evolving threat. Additionally, we are creating new YARA rules specifically targeting common threats like Mirai and its variants. Given the diversity of platforms and architectures that run Linux-based systems (e.g., bash scripts, 32-bit, ARM, etc.), the importance of supporting different sample types is growing. 

We are actively engaged in exploration of the Linux threat landscape to identify the most optimal solutions for enhancing our product’s security.

Linux executables can be analysed through the VMRay Platform's dynamic analysis capabilities.
Linux Dynamic Analysis in VMRay Platform

Smart Link Detonation (SLD)

Before diving into the unique aspects of the SLD feature, let’s understand its significance. The SLD (Smart Link Detonation) feature enables dynamic analysis of URLs found in files, emails, and email attachments without requiring any manual user interaction. This means that the analysis process is fully automated, allowing for the determination of whether a link is malicious or not.

The SLD feature utilizes automatic evaluation and detonation of appropriate hyperlinks. When emails and documents are received, the VMRay Platform performs static and reputation analysis on all extracted links to determine if detonation is necessary. This approach ensures that links are safely detonated, avoiding any unintended adverse side effects, such as mistakenly unsubscribing a user from a mailing list.

SLD Shields against New Phishing Campaign 

In an emerging phishing operation, threat actors are adopting a new tactic of utilizing YouTube redirection, leveraging the trusted reputation of the platform to evade detection. During this phishing campaign, users are enticed to click on URLs provided in emails or PDF documents, which then lead to a webpage displaying a captcha. Once the captcha is verified, the user is redirected to the actual phishing page. This method has proven effective in bypassing standard email filters that typically scan for suspicious redirects. 

To combat this recent campaign, we took action by expanding the list of temporary webhosters to include Cloudflare pages. As a result, these URLs are now subjected to URL heuristics and are covered by our VTIs. Additionally, we introduced a new rule targeting ‘Suspicious redirections’ involving YouTube links with attribution_link path and URL query parameters. Now, when a potentially malicious URL is delivered via an EML message, it undergoes recursive analysis and is flagged as malicious.

We’ve also seen pages hosted on notion.site that try to mimic a document (e.g. PDF) which contains a link. Once the user clicks the link, the redirect to the actual phishing page happens. This is just another way to bypass email filters and reputation checks for URLs. To proactively address this issue, we have expanded our list of tracked temporary webhosters to include ‘notion.site’. This ensures that any future URLs originating from this domain will be effectively identified and subjected to Smart Link Detonation.

Complex Delivery Chains

While we are well-aware of the cybersecurity golden rules, such as being cautious with email attachments and avoiding providing authentication data to fake websites, cybercriminals are continuously finding ways to undermine this basic sense of trust. This raises a concerning question – what if the legitimate hardware or software we rely on has been compromised at the source (by the supplier or manufacturer)?

This deceitful practice can lead to significant losses and compromise the supplier’s network, affecting potentially thousands of victims. Recently, we have observed and successfully addressed several such malicious movements.

Infected PDFs as Attachments

Alongside emails, we have observed a prevalent distribution of PDF documents as attachments. These documents are designed to appear simple, usually containing a single image aimed at deceiving the user into clicking an embedded URL that leads to downloading a malicious file. Currently, the most frequently downloaded file types are Windows Script Files and JScript files. QBot was one of the first families to utilize this delivery method, and other known families have since adopted it as well.

Additionally, we have encountered a small number of PDF documents that lead to the download of password-protected ZIP archives, with the password displayed in the PDF itself. Dealing with password-protected samples has posed a unique challenge, as it adds complexity to the analysis process, relying on the password found in either the email or the file containing instructions for downloading the next stage. While most of these challenges are resolved before analysis, attackers have started using password prompts during analysis to further complicate the process.

In our efforts to automate the analysis of PDF documents containing malicious links, a critical decision is whether an embedded URL should be recursively submitted or not. Taking this into account, we have enhanced the SLD mechanism to detonate the embedded link if the URL points to an archive file (zip, ISO, 7z, etc). This improvement enables a more effective analysis of potentially malicious links.
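The detonation criteria described so far (archive downloads, tracked temporary webhosters, and YouTube attribution_link redirects) can be sketched as one triage function. This is an added example, not VMRay's implementation: the function names, reason labels and sample links are assumptions made for illustration.

```python
import posixpath
from urllib.parse import parse_qsl, unquote, urlsplit

# Archive types named in the text ("zip, ISO, 7z, etc"); extend as needed.
ARCHIVE_EXTS = {".zip", ".iso", ".7z"}
# Tracked temporary webhosters from the text; pages.dev is the domain
# Cloudflare Pages sites are served from.
TEMP_WEBHOSTERS = {"pages.dev", "notion.site"}


def in_domain(host, domain):
    """True for the domain itself or a subdomain, never for a mere substring."""
    return host == domain or host.endswith("." + domain)


def detonation_reasons(url):
    """Return the reasons (possibly none) why a link should be detonated."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    reasons = []
    # Rule 1: the path ends in an archive extension (case-insensitive,
    # percent-decoded so "%2Ezip" cannot hide it).
    ext = posixpath.splitext(unquote(parts.path))[1].lower()
    if ext in ARCHIVE_EXTS:
        reasons.append("archive-download")
    # Rule 2: page hosted on a tracked temporary webhoster.
    if any(in_domain(host, d) for d in TEMP_WEBHOSTERS):
        reasons.append("temporary-webhoster")
    # Rule 3: YouTube attribution_link path carrying query parameters.
    if (in_domain(host, "youtube.com")
            and parts.path.rstrip("/") == "/attribution_link"
            and parse_qsl(parts.query)):
        reasons.append("suspicious-redirection")
    return reasons


# Constructed sample links (hosts and parameter names are made up).
SAMPLES = [
    "https://files.example/invoices/doc_0815.ZIP",
    "https://invoice-view.pages.dev/",
    "https://team.notion.site/Statement-1f2e",
    "https://notion.site.login.example/doc",
    "https://www.youtube.com/attribution_link?a=x1&u=%2Fwatch%3Fv%3Dabc",
    "https://www.youtube.com/watch?v=abc",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", detonation_reasons(link) or "no detonation")
```

The fourth sample shows why the webhoster check matches on a label boundary: a host that merely begins with notion.site is not a Notion page.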

The figure below shows an example of a malicious PDF document that is frequently distributed via email.

Example of a malicious PDF document which is commonly attached to emails to download the next stage file

Trigger SLD for URLs Masquerading as Different Host using ‘@’ Symbol

We have also come across a creative tactic that exploits the ‘@’ symbol in URLs to create the impression that links belong to a different domain. This strategy takes advantage of users’ unfamiliarity with the ‘@’ symbol’s functionality in URLs, which is typically used for providing login credentials to webpages protected with HTTP basic authentication.

This technique was observed being exploited in-the-wild as early as November 2022 by the Smoke Loader malware family. Additionally, attackers have combined this method with Google’s introduction of the ‘.zip’ domain and Unicode slash characters, allowing them to craft URLs that closely resemble legitimate links, making it challenging to distinguish them from malicious ones.

Recently, one of our customers reported an issue with a PDF containing a deceptive URL. The actual link: hxxps://gianttechmanufacturer.com@example.com attempted to masquerade as going to giant-tech-manufacturer.com, when in reality, it led to a malicious domain. In this case, the attackers exploited the HTTP basic authentication mechanism, utilizing the ‘@’ symbol to deceive our customer into believing that the URL pointed to a legitimate destination. 

Other researchers have pointed out the dangers of the new ‘.zip’ top-level domains in connection with the ‘@’ symbol. In their example, they go a bit further and generate a whole URL inside the HTTP basic authentication username, replacing slashes with a similar-looking Unicode alternative. For example, the URL hxxps://github.com/kubernetes/kubernetes/archive/refs/tags/@v1271.zip strongly suggests that it leads to a file on github.com, when in reality it goes to the domain ‘v1271.zip’, using the github.com/kubernetes/etc part as an HTTP basic authentication username.

This was, of course, worth investigating: it is a compelling method that we might start seeing more often in the future, so it should be covered by a new VTI. We implemented a new mechanism that triggers Smart Link Detonation for URLs masquerading as a different host using the ‘@’ symbol. Alternatively, if SLD triggers too often, we will parse the URL and determine whether HTTP basic authentication is used and, if so, check whether the username or password refers to a domain. We will also check if the destination host is one of our known trusted domains and increase the VTI in that case.
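The parsing check described above can be sketched as follows. This is an added example, not VMRay's code: the trusted-domain list, finding names and sample URLs are assumptions, and the finding for a trusted decoy domain is one reading of the scoring step.

```python
import re

# Characters that render like "/" but do not terminate the URL authority.
# Constructed sample set for this example, not an exhaustive list.
SLASH_LOOKALIKES = "\u2044\u2215"  # FRACTION SLASH, DIVISION SLASH
# Hypothetical list of trusted brands; a real deployment supplies its own.
TRUSTED_DOMAINS = {"github.com", "gianttechmanufacturer.com"}
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.IGNORECASE)


def split_authority(url):
    """Return (userinfo, host) as a browser resolves them: the host is
    whatever follows the LAST '@' before the first '/', '?', '#' or '\\'."""
    url = re.sub(r"^hxxp", "http", url.strip(), flags=re.IGNORECASE)  # refang
    rest = url.split("://", 1)[-1]
    authority = re.split(r"[/?#\\]", rest, maxsplit=1)[0]
    userinfo, _, hostport = authority.rpartition("@")
    return userinfo, hostport.split(":")[0].lower()  # IPv6 literals not handled


def assess(url):
    """Report host masquerading via the userinfo (basic auth) component."""
    userinfo, host = split_authority(url)
    findings = []
    if userinfo:
        # Map lookalike slashes back to "/" so the decoy reads as the user sees it.
        table = str.maketrans(SLASH_LOOKALIKES, "/" * len(SLASH_LOOKALIKES))
        visible = userinfo.translate(table)
        if visible != userinfo:
            findings.append("unicode-slash-in-userinfo")
        decoys = {d.lower() for d in DOMAIN_RE.findall(visible)} - {host}
        if decoys:
            findings.append("userinfo-names-other-host")
        if decoys & TRUSTED_DOMAINS:
            findings.append("decoy-is-trusted-domain")
    return {"host": host, "findings": findings, "detonate": bool(findings)}


# Sample URLs: the first is the page's customer case, the rest are constructed.
SAMPLES = [
    "hxxps://gianttechmanufacturer.com@example.com",
    "https://github.com\u2215kubernetes\u2215kubernetes\u2215archive"
    "\u2215refs\u2215tags\u2215@v1271.zip",
    "https://github.com/kubernetes/kubernetes/archive/refs/tags/@v1271.zip",
    "https://alice:s3cret@intranet.example/reports",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(assess(sample))
```

With ordinary ASCII slashes (third sample) the ‘@’ falls in the path and the host really is github.com, which is why the technique depends on the lookalike characters; plain credentials that name no domain (fourth sample) are not flagged.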

The '@' symbol along with Unicode characters used in URLs to masquerade as another domain

OneNote Status

While attacks through OneNote documents have significantly decreased and become increasingly rare, the threat from LNK files (Windows shortcuts) and PDF files remains relevant and shows no decline in significance.

Specifically, in the case of LNK files, we have identified attempts to use UNC and MUP paths for downloading payloads. Although these paths are supported by Windows by default, they often pose challenges for analysis engines due to their combination of multiple complex protocols.

Supported Malware Families

In the ever-evolving threat landscape, staying vigilant and monitoring the introduction of new malware families is crucial to the work of our Labs team. As new and dangerous malware families emerge, it is essential to be aware of shifts in the malware landscape. In July 2023, two malware families supported by our products, namely AgentTesla and Nanocore, have resurfaced in the Top 10 list. Additionally, we have recently added two more malware families that our products support, along with configuration extraction capabilities.

Amadey

Amadey is a downloader and bot that was first seen in the wild in 2018 and is written in C++. The main functionality of Amadey is to collect information about the infected host, steal data and download additional malware onto the system.

 

PikaBot

PikaBot (or Beep Loader) is a downloader that emerged in early 2023 with advanced evasion techniques and string obfuscation to make analysis harder.

New VTIs

In the previous blog post, we provided a general recap on what VTIs stand for. Now, let’s dive straight into the new VTIs we have added in response to the latest threats. Here are some of the additions from the broader changelog: 

1) VTI: Subvert Trust Controls

Category: Defense Evasion

MITRE ATT&CK® ID: T1153.006

Adversaries may modify code signing policies using commands that can modify the code signing policy of a system, including bcdedit.exe -set TESTSIGNING ON on Windows and csrutil disable on macOS. 

A new VTI detects any modifications made to the code signing policy of a system.

 

2) VTI: Query the Host’s Domain Name

Category: Discovery

MITRE ATT&CK® ID: N/A 

The malicious sample checks if the system is joined to a domain. If yes, it reveals its malicious behavior (seems to be used by Blister Loader), otherwise, it just terminates the process.

This VTI detects if a sample uses the above-mentioned API to query DNS-related data. 

 

3) VTI: Disable Controlled Folder Access

Category: Defense Evasion

MITRE ATT&CK® ID: T1562.001

This VTI detects Magniber ransomware that disables the ‘controlled folder access’, which protects, e.g., photos from being deleted/encrypted by ransomware. 

 

4) VTI: Hijack Execution Flow

Category: Defense Evasion

MITRE ATT&CK® ID: T1574.002

This VTI detects malicious abuse of system binaries by DLL side-loading. 

 

5) VTI: Masquerade URL Host

Category: Masquerade

MITRE ATT&CK® ID: T1036

This VTI detects domains masquerading via the ‘@’ symbol. 

 

6) VTI: Direct Volume Access

Category: Defense Evasion

MITRE ATT&CK® ID: T1006

This VTI monitors handle opens on volumes that are made by processes to determine when they may be directly collecting data from logical drives.*

*Source: Direct Volume Access, accessed 2nd August 2023, https://attack.mitre.org/techniques/T1006/

 

7) VTI: Search for Available Drives

Category: Discovery

MITRE ATT&CK® ID: T1082

This VTI detects drive discovery. In a recent Magniber ransomware submission, we observed that it tries all possible drive letters to discover available drives on the host. 

 

8) VTI: Sudo Enumeration

Category: Discovery

MITRE ATT&CK® ID: T1087.001

This VTI detects common Sudo enumeration methods. This method is based on trying to list sudo users by reading the sudoers file.

 

9) VTI: Abuse Elevation Control Mechanism

Category: Privilege Escalation

MITRE ATT&CK® ID: T1548.003

This VTI detects common Sudo enumeration methods. This method is based on trying to modify the sudoers file. 

 

10) VTI: Modify System Files

Category: System Modification

MITRE ATT&CK® ID: N/A

This VTI detects files being renamed by appending a new file extension. The VTI is vital for protecting systems from Hive ransomware.

Other Updates

Fresh Built-in YARA Rulesets

YARA is a powerful open-source tool used by malware researchers to identify and classify malware based on known binary patterns and strings. It works by applying rules to various elements of the analysis, such as files and registry keys, in order to flag potentially malicious files and processes by family.

In VMRay products, we have integrated several hundred built-in YARA rules, and we continuously expand this list to enhance detection efficacy. To strengthen our threat detection capabilities, our Threat Analysts have recently made the following updates:

 

Extended YARA coverage for:
  • Aurora Stealer – new YARA rule that detects GPU evasion via DirectX
Improved YARA rules for:
  • BumbleBee Loader
  • Stealc Stealer
  • Amadey
  • AgentTesla
  • Phishkit.Prosecone
  • Changes to the YARA rule for XMRig to support Linux
  • YARA rule for generic ransom note detection has been improved to cover Hive ransomware
  • Improved YARA rule for webpages containing captcha

Improvements in the Web Engine Auto UI

We have also observed an increase in phishing attempts that exploit user engagement through deceptive button clicks, often using labels like ‘View’ or ‘Continue,’ to direct unsuspecting users to malicious phishing pages. These campaigns leverage suggestive words to lure users into believing they are accessing critical files, such as receipts or bank statements. Though not highly sophisticated, this tactic gains credibility and significantly increases the success rate in victim engagement.

In response to this evolving threat, we have fine-tuned our clicking logic to proactively detect and identify these keywords. As a result of these adjustments, hyperlinks and buttons with labels matching these suspicious keywords will now undergo checks by our Web Engine Auto UI, providing an additional layer of protection to our users.

Izabela Komorowska

Technical Writer with over 8 years of experience in various tech companies ranging from small startups to large SaaS enterprises. Enthusiastic about writing easy-to-understand customer documentation that clarifies product's features and benefits.
