Table of Contents
Recently, we have released the newest version of our platform, which you can check in the latest Release Highlights Blog. At the same time, our Labs team has been working on great signature and detection improvements covered in this article. In the past quarter, our Threat Researchers have focused on:
- VTI updates for Linux, macOS and Windows
- Smart Link Detonation (SLD) and QBot-related detection improvements
- Newest trends in phishing
- General upgrade of YARA rules and configuration extractors
Now, let’s delve into these interesting topics in more detail.
Detection Updates for Linux
In the 2023.3 release, we introduced analyzing Linux-based malware, and we hope you get the hang of the extended analysis capabilities. To stay ahead of emerging attack techniques, we make sure that Linux analysis is equipped with up-to-date VMRay Threat Identifiers (VTIs) and YARA rules, which greatly help determine which files and URLs are malicious, suspicious or benign.
New Linux VTIs
1. VTI: Detect process enumeration via /proc/<pid>
Process enumeration is a technique used by malware authors to gather information about running processes on a computer system. Threat actors use this technique for two main goals:
Information gathering – enumerating running processes to understand what is running on the infected system and how the attackers can use it.
Blocking unwanted systems – threat actors might check the output of process enumeration to identify software like antivirus or malware, subsequently blocking such programs.
Our new VTI will trigger if the analysis detects multiple attempts to access the /proc directory using an existing process ID.
2. VTI: Detect reading /etc/shadow and /etc/passwd
Category: Data Collection
MITRE ATT&CK® ID: T1003.008
In Unix and Unix-like operating systems, /etc/passwd and /etc/shadow are two essential files used for user account management, but they serve different purposes and store different types of information:
The /etc/passwd file stores essential information about user accounts
The /etc/shadow file stores encrypted password information for user accounts
Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd and /etc/shadow to store user account information, including password hashes in /etc/shadow. To ensure more protection for your systems, our new VTI will trigger when /etc/shadow files are read.
3. VTI: Detect sniffing/hijacking traffic via http/ftp proxy environment variables
MITRE ATT&CK® ID: T1557
In cybersecurity, an Adversary-in-the-Middle attack attack refers to a situation where an attacker intercepts communication between two or more networked devices. The adversary secretly intercepts and possibly alters the communication between the devices, forcing a device to communicate via a system controlled by an adversary, allowing them to eavesdrop on sensitive information or impersonate one of the devices. All traffic from the infected device is then routed through a compromised proxy, allowing the attacker to monitor, modify, or redirect the traffic as they wish.
Recently, we have discovered a Mirai sample that modifies the .bashrc file to reroute the traffic of the device using the attack technique described above. With the new VTI, we detect attempts to redirect the http/https/ftp connections to use a malicious proxy server controlled by the attacker.
4. VTI: Detect persistence and delayed execution via rc.local
Persistence in malware refers to the ability of malicious software to maintain its presence on a compromised system even after the system is restarted. This is crucial for malware authors because it ensures that their malicious code continues to run, allowing them to maintain control, gather data, or carry out other malicious activities.
In Unix-based systems, including Linux, rc.local is a script used to execute commands at boot time. Malware authors can abuse this mechanism for delayed execution of their malicious code. Here’s how it works:
Malware placement – the malware places its execution command or a script in the rc.local file. This file is typically located in the /etc directory.
Delayed execution – the code added to rc.local will be executed every time the system is started. Malware authors might introduce a delay (using the sleep command) before executing malicious actions. This delay can help the malware evade immediate detection, making it harder for security tools to trace the malicious activity back to the initial system startup.
Our new VTI will trigger every time there’s an attempt to write into the /etc/rc.local directory.
5. VTI: Detect creating new users by writing to /etc/passwd
MITRE ATT&CK® ID: T1136.001
A backdoor attack refers to the insertion of malicious code into a computer system, allowing unauthorized access and control over the system. Essentially, a backdoor is a secret pathway that attackers use to gain entry to a compromised system or network, enabling them to bypass standard authentication.
We have discovered RapperBot malware, which creates a new root-user by writing to the/etc/passwd file. With the new VTI, our analysis will detect whenever file /etc/passwd is written to. This will trigger a malicious sample Verdict if it’s a new root user added, and a suspicious Verdict if it’s a non-root user or for any other modifications of the file.
New Linux YARA Rules
1. ELF support to XMRig YARA rule
XMRig is a commonly used open-source mining software. Due to its simplicity, threat actors often drop it to infected systems in order to abuse the hardware for mining purposes. As XMRig is quite frequently detected by our products, we extended the support to detect this family on Linux.
2. YARA rule for Linux Hive v5 ransomware
The Hive ransomware, firstly observed in 2021, is still taking its toll. Hive attackers usually use double extortion attacks, which is a type of ransomware attack in which cybercriminals not only encrypt victim’s files but also threaten to release sensitive or confidential data unless an additional ransom is paid. In a traditional ransomware attack, the attackers encrypt the victim’s files and demand a ransom in exchange for the decryption key. However, in a double extortion attack, the threat actors go a step further by stealing sensitive data before encrypting it. To make sure that Linux files are cross-checked against this malware family, we added a Linux YARA rule to cover Hive.
Unix VTI Updates
Unix-based operating systems have been influential in the development of modern computing and have served as the foundation for many other operating systems, including Linux and macOS. To broaden the analysis of macOS and Linux, we added the following Unix VTIs:
1. VTI: Detect sudo enumeration
MITRE ATT&CK® ID: T1087.001
Sudo is a command used in Unix and Unix-like operating systems that allows a permitted user to execute a command as the superuser or another user as specified in the sudoers file. Malicious software could exploit vulnerabilities in the operating system or applications to gain root privileges. Once the malware gains access to the system, it can execute sudo commands without the need for explicit enumeration. Additionally, attackers might attempt to read the sudoers configuration file to identify which users or groups have sudo privileges. This information helps threat actors understand potential targets for privilege escalation attacks. However, it’s important to clarify that sudo enumeration is not a method in malware delivery but rather a technique used in privilege escalation attacks by hackers or attackers once they have gained some level of access to a target system. To prevent from compromising the sudo command, we added a new VTI that will trigger when sudo enumeration methods are used.
2. VTI: Detect deletion of power management binaries
Category: System modification
An analysis of a Mirai sample revealed another malicious behavior – the sample deletes the executables to power off or reboot the system to keep the botnet operation running in case the IoT device needs to be turned off or rebooted. We added this VTI to trigger when there is an attempt to delete one of the files used to power off or reboot the system.
3. VTI: Detect clearing Linux/macOS system logs
Category: Defense Evasion
MITRE ATT&CK® ID: T1070.002
macOS and Linux both keep track of system or user-initiated actions via system logs. Adversaries may clear those logs to hide their evidence of an intrusion. By modifying the logs, they can erase any evidence of their presence on the compromised system. This makes it more challenging for cybersecurity professionals and system administrators to trace the origin of the attack, identify the attacker’s methods, and understand the extent of the compromise. To address this behavior, we’ve developed a VTI that detects file deletions, as well as file overwrites, which helps in identifying a potentially malicious sample.
4. VTI: Detect masquerading extensions by adding white space
MITRE ATT&CK® ID: T1036.006
Malware can attempt to evade detection by masquerading file extensions using various techniques, including adding white spaces within the file name or extension. This method can deceive users and some basic security mechanisms that rely on file extensions to identify file types. By adding extra spaces or invisible characters, malware can appear to be a harmless file type while actually being an executable program.
With certain file types, appending a space to the end of a filename will change how the file is processed by the operating system. For example, if there is a Mach-O executable file called evil.bin, and a user double clicks it, it will launch the Terminal.app and execute it. If this file is renamed to evil.txt, then when double clicked by a user, it will launch with the default text editing application (not executing the binary). However, if the file is renamed to evil.txt (with a space at the end), then when double clicked by a user, the true file type is determined by the OS and handled appropriately, and the binary will be executed. We added this new VTI to trigger when there’s a malware attempt to create a new filename with a space at the end of its name, or to rename an existing file by appending a space at the end.
5. VTI: Detect attempts to connect to multiple hosts via telnet/ssh
Category: Network Connection
MITRE ATT&CK® ID: TA0008
Mirai gained significant notoriety for its involvement in launching massive Distributed Denial of Service (DDoS) attacks in late 2016. In a recently discovered malware attempt, the Mirai botnet tried to infect other hosts by connecting to random IP addresses with common usernames and passwords via telnet. We added a new VTI that will monitor and trigger if the analyzed sample tries to connect to multiple different IP addresses via port 23 (telnet) or 22 (SSH) and recognize this as a malicious attack.
6. VTI: Detect Unix shell configuration modification
Category: Persistence / System Modification
MITRE ATT&CK® ID: T1546.004
Shell configuration modification refers to the alteration of shell profiles, scripts, or configuration files on a system, enabling malware authors to execute malicious commands or achieve persistence. We added a new VTI that will trigger if there’s any attempt to write to the shell configuration files, such as, for example: /etc/profile, ~/.bash_login, /etc/zlogout, and others.
7. VTI: Detect /etc/motd file modification
Category: System Modification
“Message of the day” (motd) is a Unix-based file that is typically displayed to users when they log in, providing system-related information or announcements. Malware might modify the motd message to display misleading information or fake announcements. For example, it could provide instructions that trick users into taking actions that compromise security, like running malicious scripts or downloading infected files. In a recent analysis, we noticed a ransomware sample from the Hive family trying to modify the motd file, writing to it the malware’s ransomware note. The new VTI will trigger whenever the /etc/motd file is modified.
8. VTI: Detect scheduling tasks with cron
Category: Tasks Scheduling
MITRE ATT&CK® ID: T1053.003
Adversaries may abuse the cron utility to perform task scheduling for the initial or recurring execution of malicious code. The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Malware can create cron jobs to scan the local network for vulnerable systems and exploit them. These jobs can be scheduled to run at specific times, allowing the malware to spread across the network more efficiently. This new VTI will trigger when there is an attempt to modify or create any time-based scheduler files, such as/etc/cron.hourly.
Smart Link Detonation & QBot Delivery Chains
SLD is a mechanism of automatic evaluation and detonation of appropriate hyperlinks in document and email samples. It allows Security Analysts to assess the potential risk associated with hyperlinks without exposing their own systems or network to the potential threats. It’s essential, especially in email security, web filtering, and threat intelligence systems. It helps detect phishing attacks, drive-by downloads, and other web-based threats by examining the behavior of URLs in a safe and controlled environment. Recently, we added a few improvements to the SLD functioning in the following scenarios.
SLD now triggers on URLs pointing to a PHP script
QBot again switched its delivery methods. It has recently been using PDF documents with embedded links that are used to download a malicious archive. Users need to click on the PDF link that redirects to a malicious PHP script that loads QBot onto the victim’s machine by downloading the archive. In the past quarter, we extended the trigger for recursive submissions to detonate URLs if they point to a PHP script that has been extracted from a PDF document.
Example of a PDF file containing malicious redirect via the Open button
Recursive Submission of URLs with a certain pattern
When we were investigating PDF documents used by QBot to deliver malicious payloads, we discovered that they’re using URLs that mostly follow a specific URL pattern. Currently, we’ve found two patterns that are being used frequently. To address this threat, we enabled recursive submission of URLs that follow the patterns that we have tracked.
Detonation of a Malicious QBot Sample (suspicious (regex) patterns and .gifs)
Malicious .gif file extensions
While further looking at PDF documents used by QBot, we found that they’re using URLs pointing to a .gif file extension to let the malicious archive look like a benign file. Malicious websites hosting these files are configured to directly start the download when opening the URL and trigger automatic downloads of malware onto the visitor’s system. These drive-by downloads can occur without any user interaction, taking advantage of vulnerabilities in the browser or its plugins to install malware silently. To handle this hazard, we enabled recursive submission of URLs that end up with a .gif extension and have been extracted from PDF documents.
Detect logon forms hosted on IPFS
IPFS, or the InterPlanetary File System, is a protocol and network designed to create a more efficient and decentralized way of storing and sharing hypermedia in a distributed file system. It was developed to address some of the limitations and issues of the traditional web, such as centralized data storage, limited data availability, and reliance on specific servers or data centers.
During a regular phishing page analysis session, we have identified several phishing pages hosted on IPFS, often associated with Ethereum and NFTs. As only static websites can be hosted on IPFS (so no PHP or similar server-side languages), hosting a logon form on one of these should be highly suspicious. Especially sensitive data, such as a username, password, or personal details, should not be hosted on a distributed file system. Phishers may set up IPFS-hosted logon forms that record user inputs and send them to a remote server for later use in unauthorized access.
Based on that discovery, we added a new VMRay Threat Identifier that checks if the host URL is associated with IPFS. If the web page is identified as a logon form, and the host is IPFS, the webpage is scored as malicious (phishing).
If the IPFS-hosted login form is associated with a known and trusted domain and there’s a way for users to verify the authenticity of the domain, it’s less likely to be considered phishing. Domain verification can be done through mechanisms like SSL certificates or other trust indicators.
Detonate Google AMP links
Google AMP (Accelerated Mobile Pages) is an open-source project developed by Google with the goal of improving the performance and speed of webpages on mobile devices. In recent times, we observed a new phishing tactic utilizing Google (AMP) on websites hosted on Google.com or Google.co.uk, both of which are considered trusted domains to most users. Attackers often use social engineering tactics in phishing attacks – they may send phishing emails or messages that contain Google AMP links, claiming urgency or enticing offers to encourage users to click on them.
Phishers can create Google AMP pages that impersonate well-known and trusted websites or services. They might design these pages to closely resemble legitimate sites, including copying logos, layouts, and content. For example, https://www.google.com/amp/s/vmray.com would directly redirect you to vmray.com. These forms may appear legitimate but are designed to capture the entered data and send it to the attacker. To tackle this emerging technique, we will detonate all URLs using Google AMP in the domain name.
Improve images and screen background detection
Phishing campaigns can reuse legitimate image resources to make their page more trustworthy. For example, phishing actors might create a convincing replica of a login screen, incorporating a trusted service’s background image and/or logos and other image resources into the design. Unsuspecting users might be tricked into entering their credentials, thinking they are logging into a legitimate service.
We’ve observed more and more phishing pages that try to obfuscate the image resources in the page sources to hinder their extraction and processing. A recent campaign reported to us was using pages that masquerade as Microsoft logon forms. To address this threat, we improved our detection mechanism so that it evaluates the provided URL and correctly analyzes the loaded image resources.
An example of an MS phishing page that tried to load its hosted resources
Other Important Updates
New YARA Rules
- YARA for MalDoc in PDF
- JPCERT, an organization providing information on widespread, emerging information security threats, reported a new technique used to bypass detection for the delivery attempt of malicious files. Threat actors are using malicious documents with macros that are embedded inside PDF files. Whenever the PDF document has the .doc extension and will be opened via Word due to the default extension handler, the malicious macros are executed as soon as the content is enabled.
- YARA rule to detect Amadey samples
- YARA-based detection for Outlook branded phishing page
- YARA rule to detect disabling of keys (such as F12)
- Improved YARA rule to detect Follina vulnerability
- Follina represents a high-severity vulnerability found within Microsoft Office suite products, posing a significant risk for Remote Code Execution (RCE) attacks due to its ease of exploitation.
New Windows VTI: Detect registering password filters
Category: Defense Evasion
MITRE ATT&CK® ID: T1556.002
Windows password filters are password policy enforcement mechanisms for both domain and local accounts. Filters are implemented as DLLs (Dynamic Link Library files) containing a method to validate potential passwords against password policies. DLLs filters can be positioned on local computers for local accounts and/or domain controllers for domain accounts. Before registering new passwords in the Security Accounts Manager (SAM), the Local Security Authority (LSA) requests validation from each registered filter. Any potential changes cannot take effect until every registered filter acknowledges validation. This new VTI will trigger whenever there’s an attempt to write to a DLL package controlled by LSA to prevent from possible credential harvesting during the password validation process.
Improved Config extractors for: