Recently, DFIR consultant & content creator/educator Steven from the YouTube channel MyDFIR released a new video showing how DFIR professionals can leverage the ANY.RUN Sandbox to efficiently analyze malware and extract actionable intelligence.  

The video provides a step-by-step guide on investigating real-world threats, including how to quickly identify and analyze Indicators of Compromise (IOCs) and uncover key behavioral insights. 

If you’re looking to improve your investigation workflows and see practical examples of malware analysis in action, we highly recommend watching the video to follow along with the expert’s process. 

Here’s our overview of the key highlights covered in the video. 

About ANY.RUN Sandbox 

The ANY.RUN Sandbox is an interactive malware analysis platform that enables security professionals to analyze malicious files in a live, user-driven environment. It allows DFIR professionals to: 

• Uncover the behaviors and tactics of malware. 
• Quickly gather critical Indicators of Compromise (IOCs). 
• Explore malware configurations and identify threats in real time. 

By providing detailed insights through features like process trees, network monitoring, and integrated ATT&CK mapping, ANY.RUN helps analysts stay ahead of emerging threats and streamline investigations. 

Use Case 1: Investigating Formbook Infostealer 

Formbook is a widespread infostealer that targets credentials, cookies, and other sensitive data. Here’s how DFIR professionals can use ANY.RUN to analyze it. 

Imagine you have received the following alert: malware detected and quarantined. 

The alert also provides details such as: 

• Hostname: SALESPC-01 
• User: Bobby  
• Filename: suchost.exe  
• Current Directory: C:UsersBobbyDownloads 
• SHA256: 472a703381c8fe89f83b0fe4d7960b0942c5694054ba94dd85c249c4c702e0cd 

Use this information to initiate your investigation. 

Check Previous Analyses 

The first thing you should do is check if ANY.RUN analyzed this file previously. Navigate to ANY.RUN’s Reports section, located on the left-hand side.  

Search for the hash of the flagged file. If the file has already been analyzed, review the existing reports. Otherwise, upload the file to initiate a fresh analysis. 

In our case, there are 2 analysis sessions found from October 2024. Let’s choose the first report and look closer at what’s inside.  

After clicking on the existing entry, you’ll be redirected to the ANY.RUN sandbox presented with a lot of useful information. 

Let’s use this analysis to see how the sandbox can help us. 

Examine Initial Results 

ANY.RUN provides an overview of the analysis, including malicious activity indicators, the operating system used for analysis (e.g., Windows 10 64-bit), and a suite of options, such as: 

• Get Sample: Download the file for deeper analysis. 
• IOC Tab: View all related IOCs. 
• MalConf: Explore indicators extracted from the malware’s configuration. 
• Restart: Re-run the analysis if needed. 
• Text Report: Get a detailed overview of findings. 
• Graph: Visualize the process tree and events. 
• ATT&CK Tab: Review associated tactics, techniques, and procedures (TTPs). 
• AI Summary: Summarize key findings. 
• Export Options: Save results in various formats like STIX or MISP JSON. 

Analyze the Process Tree 

Study the parent-child relationship in the process tree to understand how the file behaves.  

For example, Formbook may create a registry key to establish persistence. By clicking on the process, you can view command-line details and trace the registry key creation and file execution paths. 

Investigate Network Activity 

Use the network-related tabs to track events like HTTP requests and connections. ANY.RUN simplifies this by flagging requests with reputation icons: 

• Green checkmark: Known and safe. 
• Question mark: Unknown. 
• Fire icon: Malicious. Document any flagged IOCs, such as suspicious IP addresses or domains, and cross-check them within your environment. 

Leverage Threat Hunting Features 

Utilize tabs like MalConf and ATT&CK to uncover additional insights. For instance, MalConf may reveal hardcoded strings or configurations that can aid in threat hunting.  

The ATT&CK tab provides a breakdown of associated TTPs, helping analysts understand how the malware evades detection or escalates privileges. 

In the current analysis session, these are the TTPs the sandbox identified: 

AI Summary 

The AI-powered summary distills the technical findings into easy-to-understand insights. This is particularly beneficial for: 

• Quickly understanding the file’s behavior without diving into the technical minutiae. 
• Assisting junior analysts or teams new to malware analysis by providing clear explanations of what the file is doing. 

By leveraging these features, DFIR professionals can perform detailed, thorough, and efficient malware analysis, tailoring their investigations to the specific needs of their organization. 

Use Case 2: Analyzing Lumma Stealer with Advanced Features 

The next use case focuses on analyzing a file using the ANY.RUN sandbox, specifically targeting a different infostealer called Luma Stealer. The latter is another malware aimed at exfiltrating data. 

For this demonstration, the free plan is used, but comparisons to the paid plan capabilities will also be highlighted. 

Uploading a File to ANY.RUN 

To analyze a file in ANY.RUN, start by selecting Submit File option from the available 3 options.  

When uploading a file, keep in mind that as a free user Analysis will be public, meaning anyone can view it. Avoid uploading sensitive data. Always consult with your team if unsure. 

The free plan, however, offers privacy options to restrict access to your analysis. 

After selecting the file, you’ll see two key options: 

1. Deep analysis: Ideal for file-based malware investigations. 
2. Safebrowsing: Suitable for URL-based fast analysis. 

For this case, we’re performing Deep Analysis on the Luma Stealer sample.  

Explore the entire analysis session 

Configuration Options 

ANY.RUN allows you to customize execution and environment settings to simulate real-world scenarios. For instance, you can specify custom command-line arguments to trigger specific malware behaviors. 

• The free plan offers 60 seconds of analysis.  
• With the paid plan, you can extend to 10+ minutes for deeper analysis. 

You can also choose where you want to execute the file, for instance, temp directory, desktop, downloads directory, AppData, and more. 

For the network traffic the following options are available: 

• FakeNet: Simulates network traffic. 
• TOR Routing: Routes traffic through Tor for anonymity. 
• Residential Proxy: Assigns a residential IP to your VM. 

Then, choose the operating system, such as Windows 7 (32-bit), Windows 10 (64-bit), and Ubuntu 22.04. The paid plan also offers Windows 11. 

Running the Analysis 

Once configurations are set, click Run Analysis. If you decide to go with the Public mode, a warning will remind you that the analysis data will be publicly accessible. To make your analysis private, you will need to get a Hunter or Enterprise plan subscription. 

The sandbox begins dynamic analysis, executing the file and recording all processes, behaviors, and network activities. 

A timer (top-right) shows the remaining analysis duration. You can add time to capture extended malware behaviors. 

Observing Results in Real Time 

Once the analysis begins, you can interact with the sandbox environment. Have a look at the parent-child relationships of processes generated by the malware. 

On the right corner you can already see the sandbox identifies the processes as Lumma malware and possible phishing. 

Besides, we can note that the sandbox also detected a domain used for C2 connection: 

With the paid plan you can also see how this particular Suricata rule was generated: 

Extracting IOCs and Key Artifacts 

Once the analysis completes, go to the IOC tab to extract key indicators, including: 

• IP addresses 
• Domains 
• File hashes 
• URLs   

Why DFIR Professionals Rely on ANY.RUN 

ANY.RUN’s real-time, interactive capabilities make it a favorite among DFIR experts. Here’s why: 

• Speed: Analyze malware behavior and extract IOCs faster than ever. 
• Ease of use: Its intuitive interface works for both seasoned analysts and newcomers. 
• Flexibility: From free plans to enterprise solutions, ANY.RUN fits teams of all sizes. 
• Threat intelligence integration: Enrich your investigations with additional context to ensure thorough results. 

About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

• Detect malware in seconds
• Interact with samples in real time
• Save time and money on sandbox setup and maintenance
• Record and study all aspects of malware behavior
• Collaborate with your team 
• Scale as you need

Get 14-day free trial of ANY.RUN’s Interactive Sandbox →

The post How DFIR Analysts Use ANY.RUN Sandbox appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Overview

The Australian Cyber Security Center (ACSC) has alerted organizations about a severe vulnerability in the Apache Struts2 Framework. The vulnerability, CVE-2024-53677, has been identified in the Framework, posing a critical risk to organizations that use, develop, or support Java-based applications built on this widely adopted framework. 

This vulnerability primarily affects versions of Apache Struts2 before 6.4.0 and can lead to severe security breaches, including remote code execution (RCE). Australian organizations using these versions must take immediate action to mitigate the risks posed by this flaw.

CVE-2024-53677 is a critical file upload vulnerability in the Apache Struts2 Framework. It allows attackers to exploit path traversal flaws and manipulate file upload parameters. The flaw is found in the deprecated File Upload Interceptor component.

Under certain circumstances, this can lead to the uploading of malicious files that could be executed remotely, potentially giving attackers full control over the affected system. The issue is particularly concerning for enterprise Java applications that rely on Apache Struts2.

Details of Apache Struts2 Framework Vulnerability (CVE-2024-53677)

According to the Apache advisory, the affected versions of Struts include Struts 2.0.0 through 2.3.37 (end-of-life versions), Struts 2.5.0 through 2.5.33, and Struts 6.0.0 through 6.3.0.2. The vulnerability has been classified as “critical,” with a CVSSv3 score of 9.8, reflecting its potential for exploitation. 

This issue is not isolated; Apache Struts vulnerabilities have been popular targets for threat actors, with two major incidents occurring in 2017 and 2023. As such, CVE-2024-53677 must be taken seriously by organizations that continue to use older versions of Struts.

Organizations using Java applications that leverage the affected versions of Apache Struts2 are at high risk of exploitation. This includes various industries such as government, telecommunications, finance, and e-commerce, where the framework remains integral to business operations.

The critical nature of CVE-2024-53677 lies in its ability to facilitate remote code execution. Once an attacker successfully uploads a malicious file—often a web shell—through the vulnerable file upload mechanism, they can execute arbitrary commands, steal sensitive data, and further compromise the system.

Recommendations for securing your systems

Organizations are strongly advised to take the following steps to mitigate the risks associated with CVE-2024-53677:

• The most effective way to address the vulnerability is to upgrade to Apache Struts 6.4.0 or a later version. This version replaces the deprecated File Upload Interceptor with the more secure Action File Upload Interceptor, which significantly reduces the risk of exploitation. However, migrating to this new file upload mechanism requires modifications to the existing code, as the old File Upload Interceptor is no longer secure.
• If upgrading to Struts 6.4.0 is not immediately feasible, organizations should apply any available patches for affected versions of Struts. Additionally, continuous monitoring of systems for suspicious activity is crucial. Logs should be reviewed regularly for any indications of attempts to exploit the vulnerability.
• Organizations should audit their Java-based applications to determine whether they are using the affected versions of Apache Struts. They should also verify whether the vulnerable File Upload Interceptor component is being used. Applications that do not rely on this component are not affected by CVE-2024-53677.
• Given the critical nature of this vulnerability, organizations must stay updated on vendor advisories and any new patches or security releases. Apache’s security bulletins should be regularly checked to ensure that any new information or mitigation strategies are quickly applied.

Conclusion 

CVE-2024-53677 presents a critical risk of remote code execution (RCE), allowing attackers to exploit file upload vulnerabilities and gain unauthorized control over systems. Organizations using Struts2 versions prior to 6.4.0 must upgrade immediately and migrate to the new Action File Upload Interceptor.

Prompt patching and monitoring are essential to prevent exploitation. To strengthen defenses, businesses can turn to Cyble’s AI-powered cybersecurity solutions like Cyble Vision, which offer advanced threat intelligence, dark web monitoring, and proactive risk detection. Discover how Cyble Vision can enhance your cybersecurity strategy by booking a free demo today.

References:

https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/critical-security-vulnerability-affecting-apache-struts2-below-6-4-0

The post ACSC Warns of Remote Code Execution Risk in Apache Struts2 appeared first on Cyble.

Blog – Cyble – ​Read More