Editor’s note: The current article is authored by Mohamed Talaat, a cybersecurity researcher and malware analyst. You can find Mohamed on X and LinkedIn.

In this malware analysis report, we take an in-depth look at how an undocumented loader called PhantomLoader has been used by attackers to distribute a rust-based malware known as SSLoad.

Overview

The PhantomLoader usually masquerades as a legitimate 32-bit DLL written in C/C++ for an antivirus software called 360 Security Total.

However, in this case, it was found disguising itself as “PatchUp.exe,” which is still a legitimate module of 360 Total Security. This loader has been used in recent attacks to deliver a new rust-based malware called SSLoad.

What makes PhantomLoader unique is that it was added to be part of a legitimate DLL or executable of a well-known software by binary patching the DLL or executable and adding a self-modifying technique. The latter decrypts an embedded code stub, which then decrypts and loads “SSLoad” into memory.

PatchUp.exe and legitimate module of 360 Total Security

Technical analysis

After analyzing the SSLoad sample in ANY.RUN’s sandbox, we observed that one distribution method for this malware involves phishing emails containing malicious Office documents. These documents initiate the infection chain.

The analysis session shows how the drop and execution of PhantomLoader occurs, after which it decrypts and runs SSLoad.

View the analysis session

Execution of Malicious Word document

After executing the malicious Word document, it became clear that a new process, “app.com,” was launched by “WINWORD.exe,” indicating that an embedded malicious macro had been executed. This resulted in the creation of the suspicious process. 

To better understand the infection chain, the macro was extracted and analyzed further.

Execution of Decoded XML String

In the ANY.RUN Script Tracer, it was observed that the malware loads an encoded XML string, which appears to be obfuscated using JScript. This encoding is used to disguise the malicious intent, making it more difficult to detect. 

Once loaded, the XML string is executed, triggering the next stage in the malware’s infection process.

Upon further investigation of the document’s macros, an Autoclose macro was found that reads an XML string from an XML file named “UserForm1.”

After analyzing the referenced form file, it became clear that the loaded XML string is encoded in JavaScript. This encoding serves as a protection measure designed by Microsoft to prevent unauthorized copying or alteration of VBScript or JavaScript code.

Using CyberChef, the JavaScript was decoded, revealing the underlying code used by the malware to continue the infection process. This provides clear insights into the next steps of the attack.

The JavaScript code decodes the next stage, PhantomLoader, using base64. It then places the decoded file in the user’s %TEMP% directory with the name “app.com” and starts it. 

First Loader: PhantomLoader

PhantomLoader disguises itself as a legitimate DLL module for the antivirus software 360 Total Security. This tactic allows it to remain undetected by both the system and users.

This is one of the rare cases where the malicious code runs before the main function is reached. This strongly suggests that the legitimate DLL module has been modified. A malicious routine is inserted before the main function, along with an encrypted stub. 

The malicious routine embedded within the DLL module first calculates the address of the encrypted code stub, which is hidden within the file. It then decrypts this stub using a XOR operation with a hardcoded key.

The encrypted code is located in the .text section of the DLL. It was disassembled by IDA, but the disassembled output appeared nonsensical, indicating that the code is indeed encrypted.

To further analyze the encrypted code in IDA, an IDAPython script was created to decrypt and patch the code in place.

The decrypted code stub begins by fetching the base address of “kernel32”, a core Windows system DLL that provides essential system functions. It then uses this base address to resolve the following function addresses by hash:

VirtualAlloc – Responsible for memory allocation.

LoadLibraryA – Loads libraries (DLLs) into memory.

GetProcAddress – Retrieves the address of functions or variables from the loaded DLLs.

The resolved functions are then used to load the decrypted next-stage loader, SSLoad, directly into memory.

Using the same key as before, it XOR decrypts the encrypted SSLoad, which is stored in the “.rsrc” section of the DLL. This method keeps the actual payload concealed within the DLL until it’s ready to be executed.

Interestingly, it doesn’t use the common API sequence FindResourceA and LockResource to locate and extract the encrypted resource. Instead, an offset to the encrypted resource is passed to the function that points to the decrypted stub.

Second Loader: SSLoad

The final payload decrypted by PhantomLoader is SSLoad, a rust-based loader known for its evasive and stealthy nature.

It employs various anti-analysis techniques, including anti-debugging and anti-emulation methods. SSLoad also uses multiple layers of string decryption to conceal its Command-and-Control (C2) URLs and IP addresses, making detection and analysis more challenging.

When executed, SSLoad begins by creating a mutex object with a hardcoded name. This object ensures that only one instance of SSLoad can run on the host at any given time. This is a common technique used to avoid resource conflicts or redundant infections on a single host.

It uses a common anti-debugging technique by inspecting the Process Environment Block (PEB), specifically looking for the “BeingDebugged” flag. This flag is set to indicate whether the process is currently being debugged. 

It is interesting to note that it uses an anti-emulation technique that was observed for the first time being used by Raspberry Robin. The technique involves attempting to retrieve the address of a function exported by kernel32 called “MpVmp32Entry”. 

However, when inspecting the exports of kernel32 for this function name, it cannot be found. This is because only modified versions of kernel32.dll used by emulators export that function.

The developers of SSLoad may have either intentionally or accidentally failed to properly decrypt the library name Kernel32.dll. This would result in the DLL base address not being retrieved to check for the target export. As a result, the implemented trick might fail even on an emulated system.

One of the system artifacts to check for is the presence of a directory with a randomly generated name under %APPDATA%/Microsoft. This directory name is generated at runtime using the function SystemFunction036 from the Advapi32.dll library, which is often used for cryptographic functions.

After completing its checks and decrypting the C2 URLs and IP addresses, SSLoad moves forward with fingerprinting the host it’s running on. This process involves collecting various details about the system.

This data is then stored in a JSON object, which will be sent later via POST request to the Command-and-Control (C2) server for further communication.

The fingerprinted data collected by SSLoad includes crucial system information like the OS version, username, hostname, architecture (arch), public IP address, and other system-specific details.

The data will be sent to the server in preparation of C2 communication process. 

If the connection was successful, the C2 server will return back response with a JSON object containing a “key” and an “ID”.

The returned key is a base64 encoded RC4 key that will be used to secure further communication between the host and C2 server. 

In its turn, the ID is a unique identifier generated on the C2 side that will be used by the infected host to authenticate and identify itself to the C2 server. 

In the later HTTP POST requests, no data is sent to the C2 server. Instead, the infected host sends empty HTTP POST requests that contain only the server-side generated “ID”.

Once SSLoad establishes a connection with the C2 server, it enters a beaconing loop, regularly checking in with the server for further instructions or tasks to execute.

It seems that for the current sample the server hasn’t returned any tasks to the infected host. However, in another SSLoad analysis sample, the server did return a response containing an “ID” and a “Job”.

The “ID” returned by the server identifies a task for the infected host.

The encoded structure contains two fields: “command” and “arguments.” Fishbein explained that when the “command” field is set to “exe” and the “arguments” field contains a URL, it indicates that the server is instructing the infected host to download and execute the next-stage malware payload from the given URL.

Indicators of Compromise (IOC)

File Paths and Names 

Incident_Harassment.doc

%TEMP%/app.com

File Hashes (MD5)

EC7E26A81B6002C53854A1769AD427A6

bd3231011448b2d6a335032d11c12cad

E01DDD72BC81781FE86A68D3AD045548

Related Domains, URLs, and IP addresses 

http://85[.]239[.]53[.]219 

YARA Rule

rule crime_phantom_loader_dll

{
    meta:
        description = “Detects PhantomLoader C/C++ DLL”
        author = “Mohamed Talaat”
        date = “2024-17-8”
        type = “crimeware”
        hash1 = “BD3231011448B2D6A335032D11C12CAD”
        hash2 = “CA303668B5420C022EF9C78CE1F2BFB7”
        hash3 = “1D8D71B4A0870C0DFA3468470FB28A28”
        hash4 = “B28A478EB5B99EFCDC7CAF428BFFB89A”
    strings:
        $pdb_str = “C:\vmagent_new\bin\joblist” ascii
        $iobit_str = “IUForceDelete123” ascii wide
        $mov_5F5E100 = { ( BF | 68 | C7 45 ?? ) 00 E1 F5 05 }
        $payload_size = { ( D0 | 6C ) 07 00 00 }
        $call_payload = { FF 55 ?? 68 [4] FF [-] 33 C0 ?? 8B E5 5D C3 }
    condition:
        (uint16(0) == 0x5A4D) and
        all of ($mov_5F5E100, $payload_size, $call_payload) and
        any of ($pdb_str, $iobit_str)
}

The post New PhantomLoader Malware Distributes SSLoad: Technical Analysis appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Key Takeaways

Cyble researchers investigated 19 vulnerabilities in the week ended Oct.1 and flagged eight of them as high priority.

Cyble also observed 10 exploits discussed on dark web and cybercrime forums, including an OpenSSH vulnerability with 8 million exposures and claimed zero days in Apple and Android.

Threat actors are also discussing vulnerabilities in products from SolarWinds, Microsoft, Zimbra, WordPress, and Fortinet on underground forums.

Cyble urges security teams to fix these vulnerabilities and to implement nine additional best practices.

Overview

Cyble Research & Intelligence Labs (CRIL) investigated 19 vulnerabilities from Sept. 25 to Oct. 1 and flagged eight of them in four products for security teams to prioritize.

CRIL researchers also observed 10 exploits discussed on dark web and cybercrime forums, one of which – an OpenSSH vulnerability – is present in more than 8 million web-facing hosts detected by Cyble sensors. Vulnerabilities in products from SolarWinds, Microsoft, Apple, Zimbra, WordPress and Fortinet are also under active discussion on cybercrime forums – including claimed zero days in Apple and Android messaging.

Here are the vulnerabilities and dark web exploits of greatest concern to security teams this week, followed by Cyble’s recommendations.

The Week’s Top IT Vulnerabilities

CVE-2024-41925 & CVE-2024-45367: ONS-S8 Spectra Aggregation Switch

Impact Analysis: Both of these critical vulnerabilities impact the ONS-S8 Spectra Aggregation Switch, a network management device developed by Optigo Networks for deploying passive optical networking (PON) in intelligent buildings.

CVE-2024-41925is classified as a PHP Remote File Inclusion (RFI) problem stemming from incorrect validation or sanitation of user-supplied file paths, while CVE-2024-45367 is a weak authentication problem arising from improper password verification enforcement on the authentication mechanism.

CISA released a warning for both vulnerabilities, citing low attack complexity and the product’s use in critical infrastructure.

Internet Exposure? No

Patch Available? Versions 1.3.7 and earlier are affected. Optigo recommends additional controls such as a unique management VLAN and either a dedicated NIC, firewall with allow list or a secure VPN connection.

CVE-2024-0132: NVIDIA Container Toolkit

Impact Analysis: This high-severity Time-of-check Time-of-Use (TOCTOU) vulnerability impacts the NVIDIA Container Toolkit, a suite of tools designed to facilitate the development and deployment of GPU-accelerated applications within containerized environments. The vulnerability allows an attacker to perform container escape attacks and gain full access to the host system, which may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.

Internet Exposure? No

Patch Available? Yes

CVE-2024-34102: Adobe Commerce

Impact Analysis: This 9.8-severity Improper Restriction of XML External Entity Reference (‘XXE’) vulnerability impacts Adobe Commerce, formerly known as Magento, a comprehensive eCommerce platform that provides businesses with the tools to create and manage both B2B and B2C online stores. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities, resulting in arbitrary code execution. Researchers recently observed multiple Adobe Commerce and Magento stores compromised by actors leveraging the vulnerability, and the vulnerability is also being discussed on cybercrime forums (see the Underground section below).

Internet Exposure? Yes

Patch Available? Yes

CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177: CUPS Vulnerabilities

Impact Analysis: These recently disclosed vulnerabilities – CVE-2024-47076 (libcupsfilters), CVE-2024-47175 (libppd), CVE-2024-47176 (cups-browsed) and CVE-2024-47177 (cups-filters) – impact CUPS (Common UNIX Printing System), a modular printing system designed for Unix-like operating systems. It enables computers to function as print servers, allowing them to accept print jobs from client machines, process these jobs, and send them to the appropriate printers.

Under certain conditions, attackers can chain the set of vulnerabilities in multiple components of the CUPS open-source printing system to execute arbitrary code remotely on vulnerable machines.

Internet Exposure? No

Patch Available? See the CVE listings for details:

CVE-2024-47076

CVE-2024-47175

CVE-2024-47176

CVE-2024-47177

Vulnerabilities and Exploits on Underground Forums

Cyble researchers observed a high number of vulnerabilities and exploits discussed in Telegram channels and cybercrime forums. Because these vulnerabilities are under active discussion by threat actors, they merit close attention by security teams.

CVE-2024-28987: A critical vulnerability in SolarWinds Web Help Desk (WHD) software caused by hardcoded developer login credentials.

CVE-2024-38200: A critical vulnerability affecting multiple versions of Microsoft Office that arises from improper handling of certain document properties within Microsoft Office applications. It could potentially expose sensitive information such as NTLM hashes.

CVE-2023-32413: A security vulnerability identified as a race condition that affects various Apple operating systems. It arises from improper synchronization when multiple processes access shared resources concurrently, which can lead to unexpected behavior in the system.

CVE-2024-43917: A critical SQL Injection vulnerability affecting the TI WooCommerce Wishlist plugin for WordPress, specifically in versions up to 2.8.2.

CVE-2024-45519: A critical Remote Code Execution (RCE) vulnerability was discovered in the postjournal service of the Zimbra Collaboration Suite, a widely used email and collaboration platform. Cyble researchers also issued a separate report on the Zimbra vulnerability, and CISA added it to the agency’s Known Exploited Vulnerabilities catalog.

CVE-2024-8275: A critical SQL injection vulnerability in the Events Calendar Plugin for WordPress, affecting all versions up to and including 6.6.4. The vulnerability arises from insufficient input validation in specific functions.

CVE-2024-6387: A threat actor (TA) offered a list of IP addresses that are potentially affected by this vulnerability, which is also known as RegreSSHion. It is a critical remote code execution (RCE) vulnerability in OpenSSH, a widely used suite of secure networking utilities. Cyble’s Odin vulnerability search service shows more than 8 million web-facing hosts exposed to this vulnerability.

CVE-2024-34102: A TA offered to sell a critical security vulnerability affecting Adobe Commerce and Magento, specifically versions 2.4.6 and earlier. The vulnerability stems from improper handling of nested deserialization, which allows remote attackers to execute arbitrary code through crafted XML documents that exploit XML External Entities (XXE) during the deserialization process.

FortiClient: A TA on BreachForums advertised exploits weaponizing vulnerabilities present in Fortinet’s FortiClient EMS 7.4/7.3, which results in SQL Injection and Remote Code Execution. The TA is selling the exploits for USD $30,000.

Apple and Android Zero Day: A TA on BreachForums is advertising a 0-day exploit present in Apple’s iMessage and Android’s text messaging. The vulnerability results in Remote Code Execution (RCE). The TA is selling the binary for the exploit for USD $800,000.

Cyble Recommendations

To protect against these vulnerabilities and exploits, organizations should implement the following best practices:

1. Implement the Latest Patches

To mitigate vulnerabilities and protect against exploits, regularly update all software and hardware systems with the latest patches from official vendors.

2. Implement a Robust Patch Management Process

Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency.

3. Implement Proper Network Segmentation

Divide your network into distinct segments to isolate critical assets from less secure areas. Use firewalls, VLANs, and access controls to limit access and reduce the attack surface exposed to potential threats.

4. Incident Response and Recovery Plan

Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.

5. Monitoring and Logging Malicious Activities

Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activities. Use SIEM (Security Information and Event Management) systems to aggregate and correlate logs for real-time threat detection and response.

6. Keep Track of Security Alerts

Subscribe to security advisories and alerts from official vendors, CERTs, and other authoritative sources. Regularly review and assess the impact of these alerts on your systems and take appropriate actions.

7. Penetration Testing and Auditing

Conduct regular vulnerability assessment and penetration testing (VAPT) exercises to identify and remediate vulnerabilities in your systems. Complement these exercises with periodic security audits to ensure compliance with security policies and standards.

8. Visibility into Assets

Maintain an up-to-date inventory of all internal and external assets, including hardware, software, and network components. Use asset management tools and continuous monitoring to ensure comprehensive visibility and control over your IT environment.

9. Strong Password Policy

Change default passwords immediately and enforce a strong password policy across the organization. Implement multi-factor authentication (MFA) to provide an extra layer of security and significantly reduce the risk of unauthorized access.

The post Weekly IT Vulnerability Report: Cyble Urges Fixes for NVIDIA, Adobe, CUPS appeared first on Cyble.

Blog – Cyble – ​Read More

In September 2024, a team of researchers from both the University of Florida and Texas Tech University presented a paper detailing a rather sophisticated method for intercepting text entered by users of the Apple Vision Pro mixed reality (MR) headset.

The researchers dubbed this method GAZEploit. In this post, we’ll explore how the attack works, the extent of the threat to owners of Apple VR/AR devices, and how best to protect your passwords and other sensitive information.

How text input works in Apple visionOS

First, a bit about how text is input in visionOS — the operating system powering Apple Vision Pro. One of the most impressive innovations of Apple’s MR headset is its highly effective use of eye tracking.

Gaze direction serves as the primary method of user interaction with the visionOS interface. The tracking is so precise that it works even for the smallest interface elements — including the virtual keyboard.

Although visionOS offers voice control, the virtual keyboard remains the primary text input method. For sensitive information such as passwords, visionOS provides protection against prying eyes: in screen-sharing mode, both the keyboard and the entered password are automatically hidden.

Another key feature of Apple’s MR headset lies in its approach to video calls. Since the device sits directly on the user’s face, the standard front-camera option is no good for transmitting the user’s video image. On the other hand, using a separate external camera for video calls would be very un-Apple-like; plus, video-conference participants wearing headsets would look rather odd.

So Apple came up with a highly original technology that features a so-called virtual camera. Based on a 3D face scan, Vision Pro creates a digital avatar of the user (Apple calls it a Persona), which is what actually takes part in the video call. You can use your Persona in FaceTime and other video-conferencing apps.

The headset’s sensors track the user’s face in real-time, allowing the avatar to mimic head movements, lip movements, facial expressions, and so on.

GAZEploit: How to snoop on Apple Vision Pro user input

For the GAZEploit researchers, the seminal feature of the Persona digital avatar is the use of data fed from the Vision Pro’s highly precise sensors to replicate the user’s eye movements with absolute pinpoint accuracy. And it was here that the team discovered a vulnerability enabling interception of input text.

The attack’s core concept is quite simple: although the system carefully hides passwords entered during video calls, by tracking the user’s eye movements, mirrored by their digital avatar, a threat actor can reconstruct the characters entered on the virtual keyboard, or, rather, keyboards, as visionOS has three: passcode (PIN) keyboard, default QWERTY keyboard, and number and special character keyboard. This complicates the recognition process, since an outside observer doesn’t know which keyboard is in use.

However, neural networks effectively automate the GAZEploit attack. The first stage of the attack uses a neural network to identify text-input sessions. Eye movement patterns during use of the virtual keyboard differ significantly from normal patterns: blink rates decrease, and gaze direction becomes more structured.

At the second stage, the neural network analyzes gaze stability changes to identify eye-based selection of characters, and uses characteristic patterns to pinpoint virtual key presses. Then, based on gaze direction, the system calculates which key the user was looking at.

How accurately GAZEploit recognizes input data

In actual fact, it’s all a bit more complicated than the graph above suggests. Calculations based on the avatar’s eye position generate a heatmap of probable points on the virtual keyboard where the user’s gaze might have landed during text entry.

Then, the researchers’ model converts the collected information into a list of K virtual keys that were most likely “pressed” by the user. The model also provides for various data-entry scenarios (password, email address/link, PIN, arbitrary message), taking into account the specifics of each.

What’s more, the neural network uses a dictionary and additional techniques to improve interpretation. For example, due to its size, the spacebar is often a top-five candidate — producing many false positives that need filtering. The backspace key requires special attention: if the keystroke guess is correct, it means the previous character was deleted, but if it’s wrong, then two characters may get mistakenly discarded.

The researchers’ detailed error analysis shows that GAZEploit often confuses adjacent keys. At maximum precision (K=1), roughly one-third of entered characters are identified correctly. However, for groups of five most likely characters (K=5), depending on the specific scenario, the accuracy is already 73–92%.

How dangerous the GAZEploit attack is in practical terms

In practice, such accuracy means that potential attackers are unlikely to obtain the target password in ready-to-go form; but they can dramatically — by many orders of magnitude, in fact — reduce the number of attempts needed to brute-force it.

The researchers claim that for a six-digit PIN, it’ll only take 32 attempts to cover a quarter of all the most likely combinations. For a random eight-character alphanumeric password, the number of attempts is slashed from hundreds of trillions to hundreds of thousands (from 2.2×1014 to 3.9×105, to be precise), which makes password cracking feasible even with a prehistoric Pentium CPU.

In light of this, GAZEploit could pose a serious enough threat and find practical application in high-profile targeted attacks. Fortunately, the vulnerability has already been patched: in the latest versions of visionOS, Persona is suspended when the virtual keyboard is in use.

Apple could conceivably protect users from such attacks in a more elegant way — by sprinkling some random distortions in the precise biometric data driving the digital avatar’s eye movements.

Regardless, Apple Vision Pro owners should update their devices to the latest version of visionOS — and breathe easily. One last thing, we advise them — and everyone else — to exercise caution when entering passwords during video calls: avoid it if you can, always use the strongest (long and random) character combinations possible, and use a password manager to create and store them.

Kaspersky official blog – ​Read More

Welcome to ANY.RUN‘s monthly updates, where we share our team’s achievements over the past month. 

September has been a productive month at ANY.RUN, packed with exciting new features and improvements. We’ve launched Safebrowsing, a powerful tool that lets you safely check suspicious URLs in an isolated browser. 

In addition to that, we’ve integrated with Splunk, enhanced our sandbox capabilities, and rolled out new signatures and YARA rules to help you strengthen your security. 

Let’s break down what’s new in ANY.RUN step by step.

Safebrowsing for Quick URL Checks 

We’ve released Safebrowsing, a new tool that allows ANY.RUN users to safely analyze suspicious URLs within a fully interactive, isolated browser. It is a quick and secure way to explore websites and verify potentially malicious content without putting your local system at risk. 

You can interact with suspicious links in real time, detect threats using our proprietary technology, and receive detailed reports, including Indicators of Compromise (IOCs) and network traffic analysis.  

Now available in free beta for all ANY.RUN users, it adds a new layer of security to your daily operations. 

New Integration with Splunk 

In September, ANY.RUN officially launched an integration with Splunk. It brings access to our Interactive Sandbox and Threat Intelligence Lookup directly in the Splunk SOAR environment. 

With this integration, Splunk users can now analyze potentially malicious files and URLs in ANY.RUN’s sandbox and enrich their investigations using TI Lookup with comprehensive threat intelligence from TI Lookup—all without leaving Splunk.  

Key features: 

Comprehensive threat intelligence: Query ANY.RUN’s threat intelligence database directly from Splunk SOAR using the ‘get intelligence’ action. 

Automated malware analysis: Automatically detonate files and URLs in ANY.RUN’s sandbox as part of a Splunk SOAR playbook. 

Detailed reporting & IOC extraction: Quickly retrieve detailed reports and extract IOCs for further threat investigation and response. 

Advanced threat hunting: Perform complex queries against ANY.RUN’s threat intelligence database to search for file hashes, IP addresses, domains, and more. 

AI Assistant for Private Sandbox Sessions 

We’ve improved the sandbox’s AI capabilities by replacing the ChatGPT assistant with our own private AI model. Now you can access AI-powered explanations in both public and private analysis sessions, without worrying about your data going to any third party.

This private AI model is especially useful for those new to the cybersecurity field.

It breaks down complex data quickly, helping you better navigate your analysis and extract useful insights.

Security Training Lab 

In September, we launched Security Training Lab, a new program designed to equip future cybersecurity professionals with practical, hands-on skills.

Universities often struggle to keep their curricula up to date, but Security Training Lab bridges the gap between theory and real-world practice. 

Through in-depth modules and access to ANY.RUN’s tools, students gain valuable experience in detecting and responding to real threats.  

Key advantages of Security Training Lab include: 

30 hours of academic content: Including written materials, video lectures, and interactive tasks. 

Access to ANY.RUN: Students and instructors use real-world tools to analyze threats. 

Practical learning: Hands-on experience with real cyber threat samples. 

Network Detections Update 

In September, we added 459 new Suricata rules, of which 382 are dedicated to phishing detection.

This significant increase comes from closely monitoring the activity of threat actor Storm-1575, leading to the identification of two primary tools currently used by this group. 

New Signatures 

In September, we added a total of 9 new signatures. Here are some highlights:  

Stealc signature for mutex detection 

Razr signature for .raz file extension 

SFX Dropper signature  

Alucard ransomware  

Tgbdownloader adware  

Xmrig mutex and file drop detection 

Hawkeye ransomware detection  

Scheduled task creation via Registry  

EFI boot file modification  

YARA Rules Update 

We’ve added 5 new YARA rules to detect various malware threats: 

Megatools downloader  

Goldeneye ransomware  

Diablonet detection 

Pown ransomware  

AutoIT scripts detection  

Additionally, we’ve updated the YARA rule for Lumma, enhancing the detection mechanism for this threat.  

About ANY.RUN  

ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, Yara Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

Detect malware in seconds

Interact with samples in real time

Save time and money on sandbox setup and maintenance

Record and study all aspects of malware behavior

Collaborate with your team 

Scale as you need

Request free trial of ANY.RUN’s products →

The post Release Notes: Safebrowsing, Private AI Assistant, Splunk Integration, and more appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More