Why do even large companies that have invested heavily in their cyberdefense still fall victim to cyberattacks? Most often, it’s a matter of an outdated approach to security. Security teams may deploy dozens of tools, but lack visibility within their own networks, which nowadays include not only usual physical segments, but cloud environments as well. Hackers often exploit stolen credentials, operate through compromised contractors, and try to use malware as rarely as possible — preferring to exploit legitimate software and dual-purpose applications. That’s why security tools that are usually used to protect company’s endpoints may not be effective enough against well-disguised cyberattacks.

In a recent survey, 44% of CISOs reported missing a data breach, with 84% attributing the issue to an inability to analyze traffic, particularly encrypted traffic. This is where network detection and response (NDR) systems come into play. They offer comprehensive traffic analysis, including internal traffic — significantly enhancing security capabilities. In the Kaspersky product range, NDR functionality is implemented as part of its Kaspersky Anti Targeted Attack Platform (KATA).

Outdated security tools aren’t enough

If there was one word to describe the priorities of today’s attackers, it would be “stealth”. Whether it’s espionage-focused APTs, ransomware groups, or any other attacks targeting a specific organization, adversaries go to great lengths to avoid detection, and complicate post-incident analysis. Our incident response report illustrates this vividly. Attackers exploit legitimate employee or contractor credentials, leverage admin tools already in use within the system (a tactic known as “living off the land”), and exploit vulnerabilities to perform actions from privileged user accounts, processes, or devices. Moreover, edge devices, such as proxy servers and firewalls, are increasingly being used as attack footholds.

How do cybersecurity teams respond to this? If a company’s threat detection approach was designed several years ago, its defenders might simply lack the tools to detect such activity in a timely manner:

• In their traditional form, they only protect the organization’s perimeter, and don’t assist in detecting suspicious network activity inside it (such as attackers taking over additional computers).
• Intrusion detection and prevention systems (IDS/IPS). The capabilities of classic IDS’s for detecting activity over encrypted channels are very limited, and their typical location between network segments impedes detection of lateral movement.
• Antivirus and endpoint protection systems. These tools are difficult to use for detecting activity conducted entirely with legitimate tools in manual mode. Moreover, organizations always have routers, IoT devices, or network peripherals where it’s not possible to deploy such protection systems.

What is network detection and response?

NDR systems provide detailed monitoring of an organization’s traffic and apply various rules and algorithms to detect anomalous activity. They also include tools for rapid incident response.

The key difference to firewalls is the monitoring of all types of traffic flowing in various directions. Thus, not only communications between a network and the internet (north-south) are being analyzed, but data exchange between hosts within a corporate network (east-west) as well. Communications between systems in external networks and corporate cloud resources, as well as between cloud resources themselves, are not left unattended either. This makes NDR effective in various infrastructures: on-premises, cloud, and hybrid.

The key difference to classic IDS/IPS is the use of behavioral analysis mechanisms alongside signature analysis.

Besides connections analysis, an NDR solution keeps traffic in its “raw” form, and provides a whole range of technologies for analysis of such “snapshots” of data exchange; NDR can analyze many parameters of traffic (including metadata), going beyond simple “address-host-protocol” dependencies. For example, using JAx fingerprints, NDR can identify the nature even of encrypted SSL/TLS connections, and detect malicious traffic without needing to decrypt it.

Benefits of NDR for IT and security teams

Early threat detection. Even the initial steps of attackers — whether it’s brute-forcing passwords or exploiting vulnerabilities in publicly accessible applications — leave traces that NDR tools can detect. NDR, having “presence” not only on the edges of a network, but at its endpoints as well, is also well-suited to detecting lateral movement within the network, manipulation with authentication tokens, tunneling, reverse shells, and other common attack techniques, including network interactions.

Accelerated incident investigation. NDR tools allow for both broad and deep analysis of suspicious activity. Network interaction diagrams show where attackers moved and where their activity originated from, while access to raw traffic allows for the reconstruction of the attacker’s actions and the creation of detection rules for future searches.

A systematic approach to the big picture of an attack. NDR works with the tactics, techniques, and procedures of the attack — systematized according to such a popular framework as MITRE ATT&CK. Solutions of this class usually allow a security team to easily classify the detected indicators and, as a result, better understand the big picture of the attack, figure out the stage it’s at, and how the attack can be stopped as effectively as possible.

Detection of internal threats, misconfigurations, and shadow IT. The “behavioral” approach to traffic allows NDR to address preventive tasks as well. Various security policy violations, such as using unauthorized applications on personal devices, connecting additional devices to the company infrastructure, sharing passwords, accessing information not required for work tasks, using outdated software versions, and running server software without properly configured encryption and authentication, can be identified early and stopped.

Supply chain threat detection. Monitoring the traffic of legitimate applications may reveal undeclared functionality, such as unauthorized telemetry transmission to the manufacturer or attempts to deliver trojanized updates.

Automated response. The “R” in NDR stands for response actions such as isolating hosts with suspicious activity, tightening network zone interaction policies, and blocking high-risk protocols or malicious external hosts. Depending on the circumstances, the response can be either manual or automatic, triggered by the “if-then” presets.

NDR, EDR, XDR, and NTA

IT management and executives often ask tricky questions about how various *DR solutions differ from each other and why they’re all needed at the same time.

NTA (network traffic analysis) systems are the foundation from which NDR evolved. They were designed to collect and analyze all the traffic of a company (hence the name). However, practical implementation revealed the broader potential of this technology — that is, it could be used for rapid incident response. Response capabilities, including automation, are NDR’s primary distinction.

EDR (Endpoint Detection & Response) systems analyze cyberthreats on specific devices within the network (endpoints). While NDR provides a deep analysis of devices’ interactions and communication within the organization, EDR offers an equally detailed picture of the activity on individual devices. These systems complement each other, and only together do they provide a complete view of what’s happening in the organization and the tools needed for detection and response.

XDR (eXtended Detection & Response) systems take a holistic approach to threat detection and response by aggregating and correlating data from various sources, including endpoints, physical and cloud infrastructures, network devices, and more. This enables defenders to see a comprehensive overview of network activity, combine events from different sources into single alerts, apply advanced analytics to them, and simplify response actions. Different vendors put different spins on XDR: some offer XDR as a product that includes both EDR and NDR functionalities, while for others it may only support integration with these external tools.

Kaspersky’s approach: integrating NDR into the security ecosystem

Implementing NDR implies that an organization has already achieved a high level of cybersecurity maturity, with established monitoring and response practices, as well as tools for information exchange between systems, ensuring correlation and enrichment of data from various sources. This is why in Kaspersky’s product range and the NDR module enhances the capabilities of the Kaspersky Anti Targeted Attack Platform (KATA). The basic version of KATA includes mechanisms such as SSL/TLS connection fingerprint analysis, north-south traffic attack detection, selective traffic capture for suspicious connections, and basic response functions.

The KATA NDR Enhanced version includes all the NDR capabilities described above, including deep analysis and full storage of traffic, intra-network connection monitoring, and automated advanced response functions.

The top-tier version, KATA Ultra, combines expert EDR capabilities with full NDR functions, offering a comprehensive, single-vendor XDR solution.

Kaspersky official blog – ​Read More

The ransomware attack that hit supply chain management platform Blue Yonder and its customers last month was the work of a new ransomware group called “Termite.”

Cyble Research and Intelligence Labs (CRIL) researchers have examined a Termite ransomware binary and determined that Termite is essentially a rebranding of the notorious Babuk ransomware. The Termite leak site claims seven victims so far (geographic distribution below).

We’ll cover the technical details of the new Termite ransomware strain, which was first identified by PCrisk, along with MITRE ATT&CK techniques, indicators of compromise (IoCs) and recommendations.

Technical Details of Termite Ransomware

Upon execution, the ransomware invokes the SetProcessShutdownParameters(0, 0) API to ensure that its process is one of the last to be terminated during system shutdown. This tactic is used to maximize the time available for the ransomware to complete its encryption process.

The ransomware then attempts to terminate services on the victim’s machine to prevent interruptions during the encryption process. It uses the OpenSCManagerA() API to establish a connection with the Service Control Manager, granting access to the service control manager database (image below).

After gaining access, the ransomware enumerates the services on the victim’s machine to retrieve their names. It specifically looks for services such as veeam, vmms, memtas and others, and terminating them if they are found to be actively running.

The ransomware enumerates running processes using the CreateToolhelp32Snapshot(), Process32FirstW(), and Process32NextW() APIs. It checks process names such as sql.exe, oracle.exe, firefox.exe and others and terminates them if they are actively running.

After that, the ransomware launches the vssadmin.exe process to delete all Shadow Copies, as shown in the below figure. This action is performed to prevent system recovery after the files have been encrypted.

The ransomware also uses the SHEmptyRecycleBinA() API to delete all items from the Recycle Bin, ensuring that no deleted files can be restored after encryption. After execution, Termite Ransomware attempts to retrieve system information using the GetSystemInfo() API, which collects details like the number of processors, as shown in the below figure.

The ransomware then creates a separate thread for each detected CPU, generates ransom notes named “How To Restore Your Files.txt”, and encrypts files on the victim’s machine.

It avoids encrypting certain system folders such as AppData, Boot, Windows, Windows.old etc. Additionally, it specifically excludes system files such as autorun.inf, boot.ini, bootfont.bin etc., as well as file extensions like .exe, .dll, and .termite from the encryption process to ensure that essential system functions remain intact.

Similar to Babuk ransomware, Termite appends the signature “choung dong looks like hot dog” at the end of the encrypted file.

The figure below shows the ransom note dropped by the ransomware, titled ” How To Restore Your Files.txt,” which instructs victims to visit the onion site for additional information.

After dropping the ransom notes, the malware encrypts the files on the victim’s machine and appends the “.termite” extension, as shown in the figure below.

The Termite ransomware can also spread through network shares and paths of the infected machine, as shown below.

If the command-line argument is “shares,” the ransomware uses the NetShareEnum() API to locate network shares and retrieve information about each shared resource on the server. It then checks for the $ADMIN share and begins encrypting the files. If the command-line argument is “paths,” the ransomware calls the GetDriveTypeW() API to identify network drives connected to the infected machine, and once located, it starts encrypting the files. If neither “-paths” nor “-shares” are provided, and the mutex named “DoYouWantToHaveSexWithCuongDong” is not found on the infected machine, the ransomware recursively traverses all local drives and encrypts the files.

Conclusion

Termite ransomware represents a new and growing threat in the cyber landscape, leveraging advanced tactics such as double extortion to maximize its impact on victims. By targeting businesses and demanding substantial ransoms, it not only disrupts operations but also exposes organizations to significant financial, legal, and reputational risks. The emergence of Termite underscores the critical need for robust cybersecurity measures, proactive threat intelligence, and incident response strategies to counter the evolving tactics of ransomware groups.

Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices below:

Safety Measures to Prevent Ransomware Attacks

• Do not open untrusted links and email attachments without first verifying their authenticity.
• Conduct regular backup practices and keep those backups offline or in a separate network.
• Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
• Use a reputable antivirus and Internet security software package on your connected devices, including PC, laptop, and mobile. 

MITRE ATT&CK® Techniques

IOC

The post A Technical Look at the New ‘Termite’ Ransomware that Hit Blue Yonder appeared first on Cyble.

Blog – Cyble – ​Read More

Overview 

Two Russian hacktivist groups are increasingly targeting critical infrastructure in the U.S. and elsewhere, and their attacks go well beyond the DDoS attacks and website defacements that hacktivist groups typically engage in. 

The groups – the People’s Cyber Army and Z-Pentest – have posted videos to their Telegram channels allegedly showing members tampering with operational technology controls (OT), most notably in the oil and gas and water system sectors. 

Those claims, documented by Cyble dark web researchers, may largely be intended to establish credibility rather than inflict damage on targets, but within the last week Z-Pentest’s claims have escalated to include disrupting one U.S. oil well system. 

The groups have also accessed operational controls for critical infrastructure in other countries, notably Canada, Australia, France, South Korea, Taiwan, Italy, Romania, Germany and Poland, often claiming retaliation for a country’s support for Ukraine in its war with Russia. 

Some of the attacks have been publicly reported – most notably the People’s Cyber Army attacks on water facilities – but Z-Pentest’s claims of energy sector attacks have largely flown under the radar. 

It is not clear how much damage the Russian groups could do or are capable of, but given repeated warnings from U.S. cybersecurity and intelligence agencies about China’s deep penetration of U.S. critical infrastructure, these environments should be considered deeply vulnerable and strengthened accordingly. 

Z-Pentest’s Activities 

Z-Pentest appears to have been active only since October, but in those two months Cyble’s dark web research team has recorded 10 claims of attacks by the group, all involving accessing control panels in critical infrastructure environments. Their main Telegram channel was recently shut down but the group maintains a presence on X and claims to be based in Serbia. 

Z-Pentest’s most recent claim involved disrupting critical systems at an oil well site, including systems responsible for water pumping, petroleum gas flaring, and oil collection. A 6-minute screen recording shows detailed screenshots of the facility’s control systems, showing tank setpoints, vapor recovery metrics, and operational dashboards, allegedly accessed and changed during the breach. It is not clear where that oil facility is located, but the other two U.S. oil facility claims appear to correspond with known locations and companies. 

In one of the other two claimed attacks, the threat group released a 4-minute screen recording where they accessed a range of operational controls (identifying information removed from example below). 

While the hackers may well be accessing sensitive environments, it is not clear how much damage they could do. Programmable logic controllers (PLCs), for example, often include safety features that can prevent damaging actions from occurring, but the fact that such environments are accessible to threat actors is nonetheless concerning. 

Cyble has in general observed increased threat activity targeting the energy sector in recent months. Dark web claims and ransomware attacks have increased, and network access and zero-day vulnerabilities have been offered for sale on dark web market places. Cyble has observed instances where credentials for energy network access were offered for sale on the dark web before larger breaches and attacks occurred, suggesting that monitoring for credential leaks may be an important defense for preventing larger breaches later. 

People’s Cyber Army Activities 

The better-known People’s Cyber Army (PCA) – also known as the Cyber Army of Russia Reborn – has also been targeting critical infrastructure controls in the U.S. and elsewhere, and there have been some suggestions that PCA and Z-Pentest may be working together. While many of the group’s activities have involved DDoS attacks, recent claims have included access to the control panels of a U.S. environmental cleanup company and water systems in Texas and Delaware. 

Water and wastewater systems are considered particularly vulnerable by some OT security specialists, in part because communities are ill-equipped to deal without them for any length of time. 

The People’s Cyber Army struck twice in late August and September, releasing screen recordings showing the group tampering with system settings on control panels at the Stanton Water Treatment Plant in Stanton, Texas, and New Castle, Delaware water towers (images below). 

Image above: Stanton Water Treatment Plant attack 

Image above: Delaware water tower attack 

In the Texas case, the hackers were able to open valves and release untreated water, but otherwise no damage is believed to have occurred. 

In all, Cyble has documented eight water system attacks by the People’s Cyber Army this year in the U.S. and elsewhere, including a January attack that caused water storage tanks to overflow in Abernathy and Muleshoe, Texas. The group has been targeting Ukraine allies since 2022, and was sanctioned by the U.S. government in July 2024. 

Conclusion 

Security weaknesses in critical infrastructure organizations are by now a well-documented phenomenon, but the recent spate of attacks targeting energy and water facilities suggests a concerning escalation in the exploitation of these vulnerable environments. The emergence of Z-Pentest as a new threat actor in this space should be taken seriously, as the group has demonstrated an apparent ability to penetrate these environments and access – and tinker with – operational control panels. 

Critical infrastructure environments often cannot afford downtime, and end-of-life devices often remain in service long after support has ended. With those challenges in mind, below are some general recommendations for improving the security of critical environments: 

1. Organizations should follow ICS/OT vulnerability announcements and apply patches as soon as they become available. Staying up to date with vendor updates and security advisories is critical to ensuring that vulnerabilities are addressed promptly. 

2. Segregating ICS/OT/SCADA networks from other parts of the IT infrastructure can help prevent lateral movement in case of a breach. Implementing a Zero-Trust Architecture is also advisable to limit the potential for exploitation. Devices that do not need to be exposed to the internet should not be, and those that require web exposure should be protected to the extent possible. 

3. Regular cybersecurity training for all personnel, particularly those with access to Operational Technology (OT) systems, can help prevent human error and reduce the risk of social engineering attacks. 

4. Ongoing vulnerability scanning and penetration testing can help identify and address weaknesses before attackers exploit them. Engaging threat intelligence services and staying updated with vulnerability intelligence reports is essential for proactive defense. 

5. Developing a robust incident response plan and conducting regular security drills ensures that organizations are prepared for a quick and coordinated response to any security incidents that may arise. 

The post Russian Hacktivists Increasingly Tamper with Energy and Water System Controls appeared first on Cyble.

Blog – Cyble – ​Read More

Welcome to this week’s edition of the Threat Source newsletter. 

I am unbelievably lucky to do the work that I do. My title is technically ‘Senior Security Strategist’. It’s a very fancy title, but basically: I get to research threats with my colleagues and friends to keep people safe here at Talos. I also get to travel and talk to our customers and communities about that work and how we fight that good fight. This has taken me to some interesting places – from Ukraine to California and lots of places in between. Not bad for a guy from a small town in Alabama.  

This gig isn’t for everyone. You must have some extroverted tendencies, and as the youth would say, some ‘rizz’. It’s not enough to talk about something like, say, ransomware. You need to be able to explain it in high technical detail if needed and then explain it to a board of C-levels and speak the language of business they understand. And you need to do it in an engaging way to keep your audiences bought in. It’s a unique blend of security practitioner expertise and the ability to communicate that to audiences, some technical, some not.  

If you’re thinking this also requires some kind of social media influencer level of Hemsworth caliber good looks and hyper charisma, have no fear. I’m about as much a security influencer as Chris Farley was a Beverly Hills ninja. I am just a security nerd who likes to talk. Like I said – I’m very lucky.  

Sometimes this gig takes you to very unexpected places. A couple of weeks ago I found myself at the Ford Foundation Center for Social Justice. I was there to attend and support the NGO-ISAC annual summit. The NGO-ISAC ‘is a non-profit organization improving the cybersecurity of US-based nonprofits.’ They do amazing work supporting cyber security for non-governmental organizations that help protect and promote civil society. We’re also fortunate at Talos to be a partner with them and donate time and resources to support their mission of helping the helpers.  

We are proud to be partners and volunteer our time with NGO-ISAC and it’s members. If you ever want to be truly humbled, spend time with an NGO and learn about what they do. The energy and heart those people have is incredible and will inspire you. They help feed the hungry, cloth the homeless, protect refugees, promote democracies, and generally help take care of some of the most vulnerable people and institutions our society relies upon. They also traditionally struggle with cybersecurity – security investments and practitioner expertise can be difficult to obtain when your budgets are built upon donations to support your mission. They are the embodiment of fighting the good fight, and we at Talos will always have the time to help them help others.  

While I was there, we debuted a custom NGO version of Backdoors & Breaches I helped co-develop with the NGO-ISAC. It was a real hit, and we ran demo games that resonated very well with the audiences. Helping teach cybersecurity to NGOs is fantastic. If we can help them stay secure, there’s so many others who will be helped by it. Also, keep your eyes peeled for a blog post in January about how we designed and created a custom expansion for Backdoors & Breaches.  

Also, the Ford Foundation? Amazing building. It’s in the heart of NYC and is an island of pure serenity. They have an indoor atrium/park that is next level. They pipe in some absolute jazz bangers throughout the entire building that, mixed with the decor, exudes a class I’ve rarely encountered in my travels. If I could make a blanket out of that entire vibe and wrap myself up in it, I’d do it.  

The one big thing 

QR Codes, am I right? Sometimes you can scan one with your phone and maybe win a free cheeseburger, sometimes it can take you to a fake O365 phishing site. The tricky bit with QR codes in e-mails is how easily they can avoid spam filters. My man Jaeson Schultz did some great research on attacks, prevalence, and detection of QR codes in e-mail messages. The parts on AI-generated QR imagery are fantastic – be careful what you scan! 

Why do I care? 

E-mail phishing and evading defenses are a tried and tested tactic with attackers. QR codes are another method of attack, and because they can be difficult to defang/detect, defenders have to work extra hard to understand those threats and stop them.  

So now what? 

Exercise serious caution when scanning a QR code. If possible, detonate those suspicious QR code e-mails in a sandbox, like Threat Grid. 

Top security headlines of the week 

At least 97 major water systems in the US have serious cybersecurity vulnerabilities and compliance issues, raising concerns that cyberattacks could disrupt businesses, industry, and the lives of millions of citizens. (Dark Reading) 

The NSA updated its mobile devices security best practices report. Reboot those phones at least once a week friends.  (ZDNet) 

The United States and other Western nations released guidance Tuesday designed to evict the China-linked group in the wake of the high-profile hack. (CyberScoop) 

Can’t get enough Talos? 

• New PXA Stealer targets government and education sectors for sensitive information 
• The TTP Episode 7: Explore this year’s Macro-ATT&CK findings  
• Beers with Talos is back (kind of) with a special “B Team” episode: Misadventures, Rabbit Holes, and Turkey Lurkey Goes to the Movies 

Upcoming events where you can find Talos 

AVAR (Dec. 4-6)   

Chennai, India  

Vanja Svancer and Chetan Raghuprasad from Cisco Talos will both present, Vanja will be discussing Exploring Vulnerable Windows Drivers, while Chetan presents Sweet and Spicy Recipes for Government Agencies by SneakyChef.   

Most prevalent malware files from Talos telemetry over the past week  

SHA 256: 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647 

MD5: bbcf7a68f4164a9f5f5cb2d9f30d9790 

VirusTotal: https://www.virustotal.com/gui/file/0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647/details 

Typical Filename: cwjhtmbwgyomzrhbo.exe 

Claimed Product: n/a 

Detection Name: Win.Dropper.Scar::1201  

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 

MD5: 71fea034b422e4a17ebb06022532fdde 

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/detection 

Typical Filename: VID001.exe 

Claimed Product: n/a 

Detection Name: Coinminer:MBT.26mw.in14.Talos 

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   

MD5: 200206279107f4a2bb1832e3fcd7d64c  

VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details%C2%A0 

Typical Filename: lsgkozfm.bat  

Claimed Product: N/A  

Detection Name: Win.Dropper.Scar::tpd    

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   

MD5: 71fea034b422e4a17ebb06022532fdde   

VirusTotal: https://www.virustotal.com/gui/file/bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a/details 

Typical Filename: VID001.exe   

Claimed Product: N/A   

Detection Name: RF.Talos.80   

SHA 256: 3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66   

MD5: 8b84d61bf3ffec822e2daf4a3665308c   

VirusTotal: https://www.virustotal.com/gui/file/3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66/details%C2%A0 

Typical Filename: RemComSvc.exe   

Claimed Product: N/A   

Detection Name: W32.3A2EA65FAE-95.SBX.TG   

Cisco Talos Blog – ​Read More

Recently, our analyst team shared their research into a zero-day attack involving the use of corrupted malicious files to bypass static detection systems. Now, we present a technical analysis of this method and its mechanics. 

In this article, we will:  

• Demonstrate how attackers corrupt archives, office documents, and other files 
• Explain how this method successfully evades detection by security systems 
• Show how corrupted files get recovered by their native applications 

Let’s get started. 

Sandbox Analysis of a Corrupted File Attack

To first see how such attacks unfold, we can upload one of the corrupted filles used by attackers to ANY.RUN’s sandbox.  

View analysis session. 

Thanks to its interactivity, the sandbox lets us simulate a real scenario of user opening the broken malicious file inside the file’s corresponding application. 

In our case, it’s a docx file. When we open it with Word, the program immediately offers us the option to recover the content of the file and successfully does it. 

Inside, we find a QR code with a phishing link. The sandbox also automatically detects malicious activity and notifies us about this. 

How Corrupted Files Bypass Antivirus Software and Other Automated Solutions

Analysis inside the ANY.RUN sandbox showed how a corrupted file gets restored thanks to Word’s built-in recovery mechanisms, which allows us to identify its malicious nature. 

Yet, if we submit the same corrupted file to VirusTotal, which provides verdicts from numerous security solutions, we will see zero threat detections. The question is why? 

The answer is simple: most antivirus software and automated tools are not equipped with the recovery functionality that is found in applications, such as Word. This prevents them from accurately identifying the type of the corrupted file, resulting in a failure to detect and mitigate the threat. 

Docx is not the only file format used by attackers. There are also corrupted archives with malicious files inside, which easily bypass spam filters because security systems cannot view their contents due to corruption.  

Once downloaded onto a system, tools like WinRAR easily restore the damaged archive, making its contents available to the victim. 

Now, let’s see how exactly it works on a technical level. 

Technical Analysis of a Corrupted Word Document 

The Structure of a Word Document 

Since the mid-2000s, office documents (OpenOffice.org 2.0 — released in 2005) have been structured as archives containing the document’s content. 

In the image below, you can see the structure of a Word document. 

As we can see, all structures within this archive are interconnected, and this relationship begins from the end. 

At the end of the archive, there is a structure called the End of Central Directory Record (EOCD). This structure contains information about the size of the Central Directory File Header (CDFH), its offset, and the total number of entries in the archive. This structure helps locate the CDFH.  

The CDFH duplicates the data stored in the Local File Header (LFH) and the offsets to it. Yet, this structure does not contain the compressed data itself but rather represents a hierarchy of files within the archive. This part of the structure allows you to find the LFH of each file in the archive.  

The LFH is considered the header for each file in the archive. It contains important data such as the file name, compressed and uncompressed sizes, CRC32 checksum, and other parameters.  

The compressed data is located after the header. 

How the File Structure Can Be Manipulated by Attackers 

As shown in the image above (Figure 1), the archive is structured backward, starting with the end, while all parts are linked together.  

This has led us to test three different hypotheses (Figure 2): 

1. Can Word or an archiving program recover and successfully open a file if additional data is added to the beginning of the archive? 

2. Can Word or an archiving program recover and successfully open a file if we corrupt the linking between the parts and delete the CDFH, which does not contain the file data itself?  

3. Can Word or an archiving program recover and successfully open a file if we corrupt the linking between the parts and erase the EOCD, which is a crucial part of the recovery process? 

You can see the results of our hypothesis testing in the table below.

During our hypothesis testing, we’ve made several noteworthy observations: 

1. For minimal recovery of a Word document, the following files are essential: 

[Content_Types].xml,   

Word/document.xml,   

word/_rels/document.xml.rels,   

_rels/.rels;   

These contain crucial information regarding the relationships between elements and form the standard file hierarchy required for Word to interpret the document. 

2. A ZIP archive with corrupted Local File Headers will only show the file structure. The actual file content will be empty. 

3. If the end part of the ZIP file is damaged, the archiving software and Word will attempt to use an alternative recovery method: by leveraging intact Local File Headers. 

Our findings demonstrate that Word is more resilient to file corruption than ZIP. While Word successfully recovered files with corrupted CDFH, EOCD, and even when random bytes were added to create a non-existent LFH structure, ZIP failed in the first hypothesis, where random bytes were added to the beginning of the file. 

Why Security Systems Fail to Read Corrupted Files 

Security systems attempt to identify file types, including by using Magic Bytes in File Headers. In the case of office documents and ZIP archives, because the file effectively starts from the end, we can corrupt the archive structure and magic bytes, making it difficult for detection systems to identify the file type.  

This leads to the inability to unpack and inspect the contents. 

Consider this email with a corrupted Word document. 

The sandbox once again has no problem detecting the threat, returning a “malicious activity” verdict.

But, when run in VirusTotal, almost zero threat detections come back for this file. 

Conclusion

Our study revealed a vulnerability in document and archive structures. By manipulating specific components like the CDFH and EOCD, attackers can create corrupted files that are successfully repaired by applications but remain undetected by security software. As a result, we face a situation when security systems have not yet developed a clear logic for detecting such attacks, exposing the security of their users.

About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

• Detect malware in seconds
• Interact with samples in real time
• Save time and money on sandbox setup and maintenance
• Record and study all aspects of malware behavior
• Collaborate with your team 
• Scale as you need

Explore all Black Friday 2024 offers →

The post Zero-day Attack Uses Corrupted Files to Bypass Detection: Technical Analysis appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More