Recently, our analyst team shared their research into a zero-day attack involving the use of corrupted malicious files to bypass static detection systems. Now, we present a technical analysis of this method and its mechanics. 

In this article, we will:  

• Demonstrate how attackers corrupt archives, office documents, and other files 
• Explain how this method successfully evades detection by security systems 
• Show how corrupted files get recovered by their native applications 

Let’s get started. 

Sandbox Analysis of a Corrupted File Attack

To first see how such attacks unfold, we can upload one of the corrupted filles used by attackers to ANY.RUN’s sandbox.  

View analysis session. 

Thanks to its interactivity, the sandbox lets us simulate a real scenario of user opening the broken malicious file inside the file’s corresponding application. 

In our case, it’s a docx file. When we open it with Word, the program immediately offers us the option to recover the content of the file and successfully does it. 

Inside, we find a QR code with a phishing link. The sandbox also automatically detects malicious activity and notifies us about this. 

How Corrupted Files Bypass Antivirus Software and Other Automated Solutions

Analysis inside the ANY.RUN sandbox showed how a corrupted file gets restored thanks to Word’s built-in recovery mechanisms, which allows us to identify its malicious nature. 

Yet, if we submit the same corrupted file to VirusTotal, which provides verdicts from numerous security solutions, we will see zero threat detections. The question is why? 

The answer is simple: most antivirus software and automated tools are not equipped with the recovery functionality that is found in applications, such as Word. This prevents them from accurately identifying the type of the corrupted file, resulting in a failure to detect and mitigate the threat. 

Docx is not the only file format used by attackers. There are also corrupted archives with malicious files inside, which easily bypass spam filters because security systems cannot view their contents due to corruption.  

Once downloaded onto a system, tools like WinRAR easily restore the damaged archive, making its contents available to the victim. 

Now, let’s see how exactly it works on a technical level. 

Technical Analysis of a Corrupted Word Document 

The Structure of a Word Document 

Since the mid-2000s, office documents (OpenOffice.org 2.0 — released in 2005) have been structured as archives containing the document’s content. 

In the image below, you can see the structure of a Word document. 

As we can see, all structures within this archive are interconnected, and this relationship begins from the end. 

At the end of the archive, there is a structure called the End of Central Directory Record (EOCD). This structure contains information about the size of the Central Directory File Header (CDFH), its offset, and the total number of entries in the archive. This structure helps locate the CDFH.  

The CDFH duplicates the data stored in the Local File Header (LFH) and the offsets to it. Yet, this structure does not contain the compressed data itself but rather represents a hierarchy of files within the archive. This part of the structure allows you to find the LFH of each file in the archive.  

The LFH is considered the header for each file in the archive. It contains important data such as the file name, compressed and uncompressed sizes, CRC32 checksum, and other parameters.  

The compressed data is located after the header. 

How the File Structure Can Be Manipulated by Attackers 

As shown in the image above (Figure 1), the archive is structured backward, starting with the end, while all parts are linked together.  

This has led us to test three different hypotheses (Figure 2): 

1. Can Word or an archiving program recover and successfully open a file if additional data is added to the beginning of the archive? 

2. Can Word or an archiving program recover and successfully open a file if we corrupt the linking between the parts and delete the CDFH, which does not contain the file data itself?  

3. Can Word or an archiving program recover and successfully open a file if we corrupt the linking between the parts and erase the EOCD, which is a crucial part of the recovery process? 

You can see the results of our hypothesis testing in the table below.

During our hypothesis testing, we’ve made several noteworthy observations: 

1. For minimal recovery of a Word document, the following files are essential: 

[Content_Types].xml,   

Word/document.xml,   

word/_rels/document.xml.rels,   

_rels/.rels;   

These contain crucial information regarding the relationships between elements and form the standard file hierarchy required for Word to interpret the document. 

2. A ZIP archive with corrupted Local File Headers will only show the file structure. The actual file content will be empty. 

3. If the end part of the ZIP file is damaged, the archiving software and Word will attempt to use an alternative recovery method: by leveraging intact Local File Headers. 

Our findings demonstrate that Word is more resilient to file corruption than ZIP. While Word successfully recovered files with corrupted CDFH, EOCD, and even when random bytes were added to create a non-existent LFH structure, ZIP failed in the first hypothesis, where random bytes were added to the beginning of the file. 

Why Security Systems Fail to Read Corrupted Files 

Security systems attempt to identify file types, including by using Magic Bytes in File Headers. In the case of office documents and ZIP archives, because the file effectively starts from the end, we can corrupt the archive structure and magic bytes, making it difficult for detection systems to identify the file type.  

This leads to the inability to unpack and inspect the contents. 

Consider this email with a corrupted Word document. 

The sandbox once again has no problem detecting the threat, returning a “malicious activity” verdict.

But, when run in VirusTotal, almost zero threat detections come back for this file. 

Conclusion

Our study revealed a vulnerability in document and archive structures. By manipulating specific components like the CDFH and EOCD, attackers can create corrupted files that are successfully repaired by applications but remain undetected by security software. As a result, we face a situation when security systems have not yet developed a clear logic for detecting such attacks, exposing the security of their users.

About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

• Detect malware in seconds
• Interact with samples in real time
• Save time and money on sandbox setup and maintenance
• Record and study all aspects of malware behavior
• Collaborate with your team 
• Scale as you need

Explore all Black Friday 2024 offers →

The post Zero-day Attack Uses Corrupted Files to Bypass Detection: Technical Analysis appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Overview 

A coalition of cybersecurity agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), Australia’s Australian Signals Directorate (ASD), the Australian Cyber Security Centre (ACSC), as well as counterparts from Canada and New Zealand, has issued a hardening guidance to strengthen communications infrastructure against cyber espionage and other malicious cyber activities.   

This hardening guidance focuses on visibility enhancements and hardening practices for network devices. It aims to help engineers and defenders safeguard their systems from the growing threats posed by China-affiliated threat actors. The latest intelligence reports reveal that Chinese hackers have compromised networks of major telecommunications providers globally, conducting extensive cyber espionage campaigns.  

These groups have been targeting vulnerabilities in telecommunications networks, gaining unauthorized access to sensitive data. This activity aligns with known weaknesses in existing network infrastructure and highlights the urgent need for organizations to address security gaps.  

The agencies involved in this effort, including the ASD and the ACSC, emphasize that while the tactics used by these threat actors are not novel, their success stems from exploiting well-established vulnerabilities in communications infrastructure. The newly issued hardening guidance, therefore, provides actionable steps for network engineers and defenders to strengthen visibility, detect malicious activities, and harden systems against future exploitation.  

Hardening Guidance: Enhancing Visibility in Communications Networks  

One key strategy in this guidance is to improve visibility across communication networks. For organizations to effectively monitor, detect, and respond to cyber threats, they must have thorough insight into network traffic, user behavior, and overall data flow. High visibility enables swift identification of anomalies that may indicate a cyber intrusion, allowing defenders to take immediate action.  

Monitoring Network Configurations and Changes  

Network engineers are advised to closely monitor configuration changes in critical network devices, such as routers, switches, and firewalls. Any alterations outside the formal change management process should raise red flags. Additionally, regular audits and monitoring for unusual activities, such as unauthorized changes to routes or protocols, can help detect malicious intrusions early.  

Centralized Configuration Management  

The guidance recommends centralizing configurations and storing them in a secure, centralized location. This prevents devices from becoming the sole source of truth for their own configurations, which could be manipulated in the event of a breach. Network engineers should also implement strong network flow monitoring solutions to gain insights into the ingress and egress points of data across the network.  

Monitoring Accounts and Logging  

A proactive approach to monitoring user accounts and logins is also essential for mitigating threats. Monitoring anomalies in user and service account activity—such as abnormal login times, failed login attempts, or logins from unexpected locations—can help identify malicious actors who have gained unauthorized access to the network.  

Organizations should also ensure that logging mechanisms are vigorous, secure, and centralized. Logs should be encrypted in transit and stored off-site to prevent tampering. Using Security Information and Event Management (SIEM) systems is encouraged to help analyze logs and correlate data from various devices for rapid incident detection.  

Hardening Network Systems  

Beyond improving visibility, securing the underlying network systems through hardening is a critical defense strategy. Hardening aims to reduce vulnerabilities by ensuring that network devices and protocols are securely configured to minimize the attack surface. The collaboration between CISA, ACSC, and other agencies has provided valuable hardening guidance that organizations can apply to their communications infrastructure.  

Isolated Management Networks  

One of the most critical recommendations in the guide is the use of out-of-band management networks. By ensuring that network infrastructure devices can only be managed from physically separate, trusted networks, organizations can prevent the lateral movement of hackers within their systems. This isolation limits the potential impact of a breach, as attackers cannot easily move between devices on the network once one device has been compromised.  

Segmentation and Access Control  

Segmentation of networks into isolated zones, such as using Virtual Local Area Networks (VLANs) and private VLANs (PVLANs), helps protect critical systems and restricts access to sensitive data. Access Control Lists (ACLs) should be configured with a default-deny policy to control both inbound and outbound traffic, ensuring that only authorized connections are allowed.  

Securing Virtual Private Networks (VPNs)  

The guidance stresses the importance of securing VPN gateways by limiting their exposure to the internet and enforcing strong cryptographic protocols for key exchange and data encryption. VPNs should be configured to only allow strong authentication methods, and unused cryptographic algorithms should be disabled to reduce the risk of exploitation.  

Proactive Authentication and Account Management  

In addition to securing network devices, organizations should focus on improving authentication methods to ensure that only authorized users can access their networks. Implementing phishing-resistant multi-factor authentication (MFA) for all users, especially those with administrative privileges, is one of the primary strategies to prevent unauthorized access.  

The guidance also emphasizes the importance of strong password policies, including the use of secure hashing algorithms and the requirement to change default passwords immediately upon deployment. Additionally, organizations should regularly review user accounts to ensure that inactive or unnecessary accounts are removed, and all accounts are assigned the minimum necessary permissions.  

Conclusion   

Adopting a “secure by design” approach is crucial for software manufacturers to enhance the security of their products and reduce the need for customers to manually implement hardening measures.   

As cyber threats, especially Chinese threat actors, continue to target global organizations, collaboration between international agencies like CISA, ACSC, and other stakeholders is important to protect global communications infrastructure. Australia’s leadership, through agencies such as the ASD and ACSC, plays an important role in fighting cybercrime.  

By focusing on hardening guidance, improving visibility, and working together internationally, organizations can strengthen their security posture, mitigate vulnerabilities, and contribute to the collective global effort to protect digital life. 

The post Australia’s ACSC and ASD Team Up with CISA, NSA, FBI, and International Allies to Protect Communications Infrastructure appeared first on Cyble.

Blog – Cyble – ​Read More

Finding information on specific cyber threats in a vast amount of data can be challenging. Threat Intelligence Lookup from ANY.RUN simplifies this task with wildcards and operators that provide you with the ability to create flexible and precise search queries.

Let’s take a look at how you can use them to identify and collect intel on malware and phishing attacks more effectively. 

About Threat Intelligence Lookup 

Threat Intelligence (TI) Lookup is a fast and efficient tool designed to simplify cyber threat investigations. It allows for flexible searches for Indicators of Compromise (IOCs), Indicators of Attack (IOAs), and Indicators of Behavior (IOBs).  

TI Lookup provides access to a constantly updated database of threat data collected from millions of public malware and phishing samples analyzed in ANY.RUN’s Interactive Sandbox.  

Each sandbox session contains detailed logs of system and network events that occur while a threat is executing. By searching through this comprehensive data, you can easily find connections between seemingly unrelated pieces of information and tie them to a specific threat. 

Here’s how TI Lookup can help you and your organization: 

• Investigate Threats Quickly: Gather extensive and in-depth information on emerging and persistent cyber threats with over 40 search parameters (e.g. threat names, command lines, registry logs, etc.). 

• Receive Real-Time Updates: Stay informed with real-time updates on results for your search queries. 

• Enrich Threat Intelligence: Get relevant context, indicators, and samples manually analyzed by threat analysts. 

Search Operators in TI Lookup 

Search operators are essential tools in TI Lookup that allow you to combine several indicators to refine your search queries effectively. They act as logical connectors that help you specify the relationships between different conditions in your search and achieve greater flexibility and precision in your searches. 

TI Lookup supports logical operators like AND, OR, and NOT, as well as grouping with parentheses. Let’s take a closer look at each of these. 

AND 

What it does  

The AND operator helps you combine multiple conditions. 

Why use it  

AND is great for narrowing down your search to find threats by including as many unique indicators as possible.  

It is equally effective in situations when you have several completely disparate artifacts, like an IP address and a mutex, and want to link them to a particular threat. 

Example 

This query is designed to search for sandbox sessions where both thum[.]io and logo[.]clearbit[.]com domains were found. 

• Thum[.]io is a real-time website screenshot generator. 

• logo[.]clearbit[.]com is a service for fetching company logos. 

TI Lookup almost instantly provides results: associated IP addresses and sandbox sessions, all of which contain a “malicious activity” label and a “phishing” tag. 

We can click any session of our interest to investigate the threat further.

By reviewing the analysis report, we can spot that this is a cyber attack which uses thum[.]io to dynamically generate phishing pages with the backgrounds of a website that coincides with that of the victim. Attackers also use logo[.]clearbit[.]com to add corresponding company logos to make fake pages appear more legitimate. 

OR 

What it does 

The OR operator helps return matches where at least one of the given conditions is found. 

Why use it  

OR is excellent in situations when you are not sure which one of two indicators is related to a threat. It is also useful for broadening your search to include results where both indicators are found, but necessarily together in the same session.  

Example  

It searches for entries where the synchronization object name is “DocumentUpdater” or “PackageManager”. If you’re investigating a threat that could be using either of these sync objects, this query ensures you don’t miss any relevant information. 

TI Lookup shows that the synchronization objects are mutexes and provides sandbox sessions where they were previously discovered. 

NOT 

What it does 

The NOT operator excludes results that match the specified condition. 

Why use it 

NOT is helpful when you want to refine your search and see sandbox sessions where no certain item, like a domain or file name, was observed. 

Example 

This query is looking for phishing samples but excludes any entries where the initial submission uploaded to the ANY.RUN sandbox was a URL.

It helps us find email, html, zip, exe, or other types of files, used in phishing attacks. 

Parentheses () 

What they do 

Parentheses group conditions and control the order of operations to ensure they are processed in the order you specify. 

Why use them  

Parentheses are essential for creating complex queries, making your search more precise and effective. 

Example

This query searches for sandbox sessions and their related data where the process “mshta.exe” was observed along with connections to destination ports of either 80 or 443. The parentheses ensure that the OR condition is processed first, making the search more precise. 

TI Lookup returns a wealth of threat data related to our query. Some of the results include malicious domains and IP addresses, as well as a list of network threats detected during analyses. 

Wildcard Characters 

Wildcards in TI Lookup act as placeholders in your search queries. They can represent different types of character sequences. 

Asterisk (*) 

What it does  

The asterisk represents any number of characters, including none. This means it can stand in for zero, one, or multiple characters. The asterisk is added by default at the start and end of each query, so you in most cases there is no need to enter it manually.

Why use it 

The asterisk is great for when you’re not sure about the exact content of a string. It helps you find matches even if there are unknown parts or certain variations in your query string. 

Example 

This query searches for sandbox sessions where the command line includes paths to specific script files located in the C:UsersPublic directory. The scripts must be of types .vbs (Visual Basic Script), .bat (Batch file), and .ps1 (PowerShell script).  

Yet, the names of these scripts are replaced with the asterisk wildcard, representing any string of characters, as they can vary.

This helps us discover scripts with different file names and see how each of them fits into a wider context of the entire attack analyzed in the sandbox.

In the image above, you can see the execution of one of the found scripts inside the ANY.RUN sandbox. 

Question Mark (?) 

What it does  

The question mark represents any single character or its absence. This means it can stand in for exactly one character or none at all. 

Why use it  

The question mark is perfect for situations when you are not sure about a certain character in your string or know that it varies. 

Example  

Here, we can borrow a query from Jane_0sint’s article on phishing investigations, which is intended for identifying samples of Mamba2FA attacks.  

A notable part of this query is that we can see the question mark being used twice. Yet, there is a difference between these two instances: 

• The first one is the wildcard that serves as a stand-in for the characters “m”, “n”, and “o” that are commonly used in Mamba2FA URLs.  

• The second question mark is a part of the address. To escape it, we use the slash symbol. 

We once again can observe a variety of results, including command lines that contain different URLs matching our query. 

Dollar Sign ($) 

What it does 

The dollar sign ensures that the search term must appear at the end of the string. It excludes matches with any characters after the specified content. 

Why use it  

The dollar sign is useful when you know the exact ending of a string but are unsure about the beginning. It helps you find matches that end with your specified term. 

Example 

This query searches for any synchronization object whose name ends with _STOP. 

Among the results, we can see mutex names such as biudfw_stop, jeboi_stop, and nonij_stop. As always, we can explore each of them in detail by navigating to their corresponding sandbox sessions. 

Caret (^) 

What it does  

The caret ensures that the search term must appear at the beginning of the string. It prevents matches with any characters before the specified query content. 

Why use it 

The caret is helpful when you know the exact starting point of a string but are unsure about the rest. It narrows down your search to items that begin with your specified term. 

Example 

This query finds domain names that start with 0ffice and end with .com, with any characters allowed in between. The caret (^) and dollar sign ($) ensure the exact start and end. 

TI Lookup provides us with domains that match our query along with sandbox sessions, where they were found. 

Conclusion 

wildcards and operators in TI Lookup provide the flexibility and precision needed to perform threat intelligence searches. By learning how to use these tools, you can make your threat hunting efforts more effective.

Give it a try by requesting a free trial of TI Lookup.

About ANY.RUN  

ANY.RUN’s Threat Intelligence Lookup and YARA Search services allow for precise threat hunting and the extraction of valuable insights into current cyber threat trends. What’s impressive is how fast these scans are—they significantly speed up the analysis process, allowing for quick detection of threats and malware. 

See Black Friday deals for ANY.RUN’s Interactive Sandbox and Threat Intelligence Lookup →

The post Search Operators and Wildcards for Cyber Threat Investigations appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Overview

Dubai is making significant strides in integrating advanced technologies while emphasizing strong cybersecurity frameworks. A recent study by the World Economic Forum (WEF), titled “Navigating Cyber Resilience in the Age of Emerging Technologies,” highlights how the city is utilizing technologies such as artificial intelligence (AI), blockchain, quantum computing, and smart city solutions across critical sectors.

The Dubai Electronic Security Center (DESC) plays a central role in supporting the secure adoption of these emerging technologies. Initiatives such as the Dubai Cyber Security Strategy and the UAE National Strategy for Artificial Intelligence 2031, along with policies like the Dubai AI Security Policy and autonomous vehicle security standards, aim to balance innovation with a focus on digital security.

This blog delves into DESC’s contributions, Dubai’s cybersecurity strategies, and the city’s efforts to enhance cyber resilience and enable secure digital transformation.

The Role of DESC in Dubai’s Cybersecurity Strategy

The Dubai Electronic Security Center (DESC) is at the heart of Dubai’s digital transformation. As a key player in Dubai’s Cyber Security Strategy, DESC focuses on securing digital assets, fostering innovation, and establishing Dubai as a leading secure digital hub.

His Excellency Yousuf Hamad Al Shaibani, CEO of DESC, highlighted the center’s proactive measures, saying, “The Center continues to coordinate with governmental, regional, and international entities to study the security requirements of modern and emerging technologies and set standards and controls that ensure their safe adoption across various sectors.”

DESC has introduced multiple initiatives to ensure the secure implementation of emerging technologies:

• Dubai AI Security Policy: A framework for safe use of AI technologies across sectors.
• Autonomous Vehicle Security Specification: The first of its kind globally, providing security standards for self-driving vehicles.
• RZAM Cybersecurity Application: A real-time solution leveraging AI to protect internet users from malicious websites and phishing attacks.

These policies stress Dubai’s efforts to create a secure environment for the adoption of advanced technologies.

Advancing Emerging Technologies

Dubai’s leadership in cybersecurity is closely aligned with the UAE National Strategy for Artificial Intelligence 2031. This strategy, combined with substantial investments in technologies such as quantum computing, 5G communications, and the Internet of Things (IoT), is designed to drive innovation while maintaining robust digital safeguards.

For example, DESC has been instrumental in supporting Dubai’s Self-Driving Transport (SDT) Strategy. The SDT Strategy aims to convert 25% of Dubai’s total transportation to self-driving vehicles by 2030. To achieve this, DESC recently published a study on connected vehicles, highlighting the security specifications required to mitigate cyber risks in IoT-enabled transport systems.

The Economic Impact of AI

Artificial intelligence is central to Dubai’s digital transformation efforts. The WEF report estimated that AI will contribute USD 320 billion to the UAE economy by 2030. In line with this, DESC issued a detailed study examining AI’s potential across various sectors in Dubai.

This study analyzed:

• AI’s Economic Contributions: Estimating how AI can drive Dubai’s economic growth.
• Ethical and Societal Considerations: Exploring the implications of widespread AI adoption.
• Risk Mitigation: Identifying challenges and solutions for safe AI integration.
• Stakeholder Collaboration: Promoting partnerships to enhance AI research and application.

These efforts are part of a broader vision to position Dubai as a global hub for AI research, development, and implementation.

Global Partnerships and Regulatory Frameworks

DESC has also been instrumental in establishing partnerships with public and private stakeholders at both local and international levels. By collaborating with research institutions and global technology leaders, Dubai is developing regulatory frameworks to safely integrate cutting-edge technologies.

These partnerships are crucial in fostering an environment where innovation can thrive without compromising security. Policies such as the Dubai AI Security Policy and the autonomous vehicle security standards reflect the city’s commitment to balancing innovation with cybersecurity.

Building a Resilient Digital Infrastructure

Dubai’s success in integrating new technologies is rooted in its digital infrastructure and forward-looking strategies. The Dubai Cyber Security Strategy serves as a guiding framework for ensuring the resilience and reliability of digital systems.

By focusing on key areas like secure IoT adoption, AI governance, and blockchain implementation, DESC is driving Dubai’s vision of a smart and secure city. These efforts are complemented by national initiatives such as the UAE’s investments in advanced communication technologies like 5G and quantum computing.

The Future of Cyber Resilience in Dubai

Dubai’s approach to cybersecurity offers valuable lessons for other cities and nations seeking to embrace emerging technologies. With DESC leading the charge, Dubai is not only addressing present-day challenges but also preparing for future risks associated with digital transformation. Its comprehensive strategies and global collaborations ensure that innovation is securely integrated into all aspects of life.

References: https://www.desc.gov.ae/world-economic-forum-study-highlights-descs-innovative-efforts-in-securing-emerging-technologies/

The post DESC Leads Dubai’s Journey to Becoming the World’s Safest Digital City appeared first on Cyble.

Blog – Cyble – ​Read More

Welcome to ANY.RUN’s monthly updates, where we give you all the details on our latest features and enhancements. 

November has been a month of innovation at ANY.RUN, with major upgrades. We’ve launched Smart Content Analysis as part of Automated Interactivity, updated the home screen of TI Lookup featuring an interactive MITRE ATT&CK matrix connected with real-world samples, and expanded our detection capabilities with new YARA rules, signatures, and Suricata rules for even more comprehensive threat coverage. 

Here’s everything you need to know about our November updates! 

Product Updates 

Automated Interactivity: Stage 2 

Last year, we introduced Automated Interactivity, a feature that simulates user behavior inside the ANY.RUN sandbox to automatically trigger cyberattacks. It was a game-changer, helping analysts streamline tasks like clicking buttons or solving CAPTCHA challenges. 

Now, we’re thrilled to unveil Stage 2 of this feature: Smart Content Analysis, a major upgrade that offers better detection and execution of complex threats. 

This update makes your security workflow more efficient by enhancing detection capabilities, automating time-consuming tasks, and simplifying complex analyses. It saves analysts valuable time, provides deeper insights, and helps teams respond to threats faster and more effectively. 

What is Smart Content Analysis? 

Smart Content Analysis enhances Automated Interactivity by analyzing and detonating malware and phishing attacks at every step of the kill chain. Here’s how it works: 

• Identifying content: It scans for URLs, email attachments, or hidden malicious components. 

• Extracting key data: This includes extracting URLs from QR codes or bypassing rewritten links from security filters. 

• Simulating actions: It interacts with extracted content, such as opening links, solving CAPTCHA challenges, or launching payloads. 

Automated Interactivity is available to Hunter and Enterprise-plan users and can be manually enabled in any sandbox session.  

MITRE ATT&CK Techniques with Real-World Samples inside TI Lookup 

We’re thrilled to announce a major update to TI Lookup, now featuring a redesigned home screen integrated with the MITRE ATT&CK matrix. This upgrade turns the matrix into an interactive tool, bridging the gap between theoretical frameworks and practical, real-world threat analysis. 

What’s new? 

• Interactive MITRE ATT&CK matrix: All techniques and tactics are now neatly organized in a functional, actionable layout. 

• Filtering options: Prioritize techniques by risk level—red for high risk, yellow for moderate, and blue for less urgent. 

• Real-world sample connections: Click on any technique to see related malware samples and how they behave in real attacks. 

Best of all, this feature is completely free and available to everyone right now. Dive into the MITRE ATT&CK matrix on TI Lookup and start exploring it today! 

Threat Coverage Update 

Enhanced Network Threat Detection 

In November, we expanded our Suricata rule collection with an additional 7,206 rules, significantly enhancing network threat detection.  

The new rules were added using domains derived directly from Public submissions, supplemented by data from TI Lookup and advanced processing logic.  

Key highlights: 

• Focus on threat group activity: We continue to monitor the operations of major threat groups and phishing kits, leveraging this information to enhance detection capabilities. 

• Community engagement: Regular updates and insights into phishing threats are shared through our dedicated weekly post on X, helping you stay informed about the latest developments in the phishing and malware attacks. 

Recent Updates in Suricata Rules 

Our latest Suricata updates have focused on enhancing detection accuracy for phishing campaigns and domain-related threats. Here are some examples of the recent additions: 

MassBass phishing campaign detection– A massive phishing attack that we named MassBass, has been identified and tagged in our Suricata rules: 

• MassBass Example 1 
• MassBass Example 2 

TI Lookup: Search MassBass-related rules and insights here 

CrossDomain rules detection– These Suricata rules for domains were created using data from public submissions and include “CrossDomain” in their rule names. 

• CrossDomain Task Example 1 
• CrossDomain Task Example 2 

TI Lookup: You can explore CrossDomain-related activity and insights using our TI Lookup tool: 
Search CrossDomain 

New Signatures 

This month, we’ve added a total of 56 new signatures to enhance our detection capabilities, covering a wide range of malicious behaviors and threats. 

• Office/archive exploit: Detection of deliberately damaged files exploiting the self-repair mechanism. 
• Kms tool: Identification of unauthorized kms activation tools. 
• Torvil mutex: Discovery of torvil-related mutex activity. 
• Cve-2024-43451: a critical vulnerability (example session). 
• Untrusted certificate execution: alerting on files executed with untrusted certificates. 
• Silentkill: a sophisticated malware strain identified. 
• Rhysida: a ransomware strain (example session). 
• Secretsdump: detection of credential-stealing activity. 
• Gumen: a unique malware variant (example session). 
• Badrabbit: identification of the infamous ransomware. 
• Ateraagent: detection of unauthorized agent installations (example session). 
• Lunam and Luna: discovery of related malware strains (example session). 
• Behavioral detection of attempts to establish rdp connections using configuration files extracted from outlook emails. 
• Identification of conti-based ransomware, formbook, and xworm. 
• Detection of expresszip malware (example session). 

Browser extension module

A new signature module for browser extensions was introduced, enabling in-depth content analysis of web pages. Besides, the following signatures were added: 

• Obfuscated JavaScript. 
• Fake Microsoft authentication pages. 
• Email addresses embedded in URLs. 
• Phishing kits such as Tycoon2fa and Mamba2fa. 

New YARA Rules  

This month, 9 new YARA rules were implemented, further enhancing our detection capabilities. Notable additions include: 

• winPEAS detection (example session) 
• rhysida YARA rule (example session) 

APT Detection Update 

This month, we’ve enhanced our detection capabilities against APT groups, specifically focusing on Lazarus and Rhysida. To address these threats, we’ve added 2 YARA rules and approximately 20 tailored signatures, ensuring more precise tracking and analysis of their activity. 

Get Your Black Friday Deals from ANY.RUN! 

Black Friday 2024 is here, and ANY.RUN has prepared exclusive time-limited offers to help you save big while enhancing your security workflow: 

• Hunter Plan: Get two annual subscriptions for the price of one—perfect for individual researchers who want to collaborate. 

• Enterprise Plan: Buy 5 licenses and get 2 free, or 10 licenses with 3 free plus a complimentary Threat Intelligence Lookup plan. Special renewal bonuses available! 

• TI Lookup: Double your search requests with every subscription purchase. 

Offers will expire on December 8th, 11:59 PM PST. Don’t miss out: secure your deal today! 

About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

• Detect malware in seconds
• Interact with samples in real time
• Save time and money on sandbox setup and maintenance
• Record and study all aspects of malware behavior
• Collaborate with your team 
• Scale as you need

Explore all Black Friday 2024 offers →

The post Release Notes: MITRE ATT&CK Matrix with Samples, Upgraded Automated Interactivity, Expanded Threat Coverage, and More appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More