The Labs team at VMRay actively gathers publicly available data to identify any noteworthy malware developments that demand immediate attention. We complement this effort with our internal tracking and monitor events the security community reports to stay up-to-date with the latest changes in the cybersecurity landscape.
In October 2024 , the VMRay Labs team has been focused on the following areas:
1) New VMRay Threat Identifiers addressing:
using ADS
Detecting clearing Windows event logs
Detecting Process Doppelgänging
2) Configuration Extraction capabilities for:
3) New YARA rules for:
4) YARA rules enhancements for:
Now, let’s delve into each topic for a more comprehensive understanding.
New VMRay Threat Identifiers (VTIs)
In a few last blog posts, we introduced you to the concept of the VMRay Threat Identifiers (VTIs). In short, VTIs identify threatening or unusual behavior of the analyzed sample and rate the maliciousness on a scale of 1 to 5, with 5 being the most malicious. The VTI score, which greatly contributes to the ultimate Verdict of the sample, is presented to you in the VMRay Platform after a completed analysis. Here’s a recap of the new VTIs that we added, or improved in the past month.
using ADS
Category : Hide Tracks
MITRE ATT&CK® Technique : T1070.004
As the Latrodectus malware family Alternate Data Streams (ADS) . This sophisticated method allows the malware to delete itself while it is still running, effectively
Here’s how it works: the malware renames its main data stream to an Alternate Data Stream and sets a flag to ensure the file is automatically deleteThis clever use of ADS, a feature of the NTFS (New Technology File System) on Windows, enables the malware to disappear without leaving a trace on the hard drive, bypassing many traditional security tools.
By monitoring for specific API calls and actions associated with this self-deletion technique, our new VTI can trigger alerts when malware attempts to delete itself using this method, ensuring that we can still capture and analyze these evasive threats.
New VTI in the VMRay Platform Sample analysis report: https://www.vmray.com/analyses/_vt/5cecb26a3f33/report/overview.html
New VTI to detect clearing Windows event logs Category: Hide Tracks
MITRE ATT&CK® Technique: T1070.001
In the cybersecurity world, event logs are like a security camera for your computer. These logs keep track of everything that happens on a system—from login attempts and file access to system errors. Security experts rely on them to detect unusual or malicious activity. But what if the “bad guys” delete these records? That’s exactly what some malware tries to do to avoid being caught.
Malware, especially ransomware, often clears event logs to hide its tracks. If logs are erased, it becomes an anti-forensics technique that makes it harder for investigators or security tools to trace what the malware did or how it got in . For example, if ransomware deletes logs related to login attempts or system changes, no one can go back and review the suspicious activity. This tactic is used to make malware more stealthy, allowing it to stay undetected for longer.
How malware clears event logs: Recently, we’ve seen ransomware using specific commands to wipe out important logs. Here are a few examples of the commands used to erase logs in Windows:
wevtutil cl systemwevtutil cl securitywevtutil cl application
These commands target different types of logs: system logs (which track hardware and software events), security logs (which record login attempts and other security-related events), and application logs (which show activity from different programs).
To combat this, VMRay has introduced a new VTI that specifically focuses on detecting when malware tries to clear Windows event logs. This gives us an early warning that something suspicious is happening on the system, even if the malware tries to delete its tracks.
New VTI in the VMRay Platform about malware clearing event logs New VTI to detect Process Doppelgänging
Category: Injection
MITRE ATT&CK® Technique: T1055.013
ttackers are constantly finding clever ways to avoid detection. One of the more sophisticated tricks they use is called Process Doppelgänging. This technique allows cybercriminals to run harmful software on a system while avoiding detection by disguising it as a trusted process—much like a digital “doppelgänger.”
What is Process Doppelgänging? Imagine a harmful program hiding by pretending to be something safe. Attackers use this technique to make malicious software look like a normal, trusted part of the operating system, often by taking on the name and appearance of legitimate applications. This disguise lets the malware blend in and evade detection by antivirus software.
Process Doppelgänging is especially sneaky because it takes advantage of a Windows feature (NTFS transactions) that allows temporary data immediately committing them to disk. Upon creating a suspended process from a legitimate executable, the malware uses NTFS transactions to replace the executable image with harmful code. These changes can be invisible to many traditional security tools that focus on scanning files on disk.
How process doppelganging works:
Transaction manipulation – the attacker initiates an NTFS transaction to write malicious data into a trusted Disguised code execution – the harmful code runs from memory, blending into system processes.Evasion – since the transaction isn’t committed, typical security scans don’t notice the
Why process doppelganging is dangerous: Process Doppelgänging is highly evasive and challenging to detect because it doesn’t leave a footprint on the disk. This method is popular in attacks on high-value targets, such as financial institutions, where attackers steal data or maintain control over systems with a special focus on avoid security tools to ring the bells.
Our latest VTI is designed to spot instances of Process Doppelgänging. Whenever a suspicious process is created with this technique, our VTI will trigger an alert, helping to uncover these hidden threats.
New YARA Rules
New YARA rule for XWorm detection
XWorm is a powerful and stealthy type of malware, classified as a Remote Access Trojan (RAT). RATs like XWorm allow attackers to gain complete remote control over an infected machine or network. Once inside, cybercriminals can spy on users, steal sensitive data, and execute malicious commands without the victim’s knowledge.
Key threats posed by XWorm: Corporate espionage XWorm can be used to infiltrate organizations, stealing intellectual property, financial data, and other sensitive corporate information, causing significant reputational and financial damage.
Ransomware delivery XWorm can act as a precursor to ransomware attacks, delivering malicious payloads that encrypt users’ files and demand ransom for their release.
Identity theft The personal data stolen by XWorm—including credentials and financial information—can be sold on the dark web, leading to identity theft and further cybercriminal activities.
To strengthen our defenses against XWorm, we added a new YARA rule as part of our October detection updates. With this new YARA rule in place, our Platform now identifies XWorm by unique signatures associated with the malware.
XWorm YARA Detection
Enhanced YARA coverage for NerbianRAT (Linux) In October, we focused on samples of the Nerbian RAT (Remote Access Trojan), particularly focusing on Linux systems. This malware, first spotted in 2022, is becoming increasingly sophisticated, posing more and more challenges for security teams.
What is Nerbian RAT? Nerbian RAT is a dangerous form of malware designed to give attackers full remote control over infected machines. Initially spread via phishing campaigns, the malware has evolved from its earlier versions, now incorporating more advanced techniques to bypass detection. Written in Go, this RAT is cross-platform, capable of running on both Windows and Linux environments, which makes it a versatile tool for RAT employs encryption and other methods to evade detection by antivirus software and sandboxes. It actively monitors its environment and can terminate processes or shut down if it detects it’s being analyzed in a controlled setting (e.g., a virtual machine).
Recent campaigns: Magnet Goblin and 1-Day vulnerabilities The Magnet Goblin threat actor, a financially motivated group, has recently been observed deploying a Linux variant of Nerbian RAT in their campaigns. Exploiting
The Linux variant of Nerbian RAT allows attackers to infiltrate servers, steal sensitive data, and maintain persistence for long-term access. This poses a substantial risk, especially for organizations that are slow to patch vulnerabilities in their systems. Notably, even if the organization patches security vulnerabilities, once an attacker has exploited them and gained access to the server, patching alone isn’t enough to remove them.
In response to these emerging threats, we have enhanced our YARA rule to better detect the most recent Linux variants of Nerbian RAT. This update includes:
Improved pattern matching for the latest malicious behaviors.
Detection of obfuscation techniques used by the malware to hide its presence.
Specific focus on Linux-based environments, which are increasingly being targeted.
TrickBot: enhancing YARA rule for better detection
TrickBot is a highly sophisticated and modular banking trojan that has rapidly evolved into a multi-purpose malware platform. Originally designed to steal banking credentials, it has become a versatile tool for cybercriminals, now being used for a range of malicious activities such as ransomware delivery , network infiltration , and data theft .
First discovered in 2016 , TrickBot was initially seen as the successor to the infamous Dyre banking trojan, which was taken down by law enforcement. Despite a significant takedown operation in 2020 that disrupted its original botnet infrastructure, TrickBot continues to persist in various forms. Its operators have adapted and shifted tactics, integrating it with other malware tools to remain a prominent player in the broader cybercrime ecosystem.
TrickBot’s role in advanced attacks TrickBot is a critical part of multi-stage cyberattacks, often working in conjunction with other malware families like Emotet and Ryuk:
Part of a larger attack chain – TrickBot frequently operates in tandem with other threats. For example, Emotet may serve as the initial dropper, delivering TrickBot to gather network intelligence. Once this is done, ransomware like Ryuk can be deployed, causing further disruption and data encryption.Ransomware-as-a-Service (RaaS) – TrickBot is sometimes involved in RaaS operations, where cybercriminal groups rent access to compromised networks, facilitating attacks for a portion of the ransom proceeds.
Our latest updates to the YARA rules include adjustments to catch a wider range of TrickBot samples, ensuring we cover not only existing samples but also its newer variants.
Latrodectus In the past month, we’ve made great updates, adding configuration extraction support for Latrodectus v1.4. But just as quickly, cybercriminals have updated their tactics, and Latrodectus has already evolved through versions 1.5 to 1.8. We’re proud to say that the VMRay Platform now fully supports config extraction for these newer versions too.
Latrodectus is a type of malware that acts like a “” for hackers. Once it infects a system, it doesn’t do the main damage itself. Instead, it downloads other harmful programs from a control server to execute various malicious actions, like stealing sensitive information or taking over systems. This malware spreads primarily through phishing emails and often targets industries like finance and healthcare.
To keep up with hackers’ fast-paced updates, we’ve also enhanced our detection tools with new YARA rules. These rules help us identify and extract the configurations of Latrodectus versions 1.5 to 1.8, ensuring we can respond effectively to this evolving threat.
Latrodectus v.1.8 YARA Detection
Latrodectus v.1.8 YARA Config Extraction
Final Thoughts
Our mission is to provide you with cutting-edge tools and insights to navigate the complex landscape of cybersecurity with confidence. With our latest product updates—such as new VTIs to detect self-deleting malware, VTIs to check for Windows event log clearing, continuous updates to our YARA rule sets, and vigilant tracking of active malware families like Latrodectus, TrickBot, and NerbianRAT—you’ve got some serious tools at your disposal.
As we continue to monitor emerging threats, stay tuned for more updates and actionable insights. Until then, we wish you a safe and secure fall season!
