The Labs team at VMRay actively gathers publicly available data to identify any noteworthy malware developments that demand immediate attention. We complement this effort with our internal tracking and monitor events the security community reports to stay up-to-date with the latest changes in the cyber threat landscape.
In November 2024, the VMRay Labs team focused on the following areas:
1) New VMRay Threat Identifiers addressing:
Detecting process cloning via vfork()
Detecting usage of the PowerShell -NoProfile command line parameter
Detecting obfuscated inputs in macOS osascript
2) Enhanced Web Engine Auto UI to defend against fake voicemail phishing scams
3) New YARA rules for:
DCRat
Phorpiex
Detecting known vulnerable drivers (BYOVD)
SnipBot
Now, let’s delve into each topic for a more comprehensive understanding.
New VTIs
In our last few blog posts, we introduced you to the concept of the VMRay Threat Identifiers (VTIs). In short, VTIs identify threatening or unusual behavior of the analyzed sample and rate the maliciousness on a scale of 1 to 5, with 5 being the most malicious. The VTI score, which greatly contributes to the ultimate Verdict of the sample, is presented to you in the VMRay Platform after a completed analysis. Here’s a recap of the new VTIs that we added or improved in the past month.
Detect process cloning via vfork()
Category: Anti Analysis
MITRE ATT&CK® Technique: T1497.001
Overview of vfork() as an anti-analysis technique
To appreciate the value of this VTI, let’s review the role of vfork() and why it’s relevant in malware analysis. vfork() is a system call in UNIX-like operating systems, similar to fork(), used for creating a new process. However, unlike fork(), vfork() is optimized for efficiency by allowing the child process to share the parent’s address space temporarily (until the child calls exec or exits), reducing memory usage and avoiding the need for copying data.
Why vfork() matters in malware
Malware may exploit vfork() as an anti-analysis technique, using it to clone processes in a way that minimizes detection. By sharing the address space with the parent until it is replaced, vfork() can evade certain types of analysis and avoid leaving the typical traces of traditional process creation.
To address these types of evasion attempts, our Labs team created a new Linux-based VTI tailored to identify process cloning through the use of vfork().
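As an added example (not VMRay’s own VTI logic), here is a check over constructed strace -f style lines: it flags vfork() and also clone() calls carrying CLONE_VM|CLONE_VFORK, the flag pair glibc’s posix_spawn uses to get the same shared-address-space semantics, and pairs each with the program the child then executes. The trace lines and PIDs are constructed.

```python
import re

# Constructed strace -f style lines; not real captured output.
SAMPLE_TRACE = """\
[pid  1001] vfork()                     = 1002
[pid  1002] execve("/bin/sh", ["sh", "-c", "id"], 0x7ffd...) = 0
[pid  1001] wait4(1002, NULL, 0, NULL)  = 1002
[pid  1001] fork()                      = 1003
[pid  1003] execve("/usr/bin/uname", ["uname", "-a"], ...) = 0
[pid  1001] clone(child_stack=0x7f..., flags=CLONE_VM|CLONE_VFORK|SIGCHLD) = 1004
[pid  1004] execve("/usr/bin/curl", ["curl", "http://example.invalid"], ...) = 0
"""

# vfork() proper, or a clone() whose flags give vfork semantics (child shares
# the parent's memory and the parent is suspended until exec/exit).
VFORK_RE = re.compile(r"\[pid\s+(\d+)\]\s+vfork\(\)\s*=\s*(\d+)")
CLONE_RE = re.compile(r"\[pid\s+(\d+)\]\s+clone\(.*?flags=([A-Z_|]+).*?\)\s*=\s*(\d+)")
EXEC_RE = re.compile(r"\[pid\s+(\d+)\]\s+execve\(\"([^\"]+)\"")


def find_vfork_clones(trace: str) -> list:
    """One record per vfork-style clone: parent, child, how it was cloned and
    the program the child exec'd (None if the child never called execve)."""
    execs = {}
    spawns = []
    for line in trace.splitlines():
        m = VFORK_RE.search(line)
        if m:
            spawns.append({"parent": int(m[1]), "child": int(m[2]), "via": "vfork"})
            continue
        m = CLONE_RE.search(line)
        if m:
            flags = set(m[2].split("|"))
            if {"CLONE_VM", "CLONE_VFORK"} <= flags:
                spawns.append({"parent": int(m[1]), "child": int(m[3]), "via": "clone"})
            continue
        m = EXEC_RE.search(line)
        if m:
            execs.setdefault(int(m[1]), m[2])  # first exec in that child wins
    for s in spawns:
        s["exec"] = execs.get(s["child"])
    return spawns


if __name__ == "__main__":
    for hit in find_vfork_clones(SAMPLE_TRACE):
        print(f"{hit['via']}: pid {hit['parent']} -> {hit['child']} exec {hit['exec']}")
```

The plain fork() at pid 1003 is deliberately not reported, since only the shared-address-space variants match the behavior the VTI targets.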
Detect usage of PowerShell -NoProfile command line parameter
PowerShell is a powerful command-line tool in Windows. It allows users and administrators to perform tasks, automate processes, and manage the operating system or applications more efficiently.
What are -NoProfile and -nop?
These are command options used when running PowerShell. They help customize how PowerShell operates:
-NoProfile – tells PowerShell to start without loading the user’s profile scripts, i.e. the settings and commands that normally run at startup.
-nop – this is a shorter version of -NoProfile. Both do the same thing.
When malware uses the -NoProfile or -nop switch, it’s doing so to:
Make the attack faster – loading a profile takes time, so attackers often use the -NoProfile option to speed up PowerShell’s startup. By skipping the loading of existing profile settings, they can execute their commands more quickly and reduce the risk of their scripts or commands failing due to conflicts or errors caused by those settings.
Avoid triggering detection alerts – loading a profile might make the attack more noticeable. By avoiding this, the malware tries to keep a low profile and remain undetected.
To protect you against this technique, we added a new VTI that tracks and alerts when malware applies one of those command options.
New VTI in the VMRay Platform
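An added example, not VMRay’s VTI implementation: a check over constructed command lines that catches -NoProfile together with every abbreviation PowerShell’s console host accepts for it (-nop, -nopr, -NoPro, …), case-insensitively, while ignoring lookalike switches such as -NonInteractive and non-PowerShell hosts. The command lines are constructed samples.

```python
import re
import shlex

# PowerShell's console host accepts any unambiguous prefix of a switch name,
# so -nop, -nopro and -NoProfile all mean the same thing, while -no alone is
# ambiguous (NoExit, NoLogo, NonInteractive) and is rejected. A detector that
# only knows the two spellings "-NoProfile" and "-nop" misses the rest.
FULL_NAME = "noprofile"
SHORTEST = "nop"


def is_noprofile_switch(token: str) -> bool:
    """True if token is -NoProfile or any abbreviation PowerShell accepts for it.
    The host also allows '/' as the switch prefix, so /nop counts as well."""
    if len(token) < 2 or token[0] not in "-/":
        return False
    name = token[1:].lower()
    return name.startswith(SHORTEST) and FULL_NAME.startswith(name)


# Matches powershell.exe / pwsh with or without a leading path.
PS_HOST_RE = re.compile(r"(?:^|[\\/])(?:powershell|pwsh)(?:\.exe)?$", re.IGNORECASE)


def uses_noprofile(cmdline: str) -> bool:
    """Flag a command line that launches PowerShell with the profile disabled."""
    # posix=False keeps Windows backslashes and quoted paths intact.
    try:
        argv = shlex.split(cmdline, posix=False)
    except ValueError:
        argv = cmdline.split()
    if not argv or not PS_HOST_RE.search(argv[0].strip('"')):
        return False
    return any(is_noprofile_switch(tok) for tok in argv[1:])


# Constructed samples, not real telemetry.
SAMPLES = [
    r'powershell.exe -nop -File C:\Temp\a.ps1',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command Get-Date',
    r'pwsh -NoPr -c "Get-Process"',
    r'powershell.exe -NonInteractive -Command Get-Date',  # other switch, not flagged
    r'cmd.exe /c echo -nop',                              # not PowerShell at all
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print("FLAG" if uses_noprofile(cmd) else "ok  ", cmd)
```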
One of our recent VTIs focuses on identifying a specific type of suspicious behavior in osascript, a command-line tool available on macOS. osascript is commonly used for running scripts written in AppleScript or JavaScript for Automation (JXA). These scripts are powerful tools that allow users to automate tasks, control applications, and interact with macOS at an advanced level. While osascript is widely used for legitimate purposes, its capabilities also make it a target for misuse by attackers.
Since osascript can access system applications and perform extensive automation tasks, attackers often exploit it for malicious purposes. For example, they might use it to run scripts that help malware avoid detection or automate harmful actions on an infected Mac. This makes monitoring osascript activity an essential part of identifying potential threats.
Our new VTI is designed to flag suspicious usage of osascript. Specifically, it triggers when the analyzed sample passes a Base64-encoded string to osascript—a behavior often associated with obfuscation, where attackers hide the true intent of their scripts to evade detection. When this occurs, the VTI assigns a score of 2/5, indicating potentially concerning activity that warrants closer investigation.
New VTI in the VMRay Platform – Obfuscated macOS osascript
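An added example (not the VMRay VTI) that mirrors the check described above: for each osascript invocation it looks for Base64-looking input, tries to decode it, and reports the decoded text so an analyst sees the real script instead of the blob. The command lines are constructed samples and the encoded payload is a harmless AppleScript dialog.

```python
import base64
import binascii
import re
import shlex

# Whole-token shape of Base64: long enough to rule out short flags and words.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def decode_if_base64(token: str):
    """Return the decoded text if token is valid Base64 for readable text,
    else None. Paths like /Users/x/Scripts look Base64-ish but almost never
    decode to valid UTF-8 text, so the decode step filters most of them out."""
    if not B64_RE.match(token) or len(token) % 4:
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return None


def inspect_osascript(cmdline: str) -> list:
    """Decoded Base64 blobs found in an osascript command line ([] = none)."""
    argv = shlex.split(cmdline)
    if not argv or argv[0].rsplit("/", 1)[-1] != "osascript":
        return []
    hits = []
    for arg in argv[1:]:
        # A -e script may wrap the blob in other text, so scan every
        # Base64-looking run inside the argument rather than the whole token.
        for run in re.findall(r"[A-Za-z0-9+/=]{16,}", arg):
            decoded = decode_if_base64(run)
            if decoded is not None:
                hits.append(decoded)
    return hits


# Constructed samples; the blob is the Base64 of a harmless AppleScript line.
ENCODED = base64.b64encode(b'display dialog "hello"').decode()
SAMPLES = [
    f"osascript -e 'do shell script \"echo {ENCODED} | base64 -D\"'",
    "/usr/bin/osascript -e 'tell application \"Finder\" to activate'",
    "osascript /Users/me/Library/Scripts/backup.scpt",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(inspect_osascript(cmd) or "no encoded input", "<-", cmd)
```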
Defending Against Fake Voicemail Phishing Scams with Web Engine Auto UI
Phishing campaigns are evolving, and so are our defenses. One of the latest deceptive techniques cybercriminals are deploying involves using fake “Voice Mail” notifications as bait. Let’s explore how this phishing method works and how our enhanced Web Engine Auto UI is equipped to combat it.
How the attack works
Initial deception – a convincing “Voice Mail” interface with a large Play button. Users naturally think they need to click this button to listen to the voice message.
Credential harvesting – upon clicking the Play button, victims are redirected to a convincing—but fraudulent—Microsoft login page. Here, they’re tricked into entering their credentials, which are then harvested by the attacker.
How the Mamba2FA phishing kit powers this campaign
Our investigation revealed that this phishing campaign is leveraging the Mamba2FA phishing kit, a sophisticated phishing-as-a-service (PhaaS) platform designed to target Microsoft 365 (M365) users. The kit is particularly dangerous because it bypasses multi-factor authentication (MFA) using adversary-in-the-middle (AiTM) techniques to intercept and exploit authentication tokens in real-time.
What sets Mamba2FA apart is its ability to create convincing fake M365 login pages that dynamically replicate legitimate corporate branding, including logos and themes, by querying Microsoft APIs. This attention to detail lends a high degree of credibility to the phishing attempts, increasing their success rate.
To tackle this evolving threat, we’ve refined our Web Engine Auto UI functionality. The enhanced feature can now automatically interact with new types of deceptive elements, such as fake Play buttons, to expose the underlying phishing content.
Fake Voicemail Phishing Scam
New YARA Rules
New rule to detect DCRat
DCRat has quickly gained traction among cybercriminals due to its low cost and ease of customization. As one of the most affordable and accessible Remote Access Trojans (RATs) available on underground forums, it has become a widespread threat, especially appealing to less sophisticated attackers. Its simple setup allows cybercriminals to target individuals and organizations with minimal effort.
What makes DCRat particularly dangerous is its customizability. Attackers can easily tailor it to carry out specific malicious actions, such as:
Keylogging to capture keystrokes
Data exfiltration to steal files and other sensitive data
Remote control of the system to take full control over the victim’s device
Webcam and screen capturing to spy on the victim
The modular design of DCRat further enhances its threat potential. By using plugins and additional modules, attackers can extend its capabilities, making it adaptable to various attack scenarios and allowing it to evolve as new targets are identified.
Targeted campaigns
In October 2024, The Hacker News reported a new phishing campaign that used the Gophish toolkit to deliver DCRat alongside another Trojan, PowerRAT, targeting Russian-speaking users (read more here).
To counter this growing threat, we have added a new YARA rule designed to detect DCRat, enhancing our ability to recognize and block this Trojan before it can do harm.
DCRat YARA Rule in the VMRay Platform
New YARA rule to detect Phorpiex
Phorpiex, one of the older malware families still active today, has long been recognized for its role as a botnet that infects large numbers of systems to conduct a variety of malicious activities. Unlike other botnets, Phorpiex is primarily known for large-scale spam email campaigns rather than DDoS attacks. It operates as a malware distribution platform, delivering payloads like ransomware (e.g., GandCrab), cryptominers, and information-stealing trojans.
Given its long-lasting presence in the cybersecurity landscape, Phorpiex continues to be a significant threat. To help combat this malware family, we’ve added a new YARA rule that provides enhanced detection coverage, enabling us to quickly identify and block Phorpiex-related threats.
Phorpiex YARA Rule in the VMRay Platform
New YARA rule to detect known vulnerable drivers (BYOVD)
A BYOVD (Bring Your Own Vulnerable Driver) attack is a type of cyberattack where hackers take advantage of legitimate, signed but vulnerable, software drivers that control hardware components like printers or video cards. Drivers normally run inside the kernel, giving them the highest level of permissions, so hackers can use them to bypass security systems and gain deep control over a victim’s computer.
The trick they use is that signed drivers—which are supposed to be safe because they’ve been verified—can be exploited if they have flaws. Such drivers can be used to disable security tools, like EDR systems, which are meant to detect and block malicious activity. This allows the attackers to operate undetected, making it much harder for regular security software to catch them.
To defend against this threat, we’ve developed a new YARA rule that helps us detect known vulnerable drivers based on their hashes. The rule flags these drivers as an attack is happening, giving us a better chance to respond early and minimize impact.
Vulnerable Driver YARA Rule in the VMRay Platform
YARA coverage for SnipBot
SnipBot, a sophisticated malware variant, is closely linked to the RomCom malware family and is primarily designed for data theft. Known for its stealthy tactics, SnipBot acts as a backdoor that allows cybercriminals to:
Remotely execute commands – the malware opens a backdoor that allows attackers to run arbitrary commands, download and execute additional payloads, or manipulate files and processes on the infected system.
Exfiltrate data – it targets sensitive files stored locally or in cloud directories like OneDrive, compressing them with utilities such as 7-Zip or WinRAR before transmitting them to attacker-controlled servers.
Listen for network commands – it creates a network listener on specific ports to accept commands like updating payloads, deleting itself, or restarting processes to ensure smooth operation.
Communicate with Command and Control (C2) servers – the malware collects system information, such as the computer name, MAC address, and OS version, and sends it to its C2 servers. It uses this communication channel to download additional payloads.
SnipBot primarily spreads through phishing campaigns, often masquerading as seemingly harmless attachments like PDFs. This malware, an advanced iteration of the RomCom family, strategically targets sectors such as government, healthcare, IT, and critical infrastructure. Its sophisticated capabilities pose a significant threat, especially in environments where sensitive or critical data is at stake. To better detect this advanced malware, we developed a new YARA rule designed to improve detection and analysis of SnipBot.
Final Thoughts
At VMRay, our mission is to equip you with cutting-edge tools and insights to confidently navigate the complex cyber threat landscape. Our latest updates—such as new VTIs designed to detect suspicious activities like process cloning via vfork() or the use of the PowerShell -NoProfile command-line parameter—are just a few examples of how we’re helping you stay ahead of evolving threats. Additionally, the enhanced Web Engine Auto UI delivers even greater power and precision to your threat detection capabilities.
As we continue to monitor emerging attack vectors, stay tuned for more updates and actionable insights. Until then, we wish you a safe and secure season!