Detection & Signature updates

Date: 05/02/2023

Introduction

With this article, we are ready to share a new series of posts that will reveal the latest signature and detection changes.

Constant research in threat landscape is vital to VMRay products – DeepResponse, FinalVerdict and TotalInsight – as it allows us to react to the latest malware developments and address new threats. In recent times, the VMRay Labs team has focused on:

Addressing new phishing campaigns
Adding new VMRay Threat Identifiers (VTIs)
YARA rules extension
Updates to malware configuration extractors

Now, let’s dive into each topic in more detail.

Beating the Tricky Phishing Campaigns

Malicious Adobe Acrobat Sign URLs

In the last months, we observed more and more URL-targeted phishing attacks.

One of them attempts to trick the user into clicking a URL on the Adobe Acrobat Sign document, which is often trusted by its recipients. To address this threat, we improved the logic of the Smart Link Detonation feature, which automatically evaluates and detonates hyperlinks in documents and email samples.

The URL detonation is implemented in our Automatic User Interaction (Auto UI) engine. Auto UI simulates user actions during Dynamic Analysis, enabling comprehensive detonation of samples.

Below is an Adobe Acrobat Sign sample showing a picture that links to a phishing HTML file hosted on mediafire.com. With the Smart Link Detonation improvements, the VMRay Platform successfully handles the Adobe Acrobat Sign URL and detects the phishing attempt

Scams Using Audio Voicemail Links

Upon discovering another campaign that entices the users into clicking the link to play an audio message that leads to an undetected phishing page, we improved the behavior of Adaptive Browsing Simulation – a feature of Dynamic Web Analysis that automatically detects and clicks on user interface buttons to trigger payload delivery and flush out phishing attacks requiring user clicks in the browser.

Now, such audio message links are clicked, and phishing pages are correctly detected.

VMRay’s New Threat Identifiers

Let’s start with a quick recap on what VTIs are: VTIs are a collection of malware issues used during analysis to evaluate samples and contribute to the final determination of a Verdict.

For example, ‘Reads ssh keys’ is a VTI in the Data Collection VTI Category. VTIs flag threatening or unusual behavior and rate the maliciousness on a scale of 1 to 5, with 5 being the most malicious. The VMRay products present VTIs on the analyzed sample overview with a score for each on a scale of 1 to 5.

Search:

Edit
VTI Operation Description	VTI Category	MITRE ATT&CK® ID	Why it’s important
Detect using BITS to download files	Network Connection	T1197 [legacy T1197, T1105]	BITS (Background Intelligent Transfer Service) jobs can be exploited by adversaries to establish persistence and carry out covert background activities on a compromised system. BITS jobs consist of a queue that contains one or more file transfer tasks, making them an attractive target for malicious actors seeking to evade detection while conducting surreptitious activities.
Detect file download attempts with finger.exe	Network Connection	T1105 [legacy: T1105]	Adversaries may abuse legitimate command-line tools like finger.exe to stealthily download and execute malicious payloads from cloud storage and file-sharing services, allowing them to bypass security controls and evade detection
Detect privilege escalation using AppInit Dlls	Privilege Escalation	T1546.010 [legacy: T1103]	Malicious actors can achieve persistence and elevate privileges by running malicious code that is triggered by these DLLs loaded into processes, thereby exploiting a Windows operating system feature to evade detection
Detect privilege escalation using AppCert Dlls	Privilege Escalation	T1546.009 [legacy: T1182]
Detect persistence using SilentProcessExit monitor	Privilege Escalation	T1546.012 [legacy: T1183]	Attackers use this technique to evade detection and remain on a compromised system for extended periods of time. The technique involves running malicious code as a process that silently exits when no longer needed, making it difficult to detect using traditional process monitoring methods.
Detect application shimming	Privilege Escalation	T1546.011 [legacy: T1138]	Shimming involves the use of third-party software to modify application behavior, often for compatibility reasons, but attackers can abuse this technique to inject malicious code into legitimate processes to gain elevated privileges and evade detection.

Fresh Built-in YARA Rulesets

YARA is an open source tool that helps malware researchers identify and classify malware by family based on known binary patterns and strings. YARA works by ingesting rules and applying them against various elements of the analysis (such as files and registry keys) to flag potentially malicious files and processes.

VMRay products contain several hundred built-in YARA rules, and that list keeps on growing. To strengthen the detection efficacy, our Threat Analysts made the following updates:

Extended YARA coverage for:

Aurora Stealer
CatB Ransomware
CVE-2023-21716
GootLoader
Magniber Ransomware
Malicious OneNote documents with attachments
Stealc Stealer
Vidar Stealer

Improved YARA rules for:

Cobalt Strike
BumbleBee Loader
GuLoader Shellcode
RecordBreaker Stealer
RedLine Stealer

On the Lookout for Commodity Malware Families

Recently we released the 2023.2.0 version of our Platform, which we happily shared in this post. However, we cannot forget that malware developers are also improving and adding new features to attack with greatest power.

Our Labs team analyze and track the latest malware developments in various ways, including malware configuration extractors. But what are malware configurations?? Each malware sample has an embedded configuration that tells the sample what to execute, how to infect the system, how to exfiltrate data, what evasion methods are enabled, and anything else the malware developer implemented.

Find a list of recently updated configuration extractors with some technical details below:

Malware Family	Malware Family
Aurora Stealer	Update ReasonThe number of Aurora Stealer samples has started to rise considerably at the end of 2022 and the beginning of 2023. Furthermore, recently it was distributed via malicious Google Ads, which makes it a dangerous threat.
PrivateLoader	PrivateLoader samples were used very frequently in 2022. As loaders are the main entry point to deploy further malicious payloads, it is very important to cover them via configuration extraction and generate high-quality Indicators of Compromise (IOCs) which can be used to hunt as well as to protect environment

Improved configuration extractors for:

Malware Family	Update Reason
Agent Tesla	Adjusted logic used to locate embedded configuration if SMTP-based exfiltration method is used.
Cobalt Strike	Improved configuration extractor to extract more elements from the embedded configuration.
Cobalt Strike	Fixed C2 extraction which now decides whether a C2 address is a valid or a fake entry. Additionally, extraction has been adjusted to also have this information in the configuration as well as IOCs and artifacts.
RecordBreaker	Improved configuration extractor to cover more samples by adjusting its internal logic used to locate and extract the configuration.
RedLine	Improved configuration extractor to cover more samples by adjusting its internal logic used to locate the embedded configuration.
Snake Keylogger	Adjusted the configuration extractor to also support samples which have an encrypted configuration.
Warzoner	Adjusted configuration extractor to support samples with RC4+ encrypted configurations.
XLoader	Adjusted configuration extractor to also cover XLoader samples of version 2.8.

Tags : detection updates

Get The Latest Update

Subscribe to our newsletter

Keep up to date with our weekly digest of articles. Get the latest news, invites to events, and threat alerts!

products

use cases

Find yours

Why VMRay

Customer Success Stories

By CAtegory

Featured Integration

Insights

Latest Malware Analysis Spotlight

NEWS

ABOUT US & CONTACT

CAREERs

Detection & Signature updates

Fresh Built-in YARA Rulesets

On the Lookout for Commodity Malware Families

Get The Latest Update

Subscribe to our newsletter

Table of Contents

Share With Others:

You May Also Like:

Subscribe to our Newsletter:

Solutions

Products

Why VMRay

Resources

Missed the headlines?

We’re featured in:

ThreatFeed

products

use cases

Find yours

Why VMRay

Customer Success Stories

By CAtegory

Featured Integration

Insights

Malware Analysis Reports

cybersecurity glossary

Latest Malware Analysis Spotlight

NEWS

ABOUT US & CONTACT

CAREERs