The Labs team at VMRay actively gathers publicly available data to identify any noteworthy malware developments that demand immediate attention. We complement this effort with our internal tracking and monitor events the security community reports to stay up-to-date with the latest changes in the cyber threat landscape.
In December 2024, the VMRay Labs team focused on the following areas:
1) New VMRay Threat Identifiers addressing:
Detecting DLL hollowing
Detecting phishing using SVG files
2) New YARA rules for:
ZIP evasion technique
CryptBot
VIPKeylogger
Terminator (Spyboy)
The use of Antibot services
Now, let’s delve into each topic for a more comprehensive understanding.
New VMRay Threat Identifiers
VMRay Threat Identifiers (VTIs) identify threatening or unusual behavior of the analyzed sample and rate the maliciousness on a scale of 1 to 5, with 5 being the most malicious. The VTI score, which greatly contributes to the ultimate Verdict of the sample, is presented to you in the VMRay Platform after a completed analysis. Here’s a recap of the new VTIs that we added or improved in the past month.
VTI to detect DLL hollowing
Category:
MITRE ATT&CK® Technique: T1055
DLL hollowing is a stealthy technique used by adversaries to run malicious code under the guise of a legitimate process. In this method, attackers load a legitimate DLL (Dynamic Link Library) into memory but then overwrite its contents with their own malicious payload. This allows the malicious code to operate as though it’s part of a trusted module, eliminating the need for additional memory allocations and enhancing its ability to evade detection by security tools.
Why is DLL hollowing hard to detect?
Everything looks normal at first glance:
Legitimate file on disk – the original DLL file remains untouched, so antivirus or file integrity checks won’t flag any issues.
Memory-only modification – the malicious code exists only in memory, making it harder to monitor or analyze in real time.
Because of these characteristics, traditional detection methods struggle to identify DLL hollowing attacks.
We developed this VTI in response to a malicious sample that leveraged DLL hollowing to execute shellcode. The attack involved loading an unrelated DLL and hijacking its memory region instead of allocating its own. The adversary wrote malicious shellcode into this memory region and then executed it.
Our new VTI will trigger an alert if a sample uses LoadLibrary or related functions to load a DLL, modifies the DLL’s memory region instead of using standard memory allocation or mapping functions, and then executes code from the modified memory region.
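The three-part condition above (load a module, write into its image rather than into self-allocated memory, then execute from the written range) can be expressed as a small state machine over an API-call trace. The following is an added example, not VMRay’s VTI code: it runs over constructed trace records whose API names, module name and addresses are placeholders, and it deliberately does not flag writes to regions the sample allocated or mapped itself, because that is the ordinary path the VTI contrasts with.

```python
"""Trace-level heuristic for the DLL-hollowing pattern described above.
Added example, not VMRay's VTI: it consumes a constructed API-call trace
(list of dicts) instead of a sandbox's real monitor output."""
from dataclasses import dataclass


@dataclass
class Region:
    base: int
    size: int
    origin: str            # "module" (from LoadLibrary*) or "alloc" (VirtualAlloc/MapViewOfFile)
    name: str = ""
    written: bool = False

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


LOAD_APIS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW", "LdrLoadDll"}
ALLOC_APIS = {"VirtualAlloc", "VirtualAllocEx", "NtAllocateVirtualMemory", "MapViewOfFile"}
WRITE_APIS = {"WriteProcessMemory", "NtWriteVirtualMemory", "memcpy", "RtlMoveMemory"}
EXEC_APIS = {"CreateThread", "CreateRemoteThread", "NtCreateThreadEx", "QueueUserAPC", "call"}


def find_dll_hollowing(trace):
    """Return one finding per execution that starts inside a loaded module
    whose image memory was overwritten after loading. Writes into regions the
    sample allocated or mapped itself are the normal path and are not flagged."""
    regions, findings = [], []
    for ev in trace:
        api, a = ev["api"], ev["args"]
        if api in LOAD_APIS:
            regions.append(Region(a["base"], a["size"], "module", a["name"]))
        elif api in ALLOC_APIS:
            regions.append(Region(a["base"], a["size"], "alloc"))
        elif api in WRITE_APIS:
            for r in regions:
                if r.origin == "module" and r.contains(a["address"]):
                    r.written = True
        elif api in EXEC_APIS:
            for r in regions:
                if r.origin == "module" and r.written and r.contains(a["address"]):
                    findings.append(f"{api} at {a['address']:#x} runs code inside overwritten module {r.name}")
    return findings


# Constructed traces; module name and addresses are placeholders.
HOLLOWING_TRACE = [
    {"api": "LoadLibraryW", "args": {"name": "unrelated.dll", "base": 0x7FFB0000, "size": 0x40000}},
    {"api": "WriteProcessMemory", "args": {"address": 0x7FFB1000, "length": 0x200}},
    {"api": "CreateThread", "args": {"address": 0x7FFB1000}},
]
NORMAL_TRACE = [
    {"api": "VirtualAlloc", "args": {"base": 0x20000000, "size": 0x1000}},
    {"api": "WriteProcessMemory", "args": {"address": 0x20000100, "length": 0x200}},
    {"api": "CreateThread", "args": {"address": 0x20000100}},
]

if __name__ == "__main__":
    for label, trace in (("hollowing", HOLLOWING_TRACE), ("normal", NORMAL_TRACE)):
        print(label, find_dll_hollowing(trace))
```

The region bookkeeping is what makes the rule precise: a sandbox sees plenty of memory writes followed by thread creation, and only the combination of a module-origin region, a write into it, and execution from it matches the behavior the VTI describes.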
DLL Hollowing VTI in the VMRay Platform
VTI to detect phishing using SVG files
Heuristics
Phishing campaigns are evolving rapidly, with threat actors constantly finding creative ways to bypass traditional security defenses. One emerging technique is the use of Scalable Vector Graphics (SVG) files in phishing campaigns. Let’s focus now on why SVG files are becoming a popular tool for phishing. SVG files offer features that make them uniquely suited for phishing attacks when compared to traditional image formats like JPG and PNG. What are the key differences?
File structure:
SVG – an SVG file is XML-based, meaning it is essentially a text file that defines images through code. This structure enables SVGs to include shapes, text, and embedded scripts such as JavaScript.
JPG/PNG – these raster image formats store visual data as static pixels. They cannot include any executable code, making them less flexible (and less dangerous) than SVGs.
Interactivity and embedded code:
SVG – the ability to embed interactivity and animations through scripts makes SVG files a prime candidate for phishing. Malicious actors can embed JavaScript to create phishing links or redirects, allowing them to execute attacks the moment a user interacts with the file.
JPG/PNG – these static formats lack interactivity and cannot execute code.
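Because an SVG is XML, the properties the comparison above singles out (script elements, event-handler attributes, links) can be checked without rendering the file. The following static checker is an added example, not VMRay’s VTI; the two SVG samples are constructed, the link targets use the reserved example.invalid domain, and the check only reads the XML tree, it never executes anything in the file.

```python
"""Static check for the SVG features the text contrasts with JPG/PNG:
script elements, event-handler attributes, foreignObject, and links.
Added example with constructed samples; not VMRay's VTI."""
import xml.etree.ElementTree as ET


def _local(qname: str) -> str:
    """Strip an XML namespace prefix: '{ns}script' -> 'script'."""
    return qname.rsplit("}", 1)[-1].lower()


def scan_svg(data: bytes) -> list[str]:
    findings = []
    root = ET.fromstring(data)
    for el in root.iter():
        tag = _local(el.tag) if isinstance(el.tag, str) else ""
        if tag == "script":
            findings.append("embedded <script> element")
        elif tag == "foreignobject":
            findings.append("<foreignObject> element (can carry arbitrary HTML)")
        for attr, value in el.attrib.items():
            name, v = _local(attr), value.strip()
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href":
                if v.lower().startswith("javascript:"):
                    findings.append(f"javascript: URL on <{tag}>")
                elif v.lower().startswith(("http://", "https://")):
                    findings.append(f"external link on <{tag}>: {v}")
    return findings


# Constructed lure-style SVG: an event handler, an external link, and a script.
PHISHING_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="480" height="240" onload="document.title='Secure Document'">
  <rect width="480" height="240" fill="#f4f4f4"/>
  <text x="24" y="100">A shared document is waiting for you.</text>
  <a xlink:href="https://login.example.invalid/verify"><text x="24" y="150">Open document</text></a>
  <script>window.location.replace("https://login.example.invalid/verify");</script>
</svg>"""

# Constructed benign SVG: shapes and text only, nothing a raster image could not hold.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <rect width="100" height="100" fill="#336699"/>
  <text x="10" y="55" fill="white">Logo</text>
</svg>"""

if __name__ == "__main__":
    print("phishing sample:", scan_svg(PHISHING_SVG))
    print("benign sample:", scan_svg(BENIGN_SVG))
```

A mail or file gateway can run a check like this on every SVG attachment: a file that is "just an image" yields no findings, while any script, handler or link is exactly the extra capability the text describes.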
SVG phishing campaign
New YARA Rules
Two new popular phishkits – Phishkit.Srj and Phishkit.Blur
During a recent investigation, we uncovered a phishing page utilizing distinct phishkits, which we named Phishkit.Srj and Phishkit.Blur. These kits use obfuscation techniques and visual impersonation to deceive victims and steal credentials.
Phishkit.Srj
The name “Srj” is derived from its unique code logic that dynamically assembles the final phishing page. This JavaScript-driven process uses a sequence of functions – .split(), .reverse(), and .join() – to:
Slice encoded strings,
Reverse their characters, and
Reassemble them into a cohesive form.
This obfuscation method complicates and delays analysis. Furthermore, the final layer of decoding involves Base64, adding an additional difficulty for researchers examining the phishing page.
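The layering just described (a string literal that is split, reversed and joined, then Base64-decoded) is regular enough to be both matched and undone with a few lines. The following is an added example, not VMRay’s YARA rule or the kit’s own code: it recognizes the literal form `atob("...".split("").reverse().join(""))` and unwinds the layers in order; the JavaScript snippet it runs on is constructed in the block itself.

```python
"""Detector and decoder for the split/reverse/join + Base64 layering the
text attributes to Phishkit.Srj. Added example on a constructed snippet;
not VMRay's YARA rule. The regex covers only the literal form
atob("...".split("").reverse().join("")) described in the text."""
import base64
import re

SRJ_RE = re.compile(
    r"""atob\(\s*(["'])(?P<payload>[^"']*)\1\s*"""   # atob("<string literal>"
    r"""\.split\(\s*(["'])\3\s*\)\s*"""              # .split("")
    r"""\.reverse\(\s*\)\s*"""                       # .reverse()
    r"""\.join\(\s*(["'])\4\s*\)\s*\)"""             # .join(""))
)


def find_srj(js: str) -> list[str]:
    """Return every matched obfuscation expression (detection only)."""
    return [m.group(0) for m in SRJ_RE.finditer(js)]


def deobfuscate_srj(js: str) -> list[str]:
    """Undo the layers in order: reverse the literal, then Base64-decode."""
    out = []
    for m in SRJ_RE.finditer(js):
        b64 = m.group("payload")[::-1]
        b64 += "=" * (-len(b64) % 4)          # tolerate stripped padding
        out.append(base64.b64decode(b64).decode("utf-8", "replace"))
    return out


# Constructed sample. The plaintext fragment is encoded here so the listing
# stays readable; an actual page would ship only the reversed Base64 literal.
_FRAGMENT = b'<div id="login">Sign in to view the document</div>'
SAMPLE_JS = ('document.write(atob("' + base64.b64encode(_FRAGMENT).decode()[::-1]
             + '".split("").reverse().join("")));')

if __name__ == "__main__":
    print("matches:", find_srj(SAMPLE_JS))
    print("decoded:", deobfuscate_srj(SAMPLE_JS))
```

The decoder is useful during triage because the reversed literal defeats naive Base64 carving: scanning the page for Base64 and decoding it directly yields garbage, and only reversing first recovers the markup.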
Phishkit.Blur
As the name suggests, this kit features a blurred background designed to resemble the Microsoft Office Excel interface. However, it is simply a deceptive static image with a fake login box overlay. The visual resemblance to legitimate Microsoft Office products increases the likelihood of users mistakenly entering their credentials.
Both phishkits are essentially credential harvesters, targeting unsuspecting users by mimicking Microsoft Office products. Their tactics are designed to create a false sense of legitimacy and lure victims into providing sensitive information.
Phishkit.Blur
Detecting ZIP evasion technique
The ZIP file format is a popular, widely-used file format for compressing and archiving multiple files and directories into a single, portable container. It reduces the overall size of the contents and allows for efficient storage, sharing, and transmission of data.
This widespread usage and seemingly harmless nature have made ZIP files an attractive choice for threat actors. Recently, we’ve seen an attack chain targeting Windows users that leverages ZIP file concatenation to evade detection. Hackers have found a way to hide malware inside ZIP files using a trick called concatenated ZIP files. This involves combining multiple ZIP archives into one file, but not all parts of the file are visible to or processed by common ZIP archive utilities.
How does it work?
Step 1 – Create the file
Hackers create two ZIP archives:
The first archive contains harmless-looking files, like a report or a PDF.
The second archive holds dangerous malware.
They then merge these two ZIP files into one. To most people, this looks like a single normal ZIP file.
Step 2 – Exploit software behavior
When you open the file with common tools (like Windows File Explorer or 7-Zip), these tools often only process part of the ZIP file:
Some tools show only the safe files in the first part of the ZIP file and ignore the rest.
This allows the malware in the hidden part to escape detection by security systems.
Step 3 – Deliver the file
Hackers send this file in phishing emails, often disguised as something urgent like: “Parcel delivery failed – open for details.”
The goal is to trick you into opening the file and unknowingly running the hidden malware.
Step 4 – Malware activation
When the malware runs, it can do things like:
Steal your passwords or banking info.
Take control of your computer.
Install ransomware to lock your files until you pay a ransom.
This technique is effective because many antivirus tools scan only the visible part of the ZIP file and miss the hidden malware. Additionally, ZIP files are commonly used and don’t look suspicious, so people often open them without thinking twice.
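The reason tools disagree about a concatenated ZIP is structural: each archive carries its own end-of-central-directory record, and a parser honors only one of them. A scanner that walks the raw records instead of trusting the central directory sees every local file header and can report the discrepancy. The following is an added example (not VMRay’s YARA rule); it builds the two-archive sample in memory from placeholder bytes, and the standard parser it compares against is Python’s zipfile, which uses the last end-of-central-directory record, so in this case the benign first archive is the part that goes unseen.

```python
"""Detect concatenated ZIP files by walking the raw record stream and
comparing it with what a standard parser reports. Added example with a
constructed two-archive sample; not VMRay's YARA rule. Plain (non-zip64)
archives without data descriptors are assumed."""
import io
import struct
import zipfile

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"


def walk_zip_records(data: bytes):
    """Walk local headers, central-directory entries and end-of-central-directory
    (EOCD) records from offset 0. Returns (names_from_local_headers, eocd_count)."""
    local_names, eocd_count, off = [], 0, 0
    while off + 4 <= len(data):
        sig = data[off:off + 4]
        if sig == LOCAL_SIG:
            # sig, version, flags, method, time, date, crc, csize, usize, nlen, xlen
            fields = struct.unpack_from("<4sHHHHHIIIHH", data, off)
            csize, nlen, xlen = fields[7], fields[9], fields[10]
            local_names.append(data[off + 30:off + 30 + nlen].decode("utf-8", "replace"))
            off += 30 + nlen + xlen + csize      # csize is 0 if a data descriptor is used (not handled)
        elif sig == CENTRAL_SIG:
            nlen, xlen, clen = struct.unpack_from("<HHH", data, off + 28)
            off += 46 + nlen + xlen + clen
        elif sig == EOCD_SIG:
            eocd_count += 1
            (clen,) = struct.unpack_from("<H", data, off + 20)
            off += 22 + clen
        else:
            break  # unknown bytes: trailing junk, zip64 records, or a damaged file
    return local_names, eocd_count


def analyze_concatenated_zip(data: bytes) -> dict:
    local_names, eocd_count = walk_zip_records(data)
    visible = zipfile.ZipFile(io.BytesIO(data)).namelist()   # the standard parser's view
    hidden = [n for n in local_names if n not in visible]
    return {
        "eocd_records": eocd_count,
        "visible": visible,
        "hidden": hidden,
        "suspicious": eocd_count > 1 or bool(hidden),
    }


def build_archive(name: str, payload: bytes) -> bytes:
    """Single stored-mode archive holding one file (constructed sample helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr(name, payload)
    return buf.getvalue()


def build_sample() -> bytes:
    """Constructed sample: a benign-looking archive followed by a second one.
    Both payloads are placeholder bytes, not real documents or executables."""
    return (build_archive("invoice.pdf", b"%PDF-1.4 placeholder")
            + build_archive("update.exe", b"MZ placeholder, not a real executable"))


if __name__ == "__main__":
    print(analyze_concatenated_zip(build_sample()))
    print(analyze_concatenated_zip(build_archive("notes.txt", b"plain archive")))
```

Two EOCD records, or any local file header whose name the parser never lists, is the signal; a single ordinary archive yields one EOCD and an empty hidden list.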
YARA coverage for CryptBot
CryptBot is a notorious type of malware that primarily targets Windows systems. First discovered in 2019, CryptBot is designed to steal a wide range of sensitive data from infected machines, including browser credentials, credit card details, cookies, and even screenshots. Over time, CryptBot has evolved to target more file paths, making it more difficult to detect and stopping many security systems in their tracks. While some of its features have been simplified, its ability to steal critical data remains a significant threat to individuals and businesses.
CryptBot and HijackLoader
CryptBot does not always act alone. It may be deployed in conjunction with another piece of malware: HijackLoader. This loader is a modular malware component often executed through a technique known as DLL sideloading once it is delivered to the system.
In a typical scenario, HijackLoader installs a malicious DLL file onto the system. This file then decrypts and executes CryptBot, allowing the malware to start stealing data from the victim’s computer. By using DLL sideloading, attackers can take advantage of legitimate software or processes to disguise their malicious activities and evade detection by security tools.
To protect our users from this threat, we’ve developed new YARA rules designed to detect various versions of CryptBot, complementing our already existing HijackLoader detections.
YARA coverage for VIPKeylogger
VIPKeylogger is a type of malware designed to capture sensitive information like passwords, usernames, credit card details, and personal messages. It typically spreads through email attachments, software downloads, or compromised websites. Once installed, it runs in the background, making it difficult for users to detect. The data collected by VIPKeylogger is sent to cybercriminals, who can use it for various malicious purposes, including identity theft, financial fraud, and unauthorized access to accounts.
VIPKeylogger appears to be a highly active threat. On Malware Bazaar, there have been over 200 entries related to this malware in the last three months alone, indicating its prevalence and popularity among cybercriminals. This high activity level shows the importance of detection strategies to safeguard against this threat.
To defend against this evolving threat, we have developed and deployed a new YARA rule designed to detect VIPKeylogger’s unique patterns. In addition to YARA-based detection, we added a configuration extractor for VIPKeylogger to our Platform. This extractor allows security teams to analyze samples of the malware, extracting valuable information such as its command-and-control (C2) server addresses, encryption methods, and other operational parameters.
VIPKeylogger malware configuration extraction
YARA coverage for Terminator (Spyboy)
One recent malware family observed in the wild is Terminator (Spyboy), which, as its name suggests, is designed to terminate critical security systems, specifically EDR (Endpoint Detection and Response), XDR (Extended Detection and Response), and AV (Antivirus) software.
Previously, we addressed BYOVD attacks and introduced a new YARA rule to help detect known vulnerable drivers based on their hashes. As a reminder, a BYOVD attack (Bring Your Own Vulnerable Driver) involves using a vulnerable driver to infiltrate a system and disable security tools. Terminator leverages this technique as well.
In this case, Terminator exploits a weakness in a legitimate driver used by Zemana Anti-Malware products. The driver, called zam64.sys (Zemana Anti-Logger) or zamguard64.sys (Zemana Anti-Malware), plays a core role in Zemana’s security tools, which are designed to protect systems from malware and spyware. However, this driver contains a vulnerability that attackers can exploit to take control of the system.
The vulnerability in these Zemana drivers stems from their failure to properly check or verify the processes that request their services. These drivers maintain a list of approved, or “legitimate,” processes allowed to interact with them. However, an attacker can exploit this by sending a specific IOCTL code (0x80002010) to add their own malicious processes to the approved list. Once the attacker’s process is added, they can execute harmful actions, such as terminating security software processes that protect against malware.
To help defend against these attacks, we’ve added a new YARA rule. This rule is designed to detect the malicious patterns Terminator uses to disable security systems.
Detecting the use of Antibot services with YARA rule
Antibot services are designed to safeguard websites, applications, and online platforms from malicious automated activities, commonly known as “bot attacks.” These services typically act as a gatekeeper by presenting challenges, such as CAPTCHAs, that only humans are expected to solve.
One popular example involves Antibot services first showing a Cloudflare CAPTCHA for verification. If you solve it correctly, you might think you’re good to go. However, there’s often a second layer of checks in the background. This second check evaluates factors like how quickly you clicked the CAPTCHA or other behavioral patterns that indicate whether the activity is human-like or automated. This setup is what makes Antibot an effective tool against bots. However, cybercriminals have found a way to turn this technology to their advantage.
While the primary goal of Antibot services is to filter out bad bots, we’ve seen threat actors use these services as a disguise to hide malicious activities. For example, a phishing page might use Antibot to block automated security scanners or prevent researchers from accessing the malicious content. By doing so, attackers can ensure that only human visitors – potential victims – see their phishing page, making detection and takedown efforts much harder.
To address this misuse, we’ve developed a new YARA rule to detect when the Antibot service is being employed.
Final Thoughts
At VMRay, our mission is to equip you with cutting-edge tools and insights to confidently navigate the complex cyber threat landscape. Our latest enhancements, such as new VTIs designed to detect sophisticated tactics like DLL hollowing and phishing attacks leveraging SVG files, will elevate your ability to defend against modern threats. In addition to these advancements, we’ve introduced a robust set of new YARA rules, providing you with a sharper edge in identifying malicious activities. Wishing you a strong start to 2025 and a safe, secure season ahead!