Introduction
With this article, we are ready to share a new series of posts that will reveal the latest signature and detection changes.
Constant research in threat landscape is vital to VMRay products – DeepResponse , FinalVerdict and TotalInsight – as it allows us to react to the latest malware developments and address new threats. In recent times, the VMRay Labs team has focused on:
Addressing new phishing campaigns
Adding new VMRay Threat Identifiers (VTIs)
YARA rules extension
Updates to malware configuration extractors
Now, let’s dive into each topic in more detail.
Beating the Tricky Phishing Campaigns
Malicious Adobe Acrobat Sign URLs
In the last months, we observed more and more URL-targeted phishing attacks.
One of them attempts to trick the user into clicking a URL on the Adobe Acrobat Sign document, which is often trusted by its recipients. To address this threat, we improved the logic of the Smart Link Detonation feature, which automatically evaluates and detonates hyperlinks in documents and email samples.
The URL detonation is implemented in our Automatic User Interaction (Auto UI) engine. Auto UI simulates user actions during Dynamic Analysis , enabling comprehensive detonation of samples.
Below is an Adobe Acrobat Sign sample showing a picture that links to a phishing HTML file hosted on mediafire.com. With the Smart Link Detonation improvements, the VMRay Platform successfully handles the Adobe Acrobat Sign URL and detects the phishing attempt.
Scams Using Audio Voicemail Links
Upon discovering another campaign that entices the users into clicking the link to play an audio message that leads to an undetected phishing page, we improved the behavior of Adaptive Browsing Simulation – a feature of Dynamic Web Analysis that automatically detects and clicks on user interface buttons to trigger payload delivery and flush out phishing attacks requiring user clicks in the browser.
Now, such audio message links are clicked, and phishing pages are correctly detected.
VMRay’s New Threat Identifiers
Let’s start with a quick recap on what VTIs are: VTIs are a collection of malware issues used during analysis to evaluate samples and contribute to the final determination of a Verdict.
For example, ‘Reads ssh keys’ is a VTI in the Data Collection VTI Category. VTIs flag threatening or unusual behavior and rate the maliciousness on a scale of 1 to 5, with 5 being the most malicious. The VMRay products present VTIs on the analyzed sample overview with a score for each on a scale of 1 to 5.
These are some of the VTIs from a broader changelog that we added to address the latest threats: