Introduction
The VMRay Labs team continuously reviews publicly available data to detect significant advancements in malware that require immediate attention. Our internal tracking further reinforces this work as we vigilantly monitor events reported by the security community, ensuring we remain at the forefront of the ever-evolving cybersecurity landscape.
In November 2023, the VMRay Labs team was specifically focused on the following areas:
Adding new VTIs (VMRay Threat Identifiers)
Tracking the latest malware families
Detection features improvements
Now, let’s delve into each topic for a more comprehensive understanding.
New VMRay Threat Identifiers
VMRay Threat Identifiers (VTIs) form a repository of categorized malware behaviors, integral to the analytical process for evaluating samples. These behaviors play an important role in shaping the Verdict regarding a given sample’s threat level.
Acting as red flags, VTIs identify threatening or unusual behavior and rate its maliciousness on a scale of 1 to 5, with 5 being the most malicious. The VMRay products present each triggered VTI, together with its score, on the analyzed sample's overview.
These are some of the most interesting VTIs from a broader changelog that we added to address the latest threats:
1) VTI: QR code detection
Category: Obfuscation
Recently, we addressed the Quishing campaign and added a feature that extracts and analyzes URLs embedded in QR codes. Quishing is a form of phishing that abuses QR codes to attack victims. The QR codes are extracted from phishing emails delivered to users. A common phishing scenario involves an email with a link leading to a phishing page, whereas quishing convinces the victim to scan a QR code with their smartphone and open the phishing website on their mobile device.
To protect you from this relatively new technique, our Threat Researchers improved the VMRay Platform’s mechanisms and detection techniques to force the detonation of QR-encoded URLs that originated from an email. You will see the following VTI scoring in the Platform:
1/5 VTI that informs that a QR-encoded link exists in the email and shows the decoded URL
2/5 VTI if the email only contained one URL and that URL was QR encoded
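The two-tier scoring above, as an added illustration that is not VMRay's code: the email is parsed with Python's standard library, URLs visible in the text parts are collected, and the URLs decoded from the QR image are passed in as a list (the QR decoder itself is assumed to be an external step and is not implemented here). The sample email, its placeholder PNG attachment and all URLs are constructed for this example.

```python
import re
from email.message import EmailMessage

# Constructed for this example: URLs are matched with a simple pattern over
# every text part of the message.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def build_sample_email(body_text):
    """Constructed sample: a text body plus a PNG attachment standing in for
    the QR-code image. The image bytes are a placeholder, not a real QR code."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Your invoice"
    msg.set_content(body_text)
    msg.add_attachment(b"\x89PNG placeholder", maintype="image",
                       subtype="png", filename="qr.png")
    return msg


def extract_text_urls(msg):
    """Collect the URLs visible in the text/plain and text/html parts."""
    urls = set()
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            urls.update(URL_RE.findall(part.get_content()))
    return urls


def score_qr_vtis(msg, qr_decoded_urls):
    """Apply the two-tier scoring described in the post.

    qr_decoded_urls is assumed to come from a QR decoder run over the image
    attachments (not implemented here). Returns the list of VTIs to raise."""
    qr_urls = set(qr_decoded_urls)
    if not qr_urls:
        return []
    all_urls = extract_text_urls(msg) | qr_urls
    vtis = [{"score": 1, "vti": "QR-encoded link present in email",
             "urls": sorted(qr_urls)}]
    # Stronger signal: the QR code carries the only URL in the whole email.
    if len(all_urls) == 1 and all_urls <= qr_urls:
        vtis.append({"score": 2, "vti": "Only URL in email is QR-encoded",
                     "urls": sorted(qr_urls)})
    return vtis


if __name__ == "__main__":
    lure = build_sample_email("Scan the attached code to view your invoice.")
    print(score_qr_vtis(lure, ["https://example.invalid/login"]))
```

A lure whose body contains no clickable link at all, only the QR image, yields both VTIs; once the email also carries a plain link, only the 1/5 informational VTI remains.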
2) VTI: Detect suspicious DLL loading behavior
Category: Defense Evasion
MITRE ATT&CK® ID: T1218.011
A Dynamic Link Library (DLL) is a file format that contains compiled code and is typically used to extend the functionality of programs. These libraries allow code to be modularized and reused, promoting efficient use of memory. Dropping a DLL is a technique quite often used by malware authors, including in Emotet’s delivery chain. Malicious DLLs can be designed to exfiltrate sensitive information from the system. This may include personal data, login credentials, or proprietary business information, leading to data breaches and potential financial or reputational damage.
This technique has been observed in the wild for a few years and has not lost popularity. With the focus on protection against this behavior, we added a new VTI to detect scripts loading dropped DLLs.
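Detection logic for "a script loads a DLL it dropped", as an added example rather than VMRay's VTI implementation: it walks a chronological stream of sandbox-style events, remembers every DLL written during the analysis, and flags a later load of that DLL by a script host, either as a direct image load or through a loader process such as rundll32. The event format, the process lists and the sample event stream are all constructed for the example.

```python
import ntpath

# Process names that count as script hosts and as DLL loaders for this check
# (a constructed list for the example, not VMRay's VTI definition).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "cmd.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}


def _exe_name(path_or_cmdline):
    """Basename of the executable, tolerating quotes and Windows separators."""
    first = path_or_cmdline.strip().split()[0].strip('"')
    return ntpath.basename(first).lower()


def detect_dropped_dll_loads(events):
    """Flag DLLs written during the analysis and later loaded by a script host,
    either directly (image load) or through a loader such as rundll32.

    events: chronologically ordered dicts with keys process, op, target."""
    dropped = {}  # lower-cased DLL path -> process that wrote it
    hits = []
    for ev in events:
        proc = _exe_name(ev["process"])
        target = ev["target"]
        if ev["op"] == "file_write" and target.lower().endswith(".dll"):
            dropped[target.lower()] = proc
        elif ev["op"] == "image_load" and proc in SCRIPT_HOSTS and target.lower() in dropped:
            hits.append({"dll": target.lower(), "dropped_by": dropped[target.lower()],
                         "loaded_by": proc, "how": "image load"})
        elif ev["op"] == "process_create" and proc in SCRIPT_HOSTS:
            child = _exe_name(target)
            if child in DLL_LOADERS:
                # The dropped path appearing on the loader's command line is the link.
                for dll, dropper in dropped.items():
                    if dll in target.lower():
                        hits.append({"dll": dll, "dropped_by": dropper,
                                     "loaded_by": proc, "how": child})
    return hits


# Constructed sample event stream (not real sandbox output).
SAMPLE_EVENTS = [
    {"process": r"C:\Windows\System32\wscript.exe", "op": "file_write",
     "target": r"C:\Users\Public\update.dll"},
    {"process": r"C:\Windows\explorer.exe", "op": "image_load",
     "target": r"C:\Windows\System32\kernel32.dll"},
    {"process": r"C:\Windows\System32\wscript.exe", "op": "process_create",
     "target": r'"C:\Windows\System32\rundll32.exe" C:\Users\Public\update.dll,Start'},
    {"process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "op": "image_load",
     "target": r"C:\Users\Public\update.dll"},
]

if __name__ == "__main__":
    for hit in detect_dropped_dll_loads(SAMPLE_EVENTS):
        print(hit)
```

The benign kernel32.dll load by explorer.exe is ignored because that file was never written during the analysis; only DLLs that first appear as a file write are candidates.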
3) VTI: Detect HTML redirections
Category: Heuristics
Recently, we have observed HTML files attached to emails that redirect to phishing pages through JavaScript. It’s clear that such redirections can be exploited by malware authors for various malicious purposes, primarily because they provide a means to obfuscate the true source of emails and manipulate the flow of communication.
To defend against this tactic, our new VTI will trigger upon detecting HTML samples that lead to immediate redirections using JavaScript.
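A heuristic of the kind described, written here as an added example and not VMRay's detection code: inline script bodies are collected with Python's standard HTML parser, location assignments and location.replace/assign calls are matched, and a statement is treated as "immediate" when it sits at brace depth 0, that is, outside any function or event handler. It goes slightly beyond the post by also reporting a meta refresh tag. The three HTML samples are constructed, and the brace-depth test is a deliberate simplification (braces inside string literals would confuse it).

```python
import re
from html.parser import HTMLParser

# Assignments like window.location.href = "..." (but not == comparisons).
ASSIGN_RE = re.compile(
    r"""(?:(?:window|document|top|self)\.)?location(?:\.href)?\s*=(?!=)\s*(?:["']([^"']*)["'])?""",
    re.IGNORECASE)
# Calls like location.replace("...") / location.assign("...").
CALL_RE = re.compile(
    r"""(?:(?:window|document|top|self)\.)?location\.(?:replace|assign)\s*\(\s*(?:["']([^"']*)["'])?""",
    re.IGNORECASE)


class _ScriptCollector(HTMLParser):
    """Gathers inline <script> bodies and any <meta http-equiv=refresh> target."""

    def __init__(self):
        super().__init__()
        self.scripts, self.meta_refresh, self._buf = [], [], None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and "src" not in attrs:
            self._buf = []
        elif tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            content = attrs.get("content") or ""
            if "url=" in content.lower():
                self.meta_refresh.append(content[content.lower().index("url=") + 4:].strip())

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append("".join(self._buf))
            self._buf = None


def find_redirects(html):
    """Return every redirect statement found, with whether it runs at top level."""
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    findings = []
    for script in p.scripts:
        for rx, kind in ((ASSIGN_RE, "location assignment"),
                         (CALL_RE, "location.replace/assign")):
            for m in rx.finditer(script):
                before = script[:m.start()]
                # Brace depth 0 means the statement is not wrapped in a function
                # or handler, so it fires as soon as the script is parsed.
                depth = before.count("{") - before.count("}")
                findings.append({"kind": kind, "target": m.group(1), "top_level": depth == 0})
    for url in p.meta_refresh:
        findings.append({"kind": "meta refresh", "target": url, "top_level": True})
    return findings


def is_immediate_redirect(html):
    """The VTI condition: at least one redirect that fires without user action."""
    return any(f["top_level"] for f in find_redirects(html))


# Constructed samples, not real attachments.
REDIRECT_ATTACHMENT = """<html><head><title>Document</title>
<script>
  window.location.href = "https://example.invalid/verify";
</script></head><body>Loading...</body></html>"""

CLICK_PAGE = """<html><body><a href="#" onclick="go()">Open</a>
<script>function go() { location.href = "https://example.invalid/help"; }</script>
</body></html>"""

META_PAGE = '<html><head><meta http-equiv="refresh" content="0; url=https://example.invalid/next"></head></html>'

if __name__ == "__main__":
    for name, doc in (("attachment", REDIRECT_ATTACHMENT), ("click", CLICK_PAGE), ("meta", META_PAGE)):
        print(name, is_immediate_redirect(doc), find_redirects(doc))
```

The click-driven page still surfaces its redirect target for the analyst, but it does not satisfy the immediate-redirect condition, which keeps ordinary navigation code from triggering the heuristic.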
Other Noteworthy Updates
1) AutoUI feature improvements
Our Automatic User Interaction (AutoUI) engine simulates user actions while detonating samples to assess their behavior. AutoUI ensures the correct functionality of a sample and identifies any unexpected behaviors, including potential threats like navigating to phishing pages.
Recently, we’ve enhanced the effectiveness of our Web Analysis automation in handling multistage phishing pages. This improvement involves updating the AutoUI feature to automatically open suspicious links within documents hosted on assets.adobe.com and acrobat.adobe.com, navigating to the phishing page without requiring manual user interaction.
2) Configuration Extractor upgrades
Configuration Extractors work as a tool that extracts configuration information from certain malware samples to determine how the malware behaves. You can deep dive into Configuration Extractors in one of our past blog posts.
To keep our extractors at top quality, we constantly run research and add improvements for the malware families we already support. In November, we enhanced the following extractors:
Amadey – Based on our malware tracking dashboards, Amadey ranks among the top 10 malware families.
Stealc – Stealc seems to gain more attention as the number of samples we see in the wild constantly increases.
Vidar – Since our support for this malware family began in October 2023, we have made a few enhancements to the configuration extractor, refining its capabilities to ensure even greater reliability in hunting down instances of this threat.
3) Smart Link Detonation improvements
Malicious actors often use URL redirection to create phishing attacks. They may set up a seemingly legitimate URL, using the high reputation of popular domains, that redirects users to a fake website designed to mimic a trusted site.
In recent months, we’ve observed threat actors exploiting the authenticity of Baidu, the Chinese search engine giant, to conduct phishing campaigns. Unsuspecting users might be tricked into clicking the seemingly safe link starting with “baidu.com/link?url=”, which actually redirects them to the phishing page.
To address this recent campaign, we’ve extended the logic of Smart Link Detonation (SLD) to trigger detonation of URLs that use baidu.com for redirections.
4) Known web hosters – new detections
When you create a website, you need to store its files (including HTML, CSS, images, videos, etc.) on a server. This server is often owned and managed by a web hoster. Malware authors may abuse such web hosting services to host their web pages and/or resources. These sites can be used for phishing attacks, distributing malware, or hosting other types of malicious content.
When you submit a URL to the VMRay Platform, our system checks the link against a list of web hosters that we know have been abused by threat actors. If a match is detected, the Smart Link Detonation feature automatically initiates a recursive submission. This is vital, as phishing pages are often hosted on temporary web hosting services. In November, we identified a few new web hosters that were abused to host phishing pages:
dorik[.]com
spark[.]adobe[.]com
glitch[.]com
glitch[.]me
pitch[.]com
webnode.*
wix.com/wixsite.com
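The two Smart Link Detonation rules described above (the baidu.com/link?url= redirector and the abused-hoster list) combined into one decision function, as an added example that is not VMRay's SLD code. The hoster list is taken from the post, with "webnode.*" treated as a wildcard for a single DNS label; the exact Baidu hostnames checked and all sample URLs are assumptions constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Hoster list from the post, as domain patterns; "*" matches one DNS label.
ABUSED_HOSTERS = ["dorik.com", "spark.adobe.com", "glitch.com", "glitch.me",
                  "pitch.com", "webnode.*", "wix.com", "wixsite.com"]
# Hosts on which the /link?url= redirector lives (assumption for the example).
BAIDU_HOSTS = {"baidu.com", "www.baidu.com"}


def host_matches(host, pattern):
    """True if host equals the pattern or is a subdomain of it, label by label,
    so that 'notglitch.me' does not match 'glitch.me'."""
    hl, pl = host.lower().split("."), pattern.lower().split(".")
    if len(hl) < len(pl):
        return False
    return all(p == "*" or p == h for h, p in zip(hl[-len(pl):], pl))


def sld_decision(url):
    """Decide whether Smart Link Detonation should follow the URL recursively,
    returning the reason and the URL that would actually be detonated."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Rule 1: Baidu redirector, detonate the wrapped target rather than baidu.com.
    if host in BAIDU_HOSTS and parts.path == "/link":
        target = parse_qs(parts.query).get("url", [None])[0]
        return {"detonate": True, "reason": "baidu.com redirector", "target": target}
    # Rule 2: page hosted on a web hoster known to be abused for phishing.
    for pat in ABUSED_HOSTERS:
        if host_matches(host, pat):
            return {"detonate": True, "reason": "known abused web hoster: " + pat, "target": url}
    return {"detonate": False, "reason": None, "target": None}


if __name__ == "__main__":
    # Constructed sample submissions.
    for sample in ("https://www.baidu.com/link?url=https%3A%2F%2Fexample.invalid%2Flogin",
                   "https://mysite.webnode.page/login",
                   "https://example.wixsite.com/secure",
                   "https://www.example.invalid/"):
        print(sample, "->", sld_decision(sample))
```

Matching label by label rather than with a plain substring test matters for the hoster rule: a look-alike domain such as notglitch.me must not be treated as glitch.me, while any subdomain of a listed hoster should be.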
5) Support for new malware family – DarkGate
DarkGate is a downloader that has been in development since 2018, gaining some popularity in 2023, and is known to have been used by the threat actor known as TA577. The infection chain usually starts with a file that extracts the AutoIt interpreter and an obfuscated/compiled script file that executes shellcode to drop DarkGate.
Although DarkGate has shown limited activity over the past couple of years, we’ve noted a resurgence in campaign deployments this year. Consequently, we’ve decided to redirect our attention towards this malware family.
Final Thoughts
We hope our constant research into new malware trends and the features we bring to our products together help you navigate the complex landscape of cybersecurity. Stay tuned for the December updates, which we will share in 2024. Wishing you a cyber-secure and prosperous New Year!
Thank you for choosing VMRay, and here’s to another year of safeguarding your digital world.
Happy New Year!