Introduction
The Labs team at VMRay actively gathers publicly available data to identify any noteworthy malware developments that demand immediate attention. We complement this effort with our internal tracking and monitor events the security community reports to stay up-to-date with the latest changes in the cybersecurity landscape.
In October 2023, the VMRay Labs team focused specifically on the following areas:
- Adding New VTIs (VMRay Threat Identifiers)
- Extension of supported web hosters and supported malware families
- Improvements to SLD (Smart Link Detonation) feature
Now, let’s delve into each topic for a more comprehensive understanding.
New VMRay Threat Identifiers
Linux VTI
1) VTI: Detect writing to .ssh/authorized_keys
Category: Backdoor
MITRE ATT&CK® ID: T1098.004
Recently, we observed a sample of the RapperBot malware family, a botnet that attacks Linux servers and IoT devices. What sets RapperBot apart is that it not only steals user credentials but is also capable of brute-forcing them. RapperBot writes to the files that store authorized SSH public keys, most likely so that the attacker (or the malware itself) can later connect to the machine via SSH without providing credentials.
If malware writes its own public key to the /root/.ssh/authorized_keys file, it can gain unauthorized access to the affected user’s account and potentially to the entire system. This allows the attacker to execute commands, access sensitive data, and manipulate the system as if they were a legitimate user. To respond to this technique, our new VTI will trigger whenever malware tries to execute similar behavior.
macOS VTI
1) VTI: Detect extraction of passwords
Category: DataCollection
Lately, we’ve encountered a macOS sample that attempts to extract passwords from the Google Chrome browser. This was done by executing a command line utility, which in turn tried to access the OS X Keychain. To counteract this malware’s behavior, we have introduced a new VTI that will trigger when similar behavior is detected. Additionally, we have enhanced our capability to identify the specific web browser or application for which this command was executed.
Phishing Improvements VTIs
1) VTI: Detect fake reCAPTCHA
Category: Heuristics
reCAPTCHA is a security measure designed to distinguish between human users and automated bots. We recently stumbled upon a phishing attempt with a website protected via a fake reCAPTCHA that attempts to look like the legitimate one to be more trustworthy. In this relatively new technique, phishing actors may create fake login pages that include a reCAPTCHA widget.
These login pages are not reachable unless a user interacts with the fake reCAPTCHA they created. In this scenario, the fake reCAPTCHA widget is used to evade automated analysis as it requires user interaction. To address this emerging threat, we added a new VTI that activates when we detect attempts to mock the original reCAPTCHA.
2) VTI: Detect pages that build the HTML via JavaScript only
Category: Heuristics
Recently, we encountered a phishing attempt in a webpage that builds its entire HTML source from a single encoded JavaScript string. When the page is opened, the JavaScript runs and decodes the large string into the page’s HTML. While encoded JavaScript itself is not inherently malicious, its presence in a webpage’s source code should raise suspicion, especially if it is the sole content of the page.
The encoded JavaScript might contain instructions to perform malicious actions, such as stealing sensitive information (like login credentials or credit card numbers) entered on the webpage, redirecting the user to phishing sites, or loading additional malicious scripts. To tackle this behavior, we added a new VTI that will trigger when similar behavior is detected.
3) VTI: Detect Microsoft copyright text on non-allowed websites
Category: Masquerade
Microsoft copyrights are occasionally used on non-Microsoft websites in adherence to legal requirements, demonstrating a commitment to respecting intellectual property rights and adhering to copyright laws. However, this practice can also be exploited as a cunning phishing technique, as observed in a recent incident.
In this scenario, we investigated a phishing site that displayed counterfeit Microsoft copyrights, logos, and trademarks to create an illusion of authenticity. By posing as an official Microsoft site, unsuspecting users might be tricked into revealing sensitive information, such as login credentials or personal details.
To counter this threat, we have improved our phishing detection with a check for such copyright leftovers.
4) VTI: Detect Mark of the Web for webpage
Category: Heuristics
The Mark of the Web (MotW) is a security feature in Microsoft Windows designed to identify files downloaded from the Internet. It consists of specialized metadata embedded in the file, indicating that it originated from an online source. For HTML pages, the MotW is a comment included within the page. For example:
The MotW has to start with <!-- saved from url= and must be followed by a number in parentheses. The number describes the length of the URL that comes afterwards. Malware authors might manipulate file extensions and MotW data to make executable files look like harmless documents (e.g., making a malicious .exe file appear to be a PDF file).
Users might be more inclined to open such files, believing them to be safe. To proactively address this threat, we added a new VTI that checks if the MotW in the HTML file matches the domain it’s hosted on.
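As an added illustration of the check described above (example code, not VMRay's detection logic), the following Python parses the MotW comment, verifies that the declared length matches the URL, and compares the recorded origin with the host the page is served from. The sample pages, host names and function names are constructed for this example.

```python
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit

# MotW comment: "saved from url=" then a 4-digit, zero-padded URL length in parentheses, then the URL.
MOTW_RE = re.compile(r"<!--\s*saved from url=\((\d{4})\)(\S+?)\s*-->", re.IGNORECASE)


def parse_motw(html: str) -> Optional[Tuple[int, str]]:
    """Return (declared_length, url) from the MotW comment, or None if the page has none."""
    match = MOTW_RE.search(html)
    if not match:
        return None
    return int(match.group(1)), match.group(2)


def check_motw(html: str, hosting_host: str) -> str:
    """Classify a page by comparing the origin recorded in its MotW with the host serving it."""
    parsed = parse_motw(html)
    if parsed is None:
        return "no-motw"
    declared_len, url = parsed
    if declared_len != len(url):
        return "malformed"  # declared length disagrees with the URL: hand-edited or corrupted mark
    origin = urlsplit(url).hostname
    if origin is None:
        return "no-host"  # e.g. about:internet records a zone, not a domain, so there is nothing to compare
    return "match" if origin.lower() == hosting_host.lower() else "mismatch"


# Constructed samples (not from the post): a page saved from the host it is served on,
# and a page whose MotW claims a different origin than the domain hosting it.
GENUINE = "<!-- saved from url=(0023)http://www.example.com/ -->\n<html><body>ok</body></html>"
SPOOFED = "<!-- saved from url=(0026)https://login.example.net/ -->\n<html><body>Sign in</body></html>"

if __name__ == "__main__":
    print(check_motw(GENUINE, "www.example.com"))    # match
    print(check_motw(SPOOFED, "phish.example.org"))  # mismatch
```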
Other Noteworthy Updates
1) Support for new ransomware extension
To improve ransomware classification, we added a new file extension to detect attacks conducted by Rhysida ransomware properly. Rhysida ransomware was first discovered in May 2023 and has since been actively targeting various sectors, including education, government, manufacturing, and technology industries.
Notably, Rhysida gained significant attention in early August when it conducted a large-scale ransomware attack on healthcare industries. The incident impacted 16 hospitals and 166 other medical facilities across the United States.
Utilizing phishing attacks for initial access, Rhysida threat actors infect the system and encrypt the user’s files or restrict access, rendering the data inaccessible.
2) Extension of tracked domains
To react to new phishing pages reported by our customers, we added zohopublic.com to the list of tracked web hosters. As indicated by our VTIs, among others, that page impersonated a Microsoft login form.
Our Smart Link Detonation will also trigger a recursive submission if this domain is embedded in documents or emails.
3) Exploiting reversed base64 encoding by malware authors
First, let’s start with what the obfuscation technique is.
Obfuscation in cybersecurity is a practice of intentionally making the code of a malicious program difficult to understand or analyze. The main goal of obfuscation is to avoid detection by security tools and to slow down threat researchers. By disguising the real nature and functionality of the malware, obfuscation makes it harder for antivirus programs, intrusion detection systems, and other security mechanisms to identify and block the malicious code.
One of the recently reported obfuscation techniques is the use of reversed base64-encoded strings to hide the real URL. As an example,
http://vmray.com/?param="ABC== → a regular base64-encoded parameter string, which analysis tools decode easily,
while
http://vmray.com/?param="==ABC → a reversed base64 parameter string, designed to impede direct decoding. Malicious actors employ this technique to obfuscate URL parameters, making them hard for both humans and automated tools to interpret. The intent is to obscure the true nature of the URL and hinder the detection of potentially harmful payloads. Since malware hunters and security tools already know how to identify base64-encoded data, malware authors increasingly resort to such modified encodings in an attempt to evade detection.
To tackle this technique, we improved our Smart Link Detonation mechanism to detonate URLs that include reversed base64 strings.
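To make the distinction concrete, here is an added Python example (not VMRay's Smart Link Detonation code) that scans URL query parameters for both straight and reversed base64 and recovers the hidden text, including the case where the payload length leaves no padding to reveal the reversal. The sample URL, the HIDDEN target and the function names are constructed for this illustration.

```python
import base64
import binascii
from typing import Dict, Optional, Tuple
from urllib.parse import unquote, urlsplit


def _strict_b64(value: str) -> Optional[bytes]:
    """Decode with validate=True so stray characters are rejected rather than silently skipped."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def _looks_textual(data: bytes) -> bool:
    """Accept a decode only if it yields printable ASCII (URLs, paths, commands), not random bytes."""
    return len(data) > 0 and data.isascii() and data.decode("ascii").isprintable()


def decode_param(value: str, min_len: int = 8) -> Optional[Tuple[str, str]]:
    """Return (encoding, decoded_text) for a base64 or reversed-base64 value, else None.

    Leading '=' padding is the tell-tale sign of reversal, but the reversed form is also tried
    when the straight decode is not readable text: a payload whose length is a multiple of 3
    carries no padding at all, so its reversed form still passes a plain base64 check.
    """
    if len(value) < min_len:  # very short values are too often valid base64 by accident
        return None
    for label, candidate in (("base64", value), ("reversed-base64", value[::-1])):
        data = _strict_b64(candidate)
        if data is not None and _looks_textual(data):
            return label, data.decode("ascii")
    return None


def scan_url(url: str) -> Dict[str, Tuple[str, str]]:
    """Map each query parameter that carries (reversed) base64 to its encoding and decoded text."""
    found: Dict[str, Tuple[str, str]] = {}
    for pair in urlsplit(url).query.split("&"):
        if "=" not in pair:
            continue
        name, raw = pair.split("=", 1)  # split once: the value itself may start or end with '='
        result = decode_param(unquote(raw))  # unquote, not unquote_plus, to keep '+' intact
        if result:
            found[name] = result
    return found


# Constructed sample (not from the post): the hidden target is base64-encoded and then reversed.
HIDDEN = "https://login.example.test/next"
SAMPLE_URL = "http://vmray.com/?id=7&param=" + base64.b64encode(HIDDEN.encode())[::-1].decode()
```

Calling scan_url(SAMPLE_URL) reports the param value as reversed base64 and returns the HIDDEN target, while the short id=7 value is ignored.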
4) New malware family support
Vidar is an information stealer based on the Arkei stealer and well known for abusing platforms such as Steam, Telegram or Twitter as part of its command and control (C2) infrastructure. Vidar communicates with remote servers controlled by cybercriminals. These servers are used to receive commands, upload stolen data, and download additional payloads or updates. Vidar can be delivered through various means, including malicious email attachments, fake software updates, compromised websites, or bundling with other malicious software.
According to our malware tracking dashboards, Vidar is among the top 10 most-seen malware families and is still gaining traction. That is why we have just added it to the malware families supported by configuration extraction.