The VMRay Labs team is always on the ball, scouring publicly available data to pinpoint any critical developments that need immediate focus. We ramp up these efforts with our own internal malware tracking process, keeping tabs on the latest headlines from the security community. This keeps us plugged into the pulse of the threat landscape, ensuring we’re right on the cutting edge of change. Stay tuned as we continue to deliver useful updates on the most pressing technical malware analysis topics.

In June 2024, the VMRay Labs team specifically focused on the following areas:

1) New VMRay Threat Identifiers around:

• Reading clipboard content via Powershell
• Tampering with Windows Defender via PowerShell
• ML-triggered phishing detection
• Remote template injection

2) Smart Link Detonation trigger logic improvements

3) Against EDR Evasion: YARA rule for EDRSilencer

4) Against Linux threats: YARA rules for ELF files packed with KiteShield and Modified UPX

Now, let’s delve into each topic for a more comprehensive understanding.

1) Detect reading clipboard content via Powershell

Category: Input Capture

MITRE ATT&CK® Technique: T1115

Malware authors often exploit the use of PowerShell to read clipboard content for several reasons:

• Access to sensitive information – The clipboard often contains sensitive data such as passwords, credit card numbers, cryptocurrency wallet addresses, and other confidential information.
• Low detection rate – PowerShell scripts can be executed in memory without writing to disk, making them harder for traditional antivirus and anti-malware solutions to detect.
• Ease of use and flexibility – PowerShell is a powerful scripting language that is pre-installed on all modern Windows operating systems. It provides extensive access to system resources and can be easily used to perform a wide range of tasks, including interact with other Windows components and reading clipboard content.

To stay ahead of this threat, we’ve added a new VTI to detect attempts by malware to read clipboard data using PowerShell. This enhancement aims to improve our defenses against such attacks.

2) Detection of tampering Windows Defender via Powershell

Category: Defense Evasion

MITRE ATT&CK® Technique: T1562.001

Tampering with Windows Defender is a significant concern among security teams because it directly undermines a key layer of defense against malicious activities on Windows systems. Adversaries often target security tools to either disable or modify them, aiming to evade detection and ensure the . The BianLian ransomware group, for example, has been reported by the Cybersecurity and Infrastructure Security Agency (CISA) to use commands that disable Windows Defender via the Deployment Image Servicing and Management (DISM) tool. This method is similar to the PowerShell cmdlet Disable-WindowsOptionalFeature, which our new VTI is specifically designed to identify.

This type of manipulation not only facilitates a more prolonged and undisturbed presence on the system but also complicates the remediation efforts by security teams. The ability of such tools to execute quietly, without generating standard output, adds an additional layer of stealth, making it even more challenging for traditional monitoring solutions to detect and alert on these activities. Therefore, enhancing malware analysis capabilities to identify attempts to tamper with security tools like Windows Defender is crucial for maintaining robust security postures.

3) Detection of Remote Template Injection

Category: Defense Evasion

MITRE ATT&CK® Technique: T1221

Remote Template Injection is an attack vector that is known to be leveraged by various APT groups to compromise targeted systems. This technique involves the manipulation of templates used in document formats such as RTF and Microsoft Office files to execute malicious code remotely. By embedding a link to an external template in the document, attackers can bypass traditional security controls and deliver payloads directly to the victim’s system when the document is opened. Notable threat actor groups, including the DoNot Team, Chinese-related APT actors, and Gamaredon, have employed this method in various high-profile campaigns, targeting sectors ranging from governmental agencies to energy. Recently the use of Remote Template Injection has also been observed in malicious email campaigns distributing DarkGate malware through Excel attachments, highlighting the prevalence of the technique.

Traditional static analysis methods employed by email security tools and antivirus solutions often fall short in detecting Remote Template Injection attacks. Unlike macros, which can be easily identified based on their presence within documents, template injections operate more covertly by embedding external links to malicious templates. This stealthy approach does not raise immediate red flags during static analysis because the malicious code is not directly embedded within the document but is fetched from a remote server upon opening. Consequently, this evades traditional security controls, making it a preferred technique for threat actors.

We added a new VTI to detect documents showing this behavior.

First, we introduced significant improvements to our Mantaray ML module, which have greatly enhanced our machine learning technologies for detecting phishing attempts. Mantaray, our advanced and holistic ML model, integrates a variety of signals and data points—including URL patterns, content analysis, and user behavior. By enhancing the Mantaray model, we achieved a notable 28% increase in phishing detection rates. This improvement means detecting nearly a quarter more phishing threats, which significantly strengthens our defenses against these malicious activities.

Additionally, when our ML algorithms identified a malicious URL, the system attributed the detection to three distinct modules—each employing unique algorithms to detect phishing attempts. These models likely work in tandem, each contributing its strengths to improve the overall phishing detection accuracy. To reduce confusion and streamline the user experience, we have consolidated these into a single detection label: “Machine Learning.” This simplification makes it easier for users to understand the source of the detection without sifting through multiple module names.

In June 2024, we’ve made several improvements to the Smart Link Detonation (SLD) mechanism in our Platform products. If you haven’t read about it yet – SLD is a feature that enables the automatic evaluation and detonation of appropriate hyperlinks in document and email samples to strike a balance between efficiency and detection efficacy. This time, we’ve added a couple of new detonation rules, which greatly improves this feature to capture malicious URLs.

Added trigger logic for SLD

Recently, we encountered a case where SLD failed to detect a malicious URL. The URL appeared generic but redirected to a phishing page. This highlighted an area for improvement: adding a trigger for SLD to activate when it detects redirection patterns in URLs.

With this enhancement, SLD now detects and recursively submits URLs for evaluation when redirection indicators are present. This improvement significantly increases the likelihood of identifying and mitigating malicious redirects.

Phishing attacks often use URL redirection to obfuscate the final destination of a link. Attackers craft URLs that seem benign but include redirection parameters, leading unsuspecting users to malicious sites.

By improving SLD to recognize and handle these redirections, we can enhance the detection accuracy by automatically identifying URLs with redirection patterns that might lead to malicious sites.

1) EDRSilencer

EDRSilencer is an open source tool designed to block the outbound traffic of running Endpoint Detection and Response (EDR) processes using Windows Filtering Platform (WFP) APIs. It has the ability to search for running EDR processes, add and remove WFP filters when needed. The tool supports in-memory execution, facilitating sophisticated attack techniques while bypassing defenses. Most modern EDRs rely on cloud connectivity to function effectively, gathering threat intelligence and reporting suspicious activities to a centralized system for further analysis. By blocking outbound traffic, EDRSilencer can prevent these crucial security functions, potentially allowing attackers to operate undetected within a compromised network. This capability makes the tool a powerful asset for attackers looking to evade advanced endpoint protection measures.

It has been observed that variants of this tool are circulating in the wild, being actively used by threat actors. These variants are often modified to evade signature-based detection and may possess additional malicious functionalities. This trend indicates the tool’s utility and effectiveness in real-world attack scenarios.

This month, we’ve added a new YARA rule specifically for EDRSilencer. With this rule, all VMRay products can now identify and flag malware samples that utilize this tool, either directly or as part of a malware payload delivery chain.

2) Against Linux threats: New Rules for Kiteshield and Modified UPX Packers

UPX

The “upx -d" command, although designed to decompress executables packed with UPX, may not always successfully unpack UPX-packed ELF binaries due to several reasons. One common issue is the use of advanced or modified UPX versions (i) that implement custom packing algorithms or additional layers of obfuscation In cases where ELF binaries are corrupted or modified post-compression to prevent reverse engineering, or where security features or anti-tampering mechanisms interfere with decompression, upx -d may fail to restore the original file.

In the context of Linux malware analysis, we’ve added new built-in YARA rules which can be instrumental during the static analysis phase to detect such ELF files. By defining specific patterns and characteristics associated with malicious or altered UPX-packed binaries, all VMRay products can identify and flag these threats before the dynamic analysis phase. This proactive detection helps in understanding the nature of the binary and helps reverse engineering or unpacking efforts.

Kiteshield

Another packer used by Linux threat actors is Kiteshield. Multiple actors including Winnti and Dark Mosquito are known to utilize this packer to evade detection on Linux systems. 

In conclusion, advanced threat detection is a non-stop job, and the latest updates really deliver on that front. We’ve dialed up our game with new threat identifiers, smarter link detonation logic, and pinpoint YARA rules for Windows and Linux systems. Keep your eyes peeled for even more updates next month, as we continue to evolve and tighten our detections. Also, don’t miss our webinar on July 24th for a deeper dive into these updates and to get more context on how we’re keeping your digital environments secure. Join us to stay informed!