The Labs team at VMRay actively gathers publicly available data to identify any noteworthy malware developments that demand immediate attention. We complement this effort with our internal tracking and monitor events the security community reports to stay up-to-date with the latest changes in the cybersecurity landscape.

In October 2024, the VMRay Labs team has been focused on the following areas:

1) New VMRay Threat Identifiers addressing:

• using ADS
• Detecting clearing Windows event logs
• Detecting Process Doppelgänging

2) Configuration Extraction capabilities for:

• Latrodectus

3) New YARA rules for:

• XWorm detection

4) YARA rules enhancements for:

• NerbianRAT
• TrickBot

Now, let’s delve into each topic for a more comprehensive understanding.

In a few last blog posts, we introduced you to the concept of the VMRay Threat Identifiers (VTIs). In short, VTIs identify threatening or unusual behavior of the analyzed sample and rate the maliciousness on a scale of 1 to 5, with 5 being the most malicious. The VTI score, which greatly contributes to the ultimate Verdict of the sample, is presented to you in the VMRay Platform after a completed analysis. Here’s a recap of the new VTIs that we added, or improved in the past month.

 using ADS

Category: Hide Tracks

MITRE ATT&CK® Technique: T1070.004

As the Latrodectus malware family continues to evolve, we’ve introduced a new VTI designed to detect its self-deletion technique, which leverages Alternate Data Streams (ADS). This sophisticated method allows the malware to delete itself while it is still running, effectively 

Here’s how it works: the malware renames its main data stream to an Alternate Data Stream and sets a flag to ensure the file is automatically deleteThis clever use of ADS, a feature of the NTFS (New Technology File System) on Windows, enables the malware to disappear without leaving a trace on the hard drive, bypassing many traditional security tools. 

By monitoring for specific API calls and actions associated with this self-deletion technique, our new VTI can trigger alerts when malware attempts to delete itself using this method, ensuring that we can still capture and analyze these evasive threats.

Sample analysis report: https://www.vmray.com/analyses/_vt/5cecb26a3f33/report/overview.html

New VTI to detect clearing Windows event logs

Category: Hide Tracks

MITRE ATT&CK® Technique: T1070.001

In the cybersecurity world, event logs are like a security camera for your computer. These logs keep track of everything that happens on a system—from login attempts and file access to system errors. Security experts rely on them to detect unusual or malicious activity. But what if the “bad guys” delete these records? That’s exactly what some malware tries to do to avoid being caught.

Malware, especially ransomware, often clears event logs to hide its tracks. If logs are erased, it becomes an anti-forensics technique that makes it harder for investigators or security tools to trace what the malware did or how it got in. For example, if ransomware deletes logs related to login attempts or system changes, no one can go back and review the suspicious activity. This tactic is used to make malware more stealthy, allowing it to stay undetected for longer.

How malware clears event logs: 

Recently, we’ve seen ransomware using specific commands to wipe out important logs. Here are a few examples of the commands used to erase logs in Windows:

• wevtutil cl system
• wevtutil cl security
• wevtutil cl application

These commands target different types of logs: system logs (which track hardware and software events), security logs (which record login attempts and other security-related events), and application logs (which show activity from different programs).

To combat this, VMRay has introduced a new VTI that specifically focuses on detecting when malware tries to clear Windows event logs. This gives us an early warning that something suspicious is happening on the system, even if the malware tries to delete its tracks.

New VTI to detect Process Doppelgänging

Category: Injection

MITRE ATT&CK® Technique: T1055.013

ttackers are constantly finding clever ways to avoid detection. One of the more sophisticated tricks they use is called Process Doppelgänging. This technique allows cybercriminals to run harmful software on a system while avoiding detection by disguising it as a trusted process—much like a digital “doppelgänger.”

What is Process Doppelgänging?

Imagine a harmful program hiding by pretending to be something safe. Attackers use this technique to make malicious software look like a normal, trusted part of the operating system, often by taking on the name and appearance of legitimate applications. This disguise lets the malware blend in and evade detection by antivirus software.

Process Doppelgänging is especially sneaky because it takes advantage of a Windows feature (NTFS transactions) that allows temporary data  immediately committing them to disk. Upon creating a suspended process from a legitimate executable, the malware uses NTFS transactions to replace the executable image with harmful code. These changes can be invisible to many traditional security tools that focus on scanning files on disk.

How process doppelganging works:

1. Transaction manipulation – the attacker initiates an NTFS transaction to write malicious data into a trusted 
2. Disguised code execution – the harmful code runs from memory, blending into system processes.
3. Evasion – since the transaction isn’t committed, typical security scans don’t notice the 

Why process doppelganging is dangerous:

Process Doppelgänging is highly evasive and challenging to detect because it doesn’t leave a footprint on the disk. This method is popular in attacks on high-value targets, such as financial institutions, where attackers steal data or maintain control over systems with a special focus on avoid security tools to ring the bells.

Our latest VTI is designed to spot instances of Process Doppelgänging. Whenever a suspicious process is created with this technique, our VTI will trigger an alert, helping to uncover these hidden threats.

New YARA rule for XWorm detection

XWorm is a powerful and stealthy type of malware, classified as a Remote Access Trojan (RAT). RATs like XWorm allow attackers to gain complete remote control over an infected machine or network. Once inside, cybercriminals can spy on users, steal sensitive data, and execute malicious commands without the victim’s knowledge.

Key threats posed by XWorm:

Corporate espionage

XWorm can be used to infiltrate organizations, stealing intellectual property, financial data, and other sensitive corporate information, causing significant reputational and financial damage.

Ransomware delivery

XWorm can act as a precursor to ransomware attacks, delivering malicious payloads that encrypt users’ files and demand ransom for their release.

Identity theft

The personal data stolen by XWorm—including credentials and financial information—can be sold on the dark web, leading to identity theft and further cybercriminal activities.

To strengthen our defenses against XWorm, we added a new YARA rule as part of our October detection updates. With this new YARA rule in place, our Platform now identifies XWorm by  unique signatures associated with the malware.

Enhanced YARA coverage for NerbianRAT (Linux)

In October, we focused on  samples of the Nerbian RAT (Remote Access Trojan), particularly focusing on Linux systems. This malware, first spotted in 2022, is becoming increasingly sophisticated, posing more and more challenges for security teams.

What is Nerbian RAT? 

Nerbian RAT is a dangerous form of malware designed to give attackers full remote control over infected machines. Initially spread via phishing campaigns, the malware has evolved from its earlier versions, now incorporating more advanced techniques to bypass detection. Written in Go, this RAT is cross-platform, capable of running on both Windows and Linux environments, which makes it a versatile tool for  RAT employs encryption and other methods to evade detection by antivirus software and sandboxes. It actively monitors its environment and can terminate processes or shut down if it detects it’s being analyzed in a controlled setting (e.g., a virtual machine).

Recent campaigns: Magnet Goblin and 1-Day vulnerabilities

The Magnet Goblin threat actor, a financially motivated group, has recently been observed deploying a Linux variant of Nerbian RAT in their campaigns. Exploiting  in publicly accessible servers, they have been able to compromise systems, especially those running unpatched software.

The Linux variant of Nerbian RAT allows attackers to infiltrate servers, steal sensitive data, and maintain persistence for long-term access. This poses a substantial risk, especially for organizations that are slow to patch vulnerabilities in their systems. Notably, even if the organization patches security vulnerabilities, once an attacker has exploited them and gained access to the server, patching alone isn’t enough to remove them.

In response to these emerging threats, we have enhanced our YARA rule to better detect the most recent Linux variants of Nerbian RAT. This update includes:

• Improved pattern matching for the latest malicious behaviors.
• Detection of obfuscation techniques used by the malware to hide its presence.
• Specific focus on Linux-based environments, which are increasingly being targeted.

TrickBot: enhancing YARA rule for better detection

TrickBot is a highly sophisticated and modular banking trojan that has rapidly evolved into a multi-purpose malware platform. Originally designed to steal banking credentials, it has become a versatile tool for cybercriminals, now being used for a range of malicious activities such as ransomware delivery, network infiltration, and data theft.

First discovered in 2016, TrickBot was initially seen as the successor to the infamous Dyre banking trojan, which was taken down by law enforcement. Despite a significant takedown operation in 2020 that disrupted its original botnet infrastructure, TrickBot continues to persist in various forms. Its operators have adapted and shifted tactics, integrating it with other malware tools to remain a prominent player in the broader cybercrime ecosystem.

TrickBot’s role in advanced attacks

TrickBot is a critical part of multi-stage cyberattacks, often working in conjunction with other malware families like Emotet and Ryuk:

• Part of a larger attack chain – TrickBot frequently operates in tandem with other threats. For example, Emotet may serve as the initial dropper, delivering TrickBot to gather network intelligence. Once this is done, ransomware like Ryuk can be deployed, causing further disruption and data encryption.
• Ransomware-as-a-Service (RaaS) – TrickBot is sometimes involved in RaaS operations, where cybercriminal groups rent access to compromised networks, facilitating attacks for a portion of the ransom proceeds.

Our latest updates to the YARA rules include adjustments to catch a wider range of TrickBot samples, ensuring we cover not only existing samples but also its newer variants.

Latrodectus

In the past month, we’ve made great updates, adding configuration extraction support for Latrodectus v1.4. But just as quickly, cybercriminals have updated their tactics, and Latrodectus has already evolved through versions 1.5 to 1.8. We’re proud to say that the VMRay Platform now fully supports config extraction for these newer versions too.

Latrodectus is a type of malware that acts like a “” for hackers. Once it infects a system, it doesn’t do the main damage itself. Instead, it downloads other harmful programs from a control server to execute various malicious actions, like stealing sensitive information or taking over systems. This malware spreads primarily through phishing emails and often targets industries like finance and healthcare.

To keep up with hackers’ fast-paced updates, we’ve also enhanced our detection tools with new YARA rules. These rules help us identify and extract the configurations of Latrodectus versions 1.5 to 1.8, ensuring we can respond effectively to this evolving threat.

Our mission is to provide you with cutting-edge tools and insights to navigate the complex landscape of cybersecurity with confidence. With our latest product updates—such as new VTIs to detect self-deleting malware, VTIs to check for Windows event log clearing, continuous updates to our YARA rule sets, and vigilant tracking of active malware families like Latrodectus, TrickBot, and NerbianRAT—you’ve got some serious tools at your disposal.

As we continue to monitor emerging threats, stay tuned for more updates and actionable insights. Until then, we wish you a safe and secure fall season!