Introduction

The first release of 2024 is already behind us, but we’re not slowing down! We hope you’ve enjoyed the features delivered in recent months, including addressing the QR code phishing attacks, support for the analysis of ISO and UDF filetypes as well as our continuous enhancements and research to Signature & Detection. You can read about the latest Detection highlights here.

Now, without further ado, let’s dive into our latest achievements of the 2024.2.0 release.

URL extraction from OneNote documents

The exploitation of OneNote files in malware campaigns was initially observed in the wild in late 2022 and early 2023, reaching peaks in February through April of 2023. These attacks were mostly associated with QBot. The operators of QBot began employing OneNote files containing embedded HTML applications (HTA files) to retrieve the QBot malware payload. They utilized two distribution methods for these HTA files, one of which involved hijacking existing email threads and sending a “reply-to-all” message with a malicious OneNote Notebook file attached.

Moreover, in recent attacks, we’ve observed the use of malicious Microsoft OneNote documents redirecting users to AsyncRAT (Asynchronous Remote Administration Tool). AsyncRAT is a type of malware that allows unauthorized remote access to a victim’s computer system. It is a malicious program designed to operate stealthily in the background, giving attackers control over the infected system without the user’s knowledge or consent.

With this latest release, users gain the ability to extract URLs directly from OneNote documents within VMRay Platform products. Once extracted, these URLs undergo the recursive analysis, which is the analysis of samples contained within other samples, enabling you to delve deeper into potential threats.

Enhanced LNK file analysis

To begin with, let’s briefly recap what LNK file types are. An LNK file type is a shortcut file used in Microsoft Windows operating systems. These files typically contain a reference to another file or program, enabling users to quickly access the target file or program without navigating through the entire file system. LNK files often feature a small arrow overlay icon to indicate that they are shortcuts and are commonly created by users to provide convenient access to frequently used files, folders, or applications.

In recent times, we’ve observed changes in the delivery chain of malware. Rather than relying on Office documents with macros, threat actors are now using ISO files containing an LNK file to execute hidden script files. A common delivery method for the QBot malware family involves using .ISO as a delivery container with an .LNK file serving as an entry point to trigger the further execution of malicious PowerShell or other scripts. By leveraging these techniques, threat authors can disguise malware as legitimate shortcuts by using similar icons and filenames. Users may be deceived into clicking on these shortcuts, thinking them to be harmless, and consequently – executing the malware. Additionally, the execution of LNK files has gained popularity, especially following Microsoft’s announcement of disabling VBS macros in MS Office applications.

With this release, we introduce enhanced support for LNK-triggered Windows scripts within the VMRay Platform. Users can now benefit from Dynamic Analysis of a variety of script types, including JScript, VBScript, and Windows Script Files, by submitting them as ISO archives in the Console. Upon submitting the ISO file, the Console mounts the samples as virtual drives and detects the entry point as an LNK file, which is used to execute hidden Windows script files.

With this update, you’ll delve deeper into understanding the behavior and potential threats linked to “LNK shortcut” files. Moreover, we automate the process, relieving analysts of manual tasks. This not only saves time but also allows them to stay focused on critical cybersecurity matters.

Support for STIX 2.1 in Analysis Reports

We’re happy to announce that with the release of 2024.2.0, our Platform now offers support for the STIX 2.1 file format in generated Analysis Reports. STIX, short for Structured Threat Information eXpression, serves as the standardized language and format for conveying cyber threat intelligence.

While STIX 2.0 laid a strong foundation by offering a good selection of artifacts and Indicators of Compromise (IOCs), the integration of STIX 2.1 support marks a substantial leap forward. Users now gain access to an expanded array of STIX Domain Objects, including Attack Patterns, Intrusion Sets, Malware, Relations, and more. This advancement not only ensures alignment with the latest industry standards but also enriches the diversity of available artifacts and IOCs compared to STIX 2.0. Note we maintain backward compatibility by continuing to support the STIX 2.0 format alongside the new STIX 2.1 implementation.

The New STIX 2.1 JSON Report will contain a robust set of information, such as:

• Malware and Report Analysis summary together with accompanied software information
• Artifacts (directories, URLs, IP addresses, processes, and more)
• MITRE attack patterns
• Network traffic patterns
• YARA indicator patterns
• VTI with extension definition and custom STIX
• Domain Objects
• Relationship between nodes
• and more!

By releasing STIX 2.1 report format export in our product, we also empower Cyberthreat Intelligence (CTI) teams to:

Simplify threat data sharing – effortlessly share enriched threat data (indicators, TTPs, malware relationships) with internal security teams and external partners.

Accelerate threat analysis – reduce manual effort in translating and integrating threat data into existing security tools by leveraging the machine-readable nature of STIX.

Improve collaboration – foster better communication and collaboration between your CTI teams and other security analysts across different departments and organizations.

Support for Windows 10 21H2 Dynamic Analysis for Cloud and On Premises

We announce the addition of support for Windows 10 21H2 Long-Term Support in the Dynamic Analysis of samples in our Platform products. This update enhances our product’s capabilities but also opens doors to a broader audience of Windows users. Moreover, by aligning with the latest Windows version, we aim to streamline the compliance and compatibility efforts by:

• Running the latest version of Windows, analysts can ensure compatibility with the widest range of malware samples and accurately assess their behavior across different Windows versions.
• Compliance standards often align with industry-recognized security best practices, which include keeping software and systems up-to-date with the latest security patches.
• Ensuring that the VMRay Platform is running current Windows versions, organizations mitigate the risk of non-compliance and avoid potential legal consequences associated with security breaches and data loss.

Having an up-to-date Windows version in our Platform will also greatly improve the detection and analysis capabilities. Malware authors may alter their code to exploit specific vulnerabilities or features present in certain versions of Windows. By using an up-to-date Windows version in the VMRay Platform, analysts can better detect and analyze malware behavior in an environment that closely resembles what users are likely to encounter in real-world scenarios.

Windows 10 21H2 will be the longest staying Windows 10 version through Long-Term Servicing Channel for Enterprise until January 12, 2027.

Quishing – taking further steps

Quishing (QR codes phishing) is a relatively new trend in cyber attacks, where malware authors adopt the QR codes to redirect the users to malicious websites. In early November 2023, we introduced the capability to extract and analyze URLs embedded within QR codes, thereby enhancing our users’ security measures. Expanding upon this foundation, we are excited to announce a significant enhancement in 2024—the capability to directly extract QR codes from PDF files. This decision stems from our Threat Researchers’ observations of the increasing prominence of this technique in recent weeks, as well as consideration of our customers’ valid requests.

What sets apart the exploitation of QR codes is that, unlike “oldschool” phishing attacks with direct URLs or email attachments, QR codes appear identical to legitimate ones, thus making them easier to evade detection. With this upgrade, our Platform offers better protection, particularly in light of the increase in phishing campaigns utilizing PDF-contained malicious QR codes delivered as email attachments.

From this release, you can extract QR codes from PDF files attached to the email, convert them into URLs, and submit them for analysis. Once the QR code is extracted, we pass it over to match against the VMRay Threat Identifiers and Smart Link Detonation engine to receive the sample’s Verdict.

FinalVerdict Booster

If you’re a FinalVerdict user, we have an exciting enhancement just for you! For those on our Unlimited plans, here’s what’s new:

This upgrade turbocharges your analysis capabilities, allowing you to run 4 or 8 analyses simultaneously, providing even greater efficiency and productivity!

Curious about our Unlimited plans? They’re fully supported across all our products: DeepResponse, FinalVerdict, and TotalInsight. For tailored details to meet your industry-specific needs, reach out to [email protected].

Final Thoughts

We do hope you will greatly benefit from what winter months’s work of our developments’ team has to offer – from the extraction of malicious URLs embedded within OneNote documents to enhanced support for analyzing LNK-triggered Windows scripts. Moreover, the integration of STIX 2.1 support enriches the depth of threat intelligence available to users, and expanding the QR code phishing attacks gives you even more power ot stay ahead of cyber adversaries.

In 2024, there’ll be 3 more releases to go, giving you another set of valuable updates already in June! Enjoy this fresh and new months of the new year and follow our ongoing journey!