The Labs team at VMRay actively gathers publicly available data to identify any noteworthy malware developments that demand immediate attention. We complement this effort with our internal tracking and monitor events the security community reports to stay up-to-date with the latest changes in the cybersecurity landscape.

In July 2024, the VMRay Labs team has been focused on the following areas:

1) New VMRay Threat Identifiers addressing:

• Detecting  Windows Defender configurations
• Detecting malicious use of Windows binary (certutil.exe)
• Detecting suspicious file names created in startup folder

2) Smart Link Detonation improvements including new detonation rules for:

• Detonating Constant Contact click-tracking URLs

3) New YARA rules for:

• Kematian stealer
• Latrodectus downloader
• Socks5Systemz
• FakeBat, STRRAT
• Most recent Lumma samples

Now, let’s delve into each topic for a more comprehensive understanding.

New VMRay Threat Identifiers

In a few last blog posts, we introduced you to the concept of the VMRay Threat Identifiers (VTIs). In short, VTIs identify threatening or unusual behavior of the analyzed sample and rate the maliciousness on a scale of 1 to 5, with 5 being the most malicious. The VTI score, which greatly contributes to the ultimate Verdict of the sample, is presented to you in the VMRay Platform after a completed analysis. Here’s a recap of the new VTIs that we added, or improved in the past month.

Category: Defense Evasion

MITRE ATT&CK® Technique: T1562.001

Malware authors often modify Windows Defender configurations as a strategy to weaken or disable the built-in antivirus protection on a Windows system. By altering these settings, malware can evade detection and removal, allowing it to operate more freely.

In a previous Detection Highlights blog, we introduced a new VTI aimed at detecting  via PowerShell. Building on that feature, we are now unveiling another VTI. Both of these VTIs share the same objective: detecting attempts to disable Windows Defender. However, they target different scenarios. The previous VTI focused on detecting the complete disabling of Windows Defender as a Windows feature. This new VTI, on the other hand, identifies changes to Defender’s configurations as a means of malware defense evasion.

Malware authors can use registry modifications to disable various Windows Defender features. For example:

• By setting the registry of DisableRealTimeMonitoring to 1, malware can disable the real-time protection feature of Windows Defender. This prevents Windows Defender from scanning files and processes in real-time, significantly reducing its ability to detect and stop malicious activities as they happen.
• Setting the registry key of DisableBehaviorMonitoring to 1, disables behavior monitoring, which can help detect suspicious activities based on behavior rather than signatures.
• Changing the registry key of DisableAntiSpyware to 1, disables Windows Defender entirely, leaving the system without its primary line of defense against malware and spyware.

 This additional layer of protection ensures that any attempts to tamper with Windows Defender settings are detected and mitigated, keeping your systems secure.

Category: Defense Evasion

MITRE ATT&CK® Technique: T1140

We’re happy to introduce new VTIs to our Platform products that can detect the misuse of a legitimate Windows utility called certutil.exe for decoding files. This utility is often exploited by attackers to decode encoded files, which are typically used to bypass signature-based detections at both the network and host system levels. By encoding malicious files, attackers aim to evade security measures, but just before these files are executed, they are decoded using certutil.exe.

What is certutil.exe?

Certutil.exe is a command-line tool included with the Windows operating system. It is primarily used for managing certificates, Certificate Authorities (CAs), and key pairs. Among its many functions, certutil.exe can encode files into base64 format and decode base64 encoded files. While this feature is intended for legitimate tasks, attackers can exploit it to hide malicious files or steal data.

Why attackers like certutil.exe: 

• Evasion of detection – since certutil.exe is a legitimate Windows utility, its use is less likely to be flagged by antivirus software compared to custom-made malware.
• Trusted execution – being a native Windows tool, certutil.exe is trusted by the operating system, making it easier to bypass security measures that restrict unknown applications.
• Reduced footprint – attackers can use tools already present on the target system, minimizing the need to download additional files that might be detected by security software.

We have recently observed a malware sample that used certutil.exe as a Living Off the Land Binary (LOLBin) for decoding a file. LOLBins are legitimate tools that come with the operating system or installed software, but they can be repurposed by attackers for harmful activities. Their legitimate origins help them blend into normal system activities, making detection challenging for traditional security tools.

How malware might misuse certutil.exe:

1. Initial infection – the attacker gains access to the target system through phishing, exploit kits, or another method.
2. Downloading encoded payload – after gaining access, the attacker downloads an encoded malicious file (often base64 encoded) from a remote server. This helps the file avoid detection by security software.
3. Decoding the payload with certutil.exe – the attacker then uses certutil.exe to decode the base64 file into its original form, usually a malicious executable or script.
4. Executing the decoded payload – finally, the attacker runs the decoded file, which then carries out malicious activities such as data theft, system takeover, or spreading to other systems.

To enhance our Platform’s ability to detect such activities, we’ve introduced two new VTIs addressing:

• Detection of certutil.exe used to decode a file: This will alert when certutil.exe is used to decode any file, which can be an indication of potential misuse.
• Detection of certutil.exe decoding a file that is then executed: This will trigger an alert when a decoded file is immediately executed, highlighting a higher risk of malicious activity.

3) Detect suspicious file names created in startup folder

Category: Persistence

Let’s start by understanding the importance of the startup folder in computing and cybersecurity. In Windows operating systems, the startup folder is a directory that contains shortcuts to programs set to launch automatically when the system boots. This feature allows legitimate software to run essential programs without requiring user intervention. However, it can also be exploited by malware authors to ensure their malicious programs execute every time the system starts.

While adding new software or system updates to the startup folder is normal, malware authors exploit this directory to create suspicious files. These unexpected additions, particularly those with unfamiliar file names or programs, often signal malicious activity.

To address this issue, we have implemented a new VMRay Threat Identifier designed to trigger alerts when suspicious actions are detected within the startup folder. This enhancement will help us better identify and mitigate potential threats associated with unauthorized modifications.

Smart Link Detonation gets smarter

In July 2024, we’ve made several improvements to the Smart Link Detonation (SLD) mechanism in our Platform products. If you haven’t read about it yet – SLD is a feature that enables the automatic evaluation and detonation of appropriate hyperlinks in document and email samples. This time, we’ve added new detonation rule, which allows for even greater capability of this feature to capture malicious URLs.

Detonating Constant Contact click-tracking URLs

Constant Contact click-tracking URLs are special URLs used by the email marketing service Constant Contact to monitor and analyze how recipients interact with links in email campaigns. These URLs are modified to route the user through Constant Contact’s servers before redirecting them to the final destination. While Constant Contact is a legitimate service provider for marketing purposes, its click-tracking URLs are often exploited in malicious activities, particularly phishing attacks.

To enhance our defense mechanisms and better identify phishing attempts that disguise their malicious intent behind click-tracking URLs, we are now extending our Smart Link Detonation feature. Our Platform products can now detonate and analyze Constant Contact links by triggering a recursive submission on such URLs. This ensures that any hidden phishing threats are thoroughly examined.

New YARA Rules

1) Extend YARA support for most recent Lumma samples

Lumma stealer – a digital thief that emerged in 2022, written in the C programming language. This malware quickly gained notoriety in the cyber underworld for its ability to steal valuable information, such as cryptocurrency wallets and two-factor authentication credentials. It’s even sold on Russian forums as Malware as a Service (MaaS). Earlier this year, we were actively tracking the latest versions of Lumma, improving our tools to detect its behaviors and configurations with YARA rules.

However, the game of cat and mouse continues. As we update our products to catch new variants of Lumma, the malware creators are constantly evolving their tactics. One recent change involves obscuring how Lumma communicates with its controllers (C2).

C2, or command and control, serves as a communication channel between an infected system and the attacker behind it, allowing the latter to control the compromised devices. In recent samples of Lumma, the C2 servers are no longer listed in plaintext. Instead, they are XOR encrypted and base64 encoded, making it more challenging to extract the malware configuration.

In response to these challenges, we’ve updated our YARA rules to better detect and counteract these tricky new tactics employed by Lumma stealer variants.

2) Support for Kematian Stealer & SomalifuscatorV2

Introducing Kematian Stealer, a recently identified type of malicious software designed to sneak into computers undetected and steal valuable information. Unlike typical viruses, , making it harder to analyze and stop.

Once it infiltrates a computer, Kematian Stealer goes to work quietly extracting all sorts of sensitive data. It targets everything from login details and cryptocurrency wallets to detailed hardware information like the type of processor and amount of memory in your device. It even grabs geographical data and a list of all the programs you have installed.

Developers behind Kematian Stealer are actively promoting it online via GitHub since June 2024, showcasing its ability to evade security measures with anti-debugging and anti-detection features. Moreover, this malware is persistent, it can restart itself automatically after your computer reboots, ensuring it stays hidden and continues its data theft. You can check out our recent blog entries on this discovery here: Malicious batch file reveals its full behavior only when it was started by a double click, Kematian Stealer VMRay Dynamic Analysis Report.

In our latest security update, we’ve identified that the Kematian Stealer malware is being . The creators of this tool boast that it is “the most advanced and poorly coded Windows batch obfuscator ever made (aka the best).” Obfuscators are tools that make software, especially malicious software, difficult to understand and analyze.

Attackers use obfuscators to hide what their code is really doing. This makes it harder for security software and experts to detect and figure out how the malware works. By using SomalifuscatorV2, attackers can disguise the Kematian Stealer, making it more challenging to spot and stop. However, with our newly added YARA rules, we can now detect both the obfuscator and the stealer itself.

3) YARA coverage for Latrodectus: a follower of IcedID

Somewhere around , a new menace has emerged: Latrodectus. This downloader appears to be a successor to the notorious IcedID, a modular banking spyware that operates since 2017, potentially developed by the same threat actors behind it. In 2024, we’re observing a concerning trend: the volume of Latrodectus samples has steadily risen through the middle of the year.

Latrodectus functions as a loader malware, designed to infiltrate systems using  techniques such as dynamically resolving APIs, API hashing, and string encryption. Written in C, it operates as a stealthy backdoor, enabling threat actors to execute commands, deploy malicious executables and libraries, and gather sensitive information from infected machines.

To strengthen our defenses against Latrodectus, we are introducing YARA rules tailored specifically to statically detect its files and artifacts. As we continue to monitor the threat landscape, .

4) Socks5Systemz Proxy-For-Rent threat

Socks5Systemz, a malicious software that turns infected computers into proxy servers for hire. Cybercriminals use this malware to reroute their internet traffic through compromised machines, keeping their activities anonymous and evading detection. Socks5Systemz is typically spread through deceptive downloads, malvertizing and phishing emails, often delivered by malware like PrivateLoader and Amadey.

Socks5Systemz first appeared around 2016 but largely flew under the radar until late 2023. It infects computers when users unwittingly download infected files or click on malicious links. Once installed, the malware quietly sets up special proxy connections on the infected computers. These proxies act as intermediaries, directing internet traffic from cybercriminals to their desired destinations.

Key Features:

• Proxy-For-Rent – cybercriminals can rent these infected computers as proxy servers for a fee, using them to hide their online activities.
• Traffic redirection – infected computers forward internet traffic for purposes that can include illegal or anonymous activities, making it difficult to trace the original source.
• Persistent Operation – Socks5Systemz installs a hidden door that allows it to keep running even if the computer is restarted, ensuring that the proxy services remain available for as long as possible.

To stay ahead of this emerging threat, we’ve added YARA rule coverage for Socks5Systemz.

5) YARA coverage for recently emerging threats: FakeBat & STRRAT 

FakeBat 

In light of the increased activity of the FakeBat malware family, we have implemented new YARA rules to enhance our detection capabilities. FakeBat, active since December 2022, operates as a loader-as-a-service and is mainly spread through malvertising. The loader is designed to bypass security mechanisms and provides users with options to generate builds using templates to trojanize legitimate software. Additionally, it includes an administration panel for monitoring installations over time.

STRRAT

We have introduced a new YARA rule for the STRRAT malware family, a Java-based Remote Access Trojan (RAT). STRRAT is notorious for credential and password stealing via keylogging and uses plugins to provide remote access to attackers. The latest version, 1.6, features enhanced obfuscation and encryption techniques, making it more challenging to detect. In addition to its RAT capabilities, STRRAT can also drop other malicious software, significantly increasing its threat potential.