The Labs team at VMRay actively gathers publicly available data to identify any noteworthy malware developments that demand immediate attention. We complement this effort with our internal tracking and monitor events the security community reports to stay up-to-date with the latest changes in the cybersecurity landscape.
In September 2024, the VMRay Labs team has been focused on the following areas:
1) New VMRay Threat Identifiers addressing:
2) Configuration Extraction capabilities for:
3) New YARA rules for:
   - 3 new PhishKits
Now, let’s delve into each topic for a more comprehensive understanding.
In a previous post, we introduced you to the concept of the VMRay Threat Identifiers (VTIs). In short, VTIs identify threatening or unusual behavior of the analyzed sample and rate the maliciousness on a scale of 1 to 5, with 5 being the most malicious. The VTI score plays a key role in determining the ultimate Verdict of the sample, which is displayed in the VMRay Platform after the analysis is complete. Here’s a summary of the new VTIs we’ve added or enhanced over the past month.
Category: Hide Tracks
MITRE ATT&CK® Technique: T1112
In recent months, we’ve focused on detecting modifications to Windows Defender settings. Now, we’re expanding to address a related tactic: disabling Windows Defender notifications. Our new VTI identifies when malware attempts to silence crucial security alerts, ensuring that users remain informed of potential threats.
Cybercriminals often employ various methods to conceal malicious activities from users and administrators. One effective tactic involves suppressing Windows Defender notifications to prevent security warnings from being displayed. By muting these alerts, malware can operate undetected, giving attackers more time to steal data or cause damage.
Malware can modify the Windows Defender setting known as the Notification_Suppress value, preventing Windows Defender from displaying alerts. As a result, even if a threat is detected, users remain unaware, allowing the malware to continue its operations undisturbed. This increases the likelihood of the infection going unnoticed until significant harm is done.
Disabling enhanced notifications
Beyond basic alerts, Windows Defender also provides enhanced notifications, offering detailed information on non-critical threats or quarantined files. By tampering with the DisableEnhancedNotifications registry value, malware can disable these more comprehensive warnings, further reducing the user’s ability to detect early signs of a security breach.
This is where our new VTI comes into play. If malware successfully disables these notifications after gaining administrative control, it can remain hidden for an extended period. Our VTI detects such changes, allowing security teams to respond quickly and prevent potential damage, even when the alerts themselves are suppressed.
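The check this VTI performs can be illustrated over a registry-write trace. The following is an added example, not VMRay's VTI code: the value names are the two named in the post, while the key locations and the sample events are assumptions and constructed data.

```python
# Added example, not VMRay's VTI code: flag registry writes that silence
# Windows Defender alerts. The value names come from the post; the key
# locations and the sample events below are assumptions / constructed data.
from dataclasses import dataclass
from typing import List

# Value names the post describes (matched case-insensitively).
SUPPRESSION_VALUES = {"notification_suppress", "disableenhancednotifications"}

@dataclass
class RegistryWrite:
    pid: int
    image: str   # process performing the write
    key: str     # e.g. HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration
    value: str   # value name
    data: int    # REG_DWORD written

def is_notification_suppression(ev: RegistryWrite) -> bool:
    """True when a Defender notification setting is switched to 'suppressed'.

    Both values live under a Windows Defender key (plain or Policies path), and
    a non-zero DWORD turns the suppression on; a write of 0 restores the
    notifications and is deliberately not flagged.
    """
    if ev.value.lower() not in SUPPRESSION_VALUES:
        return False
    if "windows defender" not in ev.key.lower():
        return False
    return ev.data != 0

def find_suppression_writes(events: List[RegistryWrite]) -> List[RegistryWrite]:
    return [ev for ev in events if is_notification_suppression(ev)]

# Constructed trace: one benign write, two suppression attempts, one re-enable.
SAMPLE_WRITES = [
    RegistryWrite(4212, r"C:\Windows\explorer.exe",
                  r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
                  "HideFileExt", 0),
    RegistryWrite(5120, r"C:\Users\Public\update.exe",
                  r"HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration",
                  "Notification_Suppress", 1),
    RegistryWrite(5120, r"C:\Users\Public\update.exe",
                  r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",
                  "DisableEnhancedNotifications", 1),
    RegistryWrite(5300, r"C:\Program Files\Windows Defender\MpCmdRun.exe",
                  r"HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration",
                  "Notification_Suppress", 0),
]

if __name__ == "__main__":
    for hit in find_suppression_writes(SAMPLE_WRITES):
        print(f"pid {hit.pid} {hit.image}: {hit.key}\\{hit.value} = {hit.data}")
```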
Category: Hide Tracks
MITRE ATT&CK® Technique: T1112
In September, we released a new VTI designed to tackle a specific malware technique targeting Windows systems. The malware operates by disabling Windows Security Center notifications, leaving users vulnerable to security threats without their knowledge.
In this technique, the malware modifies a registry value to disable the Windows Action Center, cutting off crucial security notifications before they reach the user. With Action Center notifications disabled, the malware can carry out its activities undetected. Disabling the Action Center also hides important security alerts such as antivirus notifications, making it harder for users and security teams to react in a timely manner.
To combat this, we’ve introduced a new VMRay Threat Identifier that detects this behavior. The VTI triggers upon identifying any malware samples attempting to modify this registry value, providing an early warning system against attacks using this technique.
Category: Defense Evasion
MITRE ATT&CK® Technique: T1218.011
We’re happy to announce a new VTI that detects when the rundll32.exe tool is used to load and run files (DLLs) from remote network drives.
Rundll32.exe is a legitimate Windows utility that allows users to execute functions stored in dynamic-link libraries (DLLs). DLLs contain code and data that can be used by multiple applications simultaneously, and rundll32.exe provides a way to call functions within these DLLs directly from the command line. In normal cases, this tool helps run important system functions. However, it can also be exploited by attackers to run harmful code while appearing as a legitimate Windows process.
Why is this suspicious?
We recently observed doubtful activity where rundll32.exe was used to load a DLL file from a network drive instead of the usual local system location (like C:\Windows\System32). This is unusual for several reasons:
Normally, rundll32.exe loads DLLs from trusted, local directories. Loading a file from an external or network drive is not standard and could mean that an unauthorized source is trying to run code on your system.
To address this threat, we’ve introduced a new VTI that automatically detects when rundll32.exe is used to load DLLs from network drives.
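Detecting this from process-creation events means parsing the rundll32 command line and deciding whether the DLL argument points at a network location. The following is an added example, not VMRay's VTI code; the command-line parsing rules and the mapped-drive handling are assumptions, and the events are constructed.

```python
# Added example, not VMRay's VTI code: flag rundll32.exe loading a DLL from
# a network location. The command-line parsing rules and the mapped-drive
# handling are assumptions; the process events are constructed.
import re
from typing import Iterable, List, Optional, Tuple

# Matches the rundll32 image token (quoted or bare) at the start of a command line.
_RUNDLL32 = re.compile(r'\s*(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s+', re.I)

def extract_dll_path(cmdline: str) -> Optional[str]:
    """Return the DLL argument of a rundll32 command line, or None.

    Handles both a bare and a double-quoted DLL path (quotes group a path that
    contains spaces); the entry point, if any, follows a comma.
    """
    m = _RUNDLL32.match(cmdline)
    if not m:
        return None
    rest = cmdline[m.end():]
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else None
    return re.split(r"[,\s]", rest, maxsplit=1)[0] or None

def is_network_path(path: str, mapped_drives: Iterable[str] = ()) -> bool:
    """A UNC path is remote by construction; a drive letter is only known to be
    remote if the analysis environment reports it as a mapped network drive."""
    p = path.strip()
    if p.startswith("\\\\") or p.startswith("//"):
        return True
    return p[:2].upper() in {d.upper() for d in mapped_drives}

def detect_remote_rundll32(events, mapped_drives: Iterable[str] = ()) -> List[Tuple[int, str]]:
    hits = []
    for ev in events:
        if not ev["image"].lower().endswith("rundll32.exe"):
            continue
        dll = extract_dll_path(ev["cmdline"])
        if dll and is_network_path(dll, mapped_drives):
            hits.append((ev["pid"], dll))
    return hits

# Constructed process-creation events (192.0.2.0/24 is a documentation range).
SAMPLE_EVENTS = [
    {"pid": 1201, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Windows\System32\shell32.dll",Control_RunDLL'},
    {"pid": 1337, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe \\192.0.2.10\share\payload.dll,Start"},
    {"pid": 1402, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'"C:\Windows\SysWOW64\rundll32.exe" Z:\tools\helper.dll,Run'},
]
```

Without a drive-mapping table the third event is indistinguishable from a local load, which is why the sandbox's knowledge of mapped drives is passed in separately.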
Category: Credential Access
MITRE ATT&CK® Technique: T1555
In our arsenal, we already had a VTI capable of detecting attempts to read or search for sensitive email data. Now, we have expanded this capability to include attempts to access sensitive information stored in Mozilla Thunderbird, a popular and free email client. Thunderbird is widely used for managing emails, contacts, and calendars, and it supports multiple email accounts. Because of its widespread use, attackers may target Thunderbird to exploit sensitive data stored in user profiles.
Recently, we identified a suspicious sample trying to access Thunderbird profile information. These profiles contain data like email account settings, messages, and contacts, which could be valuable to attackers. Our new VTI triggers when malware attempts to search for or access Thunderbird profiles. For example, it will detect when suspicious code tries to locate files in the following directory:
C:\Users\<username>\AppData\Roaming\Thunderbird\Profiles\.
By detecting these attempts early, we can stop attackers from gaining access to your private email data. This detection aligns with MITRE ATT&CK® technique T1555, which refers to malicious actors trying to gather email-related data for their attacks.
PhishKits, also known as phishing kits, are pre-packaged sets of tools used by cybercriminals to facilitate phishing attacks. These kits typically contain HTML pages, scripts, and resources needed to create a fake version of a legitimate website, like a banking portal or a social media login page. The goal of these phishing sites is to deceive users into entering sensitive information, such as usernames, passwords, or financial data.
PhishKits are designed to make phishing attacks easy to execute, even for individuals with minimal technical skills. They usually include:
In September, we added new YARA rules to detect three types of PhishKits:
In September, we introduced two new YARA rules to enhance our detection capabilities against emerging malware evasion techniques. These rules focus on identifying behaviors that malware increasingly uses to probe the environment it is executing in, allowing it to evade detection and analysis, particularly in sandboxed environments or security tools.
Most programs use memory allocation functions such as VirtualAlloc for legitimate purposes, such as ensuring they have sufficient memory for their operations. However, malware can abuse these functions to check whether a security product is observing its behavior.
VirtualAlloc
A common tactic used by malware is to call VirtualAlloc with invalid parameters. This technique allows malicious code to detect whether it is being debugged or analyzed. For example, by feeding VirtualAlloc unrealistic size values or conflicting flags, malware can provoke unusual responses that would not occur in a typical environment. This helps the malware determine whether it is being observed, and, if so, it can choose to remain inactive, thereby avoiding detection.
One advanced technique involves using the MEM_WRITE_WATCH flag with VirtualAlloc. This flag allows malware to monitor changes to specific memory regions. If the malware detects unexpected modifications, such as a sandbox overwriting or observing its memory, it can alter its behavior or terminate itself, effectively evading analysis.
While VirtualAlloc is a tool designed for legitimate memory management, malware misuse of this function for evading sandbox and debugging checks is a sophisticated tactic. Our YARA rule is designed to detect these anomalies, helping security teams identify suspicious behavior early in the execution process.
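The same anomalies can be spotted on the dynamic side by inspecting the VirtualAlloc calls in an API trace. The following is an added example, not VMRay's YARA rule: the flag values are the Win32 constants, the rules for which parameter combinations count as invalid are taken from the VirtualAlloc documentation as an assumption, and the trace is constructed.

```python
# Added example, not VMRay's YARA rule: inspect VirtualAlloc calls recorded in
# an API trace for the anomalies the post describes. The flag values are the
# Win32 constants; which combinations count as "invalid" is taken from the
# VirtualAlloc documentation as an assumption, and the trace is constructed.
from typing import Dict, List, Tuple

MEM_COMMIT      = 0x00001000
MEM_RESERVE     = 0x00002000
MEM_RESET       = 0x00080000
MEM_WRITE_WATCH = 0x00200000
MEM_LARGE_PAGES = 0x20000000

def classify_virtualalloc(size: int, alloc_type: int) -> List[str]:
    """Return the reasons a VirtualAlloc(size, alloc_type) call looks anomalous."""
    reasons = []
    if alloc_type & MEM_WRITE_WATCH:
        reasons.append("write_watch")              # lets the caller poll for page writes
        if not alloc_type & MEM_RESERVE:
            reasons.append("write_watch_without_reserve")  # documented as invalid
    if size == 0:
        reasons.append("zero_size")                # never valid: ERROR_INVALID_PARAMETER
    if size >= 1 << 40 and alloc_type & MEM_COMMIT:
        reasons.append("absurd_commit")            # 1 TiB+ commit cannot succeed on a typical VM
    if alloc_type & MEM_RESET and alloc_type & ~MEM_RESET:
        reasons.append("reset_with_other_flags")   # MEM_RESET must be used on its own
    if alloc_type & MEM_LARGE_PAGES and \
            (alloc_type & (MEM_COMMIT | MEM_RESERVE)) != (MEM_COMMIT | MEM_RESERVE):
        reasons.append("large_pages_without_reserve_commit")
    return reasons

def scan_trace(trace: List[Dict]) -> List[Tuple[int, List[str]]]:
    """Walk an API trace and report (call index, reasons) for suspicious VirtualAlloc calls."""
    findings = []
    for i, call in enumerate(trace):
        if call["api"] != "VirtualAlloc":
            continue
        reasons = classify_virtualalloc(call["dwSize"], call["flAllocationType"])
        if reasons:
            findings.append((i, reasons))
    return findings

# Constructed trace: a normal allocation, then three probes of the kind described above.
SAMPLE_TRACE = [
    {"api": "VirtualAlloc", "dwSize": 0x10000, "flAllocationType": MEM_COMMIT | MEM_RESERVE},
    {"api": "GetTickCount"},
    {"api": "VirtualAlloc", "dwSize": 0x1000, "flAllocationType": MEM_RESERVE | MEM_WRITE_WATCH},
    {"api": "VirtualAlloc", "dwSize": 0, "flAllocationType": MEM_COMMIT},
    {"api": "VirtualAlloc", "dwSize": 1 << 41, "flAllocationType": MEM_COMMIT | MEM_RESERVE},
]
```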
The second YARA rule is designed to detect attempts by malware to evade Windows Defender’s AV emulator, particularly by checking for its “goat files.” Recent research presented at the Black Hat conference showed that Windows Defender includes a built-in emulator for analyzing potential threats in a controlled environment. This emulator comes with a predefined file system, which includes numerous files known as “goat files.” These files are harmless and pre-created to simulate a typical Windows environment.
Some sophisticated malware families have begun to check for the presence of these goat files to determine if they are running inside the Windows Defender AV emulator. If these files are detected, the malware halts execution, thus avoiding analysis. Our YARA rule specifically monitors this behavior to catch instances where malware tries to evade Windows Defender’s built-in protections. By doing so, we can offer customers critical insights into evasive malware behavior.
In our last blog post, we took a deep dive into what configuration extraction is and how it works. If you’ve been following along, you know we recently rolled out a config extractor for Socks5Systemz—but we’re not stopping there. This month, we’re excited to announce that Latrodectus is now on board for configuration extraction.
Latrodectus is a highly active downloader, often seen as the next evolution of the infamous IcedID loader. It’s been making waves for a while, and with the release of Latrodectus version v.1.4, we’ve seen some major updates. One standout change? The switch to AES-256 (CTR mode) encryption to secure its internal strings. This is a big deal, and we’re happy to offer configuration extraction for this evolving threat.
What is AES-256 encryption? AES-256 (Advanced Encryption Standard) is a highly secure method of encrypting data. This encryption standard is widely trusted and used by governments and industries globally to protect sensitive data because of its strength and reliability. In the case of Latrodectus, the malware uses AES-256 to hide critical data, making it more difficult for security tools to detect and analyze the threat.
With the addition of Configuration Extraction for Latrodectus v.1.4, our Platform can now automatically decode and extract the hidden configurations—even those protected by AES-256 encryption. This new capability enhances our coverage of the malware, combining both YARA-based detection and detailed configuration extraction to provide a more complete threat profile.
We hope our ongoing research into emerging malware trends and the new features we’re adding to our products help you tackle the world of cybersecurity with confidence. With the latest updates, like the new Windows VTIs that catch attempts to disable notifications, the YARA rules that spot phishing kits, and the advanced config extractor for the Latrodectus malware family, you’ve got some serious tools at your disposal.
We’re always on the lookout for the latest threats, and we’ll be bringing you more updates and insights in the weeks ahead. Until then, wishing you a safe and enjoyable fall season!