This is ANY.RUN’s monthly update, where we keep you posted on our progress.
In October, we took initial steps to maximize the use of our IOC database for threat intelligence. We launched TI feeds to enhance the threat coverage of security systems, delivering the latest indicators straight from the ANY.RUN sandbox. We also rolled out detection of malicious content within QR codes.
Product updates
Threat Intelligence Feeds
TI feeds supply malicious IPs, URLs, and domains to boost the threat coverage of your SIEM and other security systems with up-to-date IOCs. These indicators come from our public tasks database, refreshed by samples analyzed in the sandbox. In Q3 2023, our community of over 300,000 users gathered nearly 49 million unique IOCs while investigating malware samples.
Read about ANY.RUN’s Threat Intelligence Feeds.
UPD: Now you can also access Threat Intelligence Lookup, a platform that lets you find more information on malware attacks and phishing campaigns by searching specific IOCs, TTPs, or artifacts in command lines, registries, processes, as well dozens of other fields.
QR codes
Our sandbox now auto-detects the presence of QR codes in images. If the QR code contains a link (even in text form) the image is saved while linked resources are opened in a browser. Directing to malicious content within QR codes is becoming a common tactic in recent malware campaigns.
New YARA rules, malware config extractors, and fixes
In October, we enhanced the ANY.RUN sandbox by adding config extractors and expanding our YARA coverage for multiple malware strains and variants.
- RisePro: We’ve updated detection rules and the extractor for new RisePro samples.
- MortisLocker: This non-functional ransomware resembles test builds. We’ve added a detection rule, sourced from MalGamy samples, and uploaded it to our GitHub.
- OnlyLogger: We’ve added YARA rules and an extractor for this new loader, likely a GCleaner variant.
- DBatLoader Fix: Resolved issues with configuration decryption by introducing a universal decryption method.
- RustyStealer: Added detection rules and capabilities for this Rust-based stealer that sends exfiltrated data to Telegram via API.
- RustLoader: Implemented YARA rules for detecting RustLoader, which fetches malicious software from GitHub. This loader usually drops RustyStealer, XMrig, and others.
New signatures
We’ve added hundreds of new Suricata rules. Here are some of the highlights:
- LostTrust has been detected (specific LostTrust malware signature)
- Found IP address in command line (alert for possible C2 communication);
- Uses pipe srvsvc via SMB (detects data transfer via srvsvc pipe over SMB);
- SMB connection has been detected (Signature for SMB activity likely related to file transfers);
- PowerShell delay command usage (probably sleep evasion);
- Kill processes via PowerShell (detects termination of processes using PowerShell);
- Pikabot has been detected (fix: alert includes a resolution).
We’ve also detected a steganography campaign and added a signature to detect its hidden payloads.
Read how threat actors utilize steganography to hide malicious payloads.
To summarize
This month, we’ve taken initial steps to optimize our IOC database for enhancing client threat intelligence. We’ve also added features to our sandbox, improving detection of malicious content hidden in QR codes. Additionally, we’ve expanded the threat coverage of ANY.RUN itself.
ANY.RUN is a cloud malware sandbox that handles the heavy lifting of malware analysis for SOC and DFIR teams. Every day, 300,000 professionals use our platform to investigate incidents and streamline threat analysis.
Request a demo today and enjoy 14 days of free access to our Enterprise plan.
0 comments