RE: https://infosec.exchange/@netresec/115905237000922504
Hereβs a good example on why you should have network egress filtering on your network. Nobody uses the finger protocol any more. But the binary still exists in Windows! And if you donβt block outbound port 79/tcp your users are at risk #cybersecurity #LOLBIN
π¨ Attackers abuse #LOLBin to execute payloads without triggering alerts. The real challenge for SOC teams is spotting this behavior early before it escalates into a full incident.
πΎ See rundll32 abuse delivering #Gh0stRAT exposed in real time: https://app.any.run/tasks/c00a5ca2-7fc2-4e59-b3d2-1f45d55a03ab/?utm_source=mastodon&utm_medium=post&utm_campaign=LOLBin_attacks_case&utm_term=241125&utm_content=linktoservice
π Read the report to learn how to spot LOLBin abuse techniques with interactive analysis: https://any.run/cybersecurity-blog/lolbin-attacks-soc-detection-guide/?utm_source=mastodon&utm_medium=post&utm_campaign=LOLBin_attacks_case&utm_term=241125&utm_content=linktoblog
β οΈ Rundll32, certutil, mshta; attackers abuse them to load payloads without raising alerts.
Security teams using real-time analysis expose these #LOLBin tactics fast.
Hereβs how to achieve it inside your SOC π
https://any.run/cybersecurity-blog/lolbin-attacks-soc-detection-guide/?utm_source=mastodon&utm_medium=post&utm_campaign=lolbin-attacks&utm_term=191125&utm_content=linktoblog
π¨ #LOLBin abuse remains one of the hardest techniques for SOC teams to detect.
Attackers hijack trusted Windows tools to execute malicious activities while blending into legitimate processes.
π¨βπ» See example of a typical attack:
https://app.any.run/tasks/02dd6096-b621-49a0-a7ef-4758cc957c0f/?utm_source=mastodon&utm_medium=post&utm_campaign=new_tactics_lolbin&utm_term=231025&utm_content=linktoservice
π Read the breakdown of new #malware tactics:
https://any.run/cybersecurity-blog/new-malware-tactics/?utm_source=mastodon&utm_medium=post&utm_campaign=new_tactics_lolbin&utm_term=231025&utm_content=linktoblog
πΎ Top threats in July 2025.
#DeerStealer via obfuscated .LNK + #LOLBin abuse, fake 7-Zip stealing AD files, and the most exploited Remote Access Tools of H1 2025.
Dive into analysis and actionable intel on the threats active right now β¬οΈ
https://any.run/cybersecurity-blog/cyber-attacks-july-2025/?utm_source=mastodon&utm_medium=post&utm_campaign=cyber_attacks_july&utm_term=290725&utm_content=linktoblog
π¨ Control-Flow Flattening Obfuscated #JavaScript Drops #SnakeKeylogger.
The #malware uses layered obfuscation to hide execution logic and evade traditional detection.
β οΈ Our data shows banking is the most affected sector among our users, nearly matching all the other industries combined. As part of widespread #MaaS #phishing campaigns, Snake targets high-value industries including fintech, healthcare, and energy, making instant threat visibility and behavioral analysis essential.
π Execution chain:
Obfuscated JS β‘οΈ ScriptRunner.exe β‘οΈ EXE β‘οΈ CMD β‘οΈ extrac32.exe β‘οΈ PING delay β‘οΈ Snake
The attack begins with a loader using control-flow flattening (#MITRE T1027.010) to obscure its logic behind nested while-loops and string shifts.
πΎ The loader uses COM automation via WshShell3, avoiding direct #PowerShell or CMD calls and bypassing common detection rules.
βοΈ Obfuscated CMD scripts include non-ASCII (Japanese) characters and environment variables like %β¦%, further complicating static and dynamic analysis.
Two CMD scripts are dropped into ProgramData to prepare the execution environment. This stage involves #LOLBAS abuse: legitimate DLLs are copied from SysWOW64 into β/Windows /β and Public directories. The operation is performed using extrac32.exe, known #LOLBin and JS script functionality. This combination helps bypass detection by imitating trusted system behavior.
π Persistence is established by creating a Run registry key pointing to a .url file containing the execution path.
π Snake is launched after a short delay using a PING, staggering execution.
π¨βπ» See execution on a live system and download actionable report:
https://app.any.run/tasks/0d53bef9-c623-4c2f-9ce9-f1d3d05d21f3/?utm_source=mastodon&utm_medium=post&utm_campaign=obfuscated_js_snake&utm_term=240725&utm_content=linktoservice
Explore #ANYRUNβs threat database to proactively hunt for similar threats and techniques and improve the precision and efficiency of your organization's security response:
πΉ https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=obfuscated_js_snake&utm_content=linktoservice&utm_term=240725#%7B%2522query%2522:%2522commandLine:%255C%2522extrac32*.dll*.%255C%2522%2522,%2522dateRange%2522:180%7D
πΉ https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=obfuscated_js_snake&utm_content=linktoservice&utm_term=240725#%7B%2522query%2522:%2522commandLine:%255C%2522%255C%255C%255C%255CWindows%2520%255C%255C%255C%255C%255C%2522%2522,%2522dateRange%2522:180%7D
πΉ https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=obfuscated_js_snake&utm_content=linktoservice&utm_term=240725#%7B%2522query%2522:%2522commandLine:%255C%2522ping%2520%2520127.0.0.1%2520-n%252010%255C%2522%2522,%2522dateRange%2522:180%7D
πΉ https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=obfuscated_js_snake&utm_content=linktoservice&utm_term=240725#%7B%2522query%2522:%2522registryKey:%255C%2522%255C%255CRun$%255C%2522%2520AND%2520registryValue:%255C%2522.url$%255C%2522%2522,%2522dateRange%2522:180%7D
#IOCs:
54fcf77b7b6ca66ea4a2719b3209f18409edea8e7e7514cf85dc6bcde0745403
ae53759b1047c267da1e068d1e14822d158e045c6a81e4bf114bd9981473abbd
efd8444c42d4388251d4bc477fb712986676bc1752f30c9ad89ded67462a59a0
dbe81bbd0c3f8cb44eb45cd4d3669bd72bf95003804328d8f02417c2df49c481
183e98cd972ec4e2ff66b9503559e188a040532464ee4f979f704aa5224f4976
reallyfreegeoip[.]org
104[.]21[.]96[.]1
https[:]//reallyfreegeoip[.]org/xml/78[.]88[.]249[.]143
registryValue: Iaakcppq.url
π¨βπ» Gain full visibility with #ANYRUN to make faster, smarter security decisions.
π¨ #DeerStealer Delivered via Obfuscated .LNK and #LOLBin Abuse.
A new phishing campaign delivers #malware through a fake PDF shortcut (Report.lnk) that leverages mshta.exe for script execution, which is a known LOLBin technique (MITRE T1218.005).
β οΈ The attack begins with an .lnk file that covertly invokes mshta.exe to drop scripts for the next stages. The execution command is heavily obfuscated using wildcard paths.
π Execution chain:
.lnk β‘οΈ mshta.exe β‘οΈ cmd.exe β‘οΈ PowerShell β‘οΈ DeerStealer
To evade signature-based detection, #PowerShell dynamically resolves the full path to mshta.exe in the System32 directory. It is launched with flags, followed by obfuscated Base64 strings. Both logging and profiling are disabled to reduce forensic visibility during execution.
π #ANYRUNβs Script Tracer reveals the full chain, including wildcard LOLBin execution, encoded payloads, and network exfiltration, without requiring manual deobfuscation.
Characters are decoded in pairs, converted from hex to ASCII, reassembled into a script, and executed via IEX. This ensures the #malicious logic stays hidden until runtime.
πΎ The script dynamically resolves URLs and binary content from obfuscated arrays, downloads a fake PDF to distract the user, writes the main executable into AppData, and silently runs it. The PDF is opened in Adobe Acrobat to distract the user.
π¨βπ» See analysis session:
https://app.any.run/tasks/02dd6096-b621-49a0-a7ef-4758cc957c0f?utm_source=mastodon&utm_medium=post&utm_campaign=deerstealer_lolbin&utm_content=linktoti&utm_term=170725
π Use these TI Lookup search requests to find similar threats to enrich your company's detection systems:
πΉ https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=deerstealer_lolbin&utm_content=linktoti&utm_term=170725#%7B%2522query%2522:%2522threatName:%255C%2522susp-lnk%255C%2522%2522,%2522dateRange%2522:180%7D%20
πΉ https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=deerstealer_lolbin&utm_content=linktoti&utm_term=170725#%7B%2522query%2522:%2522commandLine:%255C%2522%7C%2520IEX%255C%2522%2522,%2522dateRange%2522:180%7D
πΉ https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=deerstealer_lolbin&utm_content=linktoti&utm_term=170725#%7B%2522query%2522:%2522commandLine:%255C%2522powershell*%2520-E%2520%255C%2522%2522,%2522dateRange%2522:180%7D%20
#IOC:
https[:]//tripplefury[.]com/
fd5a2f9eed065c5767d5323b8dd928ef8724ea2edeba3e4c83e211edf9ff0160
8f49254064d534459b7ec60bf4e21f75284fbabfaea511268c478e15f1ed0db9
β‘οΈ With real-time and deep visibility into script execution, process details, and network behavior, #ANYRUN simplifies dynamic analysis of evasive threats like DeerStealer.
Hans-Cees π³π³π€’π¦ππππππ
Brian Clark
ANY.RUN
Jeremy Wiedner
