Last week's top 10 threats by uploads 🌐
⬆️ #Xworm 563 (350)
⬆️ #Asyncrat 335 (176)
⬆️ #Warzone 289 (35)
⬆️ #Gh0st 241 (14)
⬆️ #Stealc 216 (180)
⬆️ #Quasar 211 (159)
⬆️ #Vidar 204 (184)
⬆️ #Remcos 169 (40)
⬇️ #Lumma 139 (167)
⬆️ #Reverseloader 108 (21)
Explore malware in action: https://app.any.run/?utm_source=mastodon&utm_medium=post&utm_campaign=top_ten&utm_term=120126&utm_content=linktoregister#register

#cybersecurity #infosec

🚨 New #Stegocampaign abuses obfuscated registry to execute payload
The attack relies on users following instructions, such as downloading a REG file that adds a #malicious script to Autorun. While Autorun abuse has rarely been seen recently, we found a sample actively using this method.

🔗 Execution chain:
PDF ➡️ Phish link ➡️ REG file adds a script to Autorun ➡️ OS reboot ➡️ CMD ➡️ PowerShell ➡️ #Wscript ➡️ Stegocampaign payload (DLL) extraction ➡️ Malware extraction and injection into AddInProcess32 ➡️ XWorm

⚠️ Victims receive a phishing PDF containing a link to download a .REG file. By opening it, users unknowingly modify the registry with a #script that fetches a VBS file from the web and adds it to Autorun.

Upon system reboot, the #VBS file launches #PowerShell, triggering an execution chain that ultimately infects the operating system with #malware.

👾 Then, #ReverseLoader downloads #XWorm, initiating its execution. The payload contains a DLL file embedded in an image, which then extracts XWorm from its resources and injects it into the AddInProcess32 system process.

❗️ This chain of actions abuses legitimate system tools and relies on user actions, making it difficult for automated security solutions to detect.
This puts organizations at risk by allowing attackers to evade detection, potentially leading to data breaches and access to sensitive data. #ANYRUN Sandbox offers full control over the VM, which allows you to interact with malware and manipulate its behavior.
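The Autorun step of this chain is the one a defender can catch before the reboot: a .REG file is plain text, and any value it writes under a Run/RunOnce key that hands control to wscript, PowerShell or cmd is worth a look. The script below is an added example for this post (not ANY.RUN's code and not the campaign's file): it parses .reg export text, decodes quoted REG_SZ and hex(2)/hex(7) UTF-16 blobs, and flags Autorun values whose data references a script host, a script extension, a URL, an encoded PowerShell switch or a user-writable path. The sample .reg content is constructed to mirror the described chain; the indicator list and key names are the author's assumptions, not a complete rule set.

```python
"""Flag Autorun (Run/RunOnce) persistence written by a Windows .reg file.

Added example; not ANY.RUN's code. SAMPLE_REG is constructed for this demo
and mirrors the chain described in the post (REG file -> Run key -> wscript/PowerShell).
"""
import re
from typing import Dict, List

# Keys whose values are launched at logon ("Autorun" in the post's wording).
AUTORUN_KEY_RE = re.compile(
    r"^\[(?P<hive>HKEY_[A-Z_]+)\\(?P<path>.*\\(?:Run|RunOnce|RunServices|RunServicesOnce))\]$",
    re.IGNORECASE,
)

# Script hosts the described chain passes through (cmd -> PowerShell -> wscript) plus common LOLBins.
SUSPICIOUS_HOSTS = ("wscript", "cscript", "powershell", "pwsh", "cmd", "mshta", "rundll32", "regsvr32")

# Indicators checked against the decoded value data; names become the report tags.
INDICATOR_RES = {
    "script_host": re.compile(r"\b(?:" + "|".join(SUSPICIOUS_HOSTS) + r")(?:\.exe)?\b", re.IGNORECASE),
    "url": re.compile(r"https?://", re.IGNORECASE),
    "script_ext": re.compile(r"\.(?:vbs|vbe|js|jse|ps1|bat|cmd|hta)\b", re.IGNORECASE),
    "encoded_ps": re.compile(r"-(?:e|enc|encodedcommand)\b", re.IGNORECASE),
    "user_writable": re.compile(r"%(?:appdata|localappdata|temp|public|userprofile)%|\\Users\\", re.IGNORECASE),
}

# "name"=data or @=data (default value).
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<data>.*)$')


def _decode_reg_data(raw: str) -> str:
    """Turn the right-hand side of a .reg value into a plain string.

    Handles quoted REG_SZ and hex(2)/hex(7) (UTF-16LE) blobs, which are a common
    way to hide a command from casual reading; other types are returned as-is so
    they still pass through the indicator checks.
    """
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        # .reg escapes quotes as \" and backslashes as \\ inside REG_SZ data.
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    m = re.match(r"^hex(?:\((?P<type>[0-9a-f]+)\))?:(?P<bytes>.*)$", raw, re.IGNORECASE)
    if m:
        blob = bytes.fromhex(m.group("bytes").replace(",", "").replace(" ", ""))
        if m.group("type") in ("2", "7"):  # REG_EXPAND_SZ / REG_MULTI_SZ: UTF-16LE, NUL-terminated
            return blob.decode("utf-16-le", errors="replace").rstrip("\x00").replace("\x00", " ")
        return blob.decode("latin-1")
    return raw


def find_autorun_entries(reg_text: str) -> List[Dict[str, object]]:
    """Return every value written under a Run-type key, with the indicator tags that fired."""
    # A trailing backslash continues a value on the next line (multi-line hex blobs).
    joined = re.sub(r"\\\r?\n\s*", "", reg_text)
    findings: List[Dict[str, object]] = []
    current_key = None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            m = AUTORUN_KEY_RE.match(line)
            current_key = f"{m.group('hive')}\\{m.group('path')}" if m else None
            continue
        if current_key is None:
            continue
        m = VALUE_RE.match(line)
        if not m or m.group("data").strip() == "-":  # "-" deletes a value; nothing to launch
            continue
        name = m.group("name") if m.group("name") is not None else "(Default)"
        data = _decode_reg_data(m.group("data"))
        hits = [tag for tag, rx in INDICATOR_RES.items() if rx.search(data)]
        findings.append({"key": current_key, "name": name, "data": data, "indicators": hits})
    return findings


def suspicious_autorun(reg_text: str, min_indicators: int = 1) -> List[Dict[str, object]]:
    """Filter to Autorun values with at least min_indicators indicator hits."""
    return [f for f in find_autorun_entries(reg_text) if len(f["indicators"]) >= min_indicators]


# Constructed sample .reg text (not the campaign's file). The second value stores
# "powershell.exe -e AAA" as a hex(2) blob split over two lines; "AAA" is a placeholder.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

; constructed for this example
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowsUpdater"="wscript.exe \"%APPDATA%\\loader.vbs\""
"Fetch"=hex(2):70,00,6f,00,77,00,65,00,72,00,73,00,68,00,65,00,6c,00,6c,00,2e,00,\
  65,00,78,00,65,00,20,00,2d,00,65,00,20,00,41,00,41,00,41,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OneDriveSetup"="\"C:\\Program Files\\Microsoft OneDrive\\OneDriveSetup.exe\" /silent"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
'''

if __name__ == "__main__":
    for f in suspicious_autorun(SAMPLE_REG):
        print(f"{f['key']}\\{f['name']}: {f['data']!r} -> {', '.join(f['indicators'])}")
```

Run it against a .REG file before anyone double-clicks it, or feed it the output of `reg export` from an endpoint after the fact; the benign OneDrive entry is listed by `find_autorun_entries` but dropped by `suspicious_autorun`, while the hex-encoded PowerShell value is decoded and flagged even though nothing readable appears in the raw file.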

👨‍💻 See analysis with a reboot:
https://app.any.run/tasks/068db7e4-6ff2-439a-bee8-06efa7abfabc/?utm_source=mastodon&utm_medium=post&utm_campaign=stegocampaign&utm_term=190225&utm_content=linktoservice

🚀 #ANYRUN's interactive VMs let users manually execute each step of the entire attack chain, even without a system reboot:
https://app.any.run/tasks/f9f07ae8-343f-4ea5-9499-a18f7c8534ef/?utm_source=mastodon&utm_medium=post&utm_campaign=stegocampaign&utm_term=190225&utm_content=linktoservice

🔍 Use this TI Lookup search query to find similar samples to enrich your company's detection systems:
https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=stegocampaign&utm_content=linktoti&utm_term=190225#%7B%22query%22:%22domainName:%5C%22filemail.com$%5C%22%22,%22dateRange%22:180%7D

Analyze and investigate the latest malware and phishing threats with #ANYRUN 🛡️

#cybersecurity #infosec

Analysis package_photo.pdf (MD5: 3D89F1BCC3873D106F138F35A9B1D3C6) Malicious activity - Interactive analysis ANY.RUN
