🚨 #Alert: Backdoored configuration script waits until user is inactive (!) to run #Linux #malware 🐧

VMRay Labs found a backdoored build configuration script for httpd designed to drop and run the #XMRig malware to mine #Monero. ⛏️

⏳ Surprisingly, the script waits until the user has been #inactive for at least a minute before starting the crypto-miner.

🔍 It also looks out for resource monitoring tools such as htop, nmon, or iostat, in which case it kills the resource-heavy XMRig process to avoid being caught.

To maintain access, the sample adds the attackers' public key to the ".ssh/authorized_keys" file, allowing them to re-enter the compromised machine without a password.

Note, the official httpd configuration script from Apache is NOT backdoored – this is about a custom modification by threat actors, likely to distribute their own backdoored httpd source code to their victims.

In a nutshell:

🚫 0/62 detection on #VirusTotal

🕵️‍♂️ Delivery Chain:
- backdoored "configure" script → Shell script → Daemon → XMRig
- Watches for these processes and kills the miner if present: top, htop, atop, mate-system-mon, iostat, mpstat, sar, glances, dstat, nmon, vmstat, ps
- Collects information about the hardware (cpuinfo, meminfo, os-release, machine-id, etc.) and about files in the home directory every 12h
- Uploads information to file.io with an expiry date of ten days.
- Shows a fake error message about a missing "libnetauth", which does not seem to be a real library
- Installs its own SSH auth key

Our analysis report shows our executable compound sample submission that executes the first two shell script payloads.

#MalwareAnalysis #ThreatDetection #Sandboxing
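The persistence step in the post above (an extra public key appended to `.ssh/authorized_keys`) is one of the few traces of this sample that a defender can check with a deterministic rule. The script below is an added example, not VMRay's code and not taken from the analysed sample: it parses an `authorized_keys` file (including entries with a leading options field), computes the OpenSSH-style SHA256 fingerprint of every key, and reports each key whose fingerprint is not on an allowlist that would normally come from configuration management. All keys, hostnames and comments in it are constructed for the example and are not real credentials.

```python
"""Audit an authorized_keys file for SSH keys that are not on an allowlist.

Added example (not VMRay's code). All key material below is constructed
inline for demonstration and is not a real credential.
"""
import base64
import hashlib
import re
import struct
from dataclasses import dataclass

# Matches "[options] <keytype> <base64 blob> [comment]". The options field is
# optional and may contain quoted spaces (e.g. command="..."), so the key type
# token is used as the anchor rather than splitting on whitespace.
_KEY_RE = re.compile(
    r"^(?P<options>.*?\s)?"
    r"(?P<type>ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp(?:256|384|521)|sk-[\w.-]+@openssh\.com)"
    r"\s+(?P<blob>[A-Za-z0-9+/=]+)"
    r"(?:\s+(?P<comment>.*))?$"
)


@dataclass
class KeyEntry:
    line_no: int
    key_type: str
    fingerprint: str
    comment: str
    options: str


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the same format `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list[KeyEntry]:
    """Parse every key line; blank lines and comments are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _KEY_RE.match(line)
        if not m:
            continue  # unparseable line; a production audit would report it too
        blob = base64.b64decode(m.group("blob"))
        entries.append(KeyEntry(
            line_no=n,
            key_type=m.group("type"),
            fingerprint=fingerprint(blob),
            comment=(m.group("comment") or "").strip(),
            options=(m.group("options") or "").strip(),
        ))
    return entries


def audit(text: str, allowed_fingerprints: set[str]) -> list[KeyEntry]:
    """Return every key in `text` whose fingerprint is not on the allowlist."""
    return [e for e in parse_authorized_keys(text)
            if e.fingerprint not in allowed_fingerprints]


# --- constructed sample data (hypothetical keys, not real credentials) -------

def _ssh_string(b: bytes) -> bytes:
    """OpenSSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(b)) + b


def _fake_ed25519_blob(seed: bytes) -> bytes:
    """Wire-format ssh-ed25519 public key with a made-up 32-byte point."""
    return _ssh_string(b"ssh-ed25519") + _ssh_string(hashlib.sha256(seed).digest())


def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode()


ADMIN_BLOB = _fake_ed25519_blob(b"admin-key")
BACKUP_BLOB = _fake_ed25519_blob(b"backup-key")
ROGUE_BLOB = _fake_ed25519_blob(b"rogue-key")

# Allowlist a defender would normally pull from configuration management.
BASELINE = {fingerprint(ADMIN_BLOB), fingerprint(BACKUP_BLOB)}

# Constructed authorized_keys content: two expected keys plus one appended key.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    f"ssh-ed25519 {_b64(ADMIN_BLOB)} admin@workstation",
    f'command="/usr/bin/rsync --server",no-pty ssh-ed25519 {_b64(BACKUP_BLOB)} backup@nas',
    f"ssh-ed25519 {_b64(ROGUE_BLOB)} unknown",
])

if __name__ == "__main__":
    for e in audit(SAMPLE_AUTHORIZED_KEYS, BASELINE):
        print(f"line {e.line_no}: unknown {e.key_type} key {e.fingerprint} ({e.comment!r})")
```

Run against a real host by reading each user's `~/.ssh/authorized_keys` into `audit()` with the organisation's fingerprint allowlist; an entry that is not on the list is the signal, regardless of what comment the key carries, since the comment field is attacker-controlled.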
VMRay
Computer and Network Security
Sandboxing reinvented against the malware & phishing threats of today - and tomorrow.
About
VMRay is an international enterprise security brand for solutions to detect and analyze cyber threats. Under the brand are two companies: VMRay Inc. (USA; www.vmray.com) and VMRay GmbH (Germany; www.vmray.de), each serving their respective markets and customers. For inquiries from Germany please contact VMRay GmbH and for all other inquiries please contact VMRay Inc.
- Website
- http://www.vmray.com
- Industry
- Computer and Network Security
- Company size
- 51–200 employees
- Headquarters
- Bochum
- Type
- Privately held
- Founded
- 2013
- Specialties
- Network Sandbox, Malware Analysis, Threat Detection, Cybersecurity, IT Security, phishing, dynamic analysis, Threat Intelligence and Security Automation
Locations
- Primary: Suttner-Nobel-Allee 7, Bochum, 44803, DE
- 22 Boston Wharf Rd, 7th Floor, Boston, Massachusetts 02210, US
Employees of VMRay
- Tom Kearns, CISSP, CCSM: Sr. Security Engineer @ VMRay Customer Success Management
- Mounil Patel: Head of Technical Field Operations
- Marcus Conroy: Vice President of Global Sales at VMRay
- Thomas Weiss: CRO, Business Builder, Global Sales & Business Development, Advisor, Board Member
Updates
🚨 🎣 #Phishing remains one of the most persistent threats and attackers are constantly evolving their tactics. Bruno Humic from #teamVMRay dives into the technical depths of trending phishing campaigns, dissecting phishing kits like #CarPhish, #EDG, #Tpass, and #Mamba2FA. https://bit.ly/4gk0dZY

🔍 What you’ll find in the article:
✉️ An in-depth analysis of how these phishing kits are designed to trick the users, from their phishing logics and behaviors, to evasion tactics and fake login screens.
🛡️ Technical insights into the evolution of phishing tactics and what makes these kits so dangerous.

👉 Check out the full blog post here: https://bit.ly/4gk0dZY

#Cybersecurity #MalwareAnalysis #Phishing #ThreatDetection #sandboxing
VMRay reposted this

Everyone won again in the recent #MITRE ATT&CK Enterprise Evaluation, with almost 100% detections. Remarkable results, though, come at the cost of reporting innocent behavior, too. At #VMRay, we help SOC teams filter out noise caused by False Positives. Try our automated #EDR integrations: https://lnkd.in/d7VJsfYn
🔔 Your biweekly dose of #ThreatIntelligence is here! Our latest #CTI Newsletter is out, packed with insights to keep you ahead of the curve.

🛡️ Here’s what we’re highlighting this time:

🛠 Key Picks from Security Reports:
- #DataExfiltration tools used by #ransomware operators
- #BlackBasta adopting #ZBot and #DarkGate
- #SecretBlizzard leveraging #Amadey bots
- The rise of #LOLBins, and updates on #CAPA

🔍 Deep-Dive Threat Analyses: #Sandboxing reports on the #malware families mentioned in the newsletter, hand-picked from VMRay's threat feed on:
• #DarkGate
• #CobaltStrike
• #AgentTesla
• #Lumma Stealer
• #Socks5systemz
• #Amadey
• #ZBot

Our biweekly newsletter delivers concise, actionable insights focused on malware trends and in-depth threat analysis—so you’re always prepared for what’s next.

#CyberThreats #MalwareAnalysis #Phishing #CyberSecurity
📢 We’ve just published the latest installment of our Detection Highlights blog series! 🚀 https://bit.ly/41Cc7to

In this edition, Izabela Komorowska takes you through the November updates from our #Labs team, covering everything from #voicemail #phishing detection to new #YARA rules and advanced threat identifiers.

Here’s a quick snapshot of what’s inside:

🔍 New Threat Identifiers for
• detecting process cloning via #vfork()
• spotting usage of the #Powershell -NoProfile command line parameter
• identifying obfuscated inputs in #macOS osascript

📞 Fake voicemail phishing detection with Auto UI

🛠️ New #YARARules for
• #DCRat
• #Phorpiex
• known vulnerable drivers (BYOD)
• #SnipBot

🌐 Get the full breakdown and insights here: https://bit.ly/41Cc7to

#CyberSecurity #ThreatDetection #MalwareAnalysis #PhishingDetection
📢 Stay ahead of evolving threats in 2025: Join our year-end Detection Highlights #webinar! https://lnkd.in/dS5qzz6s

As we approach 2025, cyber attackers are sharpening their #evasion tactics. In our upcoming Detection Highlights Webinar on December 17th, we’ll unveil our latest advancements that we have engineered to combat sophisticated threats:

🔍 New threat identifiers: Detect complex techniques like #ProcessDoppelgänging and #malware that self-deletes using #AlternateDataStreams (ADS).
📜 Enhanced #ThreatDetection: Uncover tactics like Windows event log clearing, used by attackers to cover their tracks.
🛠️ Powerful #YARA rules & #MalwareConfiguration extractors: Identify malware families like #AsyncRAT, #Amadey, #Guloader, #Remcos, and #Trickbot
✉️ Smarter #phishing detection: Explore new Smart Link Detonation triggers for pinpoint accuracy against stealthy phishing threats.

Our speakers—Patrick Staubmann, Hüseyin Fatih Akar, and Ertugrul Kara—will guide you through these updates and explain how they empower your security team to tackle advanced threats with confidence.

👉 Register now: https://lnkd.in/dS5qzz6s

#CyberSecurity #MalwareAnalysis
VMRay reposted this

📸 Snapshots from #CyberThreat2024 in #London. 🛡️✨

Ertugrul Kara and Patrick Staubmann took the main stage to share VMRay’s latest research on #cybersecurity threats and the advanced, evasive techniques used by #malware and #phishing campaigns. 💡🔍

Meanwhile, at our desk, we showcased how VMRay’s innovative technologies empower security teams to overcome their toughest challenges, with hands-on demos that sparked insightful discussions.

A huge thank you to everyone who joined our sessions and stopped by to connect with us. Collaborating with the cybersecurity community is always a highlight!

#CyberThreat2024 #Cybersecurity #ThreatIntelligence #MalwareAnalysis #PhishingDefense #ThreatDetection #TeamVMRay
🌟 Bochum - A hub for #cybersecurity #innovation: Dr. Carsten Willems, our CEO, recently shared his insights in an interview with connect professional as part of their “IT Location Bochum” series.

In the interview, Carsten reflects on why #Bochum, and the #Ruhr region as a whole, provided the ideal foundation for VMRay, as a groundbreaking cybersecurity startup.

“First and foremost, the Ruhr-Universität Bochum should be mentioned, which has a strong focus on #IT security and offers well-educated students, world-class research and collaborations. Bochum also benefits from the high density of universities in the Ruhr area and the dynamic ecosystem of universities, established companies, startups, scale-ups as well as the committed city and economic development agency. Last but not least, Bochum is a friendly, digital and down-to-earth city, embedded in a metropolis of millions."

📖 Read the full interview (in German) to explore how Bochum continues to shape the future of cybersecurity: https://lnkd.in/e5njJv89

#Cybersecurity #Innovation #ITSecurity #Bochum #RuhrRegion #TechLeadership

🌐 Bochum: An underrated IT hotspot in the heart of the Ruhr area? 💻

Bochum as an underrated tech hub? In a series, we let various representatives from industry and research look behind the scenes of the IT location in the heart of the Ruhr area. Cybersecurity expert Dr. Carsten Willems of VMRay kicks things off. He is convinced that Bochum is a center for IT security in Europe, with the Ruhr-Universität and the Horst-Görtz-Institut as driving forces. There are many hidden champions here whose success stories deserve more visibility. What is still needed, according to Willems, is better networking among the key players: “To promote the tech hub in the Ruhr area, stronger interplay between universities, companies and capital is necessary,” he says.

What makes Bochum so special?
✅ World-class research: The Ruhr-Universität Bochum and the Horst-Görtz-Institut are leaders across Europe in IT security research.
✅ Strong networks: Projects such as MARK 51°7 pool the expertise of top players like the Max Planck Institute, Bosch, Volkswagen and local start-ups like VMRay.
✅ Down-to-earth meets innovation: Bochum combines affordable living with cutting-edge research and a dynamic start-up scene.

📖 Read the full interview here: https://lnkd.in/e5njJv89

What do you think? Does Bochum have the potential to keep up with Berlin and Munich?👇

#Cybersicherheit #Innovation #ITStandort #Bochum #TechHub #Digitalisierung
📢 Mark your calendars for December 12! Join us for an exclusive #CPE-eligible webinar, "From analysis to insights: Enhancing #government threat models with #malware insights," hosted by our partner Carahsoft.

🎯 In this session, Ertugrul Kara and Shyam Pema will explore critical #GovernmentSecurity threat models, diving deep into:
✅ How advanced threat analysis uncovers adversary structures and techniques.
✅ Practical steps to strengthen #proactive defense strategies.
✅ Why understanding malware behavior and communication is essential for defending government networks.

🔐 Protecting government networks requires clear, actionable insights into evolving threats. This webinar will provide the tools and knowledge to stay one step ahead.

Register now: https://lnkd.in/d3JRz5cd

#GovernmentSecurity #MalwareAnalysis #ThreatIntelligence #CyberDefense #Webinar