ANY.RUN's new expert Q&A

Expert Q&A: nao_sec
Follina Zero-day Vulnerability

First of all, thank you for joining our expert Q&A. You are one of the mystical research groups out there. And we are very excited to have you in ANY.RUN Blog. 

Could you tell us more about the group? What is nao_sec? We guess that Sec is for security, but what about Nao? What does it stand for? 

nao_sec: nao_sec is a combination of  “Nao Tomori” and “Security.” Our roots are in a CTF team called “Team TomoriNao,” which was composed of members who loved the heroine of the Japanese anime “Charlotte,” “Nao Tomori.” Team TomoriNao is no longer active, but nao_sec is a branch of Team TomoriNao.

nao_sec consists of 4 specialists: two researchers, an analyst, and a developer. How was your team created? And why do you сall yourself, independent group?

nao_sec: Initially, nao_sec was a Twitter account created by kkrnt to pass the time during university spring vacation. His university research topic was countermeasures against Drive-by Download attacks, and he used it to gather and disseminate threat information. Later, his friends began to support his activities and joined the team. nao_sec was a hobby for students.

Today, all of us work for our respective companies, but nao_sec’s activities are still independent from them. By keeping our distance from all companies, we are free to do what we do.

Being free is the highest priority for us.

Chief Researcher of nao_sec

You are famous for detecting new malware cases. How do you look for them? And what samples do you find interesting?

nao_sec: Our area of interest is not wide. We focus on targeted attacks in East Asia and web-based malware-related attacks. And we love the brand new. We spend a lot of time on interesting discoveries. We especially like Public Submissions on ANY.RUN. We use various search filters to narrow down what is of interest to us.

Sometimes malware discoveries seem like a race. But mostly, you finish the first. How do you manage to detect anomalies first? How is it for you to be always the first one?

nao_sec: For us, finding interesting samples is random. We visually check about 100 samples a day, and sometimes we don’t find anything for months. Still, we like the process.

How much data do you look through until you get something significant? ANY.RUN also has a large database of samples. 

nao_sec: We use several services but spend the most time with ANY.RUN. We have been using ANY.RUN since the beta-test in 2017.

The sandbox has a large amount of data that doesn’t exist in other services. That includes the samples themselves and, most importantly, all the data when it works. We are always grateful for the great data on the service. 

How ANY.RUN sandbox can help to detect new malware samples? 

nao_sec: No other sandbox offers interactive operations with a sophisticated UI/UX like ANY.RUN. It also has a variety of features. For example, it has the feature to identify malware families and extract config. Also important are the detection results of good rules such as ET Pro.

Additionally, the automatic tagging is excellent. We use these features to determine if it is known or unknown. It is very important that we don’t have to reanalyze what is known.

On May 27th, 2022, nao_sec identified a suspicious Word document uploaded from a Belarus IP address. It turned out to be “Follina,” a new zero-day vulnerability in Microsoft Office. And neither Microsoft nor any antivirus programs were aware of this exploit.

How did you discover Follina CVE-2022-30190? And what is special about this new zero-day vulnerability?

nao_sec: As mentioned above, we prefer targeted attacks and web-based attacks. Among them, we especially like attacks that exploit vulnerabilities in web browsers, such as the Drive-by Download attack.

Recently, CVE-2021-40444 has become popular. We were actively collecting samples that exploited CVE-2021-40444. The one that caught on was a sample that exploits Follina.

The sample loaded a web page by Microsoft Word in a similar way as the sample that exploited CVE-2021-40444, but it used the ms-msdt scheme to execute PowerShell. For us, the technique was unknown.

How long does Follina zero-day vulnerability exist? When did you notice the first tracks of its exploitation? 

nao_sec: As of 2020, a paper on the ms-msdt scheme was published, but we didn’t know about it. As far as we know, the earliest sample of a Follina exploit is from early April 2022; there are older test samples on VirusTotal, but the actual exploit code (HTML/PowerShell) can be seen in early April 2022. We found out about Follina on May 27, 2022. In fact, we had found a related sample in mid-April, but the web server was not responding at that time, and we could not observe the actual attack code.

Do any APT groups use the vulnerability now? Or to deliver malware? Can you say what malware family is delivered more often? 

nao_sec: APT groups associated with China and Russia are exploiting Follina. We are observing a variety of malware, most notably CobaltStrike.

Do you think that Follina CVE-2022-30190 is the next Stuxnet?  What effect will it have on the future of cybersecurity? 

nao_sec: Follina reminded us of the breadth of attack directions in Windows. It is not enough for us to only focus on macros. There will be more unexpected attacks like Follina. We must be flexible and cautious.

Are you working on a new project now?

nao_sec: Yes, we have several projects underway. Some of them are threat research and analysis projects, and some are development projects.

Cybersecurity is a dynamic sphere: new malicious programs, techniques, and tools. Could you share your thoughts on the current state of cybersecurity?

nao_sec: We believe it is important to always remember to update recognition for cybersecurity. Attackers are constantly trying to get behind our assumptions. In order to nullify their tearful efforts, we must approach cyber security with more integrity and doggedness than they do.

Are there any cybersecurity trends that you observe right now? 

nao_sec: Whether state-sponsored or crime, attackers are refining the division of labor between automatic and manual. The flexibility of human-led attacks is the most feared threat.

In terms of attack origins, we are seeing more attacks originating from vulnerabilities and misconfigurations of external assets such as VPNs and RDPs than from malware origins.

Also, threat actors these days are much more likely to use commercial penetration tools and share Exploit and malware. This makes analysis more difficult.

And for the final question – what is cybersecurity for you?  

nao_sec: It has only been about five years since we first stepped into the world of cybersecurity. But even in these five years, the world has constantly been moving, and threats that we could not have imagined five years ago are continually emerging. It inspires us more than anything else. Cybersecurity is something that drives us crazy.

Thank you for spending time answering our questions and for the work that you are doing. Good luck with finding new threats so that we can fight them together!  

Notify of
Inline Feedbacks
View all comments