First of all, thank you for joining our expert Q&A. You are one of the mystical research groups out there. And we are very excited to have you in ANY.RUN Blog. <\/p>\n\n\n\n
nao_sec:<\/strong> nao_sec <\/a>is a combination of \u201cNao Tomori\u201d and \u201cSecurity.\u201d Our roots are in a CTF team called \u201cTeam TomoriNao,\u201d which was composed of members who loved the heroine of the Japanese anime \u201cCharlotte,\u201d \u201cNao Tomori.\u201d Team TomoriNao is no longer active, but nao_sec is a branch of Team TomoriNao.<\/p>\n\n\n\n nao_sec: <\/strong>Initially, nao_sec was a Twitter account created by kkrnt to pass the time during university spring vacation. His university research topic was countermeasures against Drive-by Download attacks, and he used it to gather and disseminate threat information. Later, his friends began to support his activities and joined the team. nao_sec was a hobby for students. Today, all of us work for our respective companies, but nao_sec’s activities are still independent from them. By keeping our distance from all companies, we are free to do what we do. Being free is the highest priority for us.<\/strong><\/p>\nChief Researcher of nao_sec<\/em><\/cite><\/blockquote>\n\n\n\n nao_sec: <\/strong>Our area of interest is not wide. We focus on targeted attacks in East Asia and web-based malware-related attacks. And we love the brand new. We spend a lot of time on interesting discoveries. We especially like Public Submissions<\/a> on ANY.RUN. We use various search filters to narrow down what is of interest to us. nao_sec: <\/strong>For us, finding interesting samples is random. We visually check about 100 samples a day, and sometimes we don’t find anything for months. Still, we like the process.<\/p>\n\n\n\n nao_sec: <\/strong>We use several services but spend the most time with ANY.RUN<\/a>. We have been using ANY.RUN since the beta-test in 2017. The sandbox has a large amount of data that doesn’t exist in other services. That includes the samples themselves and, most importantly, all the data when it works. We are always grateful for the great data on the service. nao_sec: <\/strong>No other sandbox offers interactive operations with a sophisticated UI\/UX like ANY.RUN<\/a>. It also has a variety of features. For example, it has the feature to identify malware families and extract config. Also important are the detection results of good rules such as ET Pro. Additionally, the automatic tagging is excellent. We use these features to determine if it is known or unknown. It is very important that we don’t have to reanalyze what is known. On May 27th, 2022, nao_sec identified a suspicious Word document uploaded from a Belarus IP address. It turned out to be “Follina,” a new zero-day vulnerability in Microsoft Office. And neither Microsoft nor any antivirus programs were aware of this exploit.<\/strong>nao_sec consists of 4 specialists: two researchers, an analyst, and a developer. How was your team created? And why do you \u0441all yourself, independent group?<\/strong><\/h4>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n\n
You are famous for detecting new malware cases. How do you look for them? And what samples do you find interesting?<\/strong><\/h4>\n\n\n\n
<\/p>\n\n\n\nSometimes malware discoveries seem like a race. But mostly, you finish the first. How do you manage to detect anomalies first? How is it for you to be always the first one?<\/strong><\/h4>\n\n\n\n
How much data do you look through until you get something significant? ANY.RUN also has a large database of samples. <\/strong><\/h4>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\nHow ANY.RUN sandbox can help to detect new malware samples? <\/strong>
<\/h4>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n