{"id":2839,"date":"2022-09-20T06:18:00","date_gmt":"2022-09-20T06:18:00","guid":{"rendered":"\/cybersecurity-blog\/?p=2839"},"modified":"2022-12-14T07:25:44","modified_gmt":"2022-12-14T07:25:44","slug":"how-we-discovered-prevented-a-recent-img-based-malware-attack","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/how-we-discovered-prevented-a-recent-img-based-malware-attack\/","title":{"rendered":"How We Discovered and Prevented an IMG-Based Malware Attack"},"content":{"rendered":"\n

Malicious actors always seek new techniques and methods to gain a foothold in networks. One of the tried-and-true methods, phishing, continues to be utilized as a primary method. Recently, my company has seen an uptick in phishing IMG-based attacks that contain attached malware<\/a>. 
<\/p>\n\n\n\n

However, instead of attacking a single person, the attackers have pivoted to sending emails to support shared mailboxes with targeted subjects based on the perceived use case. This has brought about some interesting new malware that left my team very intrigued by how it was able to evade initial detection by our EDR solution. Today, I’ll share how we discovered and prevented this attack.<\/p>\n\n\n\n

IMG-Based Malware Attack<\/h3>\n\n\n\n

The method of exploiting\/bypassing the IMG-based malware attacks is interesting. While using an IMG file, it could bypass some of the security mechanisms used for downloaded files like this MITRE ATT&CK<\/a> technique: https:\/\/attack.mitre.org\/techniques\/T1553\/005\/<\/a>. 
<\/p>\n\n\n\n

Within about two weeks, we encountered two different versions of the same attack, one utilizing an approach that interacted with the user and a follow-up that could deploy silently. 
<\/p>\n\n\n\n

Additionally, the first phishing email that was a part of each of these attacks was able to bypass the O365 machine learning and analysis<\/a>. However, multiple other attacks with identical payloads were detected<\/a> and quarantined before getting to the end users\u2019 mailboxes. 
<\/p>\n\n\n\n

Before getting into some of the analysis, we, as a company, evaluated the need to allow users to send and receive ISO\/IMG files going forward. We expect this is a temporary fix, and the malicious actors will pivot to another approach.
<\/p>\n\n\n\n

Malware analysis use case <\/h3>\n\n\n\n

Here is the analysis and events that led to the detection and termination of the attack chain.
<\/p>\n\n\n\n

The first stage<\/strong><\/h4>\n\n\n\n

The initial download of the file was not detected as malicious, and it was able to place a zone.identifier ADS on the files, similar to the following:<\/p>\n\n\n\n

\"The
The initial download of the file<\/em><\/figcaption><\/figure>\n\n\n\n

It was not until the user interacted with the document, a .pdf.img file, that an EDR alert was triggered based on behavioral actions taken with Powershell. The user was most likely unable to detect that this was an odd file due to a setting in their file explorer. Then they went to open what they thought was a supporting doc file to a case submitted via the shared mailbox.<\/p>\n\n\n\n

\"Malicious
Malicious supporting doc file<\/em><\/figcaption><\/figure>\n\n\n\n

If the user had configured their system to show file extensions, they might have noticed this was an iso image. However, since they missed this, users clicked to open and started the payload deployment to the system.<\/p>\n\n\n\n

\"Malicious
Malicious supporting image file<\/em><\/figcaption><\/figure>\n\n\n\n

At this step, the user was not paying attention to this strain of malware, as it did pop up a warning for them to accept the actions.<\/p>\n\n\n\n

The second stage <\/strong><\/h4>\n\n\n\n

A few days later, the second train of malware came through that was able to bypass this pop-up. In this attack, with the same initial config as the first, the ADS was not written to the files contained in the IMG\/ISO containers, allowing them to execute without running. And because the EDR solution did not detect these files, the malware execution downloaded the IMG\/ISO containing the malicious files and mounted them without being detected.<\/p>\n\n\n\n

\"Initial
Initial malware popup<\/em>
<\/figcaption><\/figure>\n\n\n\n

What was ultimately detected by the EDR was a Powershell command that called out to a website for additional files. In this case, the malicious command reversed the address to attempt to bypass search and detect mechanisms. Because this was not a standard action (running Powershell) for this user, the EDR managed to identify and stop the attack at this point in the chain.<\/p>\n\n\n\n

\"
 The sample\u2019s malicious command<\/em>
<\/figcaption><\/figure>\n\n\n\n

Similar samples in ANY.RUN  <\/h3>\n\n\n\n

I found tasks with similar behavior in Public Submissions<\/a> of ANY.RUN service<\/a>. Going through such tasks gives additional ability to re-run tasks and take a closer look at how malware behaves in infected systems. I watched execution flow, file creation, and registry changes to determine what new rules may be created for our EDR system.<\/p>\n\n\n\n

\"Sample\u2019s
Sample\u2019s process tree <\/em><\/figcaption><\/figure>\n\n\n\n

Check the sample<\/a> and try to analyze it by yourself! <\/p>\n","protected":false},"excerpt":{"rendered":"

Malicious actors always seek new techniques and methods to gain a foothold in networks. One of the tried-and-true methods, phishing, continues to be utilized as a primary method. Recently, my company has seen an uptick in phishing IMG-based attacks that contain attached malware.  However, instead of attacking a single person, the attackers have pivoted to […]<\/p>\n","protected":false},"author":1,"featured_media":2971,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[34,63],"class_list":["post-2839","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-malware-analysis","tag-phishing"],"acf":[],"yoast_head":"\nDiscovered and Prevented IMG-Based Malware Attack<\/title>\n<meta name=\"description\" content=\"ANY.RUN's guest author has seen an uptick in phishing IMG-based attacks that contain attached malware. Here is how he discovered and prevented it.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/how-we-discovered-prevented-a-recent-img-based-malware-attack\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Nathaniel Cole\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-we-discovered-prevented-a-recent-img-based-malware-attack\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-we-discovered-prevented-a-recent-img-based-malware-attack\/\"},\"author\":{\"name\":\"Nathaniel Cole\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"How We Discovered and Prevented an IMG-Based Malware Attack\",\"datePublished\":\"2022-09-20T06:18:00+00:00\",\"dateModified\":\"2022-12-14T07:25:44+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-we-discovered-prevented-a-recent-img-based-malware-attack\/\"},\"wordCount\":710,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"malware analysis\",\"phishing\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/how-we-discovered-prevented-a-recent-img-based-malware-attack\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-we-discovered-prevented-a-recent-img-based-malware-attack\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/how-we-discovered-prevented-a-recent-img-based-malware-attack\/\",\"name\":\"Discovered and Prevented IMG-Based Malware Attack\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2022-09-20T06:18:00+00:00\",\"dateModified\":\"2022-12-14T07:25:44+00:00\",\"description\":\"ANY.RUN's guest author has seen an uptick in phishing IMG-based attacks that contain attached malware. Here is how he discovered and prevented it.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-we-discovered-prevented-a-recent-img-based-malware-attack\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/how-we-discovered-prevented-a-recent-img-based-malware-attack\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-we-discovered-prevented-a-recent-img-based-malware-attack\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malicious History\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/history\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"How We Discovered and Prevented an IMG-Based Malware Attack\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN's Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"Nathaniel Cole\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2022\/10\/nathaniel-cole.jpeg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2022\/10\/nathaniel-cole.jpeg\",\"caption\":\"Nathaniel Cole\"},\"description\":\"Nathaniel Cole is a Chief Information Security Officer with 15 years of experience building & running modern security programs. He writes a cybersecurity advice column for business leaders at NetworkAssured.com\",\"url\":\"#molongui-disabled-link\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Discovered and Prevented IMG-Based Malware Attack","description":"ANY.RUN's guest author has seen an uptick in phishing IMG-based attacks that contain attached malware. Here is how he discovered and prevented it.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/how-we-discovered-prevented-a-recent-img-based-malware-attack\/","twitter_misc":{"Written by":"Nathaniel Cole","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/how-we-discovered-prevented-a-recent-img-based-malware-attack\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/how-we-discovered-prevented-a-recent-img-based-malware-attack\/"},"author":{"name":"Nathaniel Cole","@id":"https:\/\/any.run\/"},"headline":"How We Discovered and Prevented an IMG-Based Malware Attack","datePublished":"2022-09-20T06:18:00+00:00","dateModified":"2022-12-14T07:25:44+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/how-we-discovered-prevented-a-recent-img-based-malware-attack\/"},"wordCount":710,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["malware analysis","phishing"],"articleSection":["Malware Analysis"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/how-we-discovered-prevented-a-recent-img-based-malware-attack\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/how-we-discovered-prevented-a-recent-img-based-malware-attack\/","url":"https:\/\/any.run\/cybersecurity-blog\/how-we-discovered-prevented-a-recent-img-based-malware-attack\/","name":"Discovered and Prevented IMG-Based Malware Attack","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2022-09-20T06:18:00+00:00","dateModified":"2022-12-14T07:25:44+00:00","description":"ANY.RUN's guest author has seen an uptick in phishing IMG-based attacks that contain attached malware. Here is how he discovered and prevented it.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/how-we-discovered-prevented-a-recent-img-based-malware-attack\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/how-we-discovered-prevented-a-recent-img-based-malware-attack\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/how-we-discovered-prevented-a-recent-img-based-malware-attack\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Malicious History","item":"https:\/\/any.run\/cybersecurity-blog\/category\/history\/"},{"@type":"ListItem","position":3,"name":"How We Discovered and Prevented an IMG-Based Malware Attack"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN's Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"Nathaniel Cole","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2022\/10\/nathaniel-cole.jpeg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2022\/10\/nathaniel-cole.jpeg","caption":"Nathaniel Cole"},"description":"Nathaniel Cole is a Chief Information Security Officer with 15 years of experience building & running modern security programs. He writes a cybersecurity advice column for business leaders at NetworkAssured.com","url":"#molongui-disabled-link"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/2839"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=2839"}],"version-history":[{"count":1,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/2839\/revisions"}],"predecessor-version":[{"id":2972,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/2839\/revisions\/2972"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/2971"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=2839"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=2839"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=2839"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}