{"id":5282,"date":"2023-06-30T07:34:47","date_gmt":"2023-06-30T07:34:47","guid":{"rendered":"\/cybersecurity-blog\/?p=5282"},"modified":"2025-03-11T12:19:19","modified_gmt":"2025-03-11T12:19:19","slug":"monthly-updates-june","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/monthly-updates-june\/","title":{"rendered":"Monthly Updates: New Detection Rules, Increased Threat Coverage, and More\u00a0"},"content":{"rendered":"\n

We’re excited to launch a new monthly update format that gives you a closer look into the work we’ve done in the last 30 days.  <\/p>\n\n\n\n

In addition to releasing several new features, this past month, here at ANY.RUN<\/a>, we focused on improving threat detection, adding new rules and contributing to the ET Labs community. <\/p>\n\n\n\n

Let\u2019s jump right in \u2014 there\u2019s a lot of ground to cover.  <\/p>\n\n\n\n

Product updates <\/h2>\n\n\n\n
\"\"<\/figure>\n\n\n\n
    \n
  1. Residential Proxy <\/strong>You can now assign a home user\u2019s IP to virtual machines<\/a> and change the location, making it easier to work with geo-targeted samples and evade detection.  <\/li>\n<\/ol>\n\n\n\n
      \n
    1. Updated default browsers.<\/strong> On Windows 10 and 11 machines, we\u2019ve changed the default web browser to Edge, instead of the previously used Internet Explorer. <\/li>\n<\/ol>\n\n\n\n
        \n
      1. Downloadable memory dumps. <\/strong>You can now download memory dumps and analyze them locally. This option is available under the “Advanced details” section of the process window. <\/li>\n<\/ol>\n\n\n\n
        \"\"<\/figure>\n\n\n
        \n
        \"\"
        Downloadable<\/strong><\/strong> memory dumps<\/strong><\/figcaption><\/figure><\/div>\n\n\n

        Malware config extractors  <\/h2>\n\n\n\n

        We\u2019ve added 4 new extractors<\/strong> to the sandbox: 
         <\/p>\n\n\n\n

        PrivateLoader<\/strong> <\/h3>\n\n\n\n

        Privateloader<\/a> is a loader that distributes a wide variety of malware types. Some samples are covered by VMprotect. All of PrivateLoader\u2019s important strings are encrypted with an XOR key. We\u2019ve implemented a fix which now allows you to extract C2 and payload. <\/p>\n\n\n\n

        Typhon<\/strong> <\/h3>\n\n\n\n

        Typhon<\/a> is an info stealer. A year ago, the revamped second version of V2 Reborn was launched. This iteration involved a complete overhaul of the code, and now it boasts an expanded set of anti-analysis features such as process detection, emulation, and virtual machine capabilities, among others. Moreover, it presents a broad array of methods for data theft. <\/p>\n\n\n\n

        \"Typhon
        Typhon malware configs<\/figcaption><\/figure>\n\n\n\n

        <\/p>\n\n\n\n

        LaplasClipper<\/strong> <\/h3>\n\n\n\n

        LaplasClipper<\/a> is designed to monitor cryptocurrency wallet addresses on a victim’s clipboard. When it identifies an address, it communicates this information to the C2. The server then generates a similar wallet address and replaces the original one on the victim’s clipboard. <\/p>\n\n\n\n

        <\/p>\n\n\n\n

        \"LaplasClipper\u2019s
        LaplasClipper\u2019s network traffic <\/figcaption><\/figure>\n\n\n\n

        LummaStealer<\/strong> <\/h3>\n\n\n\n

        We’ve introduced the capability to detect and extract configurations of LummaStealer<\/a>, an information-stealing malware that targets data from browsers, wallets, and more. <\/p>\n\n\n\n

        It communicates with its command and control (C2) server via a POST request along the \/c2sock route, carrying data in multipart\/form-data format, and sends information such as HWID, LummaID, PKZIP with stolen data, and an obscure PID. <\/p>\n\n\n\n

        In recent times, we’ve come across variants of Lumma Stealer<\/a> written in C++, likely wrapped with Pascal\/Delphi in a manner similar to Inno Setup. We’ve noticed a surge in the number of samples in .pif format. Inside the original .exe file (which is sometimes Inno Setup), there lies an encrypted and obfuscated script (akin to AutoIt) that is extracted to the %temp% directory. This script then produces a .pif file (which is in actuality a PE file), which subsequently executes.\u00a0<\/p>\n\n\n\n

        A new variant has emerged as well. In the past, the configuration was stored internally within the malware. However, it is now delivered from the C2 server. The malware accesses its C2 server via the \/c2conf route and receives a base64 response, which contains a 32-byte XOR key and an encrypted JSON. <\/p>\n\n\n\n

        Here are some useful links if you want to dive deeper into this malware: <\/p>\n\n\n\n

          \n
        1. \u0421heck the example of the new sample <\/a><\/li>\n<\/ol>\n\n\n\n
            \n
          1. Download script <\/a><\/li>\n<\/ol>\n\n\n\n

            AgentTesla<\/strong>‘s updates<\/h3>\n\n\n\n

            AgentTesla<\/a> is a prominent spyware strain that has been making rounds in the cyber threat landscape for several years. It is essentially a keylogger and information stealer, often used by cybercriminals to extract sensitive data, such as login credentials, system information, and credit card details. We completely updated the malware’s config extractor.<\/p>\n\n\n\n

            YARA rules <\/h2>\n\n\n\n

            We released YARA rules that detect gh0stbins<\/a> and zgrat<\/a> <\/p>\n\n\n\n

            New Malware and Threat Detection Rules <\/h2>\n\n\n\n