Cyber attackers never stop inventing new ways to compromise their targets. That’s why organizations must stay updated on the latest threats.
Here’s a quick rundown of the current malware and phishing attacks you need to know about to safeguard your infrastructure before they reach you.
Zero-day Attack: Corrupted Malicious Files Evade Detection by Most Security Systems
The analyst team at ANY.RUN recently shared their analysis of an ongoing zero-day attack. It has been active since at least August and still remains unaddressed by most detection software to this day.
The attack involves the use of intentionally corrupted Word documents and ZIP archives with malicious files inside.
VirusTotal shows 0 detections for one of the corrupted files |
Due to corruption, security systems cannot properly identify the type of these files and run analysis on them, which results in zero threat detections.
Word will ask the user if they want to restore a corrupted file |
Once these files are delivered to a system and opened with their native applications (Word for docx and WinRAR for zip) they get restored, presenting the victim with malicious contents.
The ANY.RUN sandbox is one of the few tools that detect this threat. It allows users to manually open corrupted malicious files inside a fully interactive cloud VM with their corresponding apps and restore them. This enables you to see what kind of payload the file contains.
A restored document with a phishing QR code analyzed inside the ANY.RUN sandbox |
Check out this sandbox session featuring a corrupted Word document. After recovery, we can see that there is a QR code with an embedded phishing link.
ANY.RUN’s Interactive Sandbox marks the document and its contents as malicious |
The sandbox automatically identifies malicious activity and notifies you about this.
Try ANY.RUN’s Interactive Sandbox to see how it can speed up and improve your malware analysis.
Get a 14-day trial to test all of its advanced features for free →
Fileless Malware Attack via PowerShell Script Distributes Quasar RAT
Another notable recent attack involves the use of a fileless loader called Psloramyra, which drops Quasar RAT onto infected devices.
ANY.RUN identifies PSLoramyra and its malicious actions |
This sandbox session shows how, after taking initial foothold on the system, Psloramyra loader employs a LoLBaS (Living off the Land Binaries and Scripts) technique to launch a PowerShell script.
A process tree in ANY.RUN showing the entire execution chain |
The script loads a malicious payload dynamically into memory, identifies and utilizes the Execute method from the loaded .NET assembly, and finally injects Quasar into a legitimate process like RegSvcs.exe.
The ANY.RUN sandbox logs all network activity and identifies Quasar’s C2 connection |
The malware functions entirely within the system’s memory, ensuring it leaves no traces on the physical disk. To maintain its presence, it creates a scheduled task that runs every two minutes.
Abuse of Azure Blob Storage in Phishing Attacks
Cybercriminals are now hosting phishing pages on Azure’s cloud storage solution, leveraging the *.blob[.]core[.]windows[.]net subdomain.
Attackers use a script to fetch information about the victim’s software, such as the OS and browser, which is on the page to make it appear more trustworthy. See example.
Fake login form asking the user to enter their info |
The objective of the attack is to trick the victim into entering their login credentials into a fake form, which are then collected and exfiltrated.
Emmenhtal Loader Uses Scripts to Deliver Lumma, Amadey, and Other Malware
Emmenhtal is an emerging threat that has been involved in several campaigns over the past year. In one of the latest attacks, criminals utilize scripts to facilitate the execution chain that involves the following steps:
- LNK file initiates Forfiles
- Forfiles locates HelpPane
- PowerShell launches Mshta with the AES-encrypted first-stage payload
- Mshta decrypts and executes the downloaded payload
- PowerShell runs an AES-encrypted command to decrypt Emmenhtal
Entire execution chain demonstrated by ANY.RUN’s Interactive sandbox |
The Emmenhtal loader, which is the final PowerShell script, executes a payload — often Updater.exe — by using a binary file with a generated name as an argument.
This leads to infection by malware families like Lumma, Amadey, Hijackloader, or Arechclient2.
Analyze Latest Cyber Attacks with ANY.RUN
Equip yourself with ANY.RUN’s Interactive Sandbox for advanced malware and phishing analysis. The cloud-based service provides you with a safe and fully-functional VM environment, letting you freely engage with malicious files and URLs you submit.
It also automatically detects malicious behavior in real time across network and system activities.
- Identify threats in < 40 seconds
- Save resources on setup and maintenance
- Log and examine all malicious activities
- Work in private mode with your team
Get a 14-day free trial of ANY.RUN to test all the features it offers →