Client-Side Exploitation: Abusing WebDAV+URL+LNK to Deliver Malicious Payloads
ANY.RUN » Malware Analysis
by khr0x and Electron
2w ago
A look at the offensive and defensive angles.  What is WebDAV?  Attackers often place malicious payloads on remote servers, from which they are downloaded and executed on the victim’s PC by scripts or other means. One type of server attackers can leverage is WebDAV (Web Distributed Authoring and Versioning), an extension of HTTP for managing files on a remote server.  In this article, we’ll first walk through how the attack is carried out from the offensive perspective, then examine how to detect and defend against it.  We begin by simulating an attack using a WebDAV server targeting ..read more
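The detection side of the WebDAV shortcut delivery described above, as an added example that is not part of the ANY.RUN article: a scan of proxy-style HTTP logs for the WebDAV methods and the Windows WebDAV client user agent that accompany a remote share, combined with downloads of .url/.lnk files from it. The space-separated log layout and the sample lines are constructed for this example; the WebDAV method names come from RFC 4918, and the "Microsoft-WebDAV-MiniRedir" marker is the user agent the Windows WebClient service sends.

```python
"""Flag WebDAV-delivered shortcut files in HTTP proxy logs.

Added example (not from the ANY.RUN article). It assumes a simple
space-separated proxy log: client, method, URL, quoted user-agent.
The log lines at the bottom are constructed, not real traffic.
"""
import re
from urllib.parse import urlsplit

# WebDAV-specific HTTP methods (RFC 4918). PROPFIND is what a client sends
# to list a remote folder before fetching a file from it.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

# Windows' built-in WebDAV client (the WebClient service) identifies itself
# with this User-Agent prefix.
WEBDAV_UA_MARKER = "Microsoft-WebDAV-MiniRedir"

# The two shortcut formats named in the article's title: Internet Shortcut
# (.url) and Windows shell link (.lnk), both of which launch a target.
SHORTCUT_EXTENSIONS = (".url", ".lnk")

# Assumed log layout: <client> <method> <url> "<user-agent>"
LOG_RE = re.compile(r'^(?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$')


def parse_line(line):
    """Return the fields of one log line, or None if it does not fit the layout."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """List the reasons this request looks like WebDAV shortcut delivery."""
    reasons = []
    if entry["method"] in WEBDAV_METHODS:
        reasons.append("webdav-method:" + entry["method"])
    if WEBDAV_UA_MARKER in entry["ua"]:
        reasons.append("windows-webdav-client")
    path = urlsplit(entry["url"]).path.lower()
    if path.endswith(SHORTCUT_EXTENSIONS):
        reasons.append("shortcut-file:" + path.rsplit(".", 1)[-1])
    return reasons


def scan(lines):
    """Map each client host to the distinct reasons seen across its requests."""
    by_host = {}
    for line in lines:
        entry = parse_line(line)
        if not entry:
            continue  # malformed line: skip rather than crash the scan
        reasons = classify(entry)
        if reasons:
            by_host.setdefault(entry["src"], set()).update(reasons)
    return by_host


def high_priority(by_host):
    """Hosts that both spoke WebDAV and pulled a .url/.lnk: triage these first."""
    return sorted(
        host for host, reasons in by_host.items()
        if any(r.startswith("shortcut-file") for r in reasons)
        and any(r.startswith("webdav-method") or r == "windows-webdav-client"
                for r in reasons)
    )


# Constructed sample log, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 GET http://intranet.example/index.html "Mozilla/5.0"',
    '10.0.0.7 OPTIONS http://203.0.113.10/share "Microsoft-WebDAV-MiniRedir/10.0.19041"',
    '10.0.0.7 PROPFIND http://203.0.113.10/share "Microsoft-WebDAV-MiniRedir/10.0.19041"',
    '10.0.0.7 GET http://203.0.113.10/share/Invoice.lnk "Microsoft-WebDAV-MiniRedir/10.0.19041"',
    '10.0.0.9 GET http://cdn.example/bookmark.url "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    hosts = scan(SAMPLE_LOG)
    for host in high_priority(hosts):
        print(host, sorted(hosts[host]))
```

A lone .url download from a browser (10.0.0.9 above) is only noted, not escalated; the combination of WebDAV traffic to an external address and a shortcut fetched over it is what separates the delivery chain from ordinary web browsing.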
Reverse Engineering Snake Keylogger: Full .NET Malware Analysis Walkthrough
ANY.RUN » Malware Analysis
by Lena aka LambdaMamba
1M ago
Introduction  In order to understand malware comprehensively, it is essential to employ various analysis techniques and examine it from multiple perspectives. These techniques include behavioral, network, and process analysis during sandbox analysis, as well as static and dynamic analysis during reverse engineering. I (Lena, aka LambdaMamba) prefer to begin with sandbox analysis to understand the malware’s behavior. The insights from sandbox analysis provide a foundational understanding of what to anticipate and what specific aspects to investigate during the reverse engineering process. Recogn ..read more
How to Set Up a Network Research Laboratory: MonikerLink (CVE-2024-21413) Case Study 
ANY.RUN » Malware Analysis
by Electron, khr0x and Jane
1M ago
Every now and then, you come across a situation where you need to get hands-on to understand how an exploit or malware works and then create a detection rule. Plus, there are times when it’s essential for the attacking machine to be on the local network to capture network traffic or utilize its own detection tools.  In this article, we’ll show you how to set up a working environment to gather IOCs and write detection rules, using CVE-2024-21413 as an example. We’ll walk you through integrating the ANY.RUN virtual machine into a local VPN network for this purpose. To do this, we’ll:  ..read more
DCRat: Step-by-Step Analysis in ANY.RUN
ANY.RUN » Malware Analysis
by Mizuho Mori
2M ago
We’re super excited to introduce Mizuho (@morimolymoly2 on X) today, a software engineer and malware analyst making their debut on the ANY.RUN blog. In today’s article, Mizuho guides us through surface, dynamic, and static analysis of DCRat. Let’s dive in. In this article, I’ll guide you through the analysis process of DCRat using ANY.RUN.  This powerful malware has been available since 2018. Despite its low $5 price tag, it offers a wide array of malicious functions, such as full backdoor access to Windows systems, collection of sensitive personal information like usernames, passwords, a ..read more
A deep dive into .NET malware obfuscators: Part 1
ANY.RUN » Malware Analysis
by Electron
2M ago
As a preface  In the modern world, it is rare to encounter unobfuscated malware during analysis. Malware code is commonly modified to hinder analysis and decompilation.  Software that alters code for this purpose is known as an obfuscator. Some obfuscators mutate machine code, targeting malware written in C, assembly or Rust, while others rewrite the IL (Intermediate Language) emitted by .NET compilers.  This series of articles will delve into the modern techniques employed by obfuscators such as .NET Reactor and SmartAssembly, which are widely favored by ..read more
CrackedCantil: A Malware Symphony Breakdown
ANY.RUN » Malware Analysis
by Lena aka LambdaMamba
3M ago
Malware is constantly evolving to become more evasive, destructive, efficient, and infectious. There are numerous families of malware, each with its own characteristics, and different families can work together to deliver a more powerful infection. For instance, a stealer can exfiltrate data before ransomware encrypts the files.  In this blog post, we’re diving into a recent case of something I started calling a “malware symphony.” It’s a way to describe how different types of malware can work together, sort of like instruments in an or ..read more
Detection with Suricata IDS
ANY.RUN » Malware Analysis
by ANY.RUN
3M ago
Editor’s note: This article was originally published on May 13, 2021, and updated on January 26, 2024.  Today we face a growing number of cyberattacks. Analysts can use an intrusion detection system to identify, contain, and stop threats. In this post, we cover one of the industry’s leading IDSs, along with a use case, so you can have a full picture of how ANY.RUN identifies malware.  Intrusion Detection System  An IDS is security software that monitors network traffic for suspicious behavior. If something unusual happens, it raises an alert. Moreover, the system allow ..read more
A Full Analysis of the Pure Malware Family: Unique and Growing Threat
ANY.RUN » Malware Analysis
by khr0x, Jane and Maksim Mikhailov
3M ago
In this article, we’re analyzing one of the most unusual crypters, PureCrypter, and a multifunctional stealer, PureLogs. We’ll look at several samples, identify patterns shared across the Pure malware family, and explain how to detect PureCrypter and PureLogs.  Why did we decide to undertake this analysis?  While reviewing public submissions, we came across several interesting samples. We were intrigued by unusual traffic that showed signs of executables encrypted with short keys, as well as TCP connections carrying high-entropy data.  Inside, all s ..read more
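Two heuristics for the traffic traits the authors mention (executables encrypted with a short key, and high-entropy TCP connections), as an added example that is not code from the ANY.RUN analysis: Shannon entropy of a payload, and recovery of a short repeating XOR key from the zero padding an executable carries. The sample payloads are constructed inside the script; the 4-byte XOR key, the 7.2 bits/byte entropy threshold and the 30% coverage threshold are the editor's assumptions, and nothing here describes PureCrypter's actual encryption scheme.

```python
"""Two traffic heuristics: payload entropy and short-key XOR detection.

Added example, not code from the ANY.RUN analysis. The payloads are
constructed below; the key, the entropy threshold (7.2 bits/byte) and the
30% coverage threshold are assumptions an analyst would tune.
"""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for
    a uniform one. Well-encrypted or compressed data sits close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_high_entropy(data: bytes, threshold: float = 7.2) -> bool:
    return shannon_entropy(data) >= threshold


def repeating_xor(data: bytes, key: bytes) -> bytes:
    """XOR with a short repeating key: the weak scheme the heuristic targets."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_short_xor_key(data: bytes, max_len: int = 8):
    """Guess the key of a short-key XOR'd executable.

    Executables carry long runs of 0x00 (alignment and section padding);
    XOR turns each run into copies of the key. For each candidate length L,
    the most frequent block at offsets that are multiples of L is therefore
    a key candidate. Returns (key, ratio), ratio being the fraction of the
    data that block covers. A plain file yields an all-zero "key"."""
    best = (b"", 0.0)
    for L in range(1, max_len + 1):
        if len(data) < L:
            break
        blocks = Counter(data[i:i + L] for i in range(0, len(data) - L + 1, L))
        block, hits = blocks.most_common(1)[0]
        ratio = hits * L / len(data)
        if ratio > best[1]:
            best = (block, ratio)
    return best


def triage(payload: bytes, min_coverage: float = 0.3) -> str:
    """'high-entropy' (strong encryption/compression), 'short-xor-key'
    (weak encryption, key recoverable) or 'plain'."""
    if is_high_entropy(payload):
        return "high-entropy"
    key, ratio = recover_short_xor_key(payload)
    if ratio >= min_coverage and any(key):  # all-zero key means no XOR at all
        return "short-xor-key"
    return "plain"


# --- constructed inputs (not real samples) ---------------------------------

def fake_pe(size: int = 4096) -> bytes:
    """Stand-in for an executable: a header, a few strings, zero padding."""
    body = (b"MZ" + b"This program cannot be run in DOS mode." + b"\x00" * 300
            + b".text\x00\x00\x00" + b"kernel32.dll\x00LoadLibraryA\x00"
            + b"GetProcAddress\x00" + b"\x00" * 700)
    return (body * (size // len(body) + 1))[:size]


def random_payload(size: int = 4096, seed: int = 1337) -> bytes:
    """Deterministic stand-in for a properly encrypted stream."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


SAMPLE_KEY = b"\x5a\xa3\x17\xc8"  # assumed 4-byte key for the demo


if __name__ == "__main__":
    for name, blob in [("plain exe", fake_pe()),
                       ("xor'd exe", repeating_xor(fake_pe(), SAMPLE_KEY)),
                       ("random", random_payload())]:
        print(f"{name:10s} entropy={shannon_entropy(blob):.2f} -> {triage(blob)}")
```

The two checks are complementary: a short repeating XOR key leaves the payload's entropy low (the padding bytes simply become copies of the key), so an entropy threshold alone misses exactly the "short key" case, while the aligned-block count recovers that key and says nothing useful about a properly encrypted stream.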
5 malware threats we discovered in the wild in November 2023
ANY.RUN » Malware Analysis
by Jane
5M ago
The ANY.RUN interactive sandbox excels at analyzing malware that evades automated solutions, which means we always have a supply of interesting samples. Trusted by top security teams worldwide, the ANY.RUN malware sandbox sees over 14,000 sample submissions daily from our community.  Our malware analysts use this and other resources to continuously monitor the threat landscape. Follow our ambassador Jane and ANY.RUN’s official page on Twitter for interesting findings and timely updates. In case you missed some of our recent posts, this article compiles our notabl ..read more
RisePro Malware Analysis: Exploring C2 Communication of a New Version
ANY.RUN » Malware Analysis
by Maksim Mikhailov
5M ago
RisePro is a malware-as-a-service info-stealer first identified in 2022. Recently, we detected a spike in its activity and decided to investigate, which led to interesting findings.  RisePro is well documented, but we quickly realized that the network traffic patterns of our samples did not match the existing literature. It seemed we had a new version on our hands.  Further analysis revealed that RisePro has changed the way it communicates with its C2 and has gained new capabilities, in particular remote-control functions, making it capable of ..read more