ANY.RUN Warns of Zero-Day Attack via Corrupted Files
DUBAI, DUBAI, UNITED ARAB EMIRATES, December 5, 2024 /EINPresswire.com/ -- The cybersecurity team at ANY.RUN has shared an in-depth look at a new zero-day attack method that leverages corrupted files to evade detection systems. This detailed analysis demonstrates how attackers manipulate archives, office documents, and other files to bypass security measures.
Overview of the Attack
A typical scenario for this zero-day attack follows 5 steps:
1. Attackers deliberately damage the structure of archives and Word documents (a .docx is itself a ZIP container), leaving the file broken enough to defeat standard parsers but still recoverable.
2. The corrupted files are then distributed as email attachments.
3. Security systems fail to detect any malicious content: they cannot identify the file type or parse the damaged container, so nothing inside it is inspected and the attachment reaches its target.
4. When a user opens the corrupted file with its native application, like Word, the application's built-in recovery mechanisms restore the file's content.
5. Once recovered, the file presents the victim with malicious content, such as a QR code that leads to a phishing link in a .docx file.
How Corrupted Files Bypass Detection Systems
The research highlights that most antivirus software and automated tools lack the recovery functionality found in applications like Microsoft Word. A scanner that cannot parse the damaged container cannot reliably identify the file type, let alone extract and inspect its contents, so the file is passed through undetected.
For instance, submitting a corrupted file to VirusTotal, which aggregates verdicts from numerous security engines, shows zero detections from most of them.
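The five-step scenario above and the detection gap described in this section come down to one mechanism: a strict ZIP parser gives up on the damaged container, while a tolerant, recovery-style parser still finds the members and the lure inside them. The script below is an added example written for this page, not ANY.RUN's code and not Word's recovery logic. It builds a constructed minimal .docx in memory, damages it by overwriting the End-Of-Central-Directory signature (one assumed way to corrupt the container; the article does not publish the exact corruption used in the campaign), shows that Python's strict zipfile reader rejects it, then carves the members back out by walking the local file headers and searches the recovered XML for URLs. The lure URL uses an RFC 2606 example domain and is not a real indicator.

```python
import io
import re
import struct
import zipfile
import zlib

# Constructed sample: the link stands in for the QR-code phishing lure the
# article describes. RFC 2606 example domain, not a real indicator.
LURE_URL = "https://login.example.com/verify"


def build_docx() -> bytes:
    """Build a minimal docx-like ZIP in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0" encoding="UTF-8"?><Types/>')
        z.writestr("word/document.xml",
                   "<w:document><w:body><w:p><w:r><w:t>"
                   f"Scan the QR code: {LURE_URL}"
                   "</w:t></w:r></w:p></w:body></w:document>")
    return buf.getvalue()


def corrupt_eocd(data: bytes) -> bytes:
    """Zero the End-Of-Central-Directory signature (PK\\x05\\x06).

    Assumed corruption for this example: strict ZIP readers now reject the
    file, but every local file header and member body is untouched."""
    idx = data.rfind(b"PK\x05\x06")
    assert idx != -1, "no EOCD record found"
    return data[:idx] + b"\x00\x00\x00\x00" + data[idx + 4:]


def strict_parse_ok(data: bytes) -> bool:
    """What a scanner that trusts the central directory sees."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return z.testzip() is None
    except zipfile.BadZipFile:
        return False


LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")   # 30-byte ZIP local file header


def carve_members(data: bytes) -> dict:
    """Recovery-style parse written for this example (not Word's algorithm):
    walk local file headers (PK\\x03\\x04), inflate each member and ignore the
    damaged central directory entirely."""
    members = {}
    pos = data.find(b"PK\x03\x04")
    while pos != -1 and pos + LOCAL_HDR.size <= len(data):
        (_sig, _ver, flags, method, _t, _d, crc, csize, _usize,
         nlen, xlen) = LOCAL_HDR.unpack_from(data, pos)
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        start = pos + 30 + nlen + xlen
        if method == 8:                                   # DEFLATE
            d = zlib.decompressobj(-15)                   # raw deflate stream
            content = d.decompress(data[start:])
            consumed = len(data) - start - len(d.unused_data)
        elif method == 0:                                 # STORED
            content, consumed = data[start:start + csize], csize
        else:                                             # unsupported method
            content, consumed = b"", csize
        # Flag bit 3 means CRC/sizes live in a trailing data descriptor, so the
        # header CRC is 0 and cannot be checked; otherwise verify it.
        if content and not (flags & 0x8) and (zlib.crc32(content) & 0xFFFFFFFF) != crc:
            content = b""
        if content:
            members[name] = content
        pos = data.find(b"PK\x03\x04", start + max(consumed, 1))
    return members


URL_RE = re.compile(rb"https?://[^\s<>'\"]+")


def find_urls(members: dict) -> list:
    """Pull URLs out of every recovered XML part (body, rels, ...)."""
    hits = set()
    for content in members.values():
        hits.update(u.decode() for u in URL_RE.findall(content))
    return sorted(hits)


if __name__ == "__main__":
    sample = corrupt_eocd(build_docx())
    print("strict ZIP parse succeeds:", strict_parse_ok(sample))
    recovered = carve_members(sample)
    print("recovered parts:", sorted(recovered))
    print("URLs in recovered content:", find_urls(recovered))
```

The point of the two parsers side by side is the operational one: a scanner that stops at the first structural error never sees `word/document.xml`, while a reader that carves local file headers recovers the same text a user would see after Word repairs the document. Any pipeline that wants to catch this family of attachments needs the tolerant path, and then the usual link and QR analysis on whatever it recovers.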
How ANY.RUN Sandbox Helps to Identify Corrupted Malicious Files
ANY.RUN's interactive sandbox plays a crucial role in identifying these threats. It allows users to manually open corrupted files within their native applications inside a safe virtual environment. Once these files are opened, the sandbox quickly identifies malicious activity and notifies users.
For example, when a corrupted .docx file is opened with Microsoft Word in the sandbox, the application successfully recovers the file, revealing a QR code with a phishing link. The sandbox automatically detects this malicious activity, providing valuable insights for cybersecurity professionals.
Learn more about how this zero-day attack works on a technical level on ANY.RUN’s blog.
About ANY.RUN
ANY.RUN provides interactive malware analysis tools trusted by over 500,000 cybersecurity professionals worldwide. With powerful features for real-time behavioral analysis, ANY.RUN helps identify threats, reduce investigation time, and provide actionable insights for incident response.
The ANY.RUN team
ANYRUN FZCO
+1 657-366-5050