Automate Analysis of Common Attack Vectors with a Malware Sandbox


Analysts often face an overwhelming number of threats daily, each demanding a detailed examination to understand its behavior and potential impact.

When alerts start piling up, manually analyzing each one becomes time-consuming and puts your team under pressure.

Fortunately, these threats can be handled faster and more efficiently with automated malware analysis. By automating various tasks, you can uncover threats quicker, minimize errors, and free up your team to focus on more critical work.

Let’s explore which attack vectors can be automated using tools like ANY.RUN’s interactive sandbox.

Analyzing Various Attack Scenarios

ANY.RUN’s sandbox now has an upgraded version of automated interactivity that can quickly identify and trigger the key stages of the kill chain.

This enhancement makes sure that the attack analysis keeps moving, fully detecting malicious activities without manual intervention.

These stages may include:

  • Email attachments like archives and their contents
  • QR codes embedded in documents and CAPTCHAs
  • Rewritten links and multi-stage redirects


CAPTCHAs: Solving Challenges Automatically

CAPTCHAs are often used by attackers to add an additional layer of complexity to malicious activity, requiring user interaction to proceed.

These challenges can hinder manual analysis by slowing down the investigation process.

In automated analysis sessions, CAPTCHAs are solved automatically without requiring any manual input. The analysis process continues smoothly, and all stages of the attack are executed.

For example, in this analysis session, CAPTCHAs encountered during a phishing attack are bypassed automatically, allowing the sandbox to detect and observe the subsequent steps in the attack chain.


This approach simplifies the analysis and provides a complete view of the threat, saving analysts time and effort.

CAPTCHAs solved inside ANY.RUN’s sandbox when enabling Automated Interactivity

QR Codes: A New Gateway for Malware

QR codes have become popular in modern interactions, from payments to marketing. However, they are also a delivery mechanism for malware.

A malicious QR code can direct users to phishing sites or trick them into downloading malware onto their devices.

Cybercriminals often embed QR codes in documents. However, tools like ANY.RUN’s sandbox ensure these obstacles are bypassed during automated analysis sessions, uncovering the hidden threats.

As seen in this analysis session, the detection of malware doesn’t stop or require manual effort when encountering a QR code. The sandbox automatically detects and opens the embedded link, keeping the analysis session uninterrupted.


Document with QR code analyzed inside ANY.RUN sandbox

During the threat analysis, the sandbox also determines if the content is malicious and displays the verdict in the upper-right corner of the interface, saving both time and effort for analysts.

Phishing attack detected by ANY.RUN sandbox

Email Attachments: The Classic Attack Vector

Email attachments continue to be a popular method for distributing malware. Threat actors often hide malicious payloads in files such as ZIP archives, requiring specific actions or multiple steps to execute the attack.

Automated analysis speeds up this process by extracting, opening, and observing the behavior of potential threats in a secure, isolated environment.

In the following sample, we see how easy it is to automate the analysis of email attachments with the help of an interactive sandbox.

Automated analysis of email attachment

With automated analysis, the sandbox extracts the ZIP file attached to the email. Then, it finds the Formbook executable inside the archive and runs it automatically to observe its behavior.

Suricata rule used for detecting Formbook activity
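The extraction step described above can also be done statically as a triage pass before detonation: walk the email's MIME parts, open any ZIP attachment, and record each member's name, size and SHA-256 together with whether it is something a sandbox would execute. This is an added example, not ANY.RUN's code; the email, the archive and the file names in it are constructed, and the extension list is an assumption.

```python
import email
import hashlib
import io
import zipfile
from email.message import EmailMessage

# Extensions a sandbox would execute directly on extraction (assumed list, not ANY.RUN's).
EXECUTABLE_EXTS = {".exe", ".scr", ".dll", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".lnk"}


def build_sample_eml() -> bytes:
    """Build a constructed email carrying a ZIP attachment (test data, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.exe", b"MZ placeholder bytes, not a real PE")
        zf.writestr("readme.txt", b"please open the attached invoice")
    msg = EmailMessage()
    msg["From"] = "billing@example.test"
    msg["To"] = "analyst@example.test"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


def triage_attachments(raw_eml: bytes) -> list[dict]:
    """Walk MIME parts, open ZIP attachments and report each member with its SHA-256."""
    msg = email.message_from_bytes(raw_eml)
    findings = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        payload = part.get_payload(decode=True)
        if not payload or not zipfile.is_zipfile(io.BytesIO(payload)):
            continue  # only archives are unpacked here; other attachments go straight to the sandbox
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                data = zf.read(info)
                ext = ("." + info.filename.rsplit(".", 1)[-1].lower()) if "." in info.filename else ""
                findings.append({
                    "archive": part.get_filename(),
                    "member": info.filename,
                    "size": len(data),
                    "sha256": hashlib.sha256(data).hexdigest(),
                    "executable": ext in EXECUTABLE_EXTS,
                })
    return findings
```

The SHA-256 of each member can be looked up in threat intelligence before the sample is ever run.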

Rewritten Links and Multi-Stage Redirects

Blocked or rewritten links are commonly used by cybercriminals to bypass security filters. These links appear harmless but redirect to malicious destinations once clicked, making them a dangerous tool for phishing and malware delivery.

Automated analysis in a sandbox environment is ideal for handling such scenarios.

Tools like ANY.RUN can simulate user behavior, extract these hidden URLs, and follow them in a controlled environment. This process ensures that the final destination and any associated threats are exposed without putting real systems at risk.

For example, in a sandbox session analyzing a blocked phishing URL, the link appeared rewritten to Microsoft’s domain safelinks[.]protection[.]outlook[.]com with a warning indicating the link was malicious.

However, this block prevented further insight into the threat.

Attack analysis stopped at Microsoft’s scam filtering page

By enabling Automated Interactivity and rerunning the analysis, the sandbox bypassed the rewritten URL, allowing all stages of the attack to execute, including those requiring CAPTCHA-solving. 

Automated analysis inside ANY.RUN’s sandbox

This revealed that the attack was conducted by the Storm-1575 threat actor using the DadSec phishing platform, as indicated by the associated tags.

Tags inside ANY.RUN sandbox providing important information
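A Safe Links rewrite of the kind described above carries the original destination in its url query parameter, so an analyst can recover it offline before handing the link to a sandbox. This added example, not the sandbox's own code, unwraps such a link (including a wrapper nested inside another wrapper, which is what multi-stage rewriting produces) and defangs the result for a report; the nam02 region prefix and the data value are constructed placeholders.

```python
from urllib.parse import parse_qs, quote, urlparse

# Safe Links rewrites a link to https://<region>.safelinks.protection.outlook.com/?url=<encoded original>&...
SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"
MAX_HOPS = 5  # stop on wrappers that keep pointing at further wrappers


def wrap_safelinks(original: str) -> str:
    """Produce a constructed Safe Links style URL for testing; region and data values are placeholders."""
    return ("https://nam02.safelinks.protection.outlook.com/?url="
            + quote(original, safe="") + "&data=constructed-placeholder&reserved=0")


def unwrap_safelinks(url: str) -> tuple[str, list[str]]:
    """Peel Safe Links wrappers without fetching; return the final URL and the wrappers removed."""
    chain = []
    current = url
    for _ in range(MAX_HOPS):
        parsed = urlparse(current)
        host = (parsed.hostname or "").lower()
        if not host.endswith(SAFELINKS_SUFFIX):
            break  # not (or no longer) a wrapper: this is the real destination
        inner = parse_qs(parsed.query).get("url")
        if not inner:
            break  # malformed wrapper: keep it rather than guess a destination
        chain.append(current)
        current = inner[0]  # parse_qs already percent-decodes the value
    return current, chain


def defang(url: str) -> str:
    """Make a URL safe to paste into a report: hxxp scheme and [.] in the host."""
    parsed = urlparse(url)
    if not parsed.netloc:
        return url.replace(".", "[.]")
    scheme = parsed.scheme.replace("http", "hxxp")
    rest = url.split(parsed.netloc, 1)[1]
    return f"{scheme}://{parsed.netloc.replace('.', '[.]')}{rest}"
```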


Enhance your threat analysis capabilities with ANY.RUN’s powerful sandbox. Quickly analyze emails, files, and URLs to detect cyber threats.

With automated analysis, the sandbox takes care of every step, saving you time and delivering accurate insights without the need for manual input.




