Multi-stage cyber assaults, characterised by their advanced execution chains, are designed to keep away from detection and trick victims right into a false sense of safety. Understanding how they function is step one to constructing a strong protection technique in opposition to them. Let’s study real-world examples of a few of the commonest multi-stage assault situations which might be energetic proper now.
URLs and Different Embedded Content material in Paperwork
Attackers regularly disguise malicious hyperlinks inside seemingly reliable paperwork, equivalent to PDFs or Phrase recordsdata. Upon opening the doc and clicking the embedded hyperlink, customers are directed to a malicious web site. These websites typically make use of misleading ways to get the sufferer to obtain malware onto their pc or share their passwords.
One other widespread sort of embedded content material is QR codes. Attackers conceal malicious URLs inside QR codes and insert them into paperwork. This technique forces customers to show to their cell units to scan the code, which then directs them to phishing websites. These websites usually request login credentials, that are instantly stolen by the attackers upon entry.
Instance: PDF File with a QR Code
To show how a typical assault unfolds, let’s use the ANY.RUN Sandbox, which provides a secure digital setting for finding out malicious recordsdata and URLs. Due to its interactivity, this cloud-based service permits us to interact with the system similar to on a regular pc.
Rise up to three ANY.RUN licenses as a present with a Black Friday supply→
To simplify our evaluation, we’ll allow the Automated Interactivity characteristic that may carry out all of the person actions wanted to set off assault or pattern execution mechanically.
 |
| Phishing PDF with malicious QR code opened within the ANY.RUN sandbox |
Take into account this sandbox session, which encompasses a malicious .pdf file that incorporates a QR code. With automation switched on, the service extracts the URL contained in the code and opens it within the browser by itself.
 |
| The ultimate phishing web page the place victims are supplied to share their credentials |
After a number of redirects, the assault takes us to the ultimate phishing web page designed to imitate a Microsoft web site. It’s managed by menace actors and configured to steal customers’ login and password information, as quickly as it’s entered.
 |
| Suricata IDS rule recognized a phishing area chain throughout evaluation |
The sandbox makes it doable to look at all of the community exercise occurring through the assault and see triggered Suricata IDS guidelines
After finishing the evaluation, the ANY.RUN sandbox offers a conclusive “malicious exercise” verdict and generates a report on the menace that additionally features a listing of IOCs.
Multi-stage Redirects
Multi-stage redirects contain a sequence of URLs that transfer customers via a number of websites, finally resulting in a malicious vacation spot. Attackers typically make the most of trusted domains, equivalent to Google’s or widespread social media platforms like TikTok, to make the redirects seem reliable. This technique complicates the detection of the ultimate malicious URL by safety instruments.
Some redirect phases could embrace CAPTCHA challenges to stop automated options and filters from accessing malicious content material. Attackers may also incorporate scripts that test for the person’s IP tackle. If a hosting-based tackle, generally utilized by safety options, is detected, the assault chain will get interrupted and the person is redirected to a reliable web site, stopping entry to the phishing web page.
Instance: Chain of Hyperlinks Resulting in a Phishing Web page
Here’s a sandbox session exhibiting the whole chain of assault ranging from a seemingly reliable TikTok hyperlink.
 |
| TikTok URL containing a redirect to a Google area |
But, a better look reveals how the complete URL incorporates a redirect to a reliable google area.
 |
| ANY.RUN mechanically solves the CAPTCHA transferring on to the subsequent stage of the assault |
From there, the assault strikes on to a different web site with a redirect after which to the ultimate phishing web page, which is, nevertheless, protected with a CAPTCHA problem.
 |
| Faux Outlook web page meant for stealing person information |
Due to superior content material evaluation, the sandbox mechanically solves this CAPTCHA, permitting us to look at the faux web page designed to steal victims’ credentials.
E mail Attachments
E mail attachments proceed to be a prevalent vector for multi-stage assaults. Prior to now, attackers regularly despatched emails with Workplace paperwork containing malicious macros.
At present, the main target has shifted to archives that embrace payloads and scripts. Archives present a simple and efficient technique for menace actors to hide malicious executables from safety mechanisms and enhance the trustworthiness of the recordsdata.
Instance: E mail Attachment with Formbook Malware
In this sandbox session, we are able to see a phishing e-mail that incorporates a .zip attachment. The service mechanically opens the archive, which has a number of recordsdata inside.
 |
| Phishing e-mail with an archive |
With Good Content material Evaluation, the service identifies the principle payload and launches it, which initiates the execution chain and permits us to see how the malware behaves on a stay system.
 |
| Suricata IDS rule used for detecting FormBook’s connection to its C2 |
The sandbox detects FormBook and logs all of its community and system actions, in addition to offering an in depth menace report.
Get Your Black Friday Deal from ANY.RUN
Analyze suspicious emails, recordsdata, and URLs within the ANY.RUN sandbox to rapidly determine cyber assaults. With Automated Interactivity, the service can carry out all the required evaluation steps by itself, saving you time and presenting you solely with crucial insights into the menace at hand.
 |
| Black Friday supply from ANY.RUN |
ANY.RUN is at present providing Black Friday offers. Get yours earlier than December 8:
- For particular person customers: 2 licences for the value of 1.
- For groups: As much as 3 licences + annual fundamental plan for Risk Intelligence Lookup, ANY.RUN’s searchable database of the most recent menace information;
See all provides and check the service with a free trial at present →
Conclusion
Multi-stage assaults are a major menace to organizations and people alike. A number of the commonest assault situations embrace URLs and embeds in paperwork, QR codes, multi-stage redirects, e-mail attachments, and archived payloads. By analyzing these with instruments like ANY.RUN’s Interactive sandbox, we are able to higher defend our infrastructure.
