Multi-stage cyber assaults, characterised by their advanced execution chains, are designed to keep away from detection and trick victims right into a false sense of safety. Figuring out how they function is step one to constructing a strong protection technique towards them. Let’s study real-world examples of a few of the commonest multi-stage assault eventualities which might be lively proper now.
URLs and Different Embedded Content material in Paperwork
Attackers continuously cover malicious hyperlinks inside seemingly professional paperwork, comparable to PDFs or Phrase information. Upon opening the doc and clicking the embedded hyperlink, customers are directed to a malicious web site. These websites typically make use of misleading ways to get the sufferer to obtain malware onto their laptop or share their passwords.
One other standard kind of embedded content material is QR codes. Attackers conceal malicious URLs inside QR codes and insert them into paperwork. This technique forces customers to show to their cell gadgets to scan the code, which then directs them to phishing websites. These websites usually request login credentials, that are instantly stolen by the attackers upon entry.
Instance: PDF File with a QR Code
To show how a typical assault unfolds, let’s use the ANY.RUN Sandbox, which presents a secure digital setting for finding out malicious information and URLs. Because of its interactivity, this cloud-based service permits us to interact with the system similar to on a regular laptop.
Rise up to three ANY.RUN licenses as a present with a Black Friday provide→
To simplify our evaluation, we’ll allow the Automated Interactivity characteristic that may carry out all of the consumer actions wanted to set off assault or pattern execution mechanically.
 |
| Phishing PDF with malicious QR code opened within the ANY.RUN sandbox |
Contemplate this sandbox session, which encompasses a malicious .pdf file that accommodates a QR code. With automation switched on, the service extracts the URL contained in the code and opens it within the browser by itself.
 |
| The ultimate phishing web page the place victims are provided to share their credentials |
After a couple of redirects, the assault takes us to the ultimate phishing web page designed to imitate a Microsoft web site. It’s managed by menace actors and configured to steal customers’ login and password knowledge, as quickly as it’s entered.
 |
| Suricata IDS rule recognized a phishing area chain throughout evaluation |
The sandbox makes it attainable to watch all of the community exercise occurring through the assault and see triggered Suricata IDS guidelines
After finishing the evaluation, the ANY.RUN sandbox gives a conclusive “malicious activity” verdict and generates a report on the menace that additionally features a listing of IOCs.
Multi-stage Redirects
Multi-stage redirects contain a sequence of URLs that transfer customers by means of a number of websites, in the end resulting in a malicious vacation spot. Attackers typically make the most of trusted domains, comparable to Google’s or standard social media platforms like TikTok, to make the redirects seem professional. This technique complicates the detection of the ultimate malicious URL by safety instruments.
Some redirect levels might embrace CAPTCHA challenges to forestall automated options and filters from accessing malicious content material. Attackers may additionally incorporate scripts that verify for the consumer’s IP deal with. If a hosting-based deal with, generally utilized by safety options, is detected, the assault chain will get interrupted and the consumer is redirected to a professional web site, stopping entry to the phishing web page.
Instance: Chain of Hyperlinks Resulting in a Phishing Web page
Here’s a sandbox session displaying your entire chain of assault ranging from a seemingly professional TikTok hyperlink.
 |
| TikTok URL containing a redirect to a Google area |
But, a more in-depth look reveals how the complete URL incorporates a redirect to a professional google area.
 |
| ANY.RUN mechanically solves the CAPTCHA shifting on to the subsequent stage of the assault |
From there, the assault strikes on to a different web site with a redirect after which to the ultimate phishing web page, which is, nevertheless, protected with a CAPTCHA problem.
 |
| Pretend Outlook web page supposed for stealing consumer knowledge |
Because of superior content material evaluation, the sandbox mechanically solves this CAPTCHA, permitting us to watch the pretend web page designed to steal victims’ credentials.
Electronic mail Attachments
Electronic mail attachments proceed to be a prevalent vector for multi-stage assaults. Up to now, attackers continuously despatched emails with Workplace paperwork containing malicious macros.
At the moment, the main focus has shifted to archives that embrace payloads and scripts. Archives present a simple and efficient technique for menace actors to hide malicious executables from safety mechanisms and improve the trustworthiness of the information.
Instance: Electronic mail Attachment with Formbook Malware
In this sandbox session, we will see a phishing e-mail that accommodates a .zip attachment. The service mechanically opens the archive, which has a number of information inside.
 |
| Phishing e-mail with an archive |
With Sensible Content material Evaluation, the service identifies the primary payload and launches it, which initiates the execution chain and permits us to see how the malware behaves on a reside system.
 |
| Suricata IDS rule used for detecting FormBook’s connection to its C2 |
The sandbox detects FormBook and logs all of its community and system actions, in addition to offering an in depth menace report.
Get Your Black Friday Deal from ANY.RUN
Analyze suspicious emails, information, and URLs within the ANY.RUN sandbox to shortly establish cyber assaults. With Automated Interactivity, the service can carry out all the required evaluation steps by itself, saving you time and presenting you solely with crucial insights into the menace at hand.
 |
| Black Friday provide from ANY.RUN |
ANY.RUN is at present providing Black Friday offers. Get yours earlier than December 8:
- For particular person customers: 2 licences for the value of 1.
- For groups: As much as 3 licences + annual primary plan for Menace Intelligence Lookup, ANY.RUN’s searchable database of the most recent menace knowledge;
See all presents and take a look at the service with a free trial at this time →
Conclusion
Multi-stage assaults are a big menace to organizations and people alike. A number of the commonest assault eventualities embrace URLs and embeds in paperwork, QR codes, multi-stage redirects, e-mail attachments, and archived payloads. By analyzing these with instruments like ANY.RUN’s Interactive sandbox, we will higher defend our infrastructure.
