Latest Multi-Stage Attack Scenarios with Real-World Examples

Multi-stage cyber attacks, characterized by their complex execution chains, are designed to evade detection and lull victims into a false sense of safety. Understanding how they operate is the first step to building a robust defense strategy against them. Let's examine real-world examples of some of the most common multi-stage attack scenarios that are active right now.

URLs and Other Embedded Content in Documents

Attackers frequently hide malicious links inside seemingly legitimate documents, such as PDFs or Word files. Upon opening the document and clicking the embedded link, users are directed to a malicious website. These sites often employ deceptive tactics to get the victim to download malware onto their computer or share their passwords.

Another popular type of embedded content is QR codes. Attackers hide malicious URLs inside QR codes and insert them into documents. This method forces users to turn to their mobile devices to scan the code, which then directs them to phishing sites. These sites typically request login credentials, which are immediately stolen by the attackers upon entry.
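A static triage pass of the kind a defender runs before a document like this is ever opened, added here as an example that is not part of the original article or of ANY.RUN's tooling: it counts risky PDF name objects and pulls plain-text URLs out of a constructed sample PDF (hostnames are placeholders), and records the two limits of such a pass, compressed streams and QR codes stored as images, which need inflating or image decoding before their URLs become visible.

```python
import re
from collections import Counter

# Constructed sample: a minimal uncompressed PDF with a /URI link annotation and an
# OpenAction JavaScript that runs when the file is opened. Not a real phishing document.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.invalid/login) >> >> endobj
5 0 obj << /S /JavaScript /JS (app.launchURL("http://example.invalid/second", true)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# PDF name objects whose presence alone makes a document worth a closer look.
SUSPICIOUS_NAMES = (b"/URI", b"/OpenAction", b"/AA", b"/JavaScript", b"/JS",
                    b"/Launch", b"/EmbeddedFile", b"/SubmitForm")
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
URL_RE = re.compile(rb"https?://[^\s()<>\"']+")


def triage_pdf(data: bytes) -> dict:
    """Static first-pass triage: count risky name objects and pull out every plain-text URL."""
    counts = Counter()
    for name in SUSPICIOUS_NAMES:
        # Negative lookahead so /JS is not also counted inside longer names.
        counts[name.decode()] = len(re.findall(re.escape(name) + rb"(?![A-Za-z])", data))
    uris = sorted({m.decode(errors="replace") for m in URI_ACTION_RE.findall(data)})
    urls = sorted({m.decode(errors="replace") for m in URL_RE.findall(data)})
    # Caveats: FlateDecode streams are opaque to this pass and must be inflated first;
    # a QR code lives inside an image XObject, so its URL only appears after image decoding.
    compressed = len(re.findall(rb"/FlateDecode", data))
    images = len(re.findall(rb"/Subtype\s*/Image", data))
    runs_on_open = counts["/OpenAction"] > 0 or counts["/AA"] > 0
    return {
        "name_counts": dict(counts),
        "link_uris": uris,
        "all_urls": urls,
        "compressed_streams": compressed,
        "image_objects": images,
        "runs_on_open": runs_on_open,
        "verdict": "review" if (uris or urls or runs_on_open or images) else "no static indicators",
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage_pdf(SAMPLE_PDF), indent=2))
```

A non-zero image count with no extractable URL is exactly the QR-code case described above: the link is there, but only a QR decoder (or a sandbox that runs one) will surface it.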

Example: PDF File with a QR Code

To demonstrate how a typical attack unfolds, let's use the ANY.RUN Sandbox, which offers a safe virtual environment for studying malicious files and URLs. Thanks to its interactivity, this cloud-based service allows us to engage with the system just like on a standard computer.

Get up to 3 ANY.RUN licenses as a gift with a Black Friday offer →

To simplify our analysis, we'll enable the Automated Interactivity feature, which automatically performs all the user actions needed to trigger the attack or sample execution.

Phishing PDF with malicious QR code opened in the ANY.RUN sandbox

Consider this sandbox session, which features a malicious .pdf file that contains a QR code. With automation switched on, the service extracts the URL inside the code and opens it in the browser on its own.

The final phishing page where victims are prompted to share their credentials

After a few redirects, the attack takes us to the final phishing page, designed to mimic a Microsoft website. It is controlled by threat actors and configured to steal users' login and password data as soon as it is entered.

Suricata IDS rule identified a phishing domain chain during analysis

The sandbox makes it possible to observe all the network activity occurring during the attack and see the triggered Suricata IDS rules.

After completing the analysis, the ANY.RUN sandbox provides a conclusive "malicious activity" verdict and generates a report on the threat that also includes a list of IOCs.

Multi-stage Redirects

Multi-stage redirects involve a sequence of URLs that move users through multiple sites, eventually leading to a malicious destination. Attackers often use trusted domains, such as Google's or popular social media platforms like TikTok, to make the redirects appear legitimate. This method complicates the detection of the final malicious URL by security tools.

Some redirect stages may include CAPTCHA challenges to prevent automated solutions and filters from reaching the malicious content. Attackers may also incorporate scripts that check the user's IP address. If a hosting-based address, commonly used by security solutions, is detected, the attack chain is interrupted and the user is redirected to a legitimate website, preventing access to the phishing page.
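The redirect chain described above can often be unwrapped statically, without visiting any of the hops (and so without tripping the CAPTCHA or IP checks), because each hop carries the next one in a query parameter. The following is an added example, not code from the article or from ANY.RUN; the parameter list, the redirector list and the sample TikTok-to-Google-to-phishing URL are all constructed, with placeholder hostnames.

```python
from urllib.parse import parse_qs, urlsplit

# Query parameters that open-redirect endpoints commonly use to carry the next hop.
# Constructed, non-exhaustive list for this example.
REDIRECT_PARAMS = ("redirect_url", "redirect_uri", "redirect", "target", "url", "u",
                   "q", "next", "continue", "return_to", "dest", "goto")

# Hosts whose redirectors are routinely used as "trusted" first hops (constructed short list).
COMMON_REDIRECTORS = {"www.tiktok.com", "www.google.com"}

# Constructed sample: a TikTok-style link whose target parameter carries a Google redirect,
# whose q parameter in turn carries the final phishing host. All hostnames are placeholders.
SAMPLE_URL = (
    "https://www.tiktok.com/link/v2?aid=1988&lang=en&scene=bio_url"
    "&target=https%3A%2F%2Fwww.google.com%2Furl%3Fq%3D"
    "https%253A%252F%252Flogin-verify.example.invalid%252Fcaptcha%26sa%3DD"
)


def unwrap_redirects(url: str, max_depth: int = 10) -> list:
    """Peel nested redirect parameters and return the hostnames the chain walks through."""
    chain, current = [], url
    for _ in range(max_depth):
        parts = urlsplit(current)
        chain.append(parts.hostname or "")
        params = parse_qs(parts.query)  # parse_qs URL-decodes each value once, one layer per hop
        next_hop = next(
            (v for name in REDIRECT_PARAMS for v in params.get(name, [])
             if v.lower().startswith(("http://", "https://"))),
            None,
        )
        if next_hop is None or next_hop == current:
            break
        current = next_hop
    return chain


def assess_chain(url: str) -> dict:
    """Flag a URL that uses well-known redirectors as cover for an unrelated final host."""
    chain = unwrap_redirects(url)
    final_host = chain[-1] if chain else ""
    cover_hops = [h for h in chain[:-1] if h in COMMON_REDIRECTORS]
    suspicious = len(chain) > 1 and bool(cover_hops) and final_host not in COMMON_REDIRECTORS
    return {"hops": chain, "final_host": final_host, "cover_hops": cover_hops, "suspicious": suspicious}


if __name__ == "__main__":
    print(assess_chain(SAMPLE_URL))
```

Hops that are implemented server-side (an HTTP 302 with no parameter in the URL) are invisible to this pass and still need a sandbox that follows them.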

Example: Chain of Links Leading to a Phishing Page

Here is a sandbox session showing the full chain of attack, starting from a seemingly legitimate TikTok link.

TikTok URL containing a redirect to a Google domain

Yet a closer look reveals that the full URL contains a redirect to a legitimate Google domain.

ANY.RUN automatically solves the CAPTCHA, moving on to the next stage of the attack

From there, the attack moves on to another website with a redirect and then to the final phishing page, which is, however, protected with a CAPTCHA challenge.

Fake Outlook page intended for stealing user data

Thanks to advanced content analysis, the sandbox automatically solves this CAPTCHA, allowing us to observe the fake page designed to steal victims' credentials.

Email Attachments

Email attachments continue to be a prevalent vector for multi-stage attacks. In the past, attackers frequently sent emails with Office documents containing malicious macros.

Today, the focus has shifted to archives that include payloads and scripts. Archives provide a simple and effective method for threat actors to conceal malicious executables from security mechanisms and increase the perceived trustworthiness of the files.
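A gateway-style check for the archived-payload pattern just described, added here as an example that is neither the article's nor ANY.RUN's code: it walks a constructed zip attachment (a double-extension PE stub, a decoy text file and a nested zip carrying a script, with no real malware inside), recurses into nested archives, and flags the members that should never reach a mailbox. The extension list is a constructed, non-exhaustive one.

```python
import io
import zipfile

# Extensions that should not arrive as a mail attachment, even inside an archive.
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".dll", ".js", ".jse", ".vbs", ".vbe",
                  ".wsf", ".hta", ".bat", ".cmd", ".ps1", ".lnk", ".msi", ".jar"}


def build_sample_zip() -> bytes:
    """Constructed sample shaped like a phishing attachment: a double-extension PE stub,
    a decoy text file and a nested archive carrying a script. Contains no real malware."""
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("Invoice_8842.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)  # PE header stub only
        zf.writestr("readme.txt", b"Please open the attached invoice.")
        inner = io.BytesIO()
        with zipfile.ZipFile(inner, "w") as nested:
            nested.writestr("payload.js", b"// constructed placeholder script\n")
        zf.writestr("attachments.zip", inner.getvalue())
    return outer.getvalue()


def triage_archive(data: bytes, prefix: str = "", depth: int = 0, max_depth: int = 3) -> list:
    """Walk a zip, recursing into nested zips, and report members a gateway should block."""
    if depth > max_depth:
        return [{"path": prefix, "flags": ["nesting_too_deep"]}]
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            base = info.filename.rsplit("/", 1)[-1].lower()
            exts = ["." + e for e in base.split(".")[1:]]  # "a.pdf.exe" -> [".pdf", ".exe"]
            content = zf.read(info)
            flags = []
            if exts and exts[-1] in EXECUTABLE_EXT:
                flags.append("executable_extension")
                if len(exts) > 1:
                    flags.append("double_extension")  # document-looking name hiding an executable
            if content[:2] == b"MZ" and "executable_extension" not in flags:
                flags.append("pe_header_with_misleading_extension")  # content/extension mismatch
            if content[:2] == b"PK" and exts and exts[-1] == ".zip":
                findings.extend(triage_archive(content, path + "/", depth + 1, max_depth))
            if flags:
                findings.append({"path": path, "flags": flags})
    return findings


if __name__ == "__main__":
    for finding in triage_archive(build_sample_zip()):
        print(finding["path"], "->", ", ".join(finding["flags"]))
```

Password-protected or non-zip archives (RAR, 7z, ISO) will not open with the standard library and should be treated as a finding in their own right rather than silently skipped.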

Example: Email Attachment with FormBook Malware

In this sandbox session, we can see a phishing email that contains a .zip attachment. The service automatically opens the archive, which has several files inside.

Phishing email with an archive

With Smart Content Analysis, the service identifies the main payload and launches it, which initiates the execution chain and allows us to see how the malware behaves on a live system.

Suricata IDS rule used for detecting FormBook's connection to its C2

The sandbox detects FormBook and logs all of its network and system activity, in addition to providing a detailed threat report.

Get Your Black Friday Deal from ANY.RUN

Analyze suspicious emails, files, and URLs in the ANY.RUN sandbox to quickly identify cyber attacks. With Automated Interactivity, the service can perform all the necessary analysis steps on its own, saving you time and presenting you only with the most important insights into the threat at hand.

Black Friday offer from ANY.RUN

ANY.RUN is currently offering Black Friday deals. Get yours before December 8:

  1. For individual users: 2 licenses for the price of 1.
  2. For teams: Up to 3 licenses + an annual basic plan for Threat Intelligence Lookup, ANY.RUN's searchable database of the latest threat data.

See all offers and test the service with a free trial today →

Conclusion

Multi-stage attacks are a significant threat to organizations and individuals alike. Some of the most common attack scenarios include URLs and embedded content in documents, QR codes, multi-stage redirects, email attachments, and archived payloads. By analyzing these with tools like ANY.RUN's Interactive Sandbox, we can better protect our infrastructure.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.
