How to Analyse an Advanced Phishing Attack with ANY.RUN Threat Intelligence Lookup

An advanced phishing attack typically involves sophisticated tactics such as compelling email and website replicas that are often tailored to specific targets.

These attacks may use social engineering techniques to manipulate victims into revealing sensitive information and installing malware.

Cybersecurity researchers at ANY.RUN recently unveiled a proper guide to analyzing an advanced phishing attack with Threat Intelligence Lookup.

ANY.RUN Threat Intelligence Lookup provides contextual search online and via API. We index and analyze data from millions of public interactive analytical sessions, or “tasks,” that our community of over 300,000 academics and 300 organizations performs in the ANY.RUN sandbox.

Technical Analysis

Multitudes of opportunities can be unlocked with the help of this new tool that helps maximize threat intelligence. The search capabilities of this new tool enhance the search abilities and provide precise security incident responses.

The online Threat Intel Lookup service of ANY.RUN with API access scans millions of community tasks which links the isolated indicators to specific threats for your security team.

Even with the help of Threat Intel Lookup, you can also check the new IP in logs. Besides this, it also enables us to find sandbox matches fast, often naming malware families and providing related data like ports, URLs, and hashes.

ANY.RUN Threat Intelligence Lookup

Try ANY.RUN Yourself with a 14-day Free Trial

Threat Intelligence Lookup centralized repository of millions of IOCs extracted from ANY.RUN’s extensive database of interactive malware analysis sessions. ANY.RUN Threat Intelligence: Search for linked IOCs using over 30 fields .

Request a Demo For Free

How to Explain a Strange Command Line

In an event, the employee alerted security of a phishing attempt, which opened a suspicious Office attachment that enabled Macros, which triggered the alarm.

While examining the IDR logs, cybersecurity analysts discovered the highlighted PowerShell process with $codigo. Analysts without Threat Intelligence Lookup might search online, wasting time.

Searching ‘ImagePath:powershell’ AND ‘CommandLine:$codigo’ reveals multiple $codigo-related command lines. The events tab shows ‘stegocampaign’ tags that suggest a possible cyberattack.

Moreover, cybersecurity researchers affirmed that they are progressing aggressively, but they still need more refinement to their search.

IDR logs hint at a suspicious connection on port 2404, which is uncommon in their network.

The updated search reveals fewer tasks which is mostly tied to Remcos malware, a notorious Remote Access Trojan often utilizing PowerShell. 

Finding the Family of Malware

Researchers are making progress, but they still need to fine-tune their search. Based on the information from the IDR logs, it appears that a machine that is potentially infected is connected to port 2404. This port is not commonly used in our network infrastructure.

Threat Intelligence Lookup uncovers malicious IPs linked to the tasks that aid in further investigating malware behavior.

Confirm Remcos’ presence by merging the network rule name with the IP (RuleName: remcos AND DestinationIp: 107.172.31.178). While the ANY.RUN’s Threat Intelligence Lookup entrusts cybersecurity analysts,. 

Utilizing IP Address for Investigating Remcos

 Write a query combining a network rule name with the IP address associated with port 2404. In addition, researchers narrow down the search to display tasks from the past week. This is how it will appear: Rule name: “remcos” and destination IP: “107.172.31.178”

The example above shows one way that ANY.RUN’s Threat Intelligence Lookup can be very useful for cybersecurity experts.

Currently, it’s offering a trial with 20 search queries for existing Searcher plans or above clients. However, you can reach ANY.RUN for customer plans and subscriptions.