How Cybersecurity Analysts Investigate Emerging Malware Threats


Cyber attackers these days are getting smarter and sneakier. They’re using advanced techniques to break into systems or steal sensitive data, making it harder than ever to detect and analyze emerging threats. This is why cybersecurity analysts are also stepping up their game, using advanced tools and services like ANY.RUN’s Threat Intelligence (TI) Lookup.

With these services, cybersecurity professionals can access a wealth of information about specific threats and dive into real-world examples to uncover and neutralize these tricky attacks. 

Let’s explore how analysts use services like TI Lookup to investigate emerging threats more effectively and efficiently.

Why Analysts Use TI Lookup for Threat Investigations

TI Lookup is a real game changer for analysts, as it offers a central hub of detailed threat data to streamline malware investigations. This data is gathered from millions of malware analysis sessions conducted in ANY.RUN’s interactive sandbox. With over 40 customizable search parameters, analysts can uncover relevant threat data with precision and flexibility.

Try TI Lookup with a free trial and get a Black Friday offer to double your search requests

Here’s how it helps:

1. Enhanced Threat Identification

TI Lookup gives analysts access to an extensive database of IPs, domains, file names, process artifacts, and more. This wealth of information ensures they can quickly identify and connect Indicators of Compromise (IOCs) to known malware campaigns or emerging threats.

Homepage of ANY.RUN Threat Intelligence Lookup

2. Powerful and Flexible Search Options

The advanced search options allow users to tailor their investigations with highly customizable parameters:

  • Single IOC searches: Analysts can quickly find specific URLs, file hashes, IPs, or domain names.
  • Event fields: They analyze logged activities such as registry paths, process names, and command lines.
  • Combined search: With TI Lookup, it’s easy to dive into the malware lifecycle by correlating IOCs across infection stages in the same session.
  • Wildcard queries: Analysts can use partial information to uncover hidden connections when dealing with incomplete threat data.

IOCs displayed in TI Lookup for a specific query

3. Fully Interactive Analysis inside a Cloud Environment

One of the key benefits of TI Lookup is its integration with a fully interactive cloud-based malware sandbox, setting it apart from traditional automated tools. This interactivity empowers analysts to investigate malware in real-time, directly engaging with malicious files and processes.

TI Lookup interactive home page

This interactive feature is powered by over 14,000 daily analysis sessions run by ANY.RUN’s global community of 500,000+ researchers, constantly updating the Threat Intelligence Database with real-world data.

How Analysts Investigate Emerging Threats Using TI Lookup

Cybersecurity analysts use tools like ANY.RUN’s TI Lookup to find and connect important details when investigating new and evolving threats. 

Here are three real-world examples that demonstrate how the tool is used to stay ahead of attackers:

Checking suspicious IP addresses

One of the common ways analysts use TI Lookup is to investigate suspicious IP addresses flagged by network alerts. 

For instance, if a machine in the network connects to an IP like 162[.]254[.]34[.]31, analysts can use TI Lookup to check if the IP has been involved in malware activity.

By entering the query:

Search query: destinationIP:"162.254.34.31"

The tool identifies the IP as malicious and links it to the AgentTesla malware family. TI Lookup doesn’t just confirm the threat; it also provides related details such as processes, files, and even the sandbox sessions in which this IP was previously detected.

TI Lookup flags the IP address as malicious and gives additional info

Identifying a Malware Family

Analysts can also use TI Lookup to identify malware by searching for unique indicators like mutexes. For example, the Remcos malware creates specific synchronization objects (mutexes) that can be used to trace its activity.

By entering the query:

Search query: syncObjectName:"RMC-"

TI Lookup retrieves a list of mutexes associated with Remcos and provides access to related sandbox sessions.

Identifying a malware family with TI Lookup

Identifying Malware Using a File Path

Sometimes a suspicious file path can be the key to identifying malware. For example, analysts can investigate the following path:

Search query: filePath:"\\Start Menu\\Programs\\Startup\\{*}.lnk"

This query connects the file path to DarkVision RAT and reveals related sandbox sessions. Analysts can access additional context, such as triggered IDS rules and sandbox data, to understand how the malware operates and what actions it performs during execution.

List of files that match the query and events with the tag “darkvision”

Black Friday Exclusive: Double Your TI Lookup Search Requests


ANY.RUN’s TI Lookup provides instant access to threat intelligence, helping you get context on malware and phishing campaigns and enrich your investigations with relevant samples, domains, and other indicators with ease.

Ashwin S

A cybersecurity enthusiast at heart with a passion for all things tech. Yet his creativity extends beyond the world of cybersecurity. With an innate love for design, he's always on the lookout for unique design concepts.