THOR Lite Archives - Nextron Systems
https://www.nextron-systems.com/category/thor-lite/
Last updated Tue, 15 Apr 2025 08:43:52 +0000

Obfuscated Threats – The Invisible Danger in Cybersecurity
https://www.nextron-systems.com/2025/04/09/obfuscated-threats-the-invisible-danger-in-cybersecurity/
Wed, 09 Apr 2025 04:57:32 +0000


Obfuscation is a technique widely used by cybercriminals, Advanced Persistent Threat (APT) groups, and even red-teaming operations. APTs, in particular, rely on obfuscation to remain undetected within networks for extended periods. However, modern malware, ransomware, and Living-off-the-Land (LotL) attacks also employ obfuscation techniques to evade conventional detection systems. Understanding how to detect these obfuscated threats is critical to modern threat hunting and incident response.

Real-World Example: Obfuscation in Cyber Attacks

A recent attack highlights how obfuscation is strategically used to bypass security measures. Cybercriminals leveraged invoice-themed phishing emails to distribute malware such as Venom RAT, Remcos RAT, XWorm, and NanoCore RAT through a multi-stage infection chain:

  1. Phishing Email with Malicious SVG Attachment: The email contained an attachment that, when clicked, initiated the attack.
  2. Use of BatCloak and ScrubCrypt: These tools obscure the malware, preventing detection by signature-based security systems.
  3. Execution of Venom RAT and Additional Malware: The malware deploys persistence mechanisms to anchor itself within the system while bypassing security protections like AMSI and ETW.
  4. Data Theft and System Control: Venom RAT grants attackers remote access to the infected system, loads additional plugins, and exfiltrates sensitive data, including cryptocurrency wallet information.

This case demonstrates how modern cyberattacks leverage obfuscation to infiltrate IT environments undetected.

Common Obfuscation Techniques

Threat actors use various techniques to disguise malware and malicious activities:

  • Code Obfuscation: Encrypting or scrambling malicious code to evade signature-based detection.
  • Packing & Encoding: Using packers and crypters (e.g., ScrubCrypt) to obscure malware.
  • Steganography: Concealing malicious code within seemingly benign files.
  • Living-off-the-Land (LotL) Attacks: Exploiting legitimate system tools such as PowerShell and WMI for malicious purposes.
  • Traffic Obfuscation: Concealing malicious communication within legitimate cloud services or encrypted tunnels.

Why Traditional Security Tools Fail

Many Endpoint Detection and Response (EDR) and Antivirus (AV) solutions rely on signatures or heuristic algorithms to detect threats. However, modern obfuscation techniques are designed specifically to circumvent these mechanisms. The major weaknesses of conventional security tools include:

  • Polymorphic Malware: Constantly changes its code with each infection, rendering signature-based detection ineffective. Attackers use this technique to bypass antivirus solutions and distribute new malware variants continuously.
  • Obfuscation via Legitimate Tools: Threat actors abuse trusted system tools such as PowerShell and WMI to execute malicious code. Since these tools are essential components of modern operating systems, their activity often appears benign, allowing them to bypass traditional security measures.
  • Memory-Only Malware: Some threats reside exclusively in memory without leaving traces on disk. Many security solutions primarily scan files rather than analyzing volatile memory or process behavior, making it extremely difficult to detect such attacks.
  • Multi-Stage Infection Chains: Cyberattacks increasingly use multi-stage installations, where an initially harmless file is executed to later retrieve and deploy additional malicious payloads. This strategy complicates detection since the actual malware may only activate after several steps.
  • Bypassing Security Mechanisms: Many modern malware families are engineered to disable or evade security features such as AMSI (Antimalware Scan Interface) and ETW (Event Tracing for Windows), allowing them to operate stealthily even on systems protected by advanced EDR solutions.

How THOR Uncovers Hidden Cyber Threats

Understanding how to detect obfuscated threats requires more than reactive detection or simple IOC matching. While traditional EDR and AV solutions rely on recognizing known signatures, THOR leverages YARA-, Sigma-, and anomaly-based detection methods to identify hidden attacks and trace their origins. With that, Nextron’s THOR employs cutting-edge threat-hunting techniques to expose even the most sophisticated obfuscated threats. These advanced techniques go beyond static signature recognition and actively identify behavioral anomalies, suspicious patterns, and hidden attack indicators that would otherwise remain undetected.

As an on-demand forensic scanner, THOR inspects file systems, memory, logs, and system artifacts during scheduled or manually triggered scans. Its detection capabilities rely on a combination of YARA rules, Sigma rules, and anomaly detection techniques designed to uncover obfuscated activity and behavioral deviations indicative of compromise. Unlike conventional tools that depend solely on predefined threat intelligence, THOR applies a curated set of generic detection rules that surface suspicious patterns—even those associated with novel or previously unknown threats—by highlighting inconsistencies, misuse of legitimate tools, and traces typically missed by AV or EDR solutions.

Why THOR Is the Ultimate Threat Hunting Solution

  • Identifies hacker tools, malware outputs, and customized threats that evade traditional signature-based detection.
  • Requires no installation – runs portably, remotely, or through the ASGARD Management Center.
  • Uses anomaly-based detection to uncover even unknown threats.

Gaining Visibility: The Key to Defeating Obfuscated Threats

Obfuscation is one of the most powerful techniques employed by modern attackers. However, with THOR, even well-hidden threats can be exposed. By combining YARA, Sigma, and behavioral anomaly analysis, Nextron provides a robust cybersecurity solution for rapidly identifying compromised systems.

Have you checked your IT environment for hidden threats? Try THOR now! 🚀



THOR Evolution: THOR 10.7 Stable Release and the Approach of 11 TechPreview
https://www.nextron-systems.com/2024/11/23/thor-evolution-thor-10-7-stable-release-and-the-approach-of-11-techpreview/
Sat, 23 Nov 2024 12:56:13 +0000


We are excited to announce that THOR 10.7 will become the new default scanner version for ASGARD users starting Thursday, November 28th, 2024.

This update introduces significant performance enhancements, including faster scan times, improved archive handling, and refined resource management. ASGARD-managed scans initiated after this date will default to THOR 10.7 unless configured otherwise, ensuring that all customers benefit from the latest detection capabilities and optimizations. Existing scheduled group scans will continue using their previously configured scanner versions (typically THOR 10.6), with clear warnings and options to update to the new version.

Key Features in THOR 10.7

  • Memory-Mapped File Scanning: Enhanced speed and reduced I/O bottlenecks.
  • Improved JSON Reporting: More detailed and structured output.
  • Selective Initialization: Advanced selectors and filters to streamline scans.
  • Email Parsing: Scans email formats like .eml and .msg for embedded threats.
  • Enhanced Archive Scanning: Support for .cab, .7z, .gzip, and recursive nested archive scanning.
  • Bulk Scanning Optimization: Improved throughput for large-scale scanning.
  • Refined HTML Report Generation: Lower memory usage and reduced CPU load during processing.
  • Unified YARA Rule Sets: A single rule set with namespaces for higher performance.
  • Configurable Color Schemes and Output Encryption: Enhanced customization and security.
  • Output Encryption at Runtime

New Features in THOR 10.7: Enhancements and Flexibility

Enhancing Detection and Efficiency with Memory-Mapped Scanning

One of the most impactful improvements in THOR 10.7 is the introduction of memory-mapped file scanning, which significantly accelerates scans and reduces disk I/O. This new approach improves overall performance by leveraging memory for file access, allowing scans to complete faster while decreasing wear on disks. For most environments, these improvements will result in more efficient scanning with minimal configuration changes.

To ensure that THOR 10.7 operates reliably across diverse environments, users have options to tailor memory usage:

  • Disable memory mapping with the --nommap flag, which may be useful for systems with strict memory limitations, though this comes at the cost of slower scans.
  • Fine-tune resource control: ASGARD adjusts THOR’s resource settings dynamically, optimizing scan reliability for both high-performance and resource-constrained systems.

Initialization Filters and Selectors

With THOR 10.7, the Init Selector and Init Filter functionalities offer unparalleled flexibility in customizing scans. These options enable users to focus on specific threat campaigns or exclude less relevant rules for tailored scanning workflows.

For example:

  • Use --init-selector to target specific threats or campaigns:
    --init-selector MOVEit
    --init-selector RANSOM,Lockbit
    
  • Use --init-filter to exclude rules you don’t need:
    --init-filter PUA_TeamViewer

These filters apply to rule names, tags, and descriptions, offering granular control over signature selection. Combined with the --print-signatures or --print-signatures-json flags, users can verify selected or excluded rules, ensuring precision in their scans. This feature is particularly useful for targeted threat investigations, optimizing performance while maintaining detection accuracy.

JSON Enhancements and the Road Ahead

THOR 10.7 introduces the JSON format version 2, offering significant improvements to the structure and usability of scan outputs. This new format enhances compatibility with modern forensic tools and workflows, making it easier to extract and analyze critical information. Users can activate JSON version 2 with the following flags:

--jsonfile --jsonv2

While JSON version 2 represents a major step forward, it is also a transitional format. The upcoming release of THOR 11 will feature an even more comprehensive JSON format version 3 (or version 2.1). This future iteration will incorporate fully nested structures and lists, ensuring seamless integration with advanced tools like SIEM systems and Cribl configurations. These enhancements will provide greater detail and flexibility for in-depth investigations and automated workflows.

Organizations adopting JSON version 2 in THOR 10.7 will benefit immediately from its improvements and find the transition to the next version in THOR 11 straightforward, ensuring continuous compatibility and advanced functionality.

Email Parsing and Enhanced Archive Scanning

THOR 10.7 expands its capabilities with improved support for email and archive scanning:

  • Email Parsing: THOR can now scan .eml and .msg email formats, detecting malicious attachments and embedded threats. This feature ensures more thorough coverage of phishing-related attacks and email-borne threats.
  • Enhanced Archive Handling: Support for .cab, .7z, and .gzip files, as well as recursive scanning of nested archives, allows users to detect threats hidden in complex compressed file structures. These improvements streamline the process of analyzing large datasets or artifact collections, ensuring no malicious content is overlooked.

Together, these features strengthen THOR’s ability to detect threats hidden in commonly abused file formats, making it a powerful tool in comprehensive compromise assessments and incident investigations.

Effects of Changes for ASGARD Customers

THOR 10.7 introduces a more adaptive resource management approach in ASGARD to reduce scan failures caused by memory constraints. Previously, ASGARD enforced a strict 2GB memory cap, which occasionally caused scan interruptions even on systems with ample available memory.

With the updated mechanism:

  • ASGARD evaluates memory usage dynamically, terminating THOR scans only if the process exceeds 2GB and uses more than 50% of the system’s total memory. This ensures scans proceed smoothly on high-memory systems while protecting systems with limited resources.
  • The “Ignore Memory Limit” option allows customers to completely bypass these checks, enabling scans to continue regardless of memory usage.
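The two-condition rule above changes which scans ASGARD terminates. The following model, an added illustration rather than ASGARD's own code, puts the previous strict 2GB cap beside the adaptive policy and the "Ignore Memory Limit" bypass; the function names and the sample measurements are constructed, and 2GB is taken as 2 GiB.

```python
"""Model of the ASGARD memory-limit policy for THOR scans.

Added illustration, not ASGARD's own code. The thresholds (2GB cap, more than
50% of total system memory) come from the release post; everything else here
is an assumption made for the example.
"""
from dataclasses import dataclass

GIB = 1024 ** 3
HARD_CAP_BYTES = 2 * GIB      # the 2GB threshold named in the post
SHARE_OF_TOTAL = 0.5          # "more than 50% of the system's total memory"


@dataclass(frozen=True)
class ScanSample:
    """One memory measurement of a running THOR process (constructed input)."""
    host: str
    rss_bytes: int      # resident memory of the THOR process
    total_bytes: int    # physical memory of the scanned system


def legacy_should_terminate(sample: ScanSample) -> bool:
    """Previous behaviour: a strict 2GB cap, regardless of the host's RAM."""
    return sample.rss_bytes > HARD_CAP_BYTES


def adaptive_should_terminate(sample: ScanSample, ignore_memory_limit: bool = False) -> bool:
    """THOR 10.7 / ASGARD behaviour: terminate only when BOTH conditions hold.

    ignore_memory_limit models the "Ignore Memory Limit" scan option, which
    bypasses the check entirely.
    """
    if ignore_memory_limit:
        return False
    over_cap = sample.rss_bytes > HARD_CAP_BYTES
    over_share = sample.rss_bytes > SHARE_OF_TOTAL * sample.total_bytes
    return over_cap and over_share


def compare_policies(samples, ignore_memory_limit: bool = False) -> dict:
    """Return {host: (legacy_kills, adaptive_kills)} for a batch of samples."""
    return {
        s.host: (legacy_should_terminate(s), adaptive_should_terminate(s, ignore_memory_limit))
        for s in samples
    }


# Constructed measurements, not real telemetry.
SAMPLES = [
    ScanSample("ws-small", rss_bytes=int(2.5 * GIB), total_bytes=4 * GIB),   # 62% of RAM, over cap
    ScanSample("srv-large", rss_bytes=3 * GIB, total_bytes=32 * GIB),        # over cap, ~9% of RAM
    ScanSample("ws-normal", rss_bytes=int(1.5 * GIB), total_bytes=2 * GIB),  # 75% of RAM, under cap
]

if __name__ == "__main__":
    for host, (legacy, adaptive) in compare_policies(SAMPLES).items():
        print(f"{host:10} legacy={'kill' if legacy else 'keep':4} "
              f"adaptive={'kill' if adaptive else 'keep'}")
```

The srv-large row is the case the post describes: the old cap would have interrupted a scan that the adaptive rule lets run on a high-memory system.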

Existing group scans will retain their current THOR versions (e.g., 10.6) but can be updated to 10.7. Starting November 28th, all new scans—including single and group scans—will default to THOR 10.7, ensuring customers benefit from the latest features and optimizations.

Configuring THOR 10.7 for Limited Hardware Resources

For systems operating under tight hardware constraints, users can disable memory mapping with the --nommap flag. While this option reduces memory usage, it may lead to slower scan speeds and increased disk activity. For most ASGARD-managed environments, we recommend keeping memory mapping enabled to fully leverage THOR 10.7’s performance improvements. This flexibility allows users to adapt the scanner to diverse operational requirements without compromising its core functionality.

End-of-Support Announcements

  • THOR 10.6: The current stable version will reach its end-of-life (EOL) on April 30, 2025. Users are encouraged to upgrade to THOR 10.7 to ensure continued support and access to the latest features.
  • Legacy Systems Support: The upcoming THOR 11 TechPreview will discontinue support for older operating systems, including Windows 7, Windows 8, Windows 2008 R2, and Windows 2012. Customers relying on these platforms can continue using THOR Legacy with a legacy license to maintain scanning capabilities.

Conclusion

The release of THOR 10.7 as the default version for ASGARD represents a significant step forward in detection capabilities, efficiency, and reliability. With faster scans, reduced disk I/O, and customizable resource controls, THOR 10.7 is designed to perform optimally across diverse environments. While existing group scans will continue using their configured scanner versions, we recommend upgrading to THOR 10.7 to take full advantage of its advanced detection capabilities and optimizations.

Starting November 28th, all new scans will default to THOR 10.7, ensuring your organization is equipped with the latest and most robust scanner available. Embrace this opportunity to enhance your detection workflows and strengthen your security posture with THOR 10.7.


THOR’s Power Unleashed: Multi-Threading for the Masses
https://www.nextron-systems.com/2024/05/03/thors-power-unleashed-multi-threading-for-the-masses/
Fri, 03 May 2024 14:45:48 +0000


We’re excited to announce a significant update to THOR, our comprehensive digital forensic scanner, which now extends multi-threading capabilities to both the standard version and THOR Lite. Previously exclusive to our forensic lab license holders, this enhancement allows users across all versions to leverage multiple CPU cores to expedite their scans.

Multi-threaded scanning is now available in THOR TechPreview 10.7.15 and THOR Lite 10.7.15 for both standard and free licenses.

Adjusting the number of threads in THOR is straightforward and adaptable. By default, THOR operates with a single thread—a decision made to prioritize system load and stability over scan speed. Users can specify the number of threads using the --threads flag; for example, --threads 2 sets it to two threads.

However, two other options may prove more practical, considering the actual number of CPU cores available.

Using --threads 0 configures THOR to utilize all available cores. Note that this setting can significantly load the system, potentially affecting other applications or services.

Alternatively, setting the number of threads to a negative value lets users reserve some cores for other tasks. For instance, --threads -4 would use all cores except four. If a system has only four cores, then only one core would be used for THOR.
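The three --threads forms described above resolve to an effective worker count that depends on the host's core count. The function below is an added illustration of those semantics (positive, zero, negative, and the floor of one thread), not THOR's own code; the function names, the command-line parsing and the constructed host sizes are assumptions made for the example.

```python
"""Resolve THOR's --threads flag to an effective worker count.

Added illustration of the semantics described in the post, not THOR's own
code: a positive value is used as given, 0 means every core, a negative value
means all cores minus that many, and THOR never runs with fewer than one
thread (so --threads -4 on a four-core host yields one). The default of a
single thread is from the post; the function names are assumptions.
"""
import os
from typing import Optional


def resolve_threads(threads_flag: int, cpu_count: int) -> int:
    """Map a --threads value onto the number of worker threads THOR would use."""
    if cpu_count < 1:
        raise ValueError("cpu_count must be at least 1")
    if threads_flag > 0:
        return threads_flag                 # explicit count, e.g. --threads 2
    if threads_flag == 0:
        return cpu_count                    # --threads 0: use all cores
    # Negative: reserve |threads_flag| cores for other workloads, floor at one.
    return max(1, cpu_count + threads_flag)


def parse_threads_flag(argv: list) -> int:
    """Read the value following --threads from a command line; default is 1.

    Only the space-separated form shown in the post ("--threads -4") is handled.
    """
    for i, arg in enumerate(argv):
        if arg == "--threads" and i + 1 < len(argv):
            return int(argv[i + 1])
    return 1


def plan_for_host(argv: list, cpu_count: Optional[int] = None) -> dict:
    """Summarise what a command line means on a host with cpu_count cores.

    'reserved' is the number of cores actually left free, which is smaller
    than the requested reservation once the one-thread floor applies.
    """
    cores = cpu_count if cpu_count is not None else (os.cpu_count() or 1)
    flag = parse_threads_flag(argv)
    used = resolve_threads(flag, cores)
    return {"flag": flag, "cores": cores, "threads": used, "reserved": cores - used}


if __name__ == "__main__":
    # Constructed command lines evaluated on constructed 8-core and 4-core hosts.
    cmds = (["thor-lite"], ["thor-lite", "--threads", "2"],
            ["thor-lite", "--threads", "0"], ["thor-lite", "--threads", "-4"])
    for cores in (8, 4):
        for cmd in cmds:
            print(f"{cores} cores: {' '.join(cmd):26} -> {plan_for_host(cmd, cpu_count=cores)}")
```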

New Lab License Feature: Audit Trail

We’re pleased to introduce a new feature for our lab license holders, with more exciting updates on the horizon. The feature, called “Audit Trail,” can be activated during a scan using the --audit-trail flag. This generates a comprehensive log file in JSON format, capturing detailed output for each module and documenting every element that THOR interacts with during a scan.

The Audit Trail feature is currently available in TechPreview version 10.7. The output format isn’t finalized yet, as it will be refined for THOR v11, but this early version allows you to explore the kinds of elements it includes. The audit trail is ideal for forensic analysts conducting manual investigations, providing a detailed record of the scan process.

We’re also developing tools to further enhance the audit trail’s utility. These tools will help transform the data for use with your preferred timeline tools and enable correlations within its contents. For example, you can analyze whether a file was created within a relevant time frame, executed shortly after, and is still running as a process.

If you have questions about these features or want to report any issues, please join our community Discord server.


Protecting Your Business: Addressing the Microsoft Exchange Vulnerability Crisis
https://www.nextron-systems.com/2024/04/03/microsoft-exchange-vulnerability-crisis/
Wed, 03 Apr 2024 14:31:53 +0000

Discover how to safeguard your business from the ongoing Microsoft Exchange vulnerability crisis highlighted by the German Federal Office for Information Security (BSI). Learn about critical warnings, the importance of patching, and how automated compromise assessments with THOR Cloud Lite can fortify your cybersecurity strategy.

The German Federal Office for Information Security (BSI) has issued a warning that underscores a critical cybersecurity threat: over 17,000 Microsoft Exchange servers in Germany are exposed online, vulnerable to critical security vulnerabilities. This situation presents a significant risk to the IT infrastructure of affected organizations and their operational security. IT management and decision-makers must urgently adopt measures to protect their networks from potential cyberattacks.

The German BSI Alert: A Critical Warning

The BSI’s alert brings to light the precarious state of Microsoft Exchange servers across Germany, with around 37% of systems found to be critically vulnerable. This includes outdated versions such as Exchange 2010 and 2013, which make up 12% of the installations and have not been updated since October 2020 and April 2023, respectively. Additionally, nearly 28% of the servers running newer versions like Exchange 2016 and 2019 are missing essential patches for critical security flaws that could be exploited in remote code execution attacks.

The BSI’s warning about the vulnerabilities in Microsoft Exchange servers in Germany highlights a crucial aspect of cybersecurity: the inadequacy of relying solely on patching, especially for systems that have been exposed online. The alert reveals that a significant percentage of these systems remain critically vulnerable due to outdated versions or missing patches for known security flaws. This situation indicates that, while patching is a necessary step in cybersecurity maintenance, it is not sufficient on its own. For systems that have been exposed to the internet and potentially compromised before the application of patches, conducting a thorough compromise assessment is an essential next step. This assessment determines the extent of any breach and the presence of attackers within the network, guiding the necessary response to secure the compromised systems.


Patching and the Critical Need for Compromise Assessment

Patching plays a crucial role in protecting Microsoft Exchange servers from cyber attackers by addressing known vulnerabilities. However, vulnerabilities can be exploited before patches are applied, leaving organizations unknowingly at risk. This underscores the need for compromise assessments, especially after applying patches to previously vulnerable systems.

Compromise assessments are vital for determining if a system was compromised before the patch was implemented. These assessments help identify whether attackers have remained dormant within the network, potentially engaging in malicious activities such as credential dumping and lateral movement. Identifying signs of a successful attack early can prevent a minor breach from escalating into a more severe and extensive compromise. Given the complexity and expertise required for thorough assessments, automated solutions like THOR Cloud Lite offer a practical and efficient alternative to manual investigations.

Automated Compromise Assessments with THOR Cloud Lite

For those seeking an automated approach to compromise assessments, our THOR Cloud Lite offers a practical solution. While the full THOR Cloud service is slated for release in Q2/2024, THOR Cloud Lite is currently available and provides a robust set of features tailored for efficient and automatic compromise assessments.

THOR Cloud Lite utilizes a comprehensive, though reduced, open-source rule set and a selection of THOR’s advanced modules to effectively uncover evidence of the exploitation of vulnerabilities. This focus on post-exploitation activities allows organizations to swiftly identify signs of compromise, such as lateral movements, credential dumping, and other indicators of malicious activity within their network.

Benefits of Using THOR Cloud Lite for Your Security Strategy

  • Efficient Detection: Leverage the power of THOR Cloud Lite to detect signs of exploitation with significantly less effort and time compared to manual investigations.
  • Accessibility: With THOR Cloud Lite, organizations can start enhancing their cybersecurity posture immediately, taking advantage of up to 30 scans per month without any cost.
  • Preparation for THOR Cloud: As we prepare for the launch of THOR Cloud, users of THOR Cloud Lite can familiarize themselves with the process of automated compromise assessments, setting the stage for a seamless transition to the more comprehensive features THOR Cloud will offer upon its release.

THOR Cloud Lite represents an effective step forward in automating compromise assessments, providing organizations with a valuable tool in their cybersecurity arsenal as they await the full capabilities of THOR Cloud.


Integration of THOR in Velociraptor: Supercharging Digital Forensics and Incident Response
https://www.nextron-systems.com/2023/11/03/integration-of-thor-in-velociraptor-supercharging-digital-forensics-and-incident-response/
Fri, 03 Nov 2023 14:17:30 +0000


Digital forensics and incident response (DFIR) are critical components of the cybersecurity landscape. Evolving threats and complex cyber-attacks make it vital for organizations to have efficient and powerful tools available. If you are not already enjoying the benefits of our ASGARD platform and you are using Velociraptor for DFIR, it is worth reading on. In this blog post, we explore the integration of THOR into Velociraptor and the benefits it brings to Velociraptor users.

If you are a technical reader and already know your way around THOR and Velociraptor, you might want to jump directly to the end of the blog.

DFIR Platforms

If you’re content with Velociraptor for your endpoint management and wary of switching your DFIR platform, we understand your concerns. Hence, we’ve crafted artifacts that integrate THOR, our endpoint scanner, into your existing Velociraptor setup. This integration allows you to leverage THOR’s robust scanning capabilities, ensuring a streamlined, efficient, and non-disruptive addition to your security infrastructure. While we consider ASGARD to be the prime solution for managing and evaluating THOR scans, this blog ensures you have a robust alternative that complements and enhances your current security measures without adopting a new platform.

Velociraptor - Digging Deeper!

“Velociraptor is an advanced digital forensic and incident response tool that enhances your visibility into your endpoints.”
https://docs.velociraptor.app/

Velociraptor is an open-source digital forensic and incident response tool designed to collect, monitor and hunt within your environment. At its core is the Velociraptor Query Language (VQL), a solid framework for creating highly customized queries. These queries can collect and monitor data from single or multiple endpoints across a network. VQL queries can be packed into ‘Artifacts’, structured YAML files containing named queries for easy searching, execution and sharing with the community. These Artifacts serve as modules, each typically focused on retrieving a specific type of information from an endpoint, which simplifies forensic and monitoring tasks.

THOR APT Scanner

THOR is an advanced compromise assessment tool designed to detect hack tools, backdoors, and traces of hacker activity on endpoints that standard anti-virus solutions often miss. Using over 20,000 YARA signatures and more than 24 specific modules, THOR examines systems for signs of attacker tools, system manipulations, and suspicious log activity. THOR pairs this extensive detection rate with system stability, monitoring resource usage and auto-adjusting its performance.

Supercharge Your DFIR with Integration

Consider a scenario where you see unusual network activity from a host within your company network. Now, where do you start?
This is where THOR shines: with its huge (offline) detection set, it is the perfect starting point for your DFIR process. With THOR you do not need to know what you are looking for; THOR knows on its own! Use the open-source Velociraptor THOR artifact (see below) to boost your triage while still working in your familiar Velociraptor UI, using its features for collection, monitoring and mitigation.

Velociraptor THOR Artifacts

We’ve created three Velociraptor artifacts for using and leveraging THOR:

  • Generic artifact for the THOR (enterprise) forensic scanner. Works on all major operating systems and licenses endpoints on the fly.
  • Artifact best used in combination with THOR Lite. Expects a ZIP file with THOR Lite (as downloaded from our servers) and a THOR Lite license. Works on all major operating systems.
  • Artifact for the newest member of the THOR family: THOR Cloud.

Get Started


Introducing THOR-Cloud Lite: Seamless On-Demand Forensic Scanning Made Easy
https://www.nextron-systems.com/2023/10/30/introducing-thor-cloud-lite-seamless-on-demand-security-scanning-made-easy/
Mon, 30 Oct 2023 12:26:54 +0000


We just launched THOR-Cloud Lite, our new free, lightweight and easy-to-deploy on-demand compromise assessment scanner. It lets you access your scans and reports from anywhere at any time. Licensing, scan campaigns and reports are all conveniently managed in the new web-based user interface.

Easy Setup – Powerful Features

Previously, scanning with THOR required manual setup and additional on-premises systems. With THOR Cloud we completely eliminated the need for on-premises systems and additional agents. The entire client setup is handled by the new THOR Cloud launcher, a single application that sets up the THOR scanner on your devices.

The THOR scanner includes over 20,000 pre-built signatures designed to detect various traces of hacking activity, ensuring thorough analysis and the identification of potential security threats. THOR and the THOR Cloud launcher support Windows, Linux and macOS, ensuring coverage for all kinds of environments.

Campaigns are managed through our web-based interface, allowing for easy configuration and convenient management from a centralized location. The campaign overview shows the scan status and the results of current and previous scans, allowing for a quick initial assessment. Campaigns offer a variety of options, such as setting up one-time or recurring scans.

THOR Cloud’s scans offer in-depth insights, serving as a valuable second opinion on security events. Each scan generates various output files, including an HTML report that provides a prioritized view of the scan log.

This helps analysts quickly investigate and qualify security events, which can expedite analysis, reduce the need for further manual investigations, and optimize resource allocation, making it an ideal extension to support your SIEM or EDR analysts.

Easy To Use And Integrate

THOR Cloud is built with usability and accessibility in mind, offering step-by-step guides and extensive documentation for end users and developers. With the guided setup you can simply follow along to deploy THOR Cloud in your environment without any prior knowledge.

All features present in the interface are easily accessible via an API, ensuring seamless integration with your existing solutions, whether you want to automate workflows, integrate with existing systems (SIEM/EDR), or build custom applications. Everything is possible with our powerful API.

Video

In the following recorded video session, we delve into the essence of THOR Cloud and offer a concise demonstration of the platform:

(if you can’t see the embedded video, here is a direct link)

Conclusion & Get Started

In conclusion, THOR Cloud is a game-changer for on-demand security scans and compromise assessments. It offers simplicity, accuracy, and ease of integration, while reducing management and deployment efforts.

Sign up for a free THOR Cloud Lite account here.

The free version of THOR Cloud includes the THOR Lite scanner and the open source signature set. A full version including the enterprise-grade THOR scanner with our full signature set will be launching in Q1 2024.

Check out the THOR Cloud product page for more information.

Mjolnir Security: Incident Response Training – Dive Deep into Cybersecurity
https://www.nextron-systems.com/2023/09/26/mjolnir-security-incident-response-training-dive-deep-into-cybersecurity/
Tue, 26 Sep 2023 13:07:32 +0000

We’re thrilled to announce an exciting collaboration with our esteemed partner, Mjolnir Security. Immerse yourself in their renowned “Blue Team Incident Response Training”, taking place from the 23rd to the 26th of October.

This four-day intensive program promises a deep dive into the world of cybersecurity, with sessions spanning 4 hours each day. And don’t worry if you can’t attend live – every session is recorded, ensuring you won’t miss a beat.

Enhance your cybersecurity skills by learning how to craft precise YARA rules. Witness the full prowess of the THOR scanner in action, integrated seamlessly with the ASGARD Management Center – our flagship centralized management platform designed for effortless scan management, advanced incident response capabilities, and much more. Plus, experience firsthand how our Analysis Cockpit can dissect and interpret findings, offering invaluable insights.

Discover the synergy of our enterprise-grade tools and visualize what a comprehensive deployment looks like in real-world scenarios. It’s a hands-on experience not to be missed!

Exclusive Discounts for Our Community:

  • THOR Lite Subscribers: Enjoy 30% off the training fees. Just apply the discount code NextronThorLite at checkout.
  • Existing Nextron Customers: We value your trust! Contact us to claim an exclusive 50% discount on the training.
  • Law Enforcement and Government Agencies: In our commitment to fortifying cybersecurity defenses at all levels, this training is free for you. Please contact us directly for details on how to claim this offer.

Join us, and let’s elevate our cybersecurity skills together!

How to scan Ivanti Endpoint Manager Mobile (EPMM) / MobileIron Core for CVE-2023-35078 Exploitation
https://www.nextron-systems.com/2023/07/25/how-to-scan-ivanti-endpoint-manager-mobile-epmm-mobileiron-core-for-cve-2023-35078-exploitation/
Tue, 25 Jul 2023 21:02:05 +0000

In this blog post, we address a critical security concern and explore methods for evaluating potential compromises on devices like Ivanti Endpoint Manager Mobile (EPMM) / MobileIron Core using THOR or the free THOR Lite YARA and IOC scanners.

Recently, a severe remote unauthenticated API access vulnerability, CVE-2023-35078, was identified in Ivanti Endpoint Manager Mobile (EPMM), the product formerly branded as MobileIron Core. This vulnerability poses a significant threat to organizations relying on this software.

In this article, we focus on a practical approach that involves mounting the remote file system using SSH (SSHFS) and instructing THOR to perform scans on the mounted remote filesystem. This technique allows us to evaluate whether the vulnerability has been exploited and assess the security of the remote system without requiring direct physical access or an agent on that remote system.

If you found our previous blog post on performing compromise assessments on NetScaler / Citrix ADC Appliances with THOR helpful, then you’ll find this guide invaluable for evaluating potential compromises on your Ivanti EPMM / MobileIron Core appliances. Let’s dive in and learn how to gain deeper insights into potential compromises through remote scans.

Prerequisites

  • Define an “Enable Secret” via the MICS dashboard
    • https://<mi-core>:8443/mics/mics.html#settings:mi-cli
    • Settings –> CLI –> “Change Enable Secret”
  • SSH to Core and create the “misupport” user
    • ssh admin@<mi-core> (log in with the admin password, the same as for WebUI access)
    • $> enable
    • $> configure terminal
    • $> service support (outputs a one-time password for the misupport account):
      One-time-password for account misupport set to AsdfGhJkL job 93 at Tue Jul 25 14:14:00 2023 misupport user session will be expire in 30 minutes.

Note that the CLI announces an expiry for the misupport session, so establish the SSHFS mount described in the next section right after creating the account.

Mounting the Remote File System via SSH

First we create a new folder and mount the remote file system to that local folder:

sudo mkdir -p /mnt/remotefs
sudo sshfs -o reconnect misupport@<mi-core>:/ /mnt/remotefs

The -o reconnect option makes SSHFS re-establish the SSH session automatically when the connection drops, which is what you want on unstable networks (see the notes on network disconnects further below).

Scanning the Mount Point with THOR Lite

With THOR Lite we can now run a so-called “Filescan” on the mounted drive.

sudo ./thor-lite-linux-64 -a FileScan --alldrives -p /mnt/remotefs

The following scan is much more intense, as it scans every single file regardless of its extension or type. Scanning every file usually leads to much longer scan times and, over an SSHFS mount, considerably higher network load, so use the --intense flag with care.

sudo ./thor-lite-linux-64 -a FileScan --alldrives -p /mnt/remotefs --intense

Scanning the Mount Point with THOR

With a full-featured THOR and a so-called Lab license we can use the --virtual-map flag to map the folder /mnt/remotefs to / internally. Signatures and filename patterns that depend on a file’s path are then evaluated against this virtual path (as it appears on the appliance) instead of the actual path below the mount point. We can also define a hostname that will appear in the log file using the -j flag; otherwise the log would always contain the hostname of the scanning workstation.

sudo ./thor-linux-64 -a FileScan --alldrives -p /mnt/remotefs

With the full version, we use a different flag combination for a more intense scan of the remote system, as the Lab license allows us to use the --lab flag.

sudo ./thor-linux-64 --lab -p /mnt/remotefs --virtual-map /mnt/remotefs:/ -j my-ns-hostname

The --lab flag activates the intense scan mode that checks every file, enables multi-threaded scanning, deactivates resource control and sets some other options that are useful in a lab scanning scenario.

Example Match

The screenshot shows an example match on a CVE-2023-35078 exploitation attempt. The rule that detects this attack is included in THOR and in the free THOR Lite version.

Specific Detection Rules

YARA

All YARA rules and IOCs for this threat have been shared in the free version of our scanner, THOR Lite.

Hash IOCs

The hash IOCs used in THOR and THOR Lite are published in our public signature repository.

We created the log detection rule by analyzing a report that was shared under TLP:AMBER with affected parties. The rule relies on the URI path of the request and the status code the service returns when the exploitation succeeds.

The rule to detect the successful exploitation of the vulnerability looks like this:

The other rules are based on samples mentioned in the CISA report.

Other Notes

  • Scans over SSH mounts can take longer than usual
  • A network disconnect only pauses the scan; a forced “umount” of the mount point while THOR is running crashes the scanner, so wait for the scan to finish before unmounting
  • We tested network disconnects of 1 and 5 minutes. After a reconnect THOR just resumes the scan where it left off

Conclusion

As the frequency and complexity of cyberattacks continue to rise, ensuring the security of Internet-facing devices becomes paramount. By incorporating THOR’s YARA rules into compromise assessment scans, users can bolster their defenses and remotely identify potential threats on devices like Ivanti EPMM / MobileIron Core and others.

Additionally, the ability to extend this coverage to unsupported devices opens up new possibilities for safeguarding critical systems. Adopting these cutting-edge cybersecurity practices will undoubtedly prove instrumental in mitigating risks and protecting digital assets in an ever-evolving threat landscape.

Advantages of the full THOR version

Apart from the usual advantages of the full THOR version over THOR Lite, there are a few more reasons to use the full version in this scenario:

  • Use multiple instances on a single source system to scan many different remote systems at the same time
  • Use virtual drive mapping to allow for additional detection opportunities
  • Set a custom host name that appears in the log files (helpful when you scan many different targets)

If you’re interested in the full version, please contact us.

New THOR 10.7.8 TechPreview Features
https://www.nextron-systems.com/2023/06/22/new-thor-10-7-8-techpreview-features/
Thu, 22 Jun 2023 15:03:25 +0000

We are thrilled to unveil THOR 10.7.8, the latest version of our advanced persistent threat (APT) scanner, which brings a host of powerful features to enhance threat detection and analysis. In this blog post, we will highlight some of the notable additions that make THOR 10.7.8 an invaluable tool in the fight against sophisticated adversaries.

Init Selectors / Init Filters

THOR 10.7.8 introduces the Init Selector and Init Filter functionalities, allowing users to fine-tune and customize their scanning process for improved accuracy and efficiency.

You can use these flags to limit the signature set to a certain campaign, threat or threat actor. 

--init-selector MOVEit
--init-selector RANSOM,Lockbit

Or use it to disable a set of rules:

--init-filter PUA_TeamViewer

The filter values are applied to:

  • Rule name
  • Tags
  • Description

It is important to note that while these features offer flexibility and customization, we recommend using a limited signature set only for specific use cases, e.g. when scanning exclusively for indicators related to a specific campaign. A reduced rule set also means reduced coverage: everything outside the selection goes undetected in that scan.

To verify which signatures were selected or filtered, combine the flags with --print-signatures, which lists all initialized signatures. The --print-signatures-json variant outputs the same listing as JSON for automated processing. The screenshot shows the output of --print-signatures.

THOR Util Feature: Convert to CSV

Moreover, the latest addition to THOR Util offers a convenient way to convert scan results into CSV format. This feature greatly facilitates the process of analyzing and generating reports seamlessly.

The “logconvert” function now includes two new flags, “--to-csv” and “--to-csv-zip”.

For example:

thor-util logconvert --file mylog.txt --to-csv-zip

By executing this command, THOR Util will generate a ZIP file that contains CSV files for the output of each THOR module. These files can be effortlessly opened and analyzed using various tools such as Microsoft Excel or Modern CSV.

We previously introduced this feature in a blog post published in March of this year.

Output Encryption at Runtime

With the ability to encrypt at runtime, THOR 10.7.8 provides an extra layer of protection, ensuring that sensitive data remains secure throughout the scanning process.

See this chapter in the user manual for more details.

Minimum Sigma Level

To enhance flexibility, THOR 10.7.8 introduces a minimum Sigma Level option, expanding beyond the previous high/critical classification and allowing users to tailor the severity threshold to their specific needs.

For example:

--minimum-sigma-level medium

Note: Sigma scanning is only available in the full version of THOR or a THOR Lite licensed for commercial use.

Color Scheme Support

Furthermore, THOR 10.7 now includes color scheme support, offering users a customizable visual experience. This feature is particularly beneficial for terminals with unusual color settings, such as a white background color.

Users can select from three predefined color schemes, allowing them to tailor the appearance of THOR to their preferences and ensuring optimal readability and usability in various terminal environments.

--background [light/dark/default]

New JSON Output (v2)

One of the standout features in THOR 10.7.8 is the introduction of the JSON v2 output format, which brings significant enhancements to the data structure and compatibility.

For compatibility with existing systems and configurations, the new format is not enabled by default and has to be activated explicitly:

--jsonfile --jsonv2

This upgraded JSON format serves as the foundation for an upcoming feature called “audit trail” mode, slated for release later this year. This mode generates a comprehensive JSON file encompassing a wide range of forensic artifacts and findings. Users can leverage this file to conduct in-depth analysis and exploration using timeline explorers or preferred tools of their choice.

By adopting the JSON v2 format, THOR empowers users with the ability to extract and process a wealth of valuable information, facilitating thorough investigations and enabling seamless integration with existing forensic workflows. Stay tuned for the forthcoming “audit trail” mode, as it promises to revolutionize the way organizations analyze and interpret the outputs of THOR scans.

Current JSON output format (v1)

New JSON output format (v2)

Signature Listing as JSON

In the latest version, THOR can print its signature listing as JSON. This makes it easy to compare the signatures of two versions (e.g. to see which rules were added, removed or changed) and to process the listing in automated workflows or other tools.

--print-signatures-json
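
As an added illustration of the two features above (Init Selectors / Init Filters and the JSON signature listing), not THOR or THOR Util code: the following Python snippet simulates how a selector or filter narrows a signature set using the three fields named above (rule name, tags, description), checks a --print-signatures-json listing for rules that should not have been initialized, and diffs two listings to see which rules were added, removed or changed between versions. The listing shape (a JSON array of objects with name, tags and description keys) and the matching semantics (case-insensitive substring match, a rule is selected if any comma-separated term hits any of the three fields) are assumptions, and the sample listings and rule names are constructed for the example.

```python
"""Work with THOR's signature listing as JSON: simulate --init-selector /
--init-filter, verify a listing against a selector, and diff two listings.
Added example for this page; not THOR or THOR Util code. ASSUMPTIONS: the
listing is a JSON array of objects with "name", "tags" and "description";
selector terms are case-insensitive substrings, and any term hitting any of
those three fields selects the rule."""
import json
from typing import Dict, List

# Constructed sample listings standing in for two --print-signatures-json
# runs of different THOR versions. Rule names are made up for the example.
OLD_LISTING = json.dumps([
    {"name": "WEBSHELL_ASPX_Example_Jun23_1", "tags": ["WEBSHELL", "MOVEit"],
     "description": "Web shell dropped during MOVEit exploitation", "score": 85},
    {"name": "PUA_TeamViewer_Example", "tags": ["PUA"],
     "description": "TeamViewer remote access component", "score": 40},
    {"name": "MAL_RANSOM_Lockbit_Example", "tags": ["RANSOM"],
     "description": "Lockbit ransomware payload", "score": 80},
])
NEW_LISTING = json.dumps([
    {"name": "WEBSHELL_ASPX_Example_Jun23_1", "tags": ["WEBSHELL", "MOVEit"],
     "description": "Web shell dropped during MOVEit exploitation", "score": 85},
    {"name": "WEBSHELL_ASPX_DLL_Example_Jun23_1", "tags": ["WEBSHELL", "MOVEit"],
     "description": "Compiled web shell DLL in the ASP.NET cache", "score": 85},
    {"name": "MAL_RANSOM_Lockbit_Example", "tags": ["RANSOM"],
     "description": "Lockbit ransomware payload", "score": 90},
])


def _haystack(sig: dict) -> str:
    """The three fields the page says selector/filter values are applied to."""
    return " ".join([sig.get("name", ""), " ".join(sig.get("tags", [])),
                     sig.get("description", "")]).lower()


def matches(sig: dict, value: str) -> bool:
    """True if any comma-separated term of an --init-selector/--init-filter
    value occurs in the rule name, tags or description (assumed semantics)."""
    terms = [t.strip().lower() for t in value.split(",") if t.strip()]
    hay = _haystack(sig)
    return any(t in hay for t in terms)


def apply_init_flags(listing_json: str, selector: str = "", filt: str = "") -> List[str]:
    """Names of the rules THOR would initialize with the given flags (simulated)."""
    kept = []
    for sig in json.loads(listing_json):
        if selector and not matches(sig, selector):
            continue            # not selected
        if filt and matches(sig, filt):
            continue            # explicitly filtered out
        kept.append(sig["name"])
    return kept


def unexpected_rules(listing_json: str, selector: str) -> List[str]:
    """Sanity check on the listing THOR printed after --init-selector: every
    rule should match the selector; anything returned here deserves a look."""
    return [sig["name"] for sig in json.loads(listing_json) if not matches(sig, selector)]


def diff_listings(old_json: str, new_json: str) -> Dict[str, List[str]]:
    """Compare two listings by rule name: added, removed, and changed rules
    (changed = any differing attribute, e.g. score or description)."""
    old = {s["name"]: s for s in json.loads(old_json)}
    new = {s["name"]: s for s in json.loads(new_json)}
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(n for n in old.keys() & new.keys() if old[n] != new[n]),
    }


if __name__ == "__main__":
    print(apply_init_flags(OLD_LISTING, selector="RANSOM,Lockbit"))
    print(apply_init_flags(OLD_LISTING, filt="PUA_TeamViewer"))
    print(json.dumps(diff_listings(OLD_LISTING, NEW_LISTING), indent=2))
```

In practice you would save the real --print-signatures-json output of two THOR versions to files and pass their contents to diff_listings, and run unexpected_rules over the listing produced by a scan with --init-selector to confirm nothing outside the intended campaign was initialized.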

Artefact Collector

We are excited to introduce the Artefact Collector, a powerful new feature in THOR 10.7.8 designed to streamline the process of collecting system artefacts for forensic analysis. This feature offers a range of benefits, including quick and efficient collection, bypassing the use of Windows API for the raw file collection process. By default, the Artefact Collector focuses on capturing key artefacts, ensuring that critical evidence is gathered effectively.

In addition to the default collection targets, users have the flexibility to specify custom targets, tailoring the collection process to their specific needs. The Artefact Collector goes above and beyond, acquiring special and in-use files, including alternate data streams, system files, and hidden files. With the inclusion of glob patterns, users can easily define custom targets with precision.

The Artefact Collector feature empowers forensic analysts and investigators with a streamlined and comprehensive approach to system artefact collection. By simplifying the process and expanding the scope of collection, THOR 10.7.8 equips users with the tools necessary to conduct thorough forensic analysis and extract valuable insights from system artefacts.

Flags that activate the artefact collector are:

--collector
--collector-only

The artefact collection feature requires a special server / workstation license. It’s also active in every Forensic Lab license.

Some of the listed features are already available in the released version 10.7.6.
The release of 10.7.8 is planned for week 26.

Scanning for Indications of MOVEit Transfer Exploitation with THOR Lite
https://www.nextron-systems.com/2023/06/03/scanning-for-indications-of-moveit-transfer-exploitation-with-thor-lite/
Sat, 03 Jun 2023 09:37:23 +0000

On June 1st, the vendor of MOVEit Transfer, previously known as Ipswitch but now called Progress, announced the discovery of a critical security vulnerability that has been exploited. MOVEit is an enterprise software utilized by numerous organizations globally for secure managed file transfer. According to Shodan, an internet search engine, there are currently over 2,500 servers publicly accessible on the open Internet running MOVEit.

You can find more information on the threat in the vendor’s advisory and the following articles by TrustedSec, Huntress Labs and Mandiant:

Vendor Advisory

The advisory by the vendor Progress was published on June 1 and is updated continuously

TrustedSec Article

This article by TrustedSec lists a lot of indicators and contains information on the dropped web shell

Huntress Labs Article

Huntress Labs reports on the activity including log file entries, IOCs and a YARA rule

Mandiant Report

Mandiant’s report attributes the activity to UNC4857

Upon initial awareness of the compromise, we initiated our own investigation and promptly released a series of detection rules to our public repositories. These Indicators of Compromise (IOCs) and YARA rules were immediately accessible to users of THOR Lite.

While having detection mechanisms in place is a positive step, assessing the situation and ensuring that no system in the network has been impacted by the threat is often a challenging task.

To facilitate this process and perform a rapid scan of your own environment at no cost, one option is to utilize the THOR Lite scanner. By employing this tool, you can leverage the rules mentioned earlier and swiftly evaluate your network for potential threats.

Enter THOR Lite

THOR Lite is the streamlined version of our compromise assessment scanner, THOR. It utilizes YARA rules and Indicators of Compromise (IOCs), such as hash values and file names, to effectively identify malicious activity.

In this technical blog article, we will delve into the utilization of THOR Lite for scanning end systems to detect any signs of malicious activity associated with the MOVEit exploitation.

Furthermore, we will explore the diverse range of indicators that THOR Lite can detect, guide you through the process of tool setup and configuration, and offer tips for comprehending the scan results.

By the end of this article, you will have a comprehensive understanding of how to utilize THOR Lite to conduct compromise assessments within your network.

Download THOR Lite

Visit the product page and subscribe to the newsletter to receive the program package and a license file.

Getting Started

Once you have downloaded the program package in the form of a ZIP archive, extract its contents and locate the license file (.lic). Move the license file to the program folder.

To initiate the program, simply double-click on the “thor64-lite.exe” file without any additional flags. Alternatively, you can open a Windows command line with administrator privileges and navigate to the directory where you extracted the program package.

Upon running the program, a scan window will appear and close automatically upon completion of the scan. Typically, scans take approximately 1 to 4 hours to complete, although there are ways to expedite the scanning process.

Flags to Consider

--nosoft --nolowprio

If you are scanning virtual machines or systems that experience constant high load from other processes, it can be beneficial to use the “--nosoft” and “--nolowprio” flags. They make THOR run with the same process priority as any regular process, so the scan is not starved by the other workload and completes in reasonable time.

--lookback 150 --global-lookback

If you are interested in scanning recently created files and log entries, these flags direct THOR to exclusively scan elements that have been created or modified within the past 150 days. Any file or event log entry older than that timeframe will be ignored, resulting in a significantly smaller set of elements being scanned.

--cpulimit 30

To minimize the impact on end users working on a system during the scanning process, you have the option to reduce the CPU usage of the scanner to, for example, 30%. By doing so, you can prevent them from noticing the scan by decreasing the overall system load and fan noise.

Recommended CommandLine Flags for this Use Case

If a regular scan takes an excessive amount of time, we recommend utilizing the following command line flags to expedite the scan process by limiting it to the changes that have occurred within the last 150 days:

thor64-lite.exe --nolowprio --lookback 150 --global-lookback

To minimize CPU usage and make it as inconspicuous as possible for end users working on the scanned systems, employ the following command:

thor64-lite.exe --lookback 150 --global-lookback --cpulimit 35

Update the Signatures

To ensure that THOR always operates with the latest set of signatures related to the MOVEit exploitation, we are continuously working on enhancing and updating them. To incorporate the newest signatures, utilize the following command:

thor-lite-util.exe upgrade

Interpreting the Scan Results

During the scan you’ll see several messages in green and blue colors. Warning and alert messages use a yellow or red color. But don’t worry when you notice a message in one of those colors: THOR is a scanner that highlights malicious and suspicious elements for review by an administrator or forensic analyst, and not everything shown as a “warning” has to be a real threat.

After the scan finishes, users can find an HTML report in the program folder that lists all findings. 

We recommend searching the HTML report for the “MOVEit” keyword and only review matches with the specific IOCs and YARA rules related to this activity.

THOR Lite is able to detect various forensic artefacts:

  • The dropped ASPX web shell
  • The compiled ASPX web shell in caches (even if attackers removed the .aspx file)
  • Exploitation in the web server log files
  • Access to webshell in web server log files
  • Suspicious file types or extensions in the reported staging directories
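
The log-based checks mentioned on this page, the CVE-2023-35078 rule described in the Ivanti EPMM post above (URI path plus the status code of a successful request) and the two web-server-log artefacts listed here, boil down to the same logic: parse each access-log line, extract client, request URI and status, and compare them against a small indicator table. The following Python script is an added example of that logic; it is not THOR code and not the rules published in signature-base. It is built to run offline: the Apache and IIS sample lines are constructed, the rule names are illustrative, and the indicator values are assumptions this page does not state (the /mifs/aad/api/v2/ path with a 200 response is taken from the public CISA advisory on CVE-2023-35078, the human2.aspx web shell name from the Huntress and Mandiant reporting linked above). Check them against the current published indicators before relying on them.

```python
"""Flag access-log lines matching URI-path + status-code exploitation
indicators. Added example for this page; not THOR code and not the rules
published in signature-base."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Indicator:
    name: str                  # illustrative name, not a signature-base rule name
    uri_substring: str         # compared case-insensitively against path + query
    statuses: Tuple[int, ...]  # empty tuple: match any status code


# ASSUMPTION: these values are not stated on this page. The Ivanti path and
# 200 status follow the public CISA advisory on CVE-2023-35078; the MOVEit
# web shell name follows the Huntress/Mandiant reports linked in the post.
INDICATORS: Sequence[Indicator] = (
    Indicator("EXPL_Ivanti_EPMM_CVE_2023_35078_Success", "/mifs/aad/api/v2/", (200,)),
    Indicator("WEBSHELL_MOVEit_human2_aspx_Access", "human2.aspx", ()),
)

# Apache/Tomcat combined format: ip ident user [ts] "METHOD uri proto" status ...
_COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)
# IIS W3C extended format, default column order used until a #Fields header appears
IIS_DEFAULT_FIELDS = (
    "date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
    "c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken"
).split()


def _parse_combined(line: str) -> Optional[Tuple[str, str, int]]:
    m = _COMBINED.match(line)
    return (m.group("ip"), m.group("uri"), int(m.group("status"))) if m else None


def _parse_iis(line: str, fields: Sequence[str]) -> Optional[Tuple[str, str, int]]:
    parts = line.split(" ")
    if len(parts) != len(fields):
        return None
    rec = dict(zip(fields, parts))
    try:
        status = int(rec["sc-status"])
    except (KeyError, ValueError):
        return None
    uri = rec.get("cs-uri-stem", "")
    if rec.get("cs-uri-query", "-") != "-":
        uri += "?" + rec["cs-uri-query"]
    return rec.get("c-ip", "-"), uri, status


def scan_log(lines: Iterable[str], indicators: Sequence[Indicator] = INDICATORS) -> List[dict]:
    """One hit per (line, indicator) match. Accepts Apache combined and IIS W3C
    lines in the same stream and honours IIS #Fields headers."""
    hits: List[dict] = []
    fields = list(IIS_DEFAULT_FIELDS)
    for lineno, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()  # IIS can reorder its columns
            continue
        if not line or line.startswith("#"):
            continue
        rec = _parse_combined(line) or _parse_iis(line, fields)
        if rec is None:
            continue
        ip, uri, status = rec
        for ind in indicators:
            if ind.uri_substring.lower() in uri.lower() and (not ind.statuses or status in ind.statuses):
                hits.append({"line": lineno, "rule": ind.name, "client": ip, "uri": uri, "status": status})
    return hits


# Constructed sample logs (not real captures). Only line 1 of the Apache sample
# and lines 3-4 of the IIS sample should match.
SAMPLE_APACHE = """\
203.0.113.7 - - [25/Jul/2023:14:14:01 +0000] "GET /mifs/aad/api/v2/admins/users HTTP/1.1" 200 5120 "-" "python-requests/2.31"
198.51.100.9 - - [25/Jul/2023:14:14:02 +0000] "GET /mifs/aad/api/v2/admins/users HTTP/1.1" 401 0 "-" "curl/8.1"
198.51.100.9 - - [25/Jul/2023:14:14:03 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
""".splitlines()

SAMPLE_IIS = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2023-06-01 03:12:44 10.0.0.5 GET /human2.aspx - 443 - 203.0.113.7 Mozilla/5.0+(compatible) - 404 0 2 15
2023-06-01 03:12:45 10.0.0.5 POST /human2.aspx - 443 - 203.0.113.7 Mozilla/5.0+(compatible) - 200 0 0 31
2023-06-01 03:13:00 10.0.0.5 GET /human.aspx - 443 - 198.51.100.9 Mozilla/5.0+(compatible) - 200 0 0 12
""".splitlines()

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_APACHE) + scan_log(SAMPLE_IIS):
        print(hit)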

Signatures 

The subsequent listings display all the publicly available signatures that we have created and implemented in THOR Lite to identify malicious activity.

YARA (public)

WEBSHELL_ASPX_MOVEit_Jun23_1
WEBSHELL_ASPX_DLL_MOVEit_Jun23_1
LOG_EXPL_MOVEit_Exploitation_Indicator_Jun23_1
LOG_EXPL_MOVEit_Exploitation_Indicator_Jun23_2

SIGMA (public)

Emerging Threat Folder: CVE-2023-34362-MOVEit-Transfer-Exploit

Rule Title: Potential MOVEit Transfer CVE-2023-34362 Exploitation
UUID: c3b2a774-3152-4989-83c1-7afc48fd1599

Rule Title: MOVEit CVE-2023-34362 Exploitation Attempt – Potential Web Shell Request
UUID: 435e41f2-48eb-4c95-8a2b-ed24b50ec30b

IOCs

Filename IOCs
filename-iocs.txt @ signature-base

Hash IOCs
hash-iocs.txt @ signature-base

C2 IOCs
c2-iocs.txt @ signature-base

Full THOR Version

Please bear in mind that THOR Lite is solely a demo version of our complete scanner, which encompasses over 27 detection modules and more than 20,000 YARA rules. In contrast, THOR Lite employs only 5 modules and 2,500 rules.

For a comprehensive comparison of features, refer to the full feature comparison on our website. There is also a detailed blog post that explains the differences between the two versions.
