Lastline Defender and Analyst Hosted Release Notes

Version 2023.2

New Features

  • Due to a change in our email hosting service, we will be changing the sender address for emails sent to customers from no-reply@lastline.com to no-reply@vmware.com. Customers should make appropriate adjustments to spam filters and tools to accept emails from this new address. The exact date of the change will be announced in advance on our status page: https://lastline.statuspage.io/
  • To ensure a satisfactory level of security, it is not advisable to use Windows 7. As a consequence, testing the maliciousness of files in this environment is no longer deemed relevant. Therefore, we have decided to gradually phase out the analysis of files on Windows 7. With this latest release, file analysis on Windows 7 will become optional. All analysis on Windows 7 will cease by the end of the year.

Detection Improvements

  • LLAM-9586: Improved detection of Git credential stealers
  • LLAM-9587: Improved detection of WiFi credential stealers
  • LLAM-9980: Improved detection of NTDLL unhooking evasion
  • LLAM-9589: Improved detection of FileZilla credential stealers
  • LLAM-9590: Improved detection of Cyberduck credential stealers
  • LLAM-9979: Improved detection of NTDLL unhooking evasion
  • LLAM-10077: Improved detection of Xdr33 Backdoor
  • LLAM-10236: Improved detection of Disdroth trojan
  • LLAM-10237: Detection of Telegram bot (informational)
  • LLAM-10241: Improved detection of PolyRansom malware
  • LLAM-10328: Improved detection of malware related to the 3CX supply chain attack
  • LLAM-10338: Improved detection of obfuscated AsyncRAT
  • LLAM-10440: Improved detection of Keyplug malware
  • LLAM-10447: Improved detection of Amadey malware
  • LLAM-10469: Improved detection of a Downloader
  • LLAM-10473: Improved detection of Mirai MooBot
  • LLAM-10474: Improved detection of CrimsonRAT
  • LLAM-10475: Improved detection of Nukesped malware
  • LLAM-10505: Improved detection of the RokRat PowerShell starter
  • LLAM-10516: Improved detection of Python Stealer
  • LLAM-10518: Improved detection of Qakbot
  • LLAM-10519: Improved detection of ClipBanker
  • LLAM-10525: Improved detection of ransomware
  • LLAM-10529: Improved detection of Nokoyawa ransomware
  • LLAM-10545: Improved detection of Kimsuky malware
  • LLAM-10546: Improved detection of Parite malware
  • LLAM-10555: Improved detection of Rootkits
  • LLAM-10561: Improved detection of Ligolo hacktool
  • LLAM-10562: Improved detection of Nanodump hacktool
  • LLAM-10563: Improved detection of BlackCat ransomware
  • LLAM-10570: Improved detection of Buhti ransomware
  • LLAM-10571: Improved detection of Earthworm hacktool
  • LLAM-10595: Improved detection of malicious LNK files executing PowerShell
  • LLAM-10597: Improved detection of malicious LNK files executing msiexec.exe
  • LLAM-10615: Improved detection of Bruteforce hacktool
  • LLAM-10651: Improved detection of Clipper dropper
  • LLAM-10671: Improved detection of Mirai Condi Botnet
  • LLAM-10672: Improved detection of PyCrypter
  • LLAM-10685: Improved detection of Meduza Stealer
  • LLAM-10686: Improved detection of WarHawk backdoor
  • LLAM-10668: Improved detection of Emeka Crypter
  • LLAM-10693: Improved detection of IcedID trojan
  • LLAM-10695: Improved detection of Bandit stealer
  • LLAM-10704: Improved detection of Invicta Stealer
  • LLAM-10735: Improved detection of Spyder trojan
  • LLAM-10762: Improved detection of Boxter Downloader

Bug Fixes and Improvements

  • ASDK-572: The sensor component that submits files to the Lastline backend (RAPID) was allocated additional memory because it needs to process larger files. In addition, this component was configured to silently refresh its service periodically so that memory is released when it is no longer required. This should address the out-of-memory errors and restarts of this component that sometimes occurred in the previous release.
  • LLAM-10326: Reduced false positives in script behavior analysis.
  • SENT-3742: A bug introduced in earlier releases prevented static network configuration of an appliance running on a VMware virtual machine, forcing the network configuration to fall back to DHCP. The problem is now fixed.
  • USER-5829: Addressed an issue where pages were not loading properly in the Chrome browser.

Deprecation of API Methods

The Lastline API documentation includes a deprecation schedule for deprecated Lastline API methods, as well as information on how to replace usage of these deprecated methods with supported methods.

Released Appliance Versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise Hosted:

Lastline Sensor version 1370

Distribution Upgrade

Sensor version 1220 was the final version to support Ubuntu Xenial as our operating system distribution. In order to upgrade to 1370, you must be running Bionic as the operating system distribution. You can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "bionic". If it is "xenial", the appliance distribution needs to be upgraded before the sensor can be upgraded to 1370. For help on the upgrade process, please refer to the following instructions. This update is not performed automatically, to prevent unexpected downtime.
