Thursday, November 18, 2021

Uncovering brandjacking with VirusTotal

Malicious activity comes in all kinds of colors and flavors, sometimes abusing users’ trust by impersonating well-known brands to steal their private data, install malware or run some other form of scam. At VirusTotal we analyze more than 3 million distinct URLs daily, obtaining not only AV verdicts from more than 70 different vendors but also extracting as much data as possible, including headers, cookies and HTML meta tags. This data is indexed and related to other observables we keep in our database, which is an excellent way to track malware infrastructure but also to find other forms of fraudulent activity. Indeed, many of our customers use VirusTotal daily to monitor brand abuse and fraudulent impersonation.

In this post we will describe how VirusTotal served to investigate the Anniversary brand abuse campaign by our good friends from Hispasec.


How to start our investigation


In this particular case, the campaign was distributed mostly using WhatsApp messages, where the victims were encouraged to share with their contacts links similar to the following ones:

hxxp://mayhx[.]cn/adidas-mo

hxxp://luby3a0[.]cn/r2eizhga/adidas-mo


These domains seem to be randomly generated. Now, starting from this information, how can we start an investigation in VirusTotal? There are a few handy VTI modifiers we can leverage:


  • Tracker: Many websites use different ad trackers, which we try to find inside the HTML body of the analyzed URL. If two websites share the same ad tracker, it usually means they are owned by the same person. You can use this modifier to find URLs where we found the same tracker. Example VTI search: entity:url tracker:G-J151F98PH2

  • Main_icon_dhash: Here we will find other websites having the same favicon. VirusTotal calculates the favicon’s hash for us and does a fuzzy search to find similar ones. Example VTI search: entity:url main_icon_dhash:4932332b178e4d20



It seems we have several ideas to start our search with. As you have probably already realized, the values used in the previous example VTI searches correspond to the two malicious websites we started our analysis with. Some of them are extremely precise for a given search (such as the response sha256), while others, like the favicon, title and path, look interesting for any automatically generated infrastructure. However, one of the key elements for this investigation was the tracker, as it identifies the website owner.

Let’s first check the prevalence of all these different elements among VirusTotal:


Description | Value | VTI search | Items found
Google Tag Manager tracking ID | G-J151F98PH2 | entity:url tracker:G-J151F98PH2 | 13.91K
HTML title | 🎉Adidas 70th Anniversary!🎊 | entity:url title:"🎉Adidas 70th Anniversary!🎊" | 35.79K
URL path | adidas-mo | entity:url path:adidas-mo | 24.44K
Favicon | Cute pink heart | entity:url main_icon_dhash:4932332b178e4d20 | 1.22M
Response body SHA256 | e839c5398c1fe08dde3a4b0ffb39fd6b6a7c6dcab9d5477b0dfdfe8d62bcd77b | entity:url response_sha256:e839c5398c1fe08dde3a4b0ffb39fd6b6a7c6dcab9d5477b0dfdfe8d62bcd77b | 5.74K


The number of items found is pretty high, which could mean either that this is a large campaign or that the values are not really representative. Combining three of the criteria listed above (title, tracker and path) in a single search returns 13.86K results, confirming it is a huge campaign. We can add an extra modifier such as p:5+ (detected as malicious by at least 5 different AV vendors) for a total of 11.02K, confirming our suspicions.


Leveraging VT Graph


Another way to start our investigation would be to take advantage of VT Graph. This puts on the table all the elements related to the IOCs we start our investigation with, giving us a good idea of the dimension of the campaign and of the elements of interest.


The graph helps us visualize what both URLs have in common, as well as a bunch of additional URLs that also share the same tracker ID. In particular, there are a couple of common JavaScript libraries detected as malicious by several AV vendors that look interesting for our investigation. We can open their VirusTotal reports in the links below:

https://www.virustotal.com/gui/file/a29fa70847eb0cba146b247f7d4549575b04edd588628b23a473c69c87e5c887/detection

https://www.virustotal.com/gui/file/ee3f8cc642a94e667d5f885691ecbc70d5d49869d36d905d96f19391117fa084/detection


We don’t need to download any of these files to analyze them, as VirusTotal lets us check their content in the Content tab of the file’s report.


Indeed, when doing that there are several very significant strings that seem highly related to the campaign we are investigating, such as “var project = "adidas-mo";”.  We can simply click on this string to find any other files that include the very same content:

https://www.virustotal.com/gui/search/content%253A%2522var%2520project%2520%253D%2520%255C%2522adidas-mo%255C%2522%253B%2522/files

This results in hundreds of libraries that were used by the attackers, most likely in this very same campaign. Displaying such a large number of elements in a graph is probably not the best idea, but nevertheless this is how it looks:


This gives us a very quick idea on how clustered this campaign is. We can pivot all this data to obtain the full infrastructure used in the campaign. For large automated processes like this one, we also recommend using our API or vt-client.
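To show how these pivot values are obtained from the pages themselves and combined into a single search, here is an added Python example; it is not part of VirusTotal's post or tooling. It refangs the two URLs from the post, extracts Google tracker IDs, the HTML title and the last path component from constructed copies of the landing pages (the HTML is invented; only the tracker ID, title and path values come from the post), builds the combined entity:url search and computes which attributes both pages share, which is the overlap the graph shows. The run_search helper assumes the vt-py library (pip install vt-py) and an API key in the VT_API_KEY environment variable; everything else runs offline.

```python
import os
import re
from urllib.parse import urlparse

# Tracker ID formats we look for in the HTML body (assumption: these three Google
# formats are enough for this campaign; other ad trackers would need more patterns).
TRACKER_PATTERNS = [
    re.compile(r"\bG-[A-Z0-9]{6,}\b"),    # Google tag / GA4 measurement ID, e.g. G-J151F98PH2
    re.compile(r"\bUA-\d{4,}-\d+\b"),      # Universal Analytics property ID
    re.compile(r"\bGTM-[A-Z0-9]{4,}\b"),   # Google Tag Manager container ID
]
TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.IGNORECASE | re.DOTALL)

# Constructed stand-ins for the two landing pages: only the tracker ID, title and
# path values are taken from the post, the surrounding HTML is invented.
SAMPLE_PAGES = {
    "hxxp://mayhx[.]cn/adidas-mo": (
        "<html><head><title>\U0001F389Adidas 70th Anniversary!\U0001F38A</title>"
        "<script async src='https://www.googletagmanager.com/gtag/js?id=G-J151F98PH2'></script>"
        "<script>gtag('config', 'G-J151F98PH2');</script></head><body>...</body></html>"
    ),
    "hxxp://luby3a0[.]cn/r2eizhga/adidas-mo": (
        "<html><head><title> \U0001F389Adidas 70th  Anniversary!\U0001F38A </title>"
        "<script>gtag('config', 'G-J151F98PH2'); ga('create', 'UA-12345678-1');</script>"
        "</head><body>...</body></html>"
    ),
}


def refang(url):
    """Turn a defanged indicator (hxxp://host[.]tld) back into a parseable URL."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def extract_pivots(url, html):
    """Pull the attributes VT Intelligence can pivot on out of one captured page."""
    trackers = sorted({m.group(0) for pat in TRACKER_PATTERNS for m in pat.finditer(html)})
    m = TITLE_RE.search(html)
    title = " ".join(m.group(1).split()) if m else ""            # collapse whitespace
    path = urlparse(refang(url)).path.strip("/").split("/")[-1]  # last path component
    return {"trackers": trackers, "title": title, "path": path}


def build_query(pivots, min_positives=5):
    """Combine tracker, title and path into one search, plus p:N+ to keep detected URLs only."""
    parts = ["entity:url"]
    if pivots["trackers"]:
        parts.append("tracker:" + pivots["trackers"][0])
    if pivots["title"]:
        parts.append('title:"%s"' % pivots["title"].replace('"', '\\"'))
    if pivots["path"]:
        parts.append("path:" + pivots["path"])
    if min_positives:
        parts.append("p:%d+" % min_positives)
    return " ".join(parts)


def shared_pivots(pivots_by_url):
    """(kind, value) pairs present in every page: the overlap a VT Graph of the URLs shows."""
    keysets = []
    for p in pivots_by_url.values():
        keys = {("tracker", t) for t in p["trackers"]}
        if p["title"]:
            keys.add(("title", p["title"]))
        if p["path"]:
            keys.add(("path", p["path"]))
        keysets.append(keys)
    return sorted(set.intersection(*keysets)) if keysets else []


def run_search(query, limit=100):
    """Iterate the search through the VT API v3 with vt-py (pip install vt-py).
    Needs network access and an API key in VT_API_KEY; not used by the offline demo."""
    import vt  # imported lazily so the helpers above work without vt-py installed
    with vt.Client(os.environ["VT_API_KEY"]) as client:
        it = client.iterator("/intelligence/search", params={"query": query}, limit=limit)
        return [obj.url for obj in it]


if __name__ == "__main__":
    pivots = {u: extract_pivots(u, h) for u, h in SAMPLE_PAGES.items()}
    for u, p in pivots.items():
        print(u, "->", build_query(p))
    print("shared:", shared_pivots(pivots))
    if os.environ.get("VT_API_KEY"):
        print(run_search(build_query(next(iter(pivots.values())))))
```

Whitespace inside the title is collapsed before it is used as a pivot, otherwise two copies of the same page with slightly different markup would not match; the favicon dhash is left out because computing it needs an image library and the post uses the value VirusTotal already stores.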


It all started with a couple of URLs


Having a large malware database that creates relationships among all indicators and allows pivoting on any of them has its advantages. You never know which particular criterion will be the key element for a given investigation; in this case both “tracker” and “path” proved to be very useful. Visualizing information is also one of the most powerful methods to quickly understand what is most relevant in the data you are working with, allowing you to focus on the most important elements.


Both methods shown in this post are some ideas to use when tracking brandjacking or any other fraudulent activity. If you have other favorite methods you use for your investigations and want to share them with us, please do not hesitate to contact us.


Happy hunting!


Thursday, November 04, 2021

Automate and Augment Case Management, Threat Intelligence and Enrichment

One of the most common use cases for integrating Threat Intelligence into your security stack is enriching threat data. This helps incident responders, SOC analysts and threat intel teams properly assess how bad the situation is and what to do next. Unfortunately, the data we use for alert triaging is often too simplistic. Threat intelligence should be compliant, actionable, relatable and easy, while still providing the full context when it is needed.


In our previous post we introduced VT Augment as our solution for integrating VirusTotal’s full contextual data into third-party products. Swimlane was one of the first to integrate VT Augment into their solution, and today we want to discuss how to leverage such integrations in your day-to-day operations.


But before we continue, we encourage you to join us next November 10, 2021 at 4pm UTC for our joint webinar with Swimlane to learn more on this topic.

Automating response to threats


Security orchestration, automation and response (SOAR) capabilities are adopted and required in most security stacks. They make it possible to automate common tasks such as enriching threat alerts, and also to automate the response when integrating with additional tools. For the examples in this post, we will be using Swimlane, which integrates VirusTotal.


A typical case would be automating the response to suspicious indicators (hash, URL, IP or domain) showing up in our detection systems. For instance, a simple first approach for quick triage would be creating a workflow based on the number of AV detections, so that the incident is automatically remediated before proceeding with a deeper investigation, if needed:




It could be that these first signals are not strong enough to make an educated decision. Analysts would then need additional context, which in this case is provided by VT Augment. The following screenshot shows how VirusTotal enriches the domain information available to the analyst, showing the IPs it resolved to, detected URLs and WHOIS information, among others:



Depending on the type of IOC there will be different information available. For instance, for a suspicious file an analyst might be interested in checking for specific AV verdicts in order to understand what kind of threat it represents. Other less technical information such as the first time it was seen in VirusTotal can also be useful to understand if we are handling a potential new threat.


Integrating contextual threat intelligence where needed


VirusTotal integrates with dozens of vendors. Some notable examples include CrowdStrike Falcon which uses a dedicated plugin, or Google Workspace Alert Center. Ultimately, VT Augment and VT API allow integration with any system helping organise workflows to properly respond to any threat.


 

Threat Intelligence data should be relevant in the context it is being used. Automating routine tasks using the right indicators helps mitigate most cases automatically. This should be complemented with providing all the relevant information at the fingertips of the analysts to make the right decisions. 


We keep working on providing contextual threat intelligence data that makes a difference to our partners in the security industry. If you need help integrating VirusTotal in your product, please let us know.


Happy hunting!


Wednesday, October 27, 2021

Introducing VirusTotal MSSP Program: Differentiate and become indispensable with preventive capabilities

Today we are excited to announce our VirusTotal MSSP partner program, providing partners a competitive advantage to differentiate and enrich their security offering with world-class crowdsourced intelligence.

Before we continue, you can find full information of the program on our program website, and we invite you to attend our kick-off webinar next November 17th, 5pm CET.

Now, let’s go into further details on the program.



It seems we can help


The MDR market is expected to reach $2.2B by 2025. At the same time, and according to market studies, there seems to be increasing client frustration with MSSPs providing suboptimal services that do not cover their customers’ main needs. Moreover, end clients are also more likely to consolidate services with a single provider, meaning that failure to address certain use cases results in lost accounts. Threat Intelligence helps generate preventive capabilities and superior context that MSSPs can leverage to match and exceed customer expectations.

This new program allows MSSPs to integrate the full power of VirusTotal into their offering, supercharging not only their client-facing services but also their internal operations. As an example, MSSPs can now leverage the VT AUGMENT widget to display VirusTotal advanced context in their offerings in a compliant and revenue-generating manner.


Palo Alto Networks survey data shows that SOC analysts are only able to handle 14% of the alerts generated by security tools. This is even more challenging for MSSP analysts, who have to deal with incidents coming from multiple customer networks. VirusTotal can power alert enrichment for orchestration and automatic triage, resulting in increased productivity and SOC operator efficacy, helping MSSP teams make more accurate decisions, faster.


A true partnership


VirusTotal has become synonymous with crowdsourced Threat Intelligence. As part of our program, MSSPs can leverage VirusTotal’s brand in their sites, collaterals, research reports, events, etc. Similarly, participants will be featured in our public MSSP partners portal, generating trust and visibility. 



We also invite MSSPs to collaborate on crowdsourcing of {YARA, SIGMA, IDS} rules or other investigations and insights. This is a simple avenue to showcase technical expertise, raise brand awareness and even to attract top talent. 

If you need additional information, please check the dedicated website, kick-off webinar and as usual, feel free to reach out through virustotal.com/contact.

Happy hunting!

Wednesday, October 20, 2021


VirusTotal Multisandbox += Microsoft Sysinternals

We welcome the new multisandbox integration with Microsoft Sysinternals. It was also recently announced on the Sysinternals blog as part of their 25th anniversary. This industry collaboration will greatly benefit the entire cybersecurity community, helping put the spotlight on indicators of compromise that may be seen if malware is detonated within your own environment.


In their own words:

"The new Microsoft Sysinternals behavior report in VirusTotal, including an extraction of Microsoft Sysmon logs for Windows executables (EXE) on Windows 10, is the latest milestone in the long history of collaboration between Microsoft and VirusTotal. Microsoft uses VirusTotal reports as an accurate threat intelligence source, and VirusTotal uses detections from Microsoft Defender Antivirus and Microsoft Sysinternals Autoruns, Process Explorer and Sigcheck tools. This cross-industry collaboration has a significant impact on improving customers' protection." says Andi Comisioneru, Group Program Manager, Cloud Security, Microsoft.


Let's take a look at a few example reports, starting with the file with SHA-256 1bb93d8cc7440ca2ccc10672347626fa9c3f227f46ca9d1903dd360d9264cb47.

Here we see a report from Microsoft Sysinternals Sysmon with DNS resolutions, process tree and shell commands:





From the DNS resolution seen, we can make use of VT-Graph to pivot on other samples that also resolve the same hostname.



For our second example let's look at 1247bb4e1d0aa5aec6fadccaac6e898980ac33b16b69a4aa48fc6e2fb570141d.  Here we see a suspicious email address contained within some files written to the disk:





If we wish to pivot on that, we can search for other similar samples with the same modus operandi with a search query like:
behaviour_files:@tutanota.com



Finally, our last example is 4bb1227a558f5446811ccbb15a7bfe3e1f93fce5a87450b2f2ea05a0bca36bb2. This sample is a coinminer that stores a dropped file in %USERPROFILE%\AppData\Roaming\Microsoft\Telemetry\sihost32.exe

It also registers a scheduled task on logon. It is possible to find other samples doing the same thing with the following intelligence query:
behaviour_processes:"\"AppData\\Microsoft\\Telemetry\\sihost32.exe\""
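To show what the Sysmon data behind these reports looks like once you extract it yourself, and how the artefacts map onto the behaviour_* search modifiers used above, here is an added Python example; it is not part of the post or of the Sysinternals integration. It parses a constructed export of three Sysmon events in the Windows event log XML format (the dropped path and the logon-triggered task mirror the third example above; the user name and the queried domain are invented), strips the user-profile prefix so the values match across hosts, and builds the corresponding VT Intelligence queries. behaviour_files and behaviour_processes are the modifiers used in the post; behaviour_network is assumed here to be the equivalent modifier for contacted hosts.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of Windows event log XML, which Sysmon events exported with
# wevtutil or Get-WinEvent use.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed Sysmon events for a coinminer-style sample. The dropped path and the
# onlogon task follow the third example in the post; user name and domain are invented.
SAMPLE_SYSMON_XML = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>11</EventID></System>
  <EventData>
    <Data Name="Image">C:\Users\alice\Downloads\invoice.exe</Data>
    <Data Name="TargetFilename">C:\Users\alice\AppData\Roaming\Microsoft\Telemetry\sihost32.exe</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\schtasks.exe</Data>
    <Data Name="CommandLine">schtasks /create /tn Telemetry /sc onlogon /tr "C:\Users\alice\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"</Data>
    <Data Name="ParentImage">C:\Users\alice\Downloads\invoice.exe</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>22</EventID></System>
  <EventData>
    <Data Name="Image">C:\Users\alice\AppData\Roaming\Microsoft\Telemetry\sihost32.exe</Data>
    <Data Name="QueryName">pool.example-mining.test</Data>
    <Data Name="QueryResults">::ffff:203.0.113.7;</Data>
  </EventData>
</Event>
</Events>"""

USER_PROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\", re.IGNORECASE)


def normalise_path(path):
    """Strip the user-profile prefix so the artefact matches across hosts and sandboxes."""
    return USER_PROFILE_RE.sub("", path, count=1)


def parse_sysmon_events(xml_text):
    """Yield (event_id, {Data Name: text}) for every Sysmon event in the export."""
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        event_id = int(ev.find("e:System/e:EventID", NS).text)
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        yield event_id, data


def extract_iocs(xml_text):
    """Collect pivotable artefacts: DNS names (event 22), files written (event 11) and
    targets of scheduled tasks registered through schtasks.exe (event 1)."""
    iocs = {"dns": set(), "files": set(), "scheduled_tasks": []}
    for event_id, d in parse_sysmon_events(xml_text):
        if event_id == 22:
            iocs["dns"].add(d.get("QueryName", "").lower())
        elif event_id == 11:
            iocs["files"].add(normalise_path(d.get("TargetFilename", "")))
        elif event_id == 1 and d.get("Image", "").lower().endswith("schtasks.exe"):
            cmd = d.get("CommandLine", "")
            m = re.search(r'/tr\s+"?([^"]+)', cmd, re.IGNORECASE)
            if m and "/create" in cmd.lower():
                iocs["scheduled_tasks"].append(normalise_path(m.group(1).strip()))
    return iocs


def vt_queries(iocs):
    """Turn the artefacts into VT Intelligence searches in the style of the post;
    backslashes are doubled inside the quoted values as in the post's example."""
    esc = lambda s: s.replace("\\", "\\\\")
    qs = ["behaviour_network:%s" % h for h in sorted(iocs["dns"]) if h]
    qs += ['behaviour_files:"%s"' % esc(p) for p in sorted(iocs["files"])]
    qs += ['behaviour_processes:"%s"' % esc(p) for p in iocs["scheduled_tasks"]]
    return qs


if __name__ == "__main__":
    for q in vt_queries(extract_iocs(SAMPLE_SYSMON_XML)):
        print(q)
```

The same three event types are what the report above surfaces (DNS resolutions, the process tree and files written), so the extracted values can be pasted into the search box directly or fed to the API for bulk pivoting.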

For more ways to search, see documentation on the available file search modifiers.
 

Happy hunting!


Monday, October 04, 2021

Ransomware in a global context

Today we are proud to announce our very first VirusTotal Ransomware Activity Report. This initiative is designed to help researchers, security practitioners and the general public better understand the nature of ransomware attacks by sharing VirusTotal’s visibility.

We are also organizing a series of webinars describing the main findings of our research, so please join us for the session that works better for you:



October 5th (APAC-friendly timezone): https://bit.ly/3lZuS3K

October 6th (Americas and EMEA-friendly timezone): https://bit.ly/3APK49S

October 7th (Public Sector edition): https://bit.ly/3ERXioS


We encourage you to read the full report, but below you can find some of the main findings:

  • Since 2020, users from more than 140 countries have submitted ransomware samples to VirusTotal. 
  • During this time, at least 130 different ransomware families have been active.
  • Israel, South Korea, Vietnam, China, Singapore, India, Kazakhstan, Philippines, Iran and the UK are the 10 most affected territories based on the number of submissions to VirusTotal. 
  • Activity among the most widespread ransomware families comes and goes, but there is a baseline of activity from around 100 not-so-popular ransomware families that never stops.
  • According to our observations, it seems that in most cases attackers prepare fresh new samples for their campaigns.
  • In July 2021 we observed a wave of the new variant of Babuk ransomware.
  • GandCrab was the most active family in early 2020, before its prevalence decreased dramatically in the second half of the year. 

You can download the full report here.


Now, how can we transform all this information into something actionable that protects us from ransomware attacks? In this blog post we will not go over the content of the report itself; instead, we want to discuss ideas we can use to proactively defend ourselves.


Monitoring Ryuk campaigns

The report contains insights on ransomware families and artifacts associated with their attacks. As an example, we can use this information to prioritize enforcing new security policies in our network based on the most active families. 

For instance, a first approach would be checking if any sample related to these campaigns has landed in our network. Let’s use the Ryuk ransomware family as an example. The following VirusTotal Intelligence query will help us find Ryuk PE samples with at least 10 AV detections submitted since January 2021:

"engines:ryuk  fs:2021-01-01+ (type:peexe or type:pedll) p:10+"

Since this query returns more than 9k results, it is more practical to use the VT API or the VT-PY programming interface. An easy way to do it would be using Jupyter Notebooks to create a custom report with some fancy graphics. We have created a couple of notebooks here and here implementing some examples using the VT-PY interface, which we describe below.

Let’s use one of the notebooks as an example where we want to list all the hashes submitted during a specific period of time related to the ransomware family we are monitoring. We basically iterate the results of the VT Intelligence query, resulting in 9426 hashes we will store in a log file.


Monitoring Babuk

Another idea would be to collect IOCs (Indicators Of Compromise) related to these campaigns, in this case identified as malicious by at least 5 antivirus engines. Here we could get all the suspicious URLs, domains and IP addresses contacted by the malware samples, or we could retrieve URLs used at different stages of the attack. This can be done with the following VT Intelligence query:

"engines:babuk  fs:2021-07-01+ (have:contacted_domains or have:contacted_ips) p:5+"

For instance, the second Jupyter notebook searches for all the domains and IP addresses contacted by Babuk since July 2021 with at least 5 positives. We can later use these IOCs to block their access in our EDR, firewall or web proxies, avoiding any attempt to contact them.
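Both monitoring steps above (listing the Ryuk hashes into a log file and collecting the domains and IP addresses contacted by Babuk) follow the same pattern: iterate an Intelligence query, then walk each file's relationships. The following Python example is added here and is not one of the notebooks linked in the post. It uses the vt-py library's vt.Client (pip install vt-py) when VT_API_KEY is set and otherwise runs against a constructed FakeClient with invented SHA-256 values and documentation-range hosts, so it can be exercised offline.

```python
import os

# Constructed sample data: fake SHA-256 values and documentation-range hosts
# standing in for what the live API would return.
SAMPLE_HASHES = ["11" * 32, "22" * 32]
SAMPLE_RELATIONS = {
    ("11" * 32, "contacted_domains"): ["c2-a.example.test"],
    ("11" * 32, "contacted_ips"): ["198.51.100.10"],
    ("22" * 32, "contacted_domains"): ["c2-b.example.test", "c2-a.example.test"],
    ("22" * 32, "contacted_ips"): [],
}


def build_query(family, since, min_positives=5,
                extra="(have:contacted_domains or have:contacted_ips)"):
    """Assemble a VT Intelligence query in the shape used throughout the post."""
    return "engines:%s fs:%s+ %s p:%d+" % (family, since, extra, min_positives)


def collect_iocs(client, query, limit=0):
    """Walk the search results, then each sample's contacted_domains / contacted_ips
    relationships (VT API v3 paths). `client` needs an iterator(path, params=, limit=)
    method yielding objects with an .id attribute, which is what vt.Client provides."""
    hashes, domains, ips = [], set(), set()
    for sample in client.iterator("/intelligence/search", params={"query": query}, limit=limit):
        hashes.append(sample.id)  # for file objects the id is the SHA-256
        for dom in client.iterator("/files/%s/contacted_domains" % sample.id):
            domains.add(dom.id)
        for ip in client.iterator("/files/%s/contacted_ips" % sample.id):
            ips.add(ip.id)
    return {"hashes": hashes, "domains": sorted(domains), "ips": sorted(ips)}


def blocklist_lines(iocs):
    """One indicator per line, ready for a proxy, firewall or EDR blocklist import."""
    return ["domain %s" % d for d in iocs["domains"]] + ["ip %s" % i for i in iocs["ips"]]


class _Obj:
    def __init__(self, obj_id):
        self.id = obj_id


class FakeClient:
    """Offline stand-in for vt.Client that answers from the canned relationships above."""

    def __init__(self, hashes, relations):
        self.hashes, self.relations = hashes, relations

    def iterator(self, path, params=None, limit=0):
        if path == "/intelligence/search":
            objs = [_Obj(h) for h in self.hashes]
            return iter(objs[:limit] if limit else objs)
        _, _, sha, relationship = path.split("/")  # "/files/<sha256>/<relationship>"
        return iter(_Obj(x) for x in self.relations.get((sha, relationship), []))


def live_client():
    """Real client; needs network access and an API key in VT_API_KEY (pip install vt-py)."""
    import vt  # imported lazily so the offline demo runs without vt-py installed
    return vt.Client(os.environ["VT_API_KEY"])


if __name__ == "__main__":
    query = build_query("babuk", "2021-07-01")
    client = live_client() if os.environ.get("VT_API_KEY") else FakeClient(SAMPLE_HASHES, SAMPLE_RELATIONS)
    iocs = collect_iocs(client, query, limit=50)
    if hasattr(client, "close"):
        client.close()
    with open("babuk_hashes.log", "w") as fh:   # the hash log the post describes
        fh.write("\n".join(iocs["hashes"]) + "\n")
    print("\n".join(blocklist_lines(iocs)))
```

The limit argument matters on a query that returns thousands of files: each sample costs two extra relationship requests, so start with a small limit and raise it once the output looks right.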


Distribution vector and spreading

It is always a good idea to protect ourselves at the initial stages of an attack. We can monitor the infrastructure used for distributing any campaign by making use of our itw (“in the wild”) tag. Additionally, we can also search for files executing or containing malware related to the campaign we monitor. These queries help us block malicious infrastructure as well as detect samples distributing the malware we monitor. This can be done with the following VT Intelligence query:

"engines:gandcrab fs:2020-02-01+ fs:2020-05-01- (type:peexe or type:pedll) have:in_the_wild"

VTI Search Link

We have also created a script available in one of the aforementioned Jupyter Notebooks showing the list of distribution vectors related to Gandcrab ransomware.

Another interesting angle is understanding what exploits a specific threat campaign is using for spreading. We can do that using the tag:exploit modifier in our VT Intelligence query. For example:

"engines:gandcrab fs:2020-02-01+ fs:2020-05-01- (type:peexe or type:pedll) tag:exploit"

This modifier would return those samples that are suspected to contain an exploit. This can be used to list the top countries that submitted samples related to this particular malware family containing exploits.

The same approach can be taken on a typical vulnerability management use case. One of the Jupyter notebooks provides the top list of exploited vulnerabilities related to a malware family.


Are we in trouble?

Another common approach is checking whether our brand has been abused in any phishing campaign or whether our infrastructure hosted any component of the attack. The following VT Intelligence query searches for any embedded domain or URL used in recent Cerber campaigns, including URLs used for storing malware samples (itw URLs):

"engines:cerber fs:2021-06-01+ (embedded_domains:my_domain OR embedded_urls:my_domain OR itw:my_domain)"


What’s next?

The information provided by the VirusTotal community can be used to proactively monitor and protect against ransomware attacks. Some additional ideas on how to use VirusTotal in this direction can be found below:

  • Global Threat Intelligence. Once we know the most common ransomware signatures and their generic behavior, we can use this information to monitor future samples, for instance:

"p:10- fs:2021-09-01+ (engines:ransom or engines:crypto) AND tag:persistence and tag:detect-debug-environment AND tag:checks-network-adapters AND tag:long-sleeps AND tag:direct-cpu-clock-access"

VTI Search Link

This query:

  • Searches for files with less than 10 detections: p:10- 

  • Searches for samples submitted since September 2021: fs:2021-09-01+ 

  • Filters in only those samples that AV vendors or Sandbox providers identify as potential ransom or crypto attacks: (engines:"ransom" or engines:"crypto")

  • Takes into account only those tags that are most common among the ransomware samples we have seen in this report: tag:"persistence" and tag:"detect-debug-environment" AND tag:"checks-network-adapters" AND tag:"long-sleeps" AND tag:"direct-cpu-clock-access"

We can also focus on files that are potentially exploiting some vulnerability, searching for them with the “exploit” tag:

"p:10- fs:2021-09-01+ (engines:ransom or engines:crypto) AND tag:exploit"

VTI Search Link

  • Advanced Threat Services. VirusTotal extensively uses YARA. Indeed, we developed our own vt YARA module. This makes it easy to translate our previous VT Intelligence searches into a YARA rule like the one below:


We can find these YARA rules at the end of this post.

To sum up, it is as important to understand global ransomware trends as it is to be able to act on them. In this post we went through different use cases, discussing some ideas on how to implement a live cybersecurity threat monitoring system, which can be a game changer for our current security architecture.

At VirusTotal we will keep sharing both our visibility as well as best practices to protect against new attacks and to keep our world a little bit safer. As always, we are happy to hear from you.

Happy hunting!



Appendix - YARA rules


import "vt"

rule find_potential_ransomware_files
{
    meta:
        description = "Detects potential ransomware related files"
        author = "VT Team"
        reference = "https://blog.virustotal.com/"
        date = "2021-10-04"
        vt_search = "p:10- fs:30+ (engines:ransom or engines:crypto) AND tag:persistence and tag:detect-debug-environment AND tag:checks-network-adapters AND tag:long-sleeps AND tag:direct-cpu-clock-access"
        vt_link = "https://www.virustotal.com/gui/search/p%253A10-%2520fs%253A30%252B%2520(engines%253A%2522ransom%2522%2520or%2520engines%253A%2522crypto%2522)%2520AND%2520tag%253A%2522persistence%2522%2520and%2520tag%253A%2522detect-debug-environment%2522%2520AND%2520tag%253A%2522checks-network-adapters%2522%2520AND%2520tag%253A%2522long-sleeps%2522%2520AND%2520tag%253A%2522direct-cpu-clock-access%2522/files"
    condition:
        (
            for any engine, signature in vt.metadata.signatures : (signature contains "crypto")
            or
            for any engine, signature in vt.metadata.signatures : (signature contains "ransom")
        )
        and
        for any tag in vt.metadata.file_type_tags : (tag == "persistence") and
        for any tag in vt.metadata.file_type_tags : (tag == "detect-debug-environment") and
        for any tag in vt.metadata.file_type_tags : (tag == "checks-network-adapters") and
        for any tag in vt.metadata.file_type_tags : (tag == "long-sleeps") and
        for any tag in vt.metadata.file_type_tags : (tag == "direct-cpu-clock-access") and
        vt.metadata.analysis_stats.malicious < 10
}

rule find_potential_ransomware_exploits
{
    meta:
        description = "Detects potential ransomware related files using exploits"
        author = "VT Team"
        reference = "https://blog.virustotal.com/"
        date = "2021-10-04"
        vt_search = "p:10- fs:30+ (engines:ransom or engines:crypto) AND tag:exploit"
        vt_link = "https://www.virustotal.com/gui/search/p%253A10-%2520fs%253A30%252B%2520(engines%253Aransom%2520or%2520engines%253Acrypto)%2520AND%2520tag%253Aexploit/files"
    condition:
        (
            for any engine, signature in vt.metadata.signatures : (signature contains "crypto")
            or
            for any engine, signature in vt.metadata.signatures : (signature contains "ransom")
        )
        and
        for any tag in vt.metadata.file_type_tags : (tag == "exploit") and
        vt.metadata.analysis_stats.malicious < 10
}