Friday, January 28, 2022

, , , ,

VIrusTotal Multisandbox += SecneurX


VirusTotal welcomes SecneurX to the multi-sandbox project. This new behavioral analysis platform is helping provide additional details on Windows executables, Office documents, and Android APKs.

In their own words:

SecneurX Advanced Malware Analysis (SnX) platform provides visibility and context into advanced threats with its extensive malware analysis & detection capabilities. The analysis platform is based on a unique architecture that emulates an enterprise environment for analyzing the most evasive and concealed malware. It performs both static and dynamic behavior analysis of different file types (.doc, .pdf, .msg, .eml, .xlsx, .exe, .ppt, .csv, .apk etc.) and generates a detailed report describing the malware behavior. Extracted Indicators of compromise (IOCs) and human-readable behavior reports can be used to augment existing intelligence data and help to give "context" about IPs, domains, URLs, Registry, Process activity, file names, and hashes.

On VirusTotal you can find the SecneurX reports on the Behavior tab:

Let's take a deeper look at some interesting samples showcasing SecneurX capabilities:

EXE file which spreads via SMB protocol

602b3c6dba465a535293d06ff498354a6a5631299f8edbaba4bec7d4df98e1e6

This EXE is a crypto mining worm that uses exploits to steal credentials and spreads laterally to other machines in the network. It communicates with its CNC and transfers its malicious binary through SMB protocol to other machines on the local network.

Click on the full report icon, to see the SecneurX detailed report.
A few interesting points in the full report are highlighted:


VirusTotal enterprise customers may search other samples on VirusTotal that use this firewall command you can use the behaviour_processes file search modifier in a query similar to:

behaviour_processes:"netsh firewall add portopening tcp 65533 DNSd"

An example searching for scheduled tasks:

behaviour_processes:"schtasks /create /ru system"




Email with attached password-protected XLS spreadsheet which launches PowerShell


This email message contains an attached password-protected XLS spreadsheet which when triggered launches a Living of the Land attack using an obfuscated PowerShell script to download a second-stage attack payload. SecneurX extracts and executes them




Within the process tree we can see powershell commands to create a TLS connection, You can search VirusTotal to find other samples using this technique with a query like behaviour_processes:"System.Net.SecurityProtocolType" and behaviour_processes:powershell


Android App (APK) with multi-stage payload downloader showing Joker malware behavior

The APK: 1e2c99c68390baefa7d9eba4a429f9b009aa4ade281909831fa2c50a944ae5ab downloads malicious payload via HTTP. In this VT-Graph view we can investigate how it is related to other malware samples.

Excel spreadsheet abusing the legacy equation editor to execute a custom payload

This excel spreadsheet https://www.virustotal.com/gui/file/1a022d0240a252df61e043a2a17a0a41da0dfb94c3e3de8d0a9f4d411559cfa3/behavior/SecneurX exploits Office’s legacy equation editor to download a remote artifact and execute it



We welcome this new addition to VirusTotal, SecneurX will help put the spotlight on malware. Happy hunting.

Friday, January 07, 2022

Monitoring malware abusing CVE-2020-1599

CVE-2020-1599 is a vulnerability that can be abused by adding data (that will be later executed) to the signature section of a file, for instance appending a VB script. Unfortunately, Microsoft signature chain certification will not detect that the signature was modified and accept the file as legitimately signed, which can be used to avoid security checks. This is all described in this blog post by our colleagues at Checkpoint, also explaining how ZLoader is using this technique for persistence in recent campaigns.

A non-malicious file abusing this technique can be found here. The file is not malicious per se, as it simply opens the calc.exe utility.

This malicious technique can be mitigated as described here

In order to monitor any additional malware abusing this vulnerability, we decided to create a YARA and run a VirusTotal Livehunt, so we will get notified any time a new suspicious file shows up in VirusTotal:

import "pe"
import "vt"

rule CVE-2020-1599_suspicious_signed {

meta:
      author = "@fcojsantos"
      created = "2022.01.07"
      reference = "https://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/"

strings:
      $script = "<script" nocase
      $script2 = "language" nocase
      $script3 = "vbscript" nocase

condition:
      pe.is_pe
      and pe.number_of_signatures > 0
      and not for all i in (0..pe.number_of_signatures - 1): (
      
      pe.signatures[i].valid_on(pe.timestamp)
      )
// Searches for script literal from the signature offset on
      and $script in (pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].virtual_address..filesize)
      and $script2 in (pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].virtual_address..filesize)
      and $script3 in (pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].virtual_address..filesize)
      and for any tag in vt.metadata.tags : ( tag == "signed" )
}

This YARA searches for suspicious script-related strings appended to the signature. However, YARA cannot check the certificate chain that confirms if the signature itself is valid or not, it only checks that the certificate exists. And here is where the YARA’s vt module comes to the rescue.

In this case, the last condition ‘for any tag in vt.metadata.tags : ( tag == "signed" )’ will check that there exists at least one “signed” tag for the file, meaning that Microsoft Windows WinVerifyTrust function confirms this is a fully valid signature (it is not, as it abuses CVE-2020-1599).

Now, armed with this, we can find several interesting samples abusing this vulnerability that we added to a VT collection.

Additionally, we were interested in understanding how these files were distributed. We created a small graph to visualize any distribution vectors:

In addition to teamworks455[.]com (already listed as malicious in Checkpoint’s blog post), we found commandaadmin[.]com distributing similar malware. You can monitor any malware distributed in the wild by these domains with the following VT intelligence query:

entity:file (itw:commandaadmin or itw:teamworks455)

This query returns some of the indicators already published by Checkpoint plus a few new ones that might be interesting to take a look at.

We hope this post will be useful to understand how we can quickly monitor and do some hunting every time attackers use new techniques. Happy hunting!

Thursday, December 16, 2021

VT Collections Swiss army knife

Since we announced VirusTotal Collections we are really grateful for the warm adoption we received from the VirusTotal community (please remember to help us gather your feedback using the following form). Indeed, we already observed very interesting content leveraging the potential of collection, like the LOG4SHELL: potential IOC collection by our colleague Jesus Toledano.

Several users contacted us interested in learning an easy way to create a collection using the command line. We just implemented this functionality in our vt-cli utility. In case you are not familiar with it, vt-cli is one of our command line tools and it supports many of the features available in the GUI. Back to creating our collection with the command line, you can use something like:

cat ioc-list.txt | vt-cli collection create -n “Collection Name” -

Vt-cli can also assist you to get relevant information from any existing collection. In the example you can find in the video below, we create a collection starting from two suspicious IP addresses and we later get the last analysis stats from them:

Not only that, we already implemented this functionality for you and you can find it ready to use in the following links both for Python and Go.

Finally, keep in mind there is a fully documented REST API that you can use in the same way you use the rest of VirusTotal APIs.

Happy hunting!


Monday, December 13, 2021

VirusTotal += Vir.IT

We welcome the Vir.IT eXplorer PRO by TG Soft to VirusTotal. In the words of the company:

"TG Soft is an Italian cyber-security company. Since 1992, TG Soft has been analyzing computer viruses and malware both in order to understand how malware operates and to develop software to identify, remove and provide real-time anti-malware protection. TG Soft’s VirIT eXplorer PRO AntiVirus suite is designed for Microsoft Windows operating systems. Since 2015 VirIT eXplorer PRO suite includes Anti-Ransomware technologies to block unknown ransomware attacks by advanced behavioural and heuristic monitoring. TG Soft through its C.R.A.M. (Anti-Malware Research Centre) collects, classifies, analyzes and recognizes today’s malware families and threats."

Vir.IT has expressed its commitment to follow the recommendations of AMTSO and, in compliance with our policy, facilitates 
this Anti-Malware Certification Testing Report by ICSA Labs.

Tuesday, November 30, 2021

Introducing VirusTotal Collections

TL;DR: Threat researchers use Pastebin and similar sites to share sets of IoCs among themselves. We believe there is a more actionable and contextualized way to perform this task, enter VirusTotal Collections. Help us shape the future of IoC collections with the what’s next form.

Collective knowledge is key for the success of us all in the industry. For this reason, we paved the way to give a voice to our community by providing them the mechanisms to (annotate and share) comments on VT observables. Time evolves and now most investigations go beyond one observable, quickly adding up several indicators of compromise (IOCs) for one single incident . With many security researchers sharing their findings in blog posts and tweets, it’s getting hard to keep track of all these data inputs. Moreover, these investigations change over time bringing more difficulty into reporting the new findings. 

To fill that gap, today, we are releasing VirusTotal Collections. A collection is a live report which contains a title, a group of IoCs (file hashes, URLs, domains and IP addresses) and an optional description. Collections are open to our VirusTotal Community (registered users) and they will be enhanced with VirusTotal analysis metadata providing the latest information we have for the IoCs, along with some aggregated tags. 

Collection owners can update these by adding or removing IoCs. They are public via our UI and API, and they can be shared using their permalink. This makes it a very convenient way of linking to listings of IoCs in blog posts, research reports and the like.

All our community generated content, including comments, graphs and collections will contribute to the Community section of file, URL, domain and IP address reports. This means that if a security researcher creates a Collection with a file in it, if you visit the file report you will see the collection in the community section.


You can create IoC collections in the VirusTotal home page, under the SEARCH tab.

Let’s take collaboration one step forward, we hope you enjoy it and we invite you to shape the future of this new functionality in our what’s next form.

Happy Hunting!

Monday, November 29, 2021

Insights on ransomware attacks

Our first “Ransomware in a global context” report offered an overview on how ransomware attacks evolved since 2020, highlighting GanCrab’s supremacy in 2020 and its rebranding as REvil with a different targeting. On the bright side, law enforcement agencies have been very active conducting dozens of operations in the last months, including the arrest of several REvil affiliates.  

We wanted to reflect on this and other recurrent questions we received since the publication of our report with our colleague Vlad Stolyarov from Google’s Threat Analysis Group (TAG)  to help provide some further insights into them.You can also find some of the answers and great additional content in our beloved Cloud Security Podcast by Anton Chuvakin and Tim Peacock Episode 45 “VirusTotal Insights on Ransomware Business and Technology”.

Alright, let’s go check some of the most popular questions we received.


Can you provide more details on the geographical distribution of the samples? How is it possible the US is not the main target?

Well, North America remains the most targeted region by number of ransomware samples according to our visibility. 

What we show in the report is the difference between the normal average submission of samples from any given territory and ransomware submissions. We did our best to filter out automatic submissions or any other systems that could alter the real spreading, but obviously there can be exceptions. In the case of Israel, we believe the dramatic increase is a combination of being highly targeted by ransomware and several security companies or experts submitting to VirusTotal. 


Why was GandCrab the most popular family in 2020? Does it continue to be the biggest one by number of samples?

GandCrab was one of the most successful groups implementing the Ransomware-as-a-Service (RaaS) distribution model. Indeed, anyone could sign up on their portal to be an ”affiliate”, getting a significant commission from each ransom payment made by victims. This made this actor very successful, which created a snowball effect where ransomware affiliates preferred GandCrab over other RaaS programs as branding matters in the ransomware business. Despite the fact that several versions of GandCrab had cryptographic flaws, with free decryptors available on the NoMoreRansom project website, it remained popular. That didn’t stop this actor making (as they claimed on forums) more than 150$M in a year.  

Now, GandCrab RaaS program is believed not to be active since mid-2019, and yet VirusTotal still sees a large number of samples detected as GandCrab, even in 2021. Why? Our hypothesis is as follows:

1) Many TTPs (Tactics, Techniques and Procedures), initially popularized by GandCrab were later weaponized by other, unrelated commodity ransomware families. Antivirus engines, however, largely continue to associate and detect samples utilizing these TTPs as GandCrab.

2) While it was still active, GandCrab employed a number of distribution mechanisms. In addition to the more traditional vectors such as malspam, it used trojanized software, torrent sites, and a wormable network exploit EternalBlue to infect machines in the organization’s network.

Actors behind GandCrab have since moved on and are now believed to be related to the infamous REvil/Sodinokibi Ransomware-as-a-Service, which shares big portions of code and other indicators such as PDB strings with GandCrab. “Rebranding” of GandCrab as REvil/Sodinokibi follows a general trend in ransomware where many actors have switched from targeting individuals to larger corporate organizations in the past two years.

REvil, following GandCrab’s footsteps became very popular and is infamously known for several high-profile attacks: triple extortion attack on Quanta Computer who is an Apple supplier, threatening to release confidential information on unpublished products; JBS, a large meat processing company; Kaseya supply chain attack affecting multiple managed service providers and their customers.

On latest news, some REvil affiliates were recently arrested by law enforcement, following a coordinated takedown operation with an infrastructure takeover. Around the same time BitDefender published a free universal decryptor. As a result, REvil Ransomware-as-a-Service announced it’s shutdown and we have yet to see if they will resurface under a different name, once again.


What are double extortion schemes?

Ransomware actors use double or even triple extortion schemes as an additional method to force victims to pay ransom. In a double extortion scheme, in addition to encrypting victim’s data, attackers also exfiltrate critical data and threaten to publish it unless the victim pays. Under triple extortion schemes, ransom demands may also be directed at a victim's clients or suppliers. At the same time, further pressure points such as Denial-Of-Service attacks, or direct leaks to the media, are also brought into the mix.

 

Is there any ransomware malware on macOS?

Ransomware on macOS is possible, but much less frequent than in other platforms. One example would be the (opportunistic) EvilQuest/ThiefQuest family discovered in mid-2020, which had ransomware functionality, although it’s not clear if that was the main goal. ThiefQuest is also a very representative example of ransomware on macOS - despite only demanding 50$ payment in Bitcoin, the wallet specified in the ransom note had received exactly zero transactions, meaning no user had decided to pay to get their files decrypted (well, that, and the fact that free decryptor is also available).
There are several potential explanations to this: 

  • targeting corporate victims is far more profitable than targeting individuals, and most organizations are still using Windows-based environments. 

  • low level of expertise and experience in writing macOS malware amongst ransomware developers.

  • What about ransomware on Linux?


It exists! BlackMatter and REvil both have versions for Linux. As more organizations are investing in virtual machines and file backup servers, ransomware groups are increasingly developing Linux variants, targeting specifically VMWare ESXi and NAS servers - this increases the likelihood of victim organizations paying the ransom as they have no way of restoring data or their infrastructure.


Do we expect exploits and 0days to become more popular in ransomware attacks?

Yes, but with a catch. Traditionally, office exploits (not necessarily 0days) were always popular amongst financially motivated actors and this is not unique to ransomware. In addition to that, profit from a successful ransomware attack is often enough to buy a 0day or two, but what’s the point of burning expensive 0days on individual users (even if they are employees of a large organization), when phishing is just as effective? On the other hand, we’re seeing an increasing amount of interest in remote vulnerabilities targeting server software - anything from VPN to mail servers and domain controllers. But to each rule there are exceptions: a recent example would be a remote code execution vulnerability in MSHTML, CVE-2021-40444, which was used as a 0day from a Word document in a Big-Game-Hunting (BGH) campaign in September to deploy ransomware.

You can use VirusTotal Intelligence to monitor samples related to CVE-2021-40444 using the following query: “tag:cve-2021-40444”.   


Any info/insight on how ransomware operates internally" and why it works so well [for them]?

Ransomware groups are organized criminal activity with people working weekdays, 9 to 5. “Employees” have clear roles and responsibilities such as IT support, system administrators or developers. As crazy as it sounds, some employees might be unaware of who they’re working for. This description fits well for the biggest actors who previously used to be in Point-of-Sale/Banking/Carding areas, like FIN7, who are also attributed as operators of the DarkSide/BlackMatter RaaS.


As a final note, we recommend checking our original post to find more details on how to monitor ransomware activity before being hit. We will continue sharing relevant malware related information to keep our world a little bit safer. As always, we are happy to hear from you.


Happy hunting!


Thursday, November 18, 2021

Uncovering brandjacking with VirusTotal

 Malicious activity comes in all kinds of colors and flavors, sometimes abusing users’ trust by impersonating well known brands to get their private data, install malware or any other form of scam. At VirusTotal we analyze more than 3 million distinct URLs daily obtaining not only AV verdicts from more than 70 different vendors but also extracting as much data as possible including headers, cookies and HTML meta tags. This data is indexed and related to other observables we keep in our database, which is an excellent way to track malware infrastructure but also to find other forms of fraudulent activity. Indeed, many of our customers use VirusTotal daily to monitor brand abuse and fraudulent impersonation.

In this post we will describe how VirusTotal served to investigate the Anniversary brand abuse campaign by our good friends from Hispasec.


How to start our investigation


In this particular case, the campaign was distributed mostly using WhatsApp messages, where the victims were encouraged to share with their contacts links similar to the following ones:

hxxp://mayhx[.]cn/adidas-mo

hxxp://luby3a0[.]cn/r2eizhga/adidas-mo


These domains seem to be randomly generated. Now, starting from this information, how can we start an investigation in VirusTotal? There are a few handy VTI modifiers we can leverage:


  • Tracker: Many websites use different ads trackers, which we will try to find inside the HTML body of the analyzed URL. If two websites share the same ad tracker, it usually means they’re owned by the same person. You can use this modifier to find URLs where we found the same tracker. Example VTI search: entity:url tracker:G-J151F98PH2




  • Main_icon_dhash: Here we will find other websites having the same favicon. In this case, VirusTotal will calculate the favicon’s hash for us and do a fuzzy search to find similar ones. Example VTI search: entity:url main_icon_dhash:4932332b178e4d20



It seems we have several ideas to start our search with. As you have probably already realized, values used in the previous example VTI searches correspond to the two malicious websites we started our analysis with. Some of them are extremely precise for a given search (such as the response sha256), while others, like the favicon, title and path look interesting for any automatically generated infrastructure. However one of the key elements for this investigation was the tracker, as it identifies the website owner. 

Let’s first check the prevalence of all these different elements among VirusTotal:


Description

Value

VTI search

Items found

Google Tag Manager tracking ID

G-J151F98PH2

entity:url tracker:G-J151F98PH2

13.91K

HTML title

🎉Adidas 70th Anniversary!🎊

entity:url title:"🎉Adidas 70th Anniversary!🎊"

35.79K

URL path

adidas-mo

entity:url path:adidas-mo

24.44K

Favicon

Cute pink heart

entity:url main_icon_dhash:4932332b178e4d20

1.22M

Response body SHA256

e839c5398c1fe08dde3a4b0ffb39fd6b6a7c6dcab9d5477b0dfdfe8d62bcd77b

entity:url response_sha256: e839c5398c1fe08dde3a4b0ffb39fd6b6a7c6dcab9d5477b0dfdfe8d62bcd77b

5.74K


The number of found items is pretty high, which could either mean this is a large campaign or the values are not really representative. Combining three of the criteria listed above (title, tracker and path) in a single search returns 13.86K results, confirming it is a huge campaign. We can add some extra modifier like p:5+ (detected as malicious by at least 5 different AV vendors) for a total of 11.02K, confirming our suspicions. 


Leveraging VT Graph


Another way to start our investigation would be taking advantage of VT Graph. This would put on the table all the elements related to the IOCs we have to start our investigation with, giving us a good idea of the dimension and of the elements of interest. 


The graph helps us visualize what both URLs share in common, as well as a bunch of additional ones that also share the same tracker ID. In particular, there are a couple of common javascript libraries detected as malicious by several AV vendors that look interesting for our investigation. We can open their VirusTotal report in the links below: 

https://www.virustotal.com/gui/file/a29fa70847eb0cba146b247f7d4549575b04edd588628b23a473c69c87e5c887/detection

https://www.virustotal.com/gui/file/ee3f8cc642a94e667d5f885691ecbc70d5d49869d36d905d96f19391117fa084/detection


We don’t need to download any of these files to analyze them, as happily VirusTotal allows us to check their content at the content tab in the file’s report.


Indeed, when doing that there are several very significant strings that seem highly related to the campaign we are investigating, such as “var project = "adidas-mo";”.  We can simply click on this string to find any other files that include the very same content:

https://www.virustotal.com/gui/search/content%253A%2522var%2520project%2520%253D%2520%255C%2522adidas-mo%255C%2522%253B%2522/files

This results in hundreds of libraries that were used by attackers, most likely in this very same campaign. Displaying a LARGE number of elements in a graph is probably not the best idea, but nevertheless this is how it looks like:


This gives us a very quick idea on how clustered this campaign is. We can pivot all this data to obtain the full infrastructure used in the campaign. For large automated processes like this one, we also recommend using our API or vt-client.


It all started with a couple of URLs


Having a large malware database creating relationships among all indicators and allowing pivots using any of them has its advantages. You never know what is the particular criteria that would be the key element for a particular investigation, in this case both “tracker” and “path” proved to be very useful. Visualizing information is also one of the most powerful methods to quickly understand what is most relevant from the data you are working with, allowing you to quickly focus on the most important elements. 


Both methods shown in this post are some ideas to use when tracking brandjacking or any other fraudulent activity, if you have any other favorite methods you use for your investigations and you want to share with us please do not hesitate to contact us.


Happy hunting!