Wednesday, April 20, 2022
Monday, April 18, 2022
VirusTotal Multisandbox+= ELF DIGEST
In the words of its founder, Tolijan Trajanovski:
ELF DIGEST is a cloud-based Linux malware analysis service provided to security researchers, analysts, and academics. The service performs static, behavioral, and network analysis to extract IoCs and IoAs. The static analysis searches for IoCs in the strings and may also identify obfuscation in the form of string encoding and executable packing. The behavioral analysis can recognize various malicious actions, including VM detection, anti-debugging, persistence, process injection, loading of kernel modules, firewall configuration changes, and others. The network analysis can identify C2 endpoints, resolved domains, HTTP requests, and port scanning. In addition, ELF DIGEST utilizes the open-source malware labeling tool AvClass to determine the most probable malware family the analyzed sample belongs to. The currently supported CPU architectures include ARMv5, ARMv7, MIPS, x86 and x86_64. The detailed findings of the analysis are presented in an aggregated view and can also be downloaded as a JSON report.
Let's take a deeper dive on some samples:
Botnet on ARM with iptables kernel modules
In the shell commands we can observe the iptables firewall being stopped and its tables flushed. This would allow the malware to communicate without the firewall obstructing it.
Linux kernel modules are also being loaded, most likely related to the iptables command-line interactions.
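The two behaviours called out above (firewall stopped and flushed, kernel modules loaded) are the kind of IoA a behavioral analyzer derives from a sandbox's shell-command log. The following is an added example, not code from ELF DIGEST or from this post: a small Python rule set run over a constructed command log. The tag names, the regexes and the list of netfilter module name prefixes are assumptions made for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample of shell commands, in the shape a Linux sandbox might log them.
# Illustrative data only, not output from ELF DIGEST.
SAMPLE_COMMANDS = [
    "/bin/sh -c 'service iptables stop'",
    "iptables -F",
    "iptables -X",
    "iptables -t nat -F",
    "insmod /lib/modules/ip_tables.ko",
    "modprobe nf_conntrack",
    "echo 1 > /proc/sys/net/ipv4/ip_forward",
    "ls -la /tmp",
]


@dataclass(frozen=True)
class Finding:
    tag: str       # our own label for the observed behaviour
    command: str   # the command line that triggered the rule
    detail: str    # short human-readable note


# (tag, pattern, description). The patterns are deliberately simple; a real
# analyzer would parse argv rather than regex-match the raw command line.
RULES = [
    ("firewall_stop",
     re.compile(r"\b(?:service\s+iptables\s+stop|systemctl\s+stop\s+iptables)\b"),
     "iptables service stopped"),
    ("firewall_flush",
     re.compile(r"\biptables\b.*\s-(?:F|X|Z)\b"),
     "iptables rules flushed or chains deleted"),
    ("kernel_module_load",
     re.compile(r"\b(?:insmod|modprobe)\s+(\S+)"),
     "kernel module loaded"),
]

# Kernel module names that belong to the netfilter/iptables stack (assumed name prefixes).
NETFILTER_MODULE = re.compile(r"(?:^|/)(?:ip_tables|iptable_\w+|x_tables|xt_\w+|nf_\w+)(?:\.ko)?$")


def analyze(commands):
    """Run every rule over every command and collect the findings in log order."""
    findings = []
    for cmd in commands:
        for tag, pattern, description in RULES:
            match = pattern.search(cmd)
            if not match:
                continue
            detail = description
            if tag == "kernel_module_load":
                module = match.group(1)
                if NETFILTER_MODULE.search(module):
                    detail = f"netfilter-related module loaded: {module}"
                else:
                    detail = f"module loaded: {module}"
            findings.append(Finding(tag, cmd, detail))
    return findings


def summarize(findings):
    """Count findings per tag, e.g. {'firewall_flush': 3, ...}."""
    return dict(Counter(f.tag for f in findings))


def firewall_tampered(findings):
    """True when the sample stopped or flushed the host firewall."""
    return any(f.tag in ("firewall_stop", "firewall_flush") for f in findings)


if __name__ == "__main__":
    for f in analyze(SAMPLE_COMMANDS):
        print(f"[{f.tag}] {f.detail}  <- {f.command}")
```

Tying the module loads to the firewall commands is what turns two isolated log lines into one behaviour: a sample that flushes iptables and then pulls in `ip_tables`/`nf_*` modules is reconfiguring the host's packet filtering, which is a stronger signal than either event alone.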
Mozi botnet with bittorrent
ELF DIGEST also uploads the PCAP network traffic capture. When sandboxes or users upload PCAPs to VirusTotal, we analyze them with Snort and Suricata, using rules from community contributors.
Other interesting samples to have a look at:
- Mirai 19907fba39b0065fea0047b533d3d1f61d46c49e8ad78f65f7ad6d5d906d2d7b
- Service Scanning: cd02800b747b27a65382132770c77823304404dc0611917a21b423727d058ae1
- A coin miner detecting its environment: 6f445252494a0908ab51d526e09134cebc33a199384771acd58c4a87f1ffc063
Tuesday, March 15, 2022
VT4Browsers++ Any indicator, every detail, anywhere
Don’t feel like reading? Check out a demo video showcasing how VirusTotal’s browser extension is now able to contextualize alerts from your SIEM.
12 years ago I wrote the very first version of the VirusTotal browser extension, now called VT4Browsers. A lot has changed since then, among other things, much smarter colleagues (Ana Tinoco and Camilo Benito) took on the development and kept improving it, including this major release.
Up until now, the extension mostly focused on easing the task of analyzing files and URLs with VirusTotal. For instance, upon downloading a file it asks whether you would like to scan it with over 70 antivirus/nextgen/EDR solutions. Similarly, retrieving the reputation for a link that you are about to follow is as easy as right-clicking on it.
VT4Browsers is getting a major revamp (v4.0) mostly intended for security analysts, incident responders and threat researchers. It can now leverage your API key to automatically identify IoCs (hashes, domains, IPs and URLs) in websites of your choice and enrich them with threat reputation and context from VirusTotal, through a single pane of glass experience.
VirusTotal’s detection score is injected next to the corresponding IoC, as a visual triage data point. Upon clicking on the detection ratio, a side panel kicks in with the full context for the IoC, served with our VT AUGMENT widget. All this happens within the original website, as if it were native functionality in the corresponding platform.
SOC analysts and other cybersecurity responders can now easily access threat reputation and context inside their SIEM, case management system and other tools of their choice, even when they do not have a built-in integration for VirusTotal. This results in faster, more accurate and more confident incident response.
Indeed, alert triage and incident response are two major VirusTotal use cases. These days security teams are increasingly concerned about missed threats due to lack of context. This is further exacerbated by two issues:
- Machine learning, artificial intelligence, heuristics, user entity behaviour analytics, generic signatures, anomaly detection and other fancy detection buzzwords - even when they work, they often generate more questions than answers. When they don’t work, they lead to noise and false positives.
- Even the most advanced security programs and defensive stacks are constrained by internal-only (corporate network) visibility. Meanwhile, threat actors operate globally, targeting other organizations. Much could be learned from their footprints.
Thanks to community crowdsourcing, VirusTotal is in a unique position to address this lack of context. Let's look into it. SOCs are often confronted with cryptic alerts such as:
Beyond some internal sighting information (date, machine, user logged in) and a related IoC (IP address), nothing is known about the potential malware family/toolkit behind it, delivery vector, subsequent attack stages, additional threat campaign IoCs, attacker TTPs, threat actor, motivations, etc.
VirusTotal’s sandbox detonation information, passive DNS dataset, whois lookup history, threat graph, campaign collections, geo+time submission metadata, crowdsourced YARA rule detections, etc. transforms the aforementioned cryptic alert into something more like:
The good news is that connecting the dots has never been easier. The new VT4Browsers version bridges the contextualization gap in your existing security solutions and it is fully stack agnostic. It can work simultaneously with your SIEM, case management system and pretty much any other security solution web interface. The extension allows you to add certain platform domains and URLs to lists for persistent enrichment, which is very handy for tools that get used regularly. One-off contextualization via the right-click menu is also possible. Moreover, if you don’t feel like clicking, you can set up keyboard shortcuts. Two contextualization modes are available:
- Enrichment: Fully automatic - identifies IoCs within websites and automatically looks all of them up against VirusTotal, injecting context where appropriate. It consumes one API lookup per identified IoC.
- Highlighting: Manual - identifies IoCs within websites and adds a VirusTotal lookup trigger icon next to each of them. Contextualization will only happen when you click on the trigger icon. It consumes one API lookup each time you click on a trigger icon next to an IoC.
As described, the enrichment mode automatically performs an API lookup for each IoC; as a result, it is only recommended for premium API keys. Important: upon making any changes to the lists of domains/URLs to highlight or enrich, make sure that you reload the pertinent website so that the setting kicks in.
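The core of what the extension does on a page is the first step above: find the hashes, domains, IPs and URLs in arbitrary page text, deduplicate them, and decide how many API lookups enrichment would cost. The following is an added example, not the VT4Browsers source code: a Python IoC extractor run over a constructed SIEM-style alert page. The regexes, the internal-network exclusion list and the sample text are assumptions made for the example; the two hashes are the well-known SHA-256 and MD5 of an empty file, used as placeholders.

```python
import ipaddress
import re

# Constructed page text in the shape of a SIEM alert view (not a real alert).
SAMPLE_PAGE_TEXT = """\
Alert 4711 on host ws-042 (10.20.30.40): suspicious download
sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
md5 D41D8CD98F00B204E9800998ECF8427E
process contacted 198.51.100.23 and resolved update.example-cdn.test
fetched http://update.example-cdn.test/payload.bin then 198.51.100.23 again
agent version 10.0.19041 reported at 2022-03-15
"""

# MD5 / SHA-1 / SHA-256, bounded so a 32-hex run inside a longer hash is not reported twice.
HASH_RE = re.compile(r"(?<![0-9a-fA-F])(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})(?![0-9a-fA-F])")
URL_RE = re.compile(r"\bhttps?://[^\s\"'<>)]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Hostname labels followed by an alphabetic TLD; version numbers like 10.0.19041 do not qualify.
DOMAIN_RE = re.compile(
    r"(?<![\w.-])(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}(?![\w.-])", re.I)

# Addresses that are never worth an API lookup (assumed exclusion list for this example).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def extract_iocs(text):
    """Return {'hash': [...], 'url': [...], 'ip': [...], 'domain': [...]}, deduplicated and sorted."""
    iocs = {"hash": set(), "url": set(), "ip": set(), "domain": set()}
    for m in URL_RE.finditer(text):
        iocs["url"].add(m.group(0))
    # Blank out URLs first so a path component such as payload.bin is not reported as a domain.
    stripped = URL_RE.sub(" ", text)
    for m in HASH_RE.finditer(stripped):
        iocs["hash"].add(m.group(0).lower())
    for m in IPV4_RE.finditer(stripped):
        try:
            ip = ipaddress.IPv4Address(m.group(0))
        except ValueError:          # e.g. 999.1.1.1 matches the regex but is not an address
            continue
        if not is_internal(ip):
            iocs["ip"].add(str(ip))
    for m in DOMAIN_RE.finditer(stripped):
        iocs["domain"].add(m.group(0).lower())
    return {kind: sorted(values) for kind, values in iocs.items()}


def lookups_needed(iocs, mode="enrichment", clicked=()):
    """API cost of a page: enrichment looks up every IoC, highlighting only the ones clicked."""
    if mode == "enrichment":
        return sum(len(values) for values in iocs.values())
    if mode == "highlighting":
        return len(set(clicked))
    raise ValueError(f"unknown mode: {mode}")


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_PAGE_TEXT)
    for kind, values in found.items():
        print(kind, values)
    print("lookups in enrichment mode:", lookups_needed(found))
```

The two design points worth keeping when adapting this: strip URLs before the domain pass (otherwise file names with a three-letter extension show up as domains), and skip internal addresses, since every IoC on the page costs one lookup in enrichment mode.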
One more thing. This new version also adds additional right-click functionality allowing you to automatically parse out IoCs found in websites to look them up in bulk in VT INTELLIGENCE and VT GRAPH.
Make sure you check the documentation to get your environment set up and please pay close attention to the privacy settings for the pre-existing scanning functionality.
Shortcuts:
Install VT4Browsers in Chrome
Install VT4Browsers in Firefox
VT4Browsers 4.0 documentation
Need a website to test the contextualization? VXVault is a no-brainer.
As usual, we want to make sure that future functionality meets user needs, share your feedback and get to see your suggestions in the next release!
Happy hunting threat contextualizing!
Monday, March 14, 2022
YARA "dotnet" module now available for Livehunt and Retrohunt
Good news for all threat hunters! As announced in our latest release notes, the “dotnet” YARA module is already available both for your Livehunt and Retrohunt rules. This module allows inspecting features and characteristics of .NET executable files, such as the GUIDs used, .NET assembly metadata, resources and so on.
As an example, the following YARA rule published by AlienVault uses different features provided by the “dotnet” module for detecting Shrug ransomware:
import "dotnet"

rule Shrug_ransomware_excerpt  // rule name not shown on the page; chosen for this excerpt
{
    strings:
        $bitcoin_address = "1Hr1grgH9ViEgUx73iRRJLVKH3PFjUteNx"
    condition:
        uint16(0) == 0x5A4D and  // MZ header; the published rule's remaining "dotnet" conditions are cut off on the page
        $bitcoin_address
}
The “dotnet” module is not exactly new: it has been growing its own fan club since YARA 3.6.0. However, it was not included in the default YARA build nor enabled in VirusTotal services… until now! You can find more information about this module in the official YARA documentation.
We want to use the opportunity to thank Wesley Shields, the module’s original author, for this great contribution to YARA.
We hope these changes will make life easier for the malware research community and, as usual, we would love to hear any feedback from you.
Happy hunting!
Wednesday, March 09, 2022
Meet our new improved VirusTotal Graph
TL;DR: We are publishing a new version of VirusTotal Graph that, among other things, supports VirusTotal Collections and provides a new filter engine to speed up your investigations.
Today we are proud to announce a new release of VirusTotal Graph, the tool to visually navigate the VirusTotal dataset and to create collaborative visual investigations. We heard all the feedback from the community to make VT Graphs even better.
Support for VT Collections
Moreover, when a collection node is selected, the graph shows the main collection attributes and offers the possibility to pivot to the IoCs it contains. This greatly helps add both context and more elements to the current investigation without leaving the graph. The same behavior applies to referenced entities.
Additionally, we added the option to export your graph into a new collection in VirusTotal via the File menu. The collection will contain the files, URLs, domains and IP addresses present in your current graph.
Filter engine
One of the most requested features we received from the community’s feedback (send yours here) is the ability to filter out elements in VirusTotal graphs.
It is common to find yourself investigating large noisy graphs after multiple pivots and expansions. The VirusTotal dataset is very large and we want to help you find the needle in the haystack.
With that goal in mind, we are happy to introduce you to the new filters engine. You will find the filters icon at the right of the Search Bar.
For timestamps, you can find a timeline divided into buckets showing how many nodes fall into each of them. Use them to adjust your time window and filter the nodes in the graph accordingly.
Each filter provides three options:
OR: When one or multiple OR conditions are selected, a node must match at least one of them to be visible.
AND: When one or multiple AND conditions are selected, a node must match all of them to be visible.
NOT: When one or multiple NOT conditions are selected, a node must not match any of them to be visible.
After a filter is applied, the graph is updated automatically. Similarly, when the user clicks on “Removed filtered nodes”, the nodes that are no longer visible are removed from the graph and the filters are reset. You can start over and re-play the filtering flow from there.
You can apply filters to all the nodes in the graph, to a selection, or to the nodes in a given relationship. To apply filters to specific nodes, just select them. If the filter drawer is already open, it will be refreshed automatically.
Back to our initial investigation: we could filter IP address resolutions seen during 2022 with at least one detection.
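The OR / AND / NOT semantics above, the “remove filtered nodes” reset and the timeline buckets are easy to get subtly wrong (for instance, whether an empty OR group hides everything or nothing). The following is an added example, not VirusTotal Graph code: a Python model of the filter engine over a constructed graph, ending with the investigation step described above (IP address resolutions seen during 2022 with at least one detection). The node attributes, the condition helpers and the sample nodes are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Node:
    id: str
    kind: str          # "file", "domain", "ip_address" or "url"
    detections: int    # number of engines flagging the node
    first_seen: date   # timestamp the timeline buckets are built from


# Constructed graph after a few pivots (not real VirusTotal data).
NODES = [
    Node("n1", "ip_address", 0, date(2021, 11, 2)),
    Node("n2", "ip_address", 5, date(2022, 1, 14)),
    Node("n3", "ip_address", 2, date(2022, 2, 3)),
    Node("n4", "domain", 12, date(2022, 2, 20)),
    Node("n5", "file", 40, date(2022, 3, 1)),
    Node("n6", "ip_address", 3, date(2020, 6, 9)),
]


# A condition is simply a predicate over a node; these three helpers build the ones used below.
def kind_is(kind):
    return lambda n: n.kind == kind


def detections_at_least(minimum):
    return lambda n: n.detections >= minimum


def seen_between(start, end):
    return lambda n: start <= n.first_seen <= end


def apply_filters(nodes, or_conds=(), and_conds=(), not_conds=()):
    """Visible nodes under the three-group semantics:
    OR  - if any OR conditions are set, a node must match at least one of them;
    AND - if any AND conditions are set, a node must match all of them;
    NOT - if any NOT conditions are set, a node must match none of them.
    An empty group imposes no constraint."""
    visible = []
    for n in nodes:
        if or_conds and not any(c(n) for c in or_conds):
            continue
        if and_conds and not all(c(n) for c in and_conds):
            continue
        if not_conds and any(c(n) for c in not_conds):
            continue
        visible.append(n)
    return visible


def remove_filtered_nodes(nodes, visible):
    """Model of the 'remove filtered nodes' action: drop hidden nodes so the next
    filtering round (with reset filters) starts from the visible set."""
    keep = {n.id for n in visible}
    return [n for n in nodes if n.id in keep]


def timeline_buckets(nodes):
    """Nodes per year-month, like the timeline shown next to the timestamp filter."""
    buckets = {}
    for n in nodes:
        key = n.first_seen.strftime("%Y-%m")
        buckets[key] = buckets.get(key, 0) + 1
    return dict(sorted(buckets.items()))


def example_investigation(nodes=NODES):
    """IP address resolutions seen during 2022 with at least one detection."""
    return apply_filters(nodes, and_conds=[
        kind_is("ip_address"),
        seen_between(date(2022, 1, 1), date(2022, 12, 31)),
        detections_at_least(1),
    ])


if __name__ == "__main__":
    print(timeline_buckets(NODES))
    print([n.id for n in example_investigation()])
```

Note that the three groups combine conjunctively: a node has to pass the OR group, the AND group and the NOT group, so putting a condition in the wrong group changes the result rather than just its wording.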
You can find full Filters engine documentation here.
We are really excited about this new version of VT Graph. We find it easier to use, and the new functionalities really help to make investigations much more agile and clean. VT Collections add nice extra context, and exporting investigations into Collections makes results more actionable and collaborative. We welcome everyone to give it a try and to keep sharing your feedback with us.
Happy hunting!
Thursday, February 10, 2022
MISP and VT Collections
At VirusTotal we are actively working on expanding integrations with the most popular tools used by the infosec community.
Today we are thrilled to announce tighter integration with MISP through our most recent feature to track threat campaigns and malware toolkits, VT Collections. We have created two new workflows:
- The ability to export VT Collections to STIX 2, a well-known threat intel exchange format.
- Functionality to create a collection from IoCs contained in a MISP Event.
This will allow the exchange of IoCs bidirectionally between MISP and VirusTotal.
VT Collection to MISP
You can export all IoCs contained in a collection using the export icon in the top-right corner: click on it and select Download all IoCs as STIX:
This will generate a JSON file that can be imported into MISP using the left menu option, Import from…
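To make the STIX side of this workflow concrete, here is an added example, not VirusTotal's exporter and not the MISP module: a Python function that turns a constructed collection (files, domains, IP addresses and URLs) into a STIX 2.1 bundle of Indicator objects using the standard pattern syntax, plus the reverse step that reads the patterns back as an importer would. The collection layout, the indicator naming and the deterministic id scheme are assumptions for the example; the file hash is the SHA-256 of an empty file, used as a placeholder.

```python
import json
import uuid
from datetime import datetime, timezone

# Constructed collection content (not a real VT Collection).
COLLECTION = {
    "name": "Example campaign (constructed)",
    "files": ["e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"],
    "domains": ["update.example-cdn.test"],
    "ip_addresses": ["198.51.100.23"],
    "urls": ["http://update.example-cdn.test/payload.bin"],
}

# STIX 2.1 comparison expressions for the four IoC types a collection holds.
_PATTERNS = {
    "files": "[file:hashes.'SHA-256' = '{}']",
    "domains": "[domain-name:value = '{}']",
    "ip_addresses": "[ipv4-addr:value = '{}']",
    "urls": "[url:value = '{}']",
}


def stix_pattern(ioc_type, value):
    """Build one pattern; backslashes and single quotes must be escaped inside string literals."""
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return _PATTERNS[ioc_type].format(escaped)


def collection_to_stix_bundle(collection, now=None):
    """One Indicator per IoC, wrapped in a Bundle. Indicator ids are derived from the
    IoC value (UUIDv5) so a re-export of the same collection yields the same ids."""
    now = now or datetime.now(timezone.utc)
    ts = now.strftime("%Y-%m-%dT%H:%M:%S.000Z")
    objects = []
    for ioc_type in ("files", "domains", "ip_addresses", "urls"):
        for value in collection.get(ioc_type, []):
            objects.append({
                "type": "indicator",
                "spec_version": "2.1",
                "id": f"indicator--{uuid.uuid5(uuid.NAMESPACE_URL, f'{ioc_type}:{value}')}",
                "created": ts,
                "modified": ts,
                "name": f"{collection['name']}: {value}",
                "indicator_types": ["malicious-activity"],
                "pattern": stix_pattern(ioc_type, value),
                "pattern_type": "stix",
                "valid_from": ts,
            })
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def bundle_to_json(bundle):
    return json.dumps(bundle, indent=2)


def indicators_from_bundle(bundle_json):
    """What an importer sees: (pattern_type, pattern) for every Indicator in the bundle."""
    bundle = json.loads(bundle_json)
    return [(o["pattern_type"], o["pattern"]) for o in bundle["objects"] if o["type"] == "indicator"]


if __name__ == "__main__":
    print(bundle_to_json(collection_to_stix_bundle(COLLECTION)))
```

Two details matter for a clean MISP import: every Indicator carries `pattern_type` and `valid_from` (both required in 2.1), and ids are stable across exports, so re-importing an updated collection updates objects instead of duplicating them.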
MISP Event to VT Collection
To tackle this part of the workflow we have developed a new MISP Module called VirusTotal Collections. This module uses the event exporting option to send IoCs to VirusTotal and create the collection.
To create a collection from a MISP Event you can use the Download as… button while inspecting an Event, choose VirusTotal Collections as an export format option.
After a few seconds you will get a text file confirming that the export process has finished. In the text file you can find the URL of the new collection.
And that’s it. If you are a MISP user, ping your MISP instance admin to activate the export module and tell us what you think about this integration in this form (2 minutes).
Stay tuned for more MISP contributions.
Happy Hunting!
Wednesday, February 09, 2022
Build a Champion SOC with VirusTotal and Palo Alto Networks Cortex XSOAR
With Palo Alto Networks’ Cortex XSOAR as your champion and VirusTotal as the sharpened blade, your SOC will decimate threats and reduce analyst strain. Together, VirusTotal and Cortex XSOAR enable your security and IT teams to discover context and solve incidents in a cost effective way.
Join us next March 31st for an expert-led discussion on leveraging threat intelligence in your SOC. Register here.
VirusTotal Cortex XSOAR packs enable you to:
- Orchestrate custom threat feeds through Cortex XSOAR to perform live IoC matching and launch retroactive threat hunts from your SIEM or historical log archives.
- Leverage improved and early detection with crowdsourced {Yara, SIGMA, IDS} threat reputation for files, domains, IPs, and URLs.
- Streamline your triage process with prioritized SOC alerts based on severity and threat categories.
- Inform your EDR platform by feeding it highly relevant and undetected threats identified with VirusTotal YARA.
Not only that. Our new improved VirusTotal packs allow you to create custom IOC feeds. You can simply create your own VT Hunting Livehunt rules and feed them into XSOAR. Here you can learn how:
Check out the four XSOAR VirusTotal content packs and discover which is right for you, and try one for free through the Cortex XSOAR Marketplace platform. New to Cortex XSOAR? Download the Community Edition to discover how VirusTotal and XSOAR can work for you!
Building a Champion SOC
The quest to best protect an organization requires several top-of-the-line weapons for an analyst to wield. To handle the daily torrent of alerts and threats, security teams need access to the sharpest, most up-to-date threat intelligence to provide the missing critical pieces of information like files, URLs, domains, and more. Unfortunately, security teams rarely have the time or resources to maintain a full arsenal of rich, ingestible intelligence.
To provide security teams with the best tools to combat threat actors, VirusTotal and Cortex XSOAR are thrilled to streamline threat intelligence through the Cortex XSOAR Marketplace. As one of the largest threat intelligence services in the world, VirusTotal is expanding its research, enrichment, and malware hunting capabilities to XSOAR - a market leading Security Orchestration Automation and Response platform for unified case management, automation, and real time collaboration.
With one click installation, your security team can easily and accurately pull the necessary context to surface threats in your system. Subscribe to VirusTotal from the XSOAR Marketplace to access the VirusTotal API directly for critical context regarding your incident response and alert management. With advanced orchestration from Cortex XSOAR, your SOC can create custom threat feeds and very easily plug them straight into your security stack to search for both current and retroactive breaches.
VirusTotal offers four content packs each with a monthly allotment of lookups. Starter gives 5,000 lookups per month, Respond gives 150,000, Enrich gives 1 million, and Triage gives 100 million. Leverage these powerful solutions to seamlessly enrich your alerts with cost-effective confidence. Furthermore, IoC matching is driven by the real-time view of the threat landscape as seen by VirusTotal, powered by millions of users each month. This unparalleled enrichment provides confident, accurate context for unrivaled global visibility into threats.
As a final note, both Palo Alto Networks Cortex XSOAR Marketplace points customers and any other users can still provision custom premium API keys from VirusTotal and operate XSOAR with them. The new VirusTotal XSOAR packs do not replace existing workflows or licensing options.
Happy hunting!