Wednesday, August 10, 2022

VirusTotal += Google

Today, we are happy to announce that in addition to Google's URL scanning service (Safe Browsing), which has been integrated with VirusTotal, Google is now also providing a file scanning service to the VirusTotal community. In their own words:

"Google protects billions of users every day through its advanced threat detection and security capabilities. This integration with VirusTotal is one of multiple detection layers from Google to protect its users from malware and other malicious files."

Google has expressed its commitment to follow the recommendations of AMTSO and, in compliance with our policy, facilitates this review by AV-Comparatives, an AMTSO-member tester.

Tuesday, August 02, 2022

Deception at scale

Continuing our initiative of sharing VirusTotal’s visibility to help researchers, security practitioners and the general public better understand the nature of malicious attacks, we are proud to announce our “Deception at scale: How malware abuses trust” report.

This time, we focused on different techniques used by malware to bypass defenses and make social engineering attacks more effective.

We encourage you to read the full report, but below you can find some of the main findings:

  • Ten percent of the top 1,000 Alexa domains have distributed suspicious samples.
  • 0.1 percent of legitimate hosts for popular apps have distributed malware.
  • 87% of the more than one million signed malicious samples uploaded to VirusTotal since January 2021 have a valid signature.
  • In a growing social engineering trend, 4,000 samples either executed or were packed with legitimate apps installers.
  • There has been a steady increase in the number of malware visually mimicking legitimate applications, with Skype, Adobe Acrobat, and VLC comprising the top three.
  • 98% of samples embedding legitimate installers in their PE resources were malicious.

You can download the full report here.

To help stop cyberattacks that rely on malware VirusTotal can track, we provide below the technical details that support the conclusions presented in the report.


Abusing legitimate domains to distribute malware

One of the most effective social engineering techniques consists of hiding malware by packaging it into installation packages with legitimate software. This becomes a supply chain attack when attackers get access to the official distribution server, source code, or certificates.

We checked files submitted to VirusTotal and distributed from well-known legitimate domains. Below you can find an example of how to obtain this information using VirusTotal Intelligence:


Of the almost 80,000 unique files found, 78 were detected by more than 5% of antiviruses as potentially malicious. Here we list the top 5 most detected files:


SHA1    DR      Distribution URL
        26/64   hxxps://global-download.acer[.]com/GDFiles/BIOS/Firmware/Firmware_Acer_103_A_A[.]zip
        23/64   hxxps://dlcdnets.asus[.]com/pub/ASUS/GamingNB/FA506IV/BKXCR000_v014_20201013_EXE[.]zip
        15/64   hxxps://dl.dell[.]com/FOLDER06606984M/1/Printer_E310dw_FW_Dell_A07_WIN[.]zip
        11/59   hxxp://dl.dell[.]com/folder06109278m/1/dell_u2419hc_monitorfirmwareupdateutility_m3t107_mup[.]zip
        10/63   hxxps://dlcdnets.asus[.]com/pub/ASUS/LCD%20Monitors/MB16AMT/MB16AMT_touchFW_vT3_for_MAC_10.15[.]zip

Execution Parents

Execution Parent is a VirusTotal in-house relationship linking a file to its “parent” file, the one observed executing it during sandbox analysis. This type of relationship can be visualized in the Relations tab; the image below shows the list of execution parents for a legitimate Telegram installer:


In this example, almost half of all the Execution Parents for a legitimate installer seem malicious. We used this approach to find suspicious execution parents of legitimate installers. Below you can find the top 5 most detected execution parents with known distribution URLs:

Parent SHA1                               DR     Distribution URL                                                 Legit child
edf493140ccaba2ec6f340de3d3f1ab2d6c1651f  65/68  hxxp://192.210.173[.]40/files/loader2[.]exe                      Google Chrome
4d6fe5d14dbd6f47e06ab901ff1c4170dec4cfd7  67/71  hxxps://uc1a9ed2ac0662c4ccfe1b1ab0b5.dl.dropboxusercontent[.]com/…  Malwarebytes
2dcedfdbcf527eb6680b4c4bce6f791b2681cae3  64/69  hxxp://192.227.158[.]110/im/kok[.]exe                            Google Chrome
60822aaa3c451cebfecec1e2f11004367be998ae  64/71  hxxp://69.64.43[.]224/tsi[.]exe                                  Windows update
62d7c0cd150b107923429674bcc9246d1d8b0d6c  52/69  hxxp://103.249.34[.]183/Telegram[.]exe                           Telegram


In order to monitor such activity, the following query lists legitimate Telegram installers that have known execution parents.


We can use this list of files to check whether any of their execution parents look suspicious. This can be easily automated using VirusTotal’s API; you can find an example in Appendix I at the end of this post.

Compressed Parents

This is a similar approach to the previous one, with the difference that legitimate installers are found bundled inside compressed files (ZIP and RAR, but also other installer executables such as NSIS, MSI, etc.). Compressed Parents are also found in the Relations tab.

We found that around 24% of Compressed Parents are detected as malicious by several antiviruses. Here are some examples of the most detected Compressed Parents, with their known distribution URLs:

Parent SHA1                               DR     Distribution URL                                                                                      Legit child
5df092af805ffacba1dee39a432aa3c7836f4f35  57/69  hxxps://cdn[.]discordapp[.]com/attachments/791698781954506774/791699989772369930/ZoomInstaller[.]exe  Zoom
2e5b1d982ebcf07ba9c90b29b07f247f93d282e6  49/71  hxxp://aaaenterprises[.]co/download/Setup[.]exe                                                        Brave
253d043f85e55100b79b632dd7b05c6237b196a3  45/67  hxxps://bit[.]ly/3kxKGtR                                                                              Malwarebytes
0854be1e84e5b204e06ece528bba459a32b93389  45/67  hxxps://updatebrowser[.]org/downloads/firefox/FirefoxInstaller.exe                                    Firefox
0fb43ccb3ec7878c0ef12f9e488accbbfbf1338b  40/67  hxxps://anonymousfiles[.]io/f/ProtonVPN_win_v1.16.1_-_Cracked_By_PC-RET.zip                          ProtonVPN
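Both the Execution Parents and the Compressed Parents sections above boil down to the same triage step: walk a paginated relationship, read each parent's last_analysis_stats, and keep the parents over a detection threshold (or compute the share of parents that exceed it, which is the kind of ratio behind the 24% figure). The following Python is an added example written for this post, not VirusTotal's own code: it processes pages in the shape of the /api/v3/files/{hash}/execution_parents and /compressed_parents responses, but the pages themselves are constructed sample data, and the set of stats keys used as the denominator is an assumption.

```python
"""Triage of VirusTotal "parent" relationships from API-style JSON pages.

Added example, not VirusTotal's own code. The pages mimic the shape of
/api/v3/files/{hash}/execution_parents and /compressed_parents responses
(a "data" list of file objects with "attributes", plus an optional
"links.next" cursor), but they are constructed sample data, not API output.
"""
from typing import Callable, Dict, Iterator, List, Optional, Tuple

# Constructed sample: two pages of parents for one legitimate child.
SAMPLE_PAGES: Dict[str, dict] = {
    "page1": {
        "data": [
            {"id": "a" * 64, "attributes": {"sha256": "a" * 64,
             "last_analysis_stats": {"malicious": 65, "undetected": 3}}},
            {"id": "b" * 64, "attributes": {"sha256": "b" * 64,
             "last_analysis_stats": {"malicious": 0, "undetected": 70}}},
        ],
        "links": {"next": "page2"},
    },
    "page2": {
        "data": [
            {"id": "c" * 64, "attributes": {"sha256": "c" * 64,
             "last_analysis_stats": {"malicious": 6, "undetected": 60}}},
            {"id": "d" * 64, "attributes": {}},  # never analysed: no stats
            {"id": "e" * 64, "attributes": {"sha256": "e" * 64,
             "last_analysis_stats": {"malicious": 3, "undetected": 65}}},
        ],
    },
}

Fetcher = Callable[[str], dict]  # url -> decoded JSON page
STAT_KEYS = ("malicious", "suspicious", "undetected", "harmless")  # assumed denominator


def iter_relationship(first_url: str, fetch: Fetcher) -> Iterator[dict]:
    """Yield every object of a paginated relationship, following links.next."""
    url: Optional[str] = first_url
    seen = set()
    while url and url not in seen:  # a repeated cursor would loop forever
        seen.add(url)
        page = fetch(url)
        yield from page.get("data", [])
        url = page.get("links", {}).get("next")


def detection_ratio(item: dict) -> Optional[Tuple[int, int]]:
    """(malicious, engines counted) for a file object, or None without stats."""
    stats = item.get("attributes", {}).get("last_analysis_stats")
    if not stats:
        return None
    return int(stats.get("malicious", 0)), sum(int(stats.get(k, 0)) for k in STAT_KEYS)


def suspicious_parents(first_url: str, fetch: Fetcher,
                       threshold: int = 5) -> List[Tuple[str, int, int]]:
    """Parents with more than `threshold` malicious verdicts, most detected first."""
    hits = []
    for item in iter_relationship(first_url, fetch):
        ratio = detection_ratio(item)
        if ratio and ratio[0] > threshold:
            hits.append((item["attributes"]["sha256"], ratio[0], ratio[1]))
    return sorted(hits, key=lambda h: h[1], reverse=True)


def malicious_share(first_url: str, fetch: Fetcher, threshold: int = 5) -> float:
    """Fraction of analysed parents over the threshold (the ratio behind a '24%' figure)."""
    total = flagged = 0
    for item in iter_relationship(first_url, fetch):
        ratio = detection_ratio(item)
        if ratio is None:
            continue
        total += 1
        flagged += ratio[0] > threshold
    return flagged / total if total else 0.0


if __name__ == "__main__":
    fetch = SAMPLE_PAGES.__getitem__  # offline; for the live API wrap requests.get(...).json()
    for sha256, malicious, total in suspicious_parents("page1", fetch):
        print(f"{sha256} {malicious}/{total}")
    print(f"flagged share: {malicious_share('page1', fetch):.0%}")
```

The fetcher is injected so the same logic runs against stored pages or against the live API (a wrapper around requests.get with the x-apikey header, as in Appendix I); the seen-set guards against a cursor that points back at a page already visited, and parents without stats are counted neither as flagged nor in the denominator.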


The ProtonVPN sample from the Compressed Parents table above is an interesting example. This ZIP archive contains three files: two executables and one text file.

The first executable has a high detection rate and it appears to be a Jigsaw ransomware sample. The second executable is the official ProtonVPN installer, as seen in the “ITW Urls” section in the Relations tab:


The last file is a text document with instructions for potential victims:


Malware visually disguised as legitimate software

VirusTotal can be an effective tool to search for visual similarities among files and websites, which is great for detecting malware stealing icons from legitimate apps.

We can use the same approach to reveal files abusing Telegram’s icon:


Typically, we’d want to first search for a legitimate Telegram installer and click on its icon when listed in VirusTotal Intelligence to obtain the value of main_icon_dhash. We can add further file-specific search modifiers to the previous query, such as “have:itw”, to find how it is being distributed.
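To make the icon-similarity search above concrete, here is an added example (written for this post, not VirusTotal's code) of how a difference hash of an icon is built and compared. VirusTotal does not document the exact variant behind main_icon_dhash, so the block uses the common textbook construction, which is an assumption: resample the icon to 9x8 grayscale, emit one bit per horizontal neighbour comparison, and measure similarity as the Hamming distance between two 64-bit hashes. The icons are small constructed pixel grids, not real application icons.

```python
"""Difference hash (dHash) of an icon and Hamming distance between hashes.

Added example, not VirusTotal's code. The construction below (9x8 resample,
compare each pixel with its right-hand neighbour, pack 64 bits) is the common
dHash variant and is assumed here; the icons are constructed grids.
"""
from typing import List

Gray = List[List[int]]  # rows of 0..255 gray values


def downscale(img: Gray, width: int = 9, height: int = 8) -> Gray:
    """Nearest-neighbour resample to width x height (real tools usually average areas)."""
    src_h, src_w = len(img), len(img[0])
    return [[img[y * src_h // height][x * src_w // width] for x in range(width)]
            for y in range(height)]


def dhash(img: Gray) -> int:
    """64-bit dHash: one bit per horizontal neighbour comparison on the 9x8 grid."""
    bits = 0
    for row in downscale(img):
        for x in range(8):
            bits = (bits << 1) | (1 if row[x] > row[x + 1] else 0)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of differing bits; small values mean visually similar icons."""
    return bin(a ^ b).count("1")


def looks_alike(a: Gray, b: Gray, max_distance: int = 8) -> bool:
    """Threshold is an assumption: about 8 of 64 bits is a common near-duplicate cut-off."""
    return hamming(dhash(a), dhash(b)) <= max_distance


# --- constructed sample icons (9x8, so no resampling happens for them) ---
def make_reference() -> Gray:
    # even rows brighten left to right, odd rows darken: 0x00FF per pair of rows
    return [[x * 20 if y % 2 == 0 else 200 - x * 20 for x in range(9)] for y in range(8)]


def upscale(img: Gray, factor: int) -> Gray:
    """Pixel-replicate an icon; the hash must be invariant to this."""
    return [[v for v in row for _ in range(factor)] for row in img for _ in range(factor)]


REFERENCE = make_reference()
TWEAKED = [row[:] for row in REFERENCE]
TWEAKED[3][4] = 0                      # one dark pixel (a tiny logo edit): flips one bit
BLANK = [[0] * 9 for _ in range(8)]    # unrelated icon
REFERENCE_2X = upscale(REFERENCE, 2)   # the same icon delivered at 18x16

if __name__ == "__main__":
    print(f"reference {dhash(REFERENCE):016x}")
    for name, icon in [("tweaked", TWEAKED), ("blank", BLANK), ("2x", REFERENCE_2X)]:
        print(f"{name:9s} distance={hamming(dhash(REFERENCE), dhash(icon))}")
```

The point for hunting is that an icon lifted from a legitimate installer and lightly edited (recoloured, resized, one small change) keeps a hash within a few bits of the original, which is why searching by main_icon_dhash surfaces lookalikes that an exact hash would miss.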

We can use the same technique for finding all the URLs that use a given favicon (again Telegram). The following query does this, skipping a few parent domains we know are legitimate:


The fuzzy_domain keyword is another very useful search modifier. Based on Levenshtein distance, it is well suited to finding typosquatting attacks by listing all misspelled variants of a domain name:


There are many additional modifiers we can leverage. You can find extended documentation here for domains, IP addresses, and URLs.
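As an added example of the idea behind fuzzy_domain (written for this post, not VirusTotal's code), the block below implements Levenshtein distance and screens a list of candidate domains for near misses of a brand's registrable label. VirusTotal evaluates fuzzy_domain server-side and the page does not state its cut-off, so the threshold used here (distance at most 2) and the one-label public-suffix simplification are assumptions, and the candidate domains are constructed.

```python
"""Levenshtein distance and a typosquat screen for a brand's domain label.

Added example, not VirusTotal's code. The threshold (distance <= 2 on the
registrable label) is an assumption; candidate domains are constructed.
"""
from typing import List, Tuple


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) with the two-row DP."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """'web.telegram.org' -> 'telegram'. Assumes a one-label public suffix;
    production code should consult the Public Suffix List for co.uk and friends."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def fuzzy_matches(brand_label: str, candidates: List[str],
                  max_distance: int = 2) -> List[Tuple[str, int]]:
    """Domains whose registrable label is a near miss of the brand, nearest first.
    Exact matches are skipped: they are the brand itself, not a squat."""
    brand = brand_label.lower()
    hits = []
    for domain in candidates:
        label = registrable_label(domain)
        if label == brand:
            continue
        dist = levenshtein(label, brand)
        if dist <= max_distance:
            hits.append((domain, dist))
    return sorted(hits, key=lambda h: (h[1], h[0]))


# Constructed candidates: the real brand, typos, and unrelated names.
CANDIDATES = [
    "telegram.org", "web.telegram.org",   # legitimate, skipped
    "telegarm.org",                       # transposition: distance 2
    "te1egram.com",                       # homoglyph: distance 1
    "telegrm.net",                        # dropped letter: distance 1
    "tele-gram.org",                      # inserted hyphen: distance 1
    "telegram-desktop.download",          # too far for Levenshtein alone
    "instagram.com", "example.com",       # unrelated
]

if __name__ == "__main__":
    for domain, dist in fuzzy_matches("telegram", CANDIDATES):
        print(f"{dist}  {domain}")
```

Note what Levenshtein alone does not catch: a name with the brand plus extra words ("telegram-desktop") is far in edit distance even though it is a classic lookalike, so in practice fuzzy_domain is combined with the favicon and icon searches above rather than used on its own.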


Exploiting valid certificates

Malware signed with a valid certificate might trick the user (and security software) into believing it is a legitimate application. The following query reveals more than one million suspicious files signed with valid certificates since 2021:


We can also filter by a specific Certificate Authority. The following query finds suspicious samples signed by Microsoft Root CA ("Microsoft Root Certificate Authority") and detected by at least five antiviruses:



Conclusions

Our research helps us understand the scale of the techniques discussed, some of which are evidently growing in popularity. At the same time, we found some samples which seemed interesting enough to take a second look.

Knowing what techniques malware adopts to increase its effectiveness is as important as being able to do something about it. The analysis of the deception techniques described in the report, along with the implementation ideas shared in this post, will help to actively monitor and understand the evolution of future campaigns.

At VirusTotal, we will keep sharing both our visibility and best practices to protect against new attacks and to keep our world a little bit safer. As always, we are happy to hear from you.

Happy hunting!


Appendix I

Example of how to use VirusTotal’s API to find suspicious execution parents of software distributed through a legitimate domain:

import requests

headers = {
    "Accept": "application/json",
    "x-apikey": ''  # VT API key
}

def get_execution_parent(file_hash):
    """Prints file parents with more than 5 detections in VT.

    Args:
    file_hash: str, file to check.
    """
    url = f'https://www.virustotal.com/api/v3/files/{file_hash}/execution_parents'
    while url:
        response = requests.get(url, headers=headers)
        response.raise_for_status()
        data = response.json()
        for item in data['data']:
            try:
                positives = item['attributes']['last_analysis_stats']['malicious']
                if int(positives) > 5:
                    print(f'{item["attributes"]["sha256"]} - {positives}')
            except KeyError:  # parent without analysis stats yet
                continue
        # Follow the pagination cursor; None when there is no next page
        url = data.get('links', {}).get('next')

def get_files_with_execution_parent(target_domain):
    """Files found ITW in a given domain that have execution parents.

    Args:
    target_domain: str, domain to check
    """
    url = 'https://www.virustotal.com/api/v3/intelligence/search'
    # The query is sent only with the first request: 'next' links already carry it
    params = {'query': f'entity: file have: execution_parents itw: {target_domain}'}
    while url:
        response = requests.get(url, headers=headers, params=params)
        response.raise_for_status()
        params = None
        data = response.json()
        for item in data['data']:
            get_execution_parent(item['attributes']['sha256'])
        url = data.get('links', {}).get('next')

target_domain = 'target.legit-domain.com'
print(f'Checking suspicious execution parents for files downloaded from: {target_domain}')
print(' [sha256] - [AV positives]')

get_files_with_execution_parent(target_domain)


Thursday, July 21, 2022

Threat-landscape of Financial attacks

Financial institutions have been a traditional target for all kinds of attacks. We wanted to understand what kind of malware families have been used against them in recent cases and track their evolution. It is not easy, though, to obtain details on the artifacts used in such attacks.

Our approach was cross-checking OSINT data related to attacks targeting financial institutions with VirusTotal Intelligence to shed some light on how these threats are evolving during 2022. We want to share some of the most interesting findings as well as provide some ideas on how you can use VirusTotal to track these attacks yourself.

You can also check our recorded webinar here.


Top malware families

Starting from the collection of OSINT-obtained malware families used in attacks against financial institutions, we checked every family’s prevalence in VirusTotal based on the number of submissions in 2022. Submissions are an interesting metric to understand how widespread a malware family is:

It is worth noting that some of these “malware families” might be legitimate artifacts used by attackers, typically for lateral movement as part of their TTPs or preferred toolset.

Indeed, Remcos (also known as RemcosRAT) is a commercial product offered as a legitimate remote control utility, and it has been part of attackers’ toolsets since (at least) 2017. Several other top-15 malware families are deployed as part of the Golden Chickens malware-as-a-service (MaaS): TerraRecon, Terra Loader, Terra Preter, TerraStealer, TerraTV and more_eggs. These have been used by multiple threat actors, mainly in targeted attacks against the financial sector. However, this may also be biased by the OSINT publications used for this analysis.

Back to RemcosRAT, it is frequently seen deployed in combination with an exploit [1,2,3]. To monitor fresh RemcosRAT samples linked with exploits, you can use the following query in VirusTotal Intelligence:

When presented with a collection of samples after a search like the previous one, it is interesting to use the Commonalities tool to find how many of these samples share characteristics such as vhash, contacted URLs, domains and IP addresses. They also drop similar files, and all samples use only 4 different compilation timestamps. Most likely, all of them are either part of the same campaign or part of a toolset/infrastructure heavily reused in different attacks.

Another idea is selecting the samples we are interested in and displaying them in VT Graph, which helps visualize relationships, filter them and select additional IOCs.

In this example, let’s say we are only interested in malicious domains, URLs and IP addresses contacted by these samples, which we can filter using the right panel.

To obtain the list of IOCs we can right-click and select "Download nodes".

Adversaries and exploits

Based on the OSINT events we used for this research, we analyzed the number of lookups per adversary, with Lazarus group leading this ranking as (allegedly) responsible for 6 of the top 10 most searched financial-related malware families in 2022.

In terms of the most frequently abused vulnerabilities, the top five were published last year and are used for privilege escalation, authentication bypass and remote code execution: CVE-2021-41379, CVE-2021-28799, CVE-2021-40539, CVE-2021-44077 and CVE-2021-22941.

We can easily monitor fresh samples submitted to VirusTotal exploiting these vulnerabilities with a query like this:

(tag:CVE-2021-41379 or tag:CVE-2021-28799 or tag:CVE-2021-40539 or tag:CVE-2021-44077 or tag:CVE-2021-22941) fs:2022-01-01+


Collections

Collections is a recently added feature in VirusTotal that can be really useful to monitor malware used in financial attacks.

For instance, we can search for collections containing the "banker" string by using the following search query in VirusTotal Intelligence:
entity:collection banker

There are some search modifiers that can be used to list only the files, URLs, IP addresses or domains found in a collection:
entity:file collection:threatfox_win_dridex
entity:url collection:threatfox_win_dridex
entity:ip collection:threatfox_win_dridex
entity:domain collection:threatfox_win_dridex

If we want to filter out based on who created the collection, we can use the "owner" search modifier:
entity:collection banker owner:Malpedia

Collections can also include targeted industries, which can also be specified in our query:
entity:collection targeted_industry:financial

Antivirus verdicts

Previously in this research we used IOCs known to have been used in attacks against financial institutions. From there we can find verdicts for the most used families and get additional samples.

However, it is also interesting to search for generic verdicts broadly related to financial attacks. One example would be searching for the "banker" string, traditionally used by the antivirus industry to label malware involved in financial fraud, usually against banks’ customers.

In this scenario we found that 59% of these “banking” samples also contained the string "ransom" in at least two distinct antivirus verdicts. During the first two months of 2022 we observed an increase in the number of lookups for “banking” samples.

When checking the top domains used for distributing “banking” samples in the wild during 2022, we find “discord” at the top of the list. The abuse of Discord for malware distribution is something we already saw in our “2021 Malware Trends Report”.

Regarding the use of exploits, it is easy to monitor “banker” malware exploiting recent vulnerabilities with a query as follows (note we exclude formats typically used to upload malware batches to VirusTotal):
engines:banker tag:cve-202* and not (type:zip or type:rar or type:7zip)

If we want to continuously monitor this activity, we can very easily translate this query into a Livehunt rule. This way we will get a notification for every new file uploaded to VirusTotal that matches our search criteria:

import "vt"

rule banking_exploits {
  meta:
    author = "VirusTotal"
    description = "This is a livehunt rule to continuously monitor banking samples implementing any exploit, excluding file formats used for VT batch uploads"
    creation_date = "June 2022"
  condition:
    vt.metadata.new_file and
    for any engine, signature in vt.metadata.signatures : (
      signature contains "banker"
    )
    and
    for any tag in vt.metadata.tags : (
      tag contains "cve-202"
    )
    and
    not (vt.metadata.file_type == vt.FileType.ZIP or
         vt.metadata.file_type == vt.FileType.RAR or
         vt.metadata.file_type == vt.FileType.SEVENZIP)
}
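The Livehunt rule only fires on files uploaded after it is deployed. For reports you have already pulled through the API, the same condition can be evaluated client-side. The Python below is an added example written for this post, not VirusTotal's code: it applies the rule's three clauses (a verdict containing "banker", a tag containing "cve-202", and not a ZIP/RAR/7z batch upload) to file objects shaped like the /api/v3/files/{hash} response, and also counts "ransom" verdicts, which is the cross-check behind the 59% figure above. The reports, engine names and verdict strings are constructed; the placeholder CVE tag in the third report is not a real identifier.

```python
"""Client-side equivalent of the banking_exploits Livehunt condition.

Added example, not VirusTotal's code. Reports below are constructed and
mimic only the attributes the check needs (last_analysis_results, tags,
type_tag); the placeholder "cve-2017-00000" tag is not a real CVE.
"""
from typing import Dict, List

ARCHIVE_TYPES = {"zip", "rar", "7zip"}  # the type:zip / type:rar / type:7zip exclusion


def _attrs(report: dict) -> dict:
    return report.get("attributes", {})


def engines_with_verdict(report: dict, needle: str) -> List[str]:
    """Engines whose verdict contains `needle` (case-insensitive); null verdicts are skipped."""
    needle = needle.lower()
    results = _attrs(report).get("last_analysis_results", {})
    return sorted(engine for engine, r in results.items()
                  if r.get("result") and needle in r["result"].lower())


def has_tag_containing(report: dict, fragment: str) -> bool:
    """Mirrors `tag contains "cve-202"` in the rule."""
    return any(fragment.lower() in t.lower() for t in _attrs(report).get("tags", []))


def is_batch_archive(report: dict) -> bool:
    return _attrs(report).get("type_tag", "").lower() in ARCHIVE_TYPES


def matches_banking_exploits(report: dict) -> bool:
    """The same three-part condition as the Livehunt rule."""
    return (bool(engines_with_verdict(report, "banker"))
            and has_tag_containing(report, "cve-202")
            and not is_batch_archive(report))


def banker_with_ransom(report: dict, min_ransom_engines: int = 2) -> bool:
    """Banker verdict plus "ransom" in at least two distinct engines' verdicts."""
    return (bool(engines_with_verdict(report, "banker"))
            and len(engines_with_verdict(report, "ransom")) >= min_ransom_engines)


def _report(sha256: str, results: Dict[str, str], tags: List[str], type_tag: str) -> dict:
    """Build a minimal file object in the API's shape from constructed values."""
    return {"id": sha256, "type": "file", "attributes": {
        "sha256": sha256, "type_tag": type_tag, "tags": tags,
        "last_analysis_results": {e: {"engine_name": e, "result": v}
                                  for e, v in results.items()}}}


# Constructed reports: engine names and verdict strings are made up.
SAMPLE_REPORTS: Dict[str, dict] = {
    "pe_banker_cve": _report("1" * 64,
        {"EngineA": "Trojan.Banker.Generic", "EngineB": "Ransom.Win32.Foo",
         "EngineC": None, "EngineD": "Trojan-Ransom.Bar"},
        ["peexe", "cve-2021-40539"], "peexe"),
    "zip_batch": _report("2" * 64,
        {"EngineA": "Trojan.Banker.Generic", "EngineB": "Ransom.Win32.Foo"},
        ["zip", "cve-2021-40539"], "zip"),
    "old_cve": _report("3" * 64,
        {"EngineA": "Trojan.Banker.Generic", "EngineB": "Ransom.Win32.Foo"},
        ["peexe", "cve-2017-00000"], "peexe"),   # placeholder tag, not a real CVE
}


def triage(reports: Dict[str, dict]) -> Dict[str, bool]:
    """Which reports would the Livehunt rule have matched."""
    return {name: matches_banking_exploits(r) for name, r in reports.items()}


if __name__ == "__main__":
    for name, hit in triage(SAMPLE_REPORTS).items():
        ransom = banker_with_ransom(SAMPLE_REPORTS[name])
        print(f"{name:14s} livehunt-match={hit!s:5s} banker+ransom={ransom}")
```

Two details carry over from the rule: the archive exclusion is on the file's own type, so a banker sample inside a ZIP is excluded even though it carries the CVE tag, and the "cve-202" fragment is a substring test, so a tag for an older CVE does not match.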

Conclusions

Defining financial threats is a complicated task, especially when many targeted attacks and actors consistently share TTPs and toolsets. The use of OSINT is a starting point to identify malware families used specifically in these attacks, as well as to double-check which additional generic tools are commonly seen for lateral movement.

The good news is that we can monitor all of the above to understand how attackers’ toolsets evolve and be ready for them. The fact that many attackers repeat and reuse the same malware families should also be an advantage in readiness. Finally, keeping an eye both on the exploits being used and on the infrastructure for malware distribution is a useful way to prevent infection and malware distribution.

We hope the queries and examples provided in this post will help you monitor suspicious activity and understand how attackers evolve. As always, we are happy to hear from you any additional ideas we can share with the community to detect and protect against cyberthreats.

Happy hunting!