Thursday, September 21, 2023

, , , , , ,

It's all about the structure! Creating YARA rules by clicking

Since we made our (extended) vt module available for LiveHunt YARA rules we understand it is not easy for analysts to keep in mind all the new potential possibilities - too many of them! Our goal is to make YARA rule creation as easy as possible while providing security experts everything they need to make even more powerful rules. Our recently published new YARA editor, which incorporates full syntax coloring and auto-complete while you develop your rule, is a first step.
However, we wanted to go further. We already discussed how you can use predefined templates (additionally you can check our Threat Hunting with VirusTotal - Episode 4 for further examples and ideas), but in this post we want to focus on a terrific new feature when creating rules using the “Structure” of any given object (file, URL, domain or IP).
“Structure” provides the full JSON containing all details VirusTotal knows for any given indicator. For instance, you can paste a file hash and you will get full details about its behaviour and metadata. What is better, you can simply click on any field you are interested in, and it will automatically included in a fresh new YARA rule in the editor - no need to remember how to get that particular field in the VT module anymore.
In case you are wondering, this also deals with all kinds of loops. If any of the selected fields needs to be iterated, the correct syntax will automatically be added to your rule.
Let’s check the different object types.

Files

For a file object you will find two different branches in the resulting JSON - behaviour and metadata.
The behaviour key is based on the sample execution in the sandbox. For example, you can create rules based on files written by the malware, files dropped, mutexes created, processes created, sigma results or ATT&CK MITRE results, among others.
Let’s suppose that we are interested in creating a new detection logic focused on some specific file written. In that case, we want to open the files_written section and then click on the file that we have observed as suspicious for our rule. Automatically, a new rule pops up with that condition (note that the loop condition was conveniently created for us too).
We can keep editing the rule to adapt it to our needs, like adding additional conditions to detect a specific string or path, another file name, etc.
If your security posture takes into account the ATT&CK MITRE matrix, maybe you want to create rules adding these fields in your logic, available under the key mitre_attack_techniques branch.
In addition to vt.behaviour, it is also possible to use vt.metadata to create a rule based on file metadata. Under the metadata key, we have a lot of interesting information that we can use to create our rule.
Probably one of the most interesting fields is "itw". Under this key, we can create rules based on ITW communications that we are interested in detecting whether related to IPs, domains or URLs.
For example, we may be interested in files that were downloaded ITW with response code 200, from the Discord CDN and that download binaries but more specifically DLLs.
Another interesting approach could be to hunt for files that are downloaded ITW, but with characteristics that could interest us in the whois of the domain from which it was downloaded. This could be interesting if we are monitoring certain domains that are being registered.
Metadata gives us multiple ways to play to create livehunt rules. From more complex rules using ITW applying filters related to domains, IPS or URLs to more basic things where we can include information from exiftool, submitters, fuzzy hashing, etc.
Combining the power of metadata and behaviour will result in a quality YARA rule!

URL

For URLs, under the “net” section in the VT module, you have the possibility to use the keys url, ip and domain as shown on the Netloc summary table. Any field available under these keys can be used to create your URL hunting rule.
Some of the features you can use to create your rule include URL response headers, downloaded and communicating files, URL path, domain whois, IP ASN, among others. Just by clicking on the fields you are interested in and adapting them to your needs, you can create a robust rule that helps you follow a campaign you are interested in investigating.
A use case could be that we were interested in discovering new URLs seen in VirusTotal, where the path meets a certain pattern, resolves to a certain network block and the domain registry is a registry known as commonly used to register malicious domains. Finally, to avoid noise we are interested just in new URLs.
Last rule can match for example an URL used by Gamaredon threat actor.

IP

The fields available for the IP entity can be found under the the ip key in VT.net. Here you can play with fields such as IP whois, communicating files, netblocks and others.
From here, we can add as much information as we are interested in to identify new ip addresses from suspicious campaigns. The following image is the result of a few clicks on fields containing a specific IP address.
Let’s suppose we want to identify new IP addresses that belong to a certain ASN (here we explain how to calculate a network range) and have some type of communication with PEEXE binaries.
This type of use case could even be used to monitor certain network ranges that may belong to our organization or customers to identify if a new IP address has any files that carry out communications.

Domain

Last but not least, we can also use the new Structure functionality with domains. In this case, domains include information about both the domain itself and the IP address it resolves.
And the same process that we have followed with the other entities that we have taken as an example, it would only be enough to click on the fields that interest us and shape our rule.
Within the information that we can find within the domains, there is an interesting field called categories. Within these categories we can identify if the domain could be linked to malware, phishing, spyware...
To create a use case with this field, let's say that we want to discover new domains that are related to phishing, and that the value of the not_before field of the HTTPS certificate is greater than a specific date that we want to search for information.
Another case that we can do also related to phishing is to monitor a specific favicon that is using our brand image. Subsequently, we are also interested in whether it includes a pattern in the domain name or in the alternative name in the certificate.

Wrapping up

At VirusTotal we continue trying to include the greatest number of functionalities that are useful for analysts for threat hunting. Our goal is to make work easier and spend time intelligently when using the platform.
The idea of this new feature is to continue to add new fields that can be consumed through VirusTotal intelligence to make livehunt rule creation more powerful. It is not easy to remember or know which fields are available within the files to create livehunt rules, so the new "Structure" functionality can help us.
We want livehunt rules to be a great tool to detect campaign patterns and to be able to track players more powerfully.
We would also like to announce that we have opened a GitHub where the community can publish their YARA rules and contribute! During the following weeks we will be posting new rules https://github.com/VirusTotal/vt-public-crowdsourced-yara.
We hope you liked this functionality. Happy hunting!

Friday, August 04, 2023

Crowdsourced AI += NICS Lab

We are pleased to share that NICS Lab, a security research group from the Computer Science Department at the University of Malaga, is joining the Crowdsourced AI initiative at VirusTotal. By extending our capabilities using a different AI model for processing PowerShell files, NICS Lab not only strengthens our collective understanding of the code and its behavior, but also provides verdicts on the potential threat level of each file according to model criteria - categorizing them as malicious, suspicious, or benign.

As a reminder, Crowdsourced AI is VirusTotal's initiative that taps into the power of diverse AI models and community contributions to fortify our cyber defense strategies. Just two weeks ago, we announced the integration of Hispasec's solution, which is specifically designed for analyzing Microsoft Office documents. As we have explained in the past, these solutions based on AI LLMs can make mistakes, but their contributions are very valuable in complementing other technologies in the analysis and detection of new threats.

This time, the solution offered by NICS Lab serves as a complement to the code explanations already generated by Code Insight, which is based on Google PaLM. As a result, numerous PowerShell file reports will now benefit from the insight of solutions based on two distinct AI models. This essentially encapsulates VirusTotal’s strategy of embracing diverse threat detection solutions to improve understanding and risk assessment.

Let's explore a few examples:

In this first showcase, we see that two analyses appear in the Crowdsourced AI section: one from NICS Lab and the other from Code Insight. In the case of the former, in addition to the explanation about the file's behavior, we can observe the "Malicious" verdict highlighted in red.

f3642eacb95ad7272d5485bc1fbcd7ebb872ebd72e27fc60e0e79d5643006663

Similar example, this time with a ransomware case. Here we can see how both models, despite aligning on the overall analysis, complement each other by providing diverse details. The first model, for instance, outlines the file extensions that are encrypted by the ransomware, while the second model highlights the email where the ransom is demanded.

ff68ade91babb31db87a5dcb5b1f650cb429ae6eb7d291cda4c0d92e76c5101c


The next example shows how the models behave when analyzing a PowerShell file where attackers obfuscated the code by separating the text strings that constitute the instructions, and using a function to replace the encoded strings with their actual values at runtime.


As we can see, the sample manages to evade detection by antivirus engines, but the models succeed in deobfuscating its code, analyzing it, and providing an explanation of its behavior.

48a7c59575f61e568dbc997db09c707f5b04abfe847d19c084ce955b4f97e648

AI reports’ results are available via VT Intelligence, allowing the use of the "nics_ai_analysis:" modifier to search into the resulting AI’s output, and "nics_ai_verdict:" to search by verdict - malicious, suspicious, or benign. As an example, below we show the results of searching for NICS Lab reports where "telegram" is mentioned and the verdict is "malicious". This search is performed using the following query: nics_ai_analysis:telegram and nics_ai_verdict:malicious.


Here is the analysis of the first file that appears in the previous search:

acc91fccb084496ae0d0864c90d3ae99493cf638189995fb4d8d9f4ecbbf7a52

Similarly, the rest of AI models have specific search parameters, such as "hispasec_ai_analysis:", "hispasec_ai_verdict:", and "codeinsight:". Moreover, there are two additional parameters that enable simultaneous searching across all Crowdsourced AI models: "crowdsourced_ai_analysis:" and "crowdsourced_ai_verdict:".

We want to express our gratitude to NICS Lab, for their contribution to the VirusTotal Crowdsourced AI initiative, and congratulate the School of Computer Science and Engineering of the University of Malaga for launching Spain's first-ever degree combining Cybersecurity and Artificial Intelligence. As we forge ahead, welcoming more contributors with diverse skill sets, we remain steadfast in our commitment to building a collaborative, powerful, and diverse defense strategy to tackle the ever-evolving cyber threats. We encourage others to join us in this endeavor.

Tuesday, August 01, 2023

, ,

Actionable Threat Intel (V) - Autogenerated Livehunt rules for IoC tracking

As we previously discussed, YARA Netloc uncovers a whole new dimension for hunting and monitoring by extending YARA support to network infrastructure. All VirusTotal users have already access to different resources, including templates, a GitHub repository, and the official documentation to quickly get started on writing network YARA rules.
You can also find excellent external resources, like this blog post from SentinelOne's Tom Hegel, which discusses the use of YARA Netloc in a real investigation.
And as we highlighted in our previous post, this is just the beginning. We are playing with new ideas and features that leverage YARA Netloc, and we couldn't resist implementing a few of them already. In this blog, we will discuss a new functionality that uses YARA Netloc to help us track indicators of compromise (IoCs) and their related infrastructure with just a few clicks.

IoCs subscription

You might have noticed that all IoC reports in VirusTotal have a new Follow dropdown menu in the top right corner, which offers a few options.
The idea of this new feature is to offer VirusTotal’s users easy ways to track any IoCs’ activity. For instance, as shown in the previous screenshot, we are offered to monitor any infrastructure that this malware interacts with in the future (URLs, domains or IPs), or being notified when we see it being downloaded from anywhere.
When clicking any of these options, we are creating a one-click Livehunt rule based on a template. We can customize the resulting rule as needed, or simply deploy it as suggested, although we highly recommend renaming it to easily identify it.
For example, by clicking URLs downloading it in the previous sample’s report, the following rule will be automatically generated and deployed in our Livehunt:
import "vt"

rule UrlDownloadsFile {
  condition:
    // vt.net.url.new_url and // enable to restrict matches to newly seen URLs
    vt.net.url.downloaded_file.sha256 == "2cb42e07dbdfb0227213c50af87b2594ce96889fe623dbd73d228e46572f0125"
}
This rule will simply track and notify any new URL VirusTotal observes downloading that particular sample.

Livehunt dashboard

The Livehunt dashboard consolidates all your team's and your own Livehunt YARA rules in one place. We added three filtering options to help you quickly move around.
  • The first one filters rules created by yourself, created by other users in your VirusTotal group and shared with you, or “Autogenerated” with the IoC’s report Follow option, as previously explained.
  • The second filter allows you to search for rulesets containing a specific substring in its name or anywhere else in the ruleset, including comments. For example, if we use the hash of the file in the previous example (2cb42e07dbdfb0227213c50af87b2594ce96889fe623dbd73d228e46572f0125), we get the rule we previously created. Please note VirusTotal will automatically add tags corresponding to the to the names of the rules in a ruleset, plus the "Autogenerated" tag if the ruleset was generated with the Follow option:
  • The third one allows you to filter by ruleset status (active or inactive).

The dashboard also shows whether rulesets are active, as well as the entity that ruleset matches against. You can also find which users and groups that ruleset was shared with and, lastly, the number of matches - which lists all matching IoCs in the IoC Stream by clicking it.

Wrapping up

In the previous posts in our "Actionable Threat Intel" series we showed how to use the new YARA editor, deploying Livehunt rules from the editor either using templates or from scratch, using Netloc for creating network hunting rules, and how to track IoCs of interest with automatically generated hunting rules.
All these elements help us to set the monitoring rulesets we need to be on top of our investigations or any malicious activity set of our interest. IoC Stream serves as a single repository to centralize all our notifications, including Hunting rules, IoC Collections and Threat Actors subscriptions.
Last but not least, we would like to specially thank our colleagues from Mandiant and all the security researchers who kindly offered to help during early stages and beta testing to help make Netloc hunting as good as possible:
    Paul Rascagneres (@r00tbsd), Volexity
    Ariel Jungheit (@arieljt), Kaspersky
    Marc Green (@green0wl), eBay
    Vitor Ventura, Cisco
    Markus Neis (@markus_neis), Arctic Wolf
    Matt Pierce, CrowdStrike
    Pasquale Stirparo (@pstirparo), Independent Researcher
    Tom Hegel (@TomHegel), SentinelLabs
We hope you find these features as useful as we do. If you have any questions or requests please do not hesitate to contact us.
Happy hunting!

Wednesday, July 26, 2023

VirusTotal Malware Trends Report: Emerging Formats and Delivery Techniques

We just released a new edition of our “VirusTotal Malware Trends Report” series, where we want to share VirusTotal’s visibility to help researchers, security practitioners and the general public better understand the nature of malicious attacks, this time focusing on “Emerging Formats and Delivery Techniques”. Here are some of the main ideas presented there:

  • Email attachments continue to be a popular way to spread malware.

  • Traditional file types (Excel, RTF, CAB and compressed formats) are becoming less popular. Although the use of PDFs slowly decreased for the last few months in June 2023 we observed the biggest peak for the last two years.

  • OneNote and JavaScript (distributed along HTML) are the most rapidly growing formats for malicious attachments in 2023.

  • OneNote emerged in 2023 as a reliable alternative for attackers to the traditional use of macros in other Office products.

  • ISO files for malware spreading are a flexible alternative for both widespread and targeted attacks. Distribution as heavily compressed attachments makes them difficult to scan by some security solutions.

  • ISO files are being disguised as legitimate installation packages for a variety of software, including Windows, Telegram, AnyDesk, and malicious CryptoNotepad, among others.



For full details, you can download the report here


As we usually do, in this blog post we will focus on technical hunting ideas you can use to monitor malicious activity. We also provide additional technical details for some of the most interesting points discussed in the report.


Monitoring malicious attachments


Our data shows that there was an increase in the number of malicious files attached to emails between March and April of 2023. In terms of suspicious attachments, for the past two years, we have observed spikes in the number of suspicious PDF files linked to malicious campaigns. These files can be used for a variety of purposes, such as exploiting vulnerabilities (less usual) or phishing (most of the time).

OneNote is becoming a popular format for malware distributed as email attachments in 2023. We will describe the OneNote attack flow in the next section. In 2023, it became the fastest-growing format for malicious attachments, by percentage.




In 2023, we saw a significant increase in the use of JavaScript distributed alongside HTML, in sophisticated phishing attacks designed to steal victims' credentials. Excel, RTF, CAB, compressed formats, and Word all seem to be declining in popularity as malicious attachments.


OneNote to rule them all


Suspicious OneNote files uploaded to VirusTotal can we filtered using the following VTI query:

entity:file type:one p:5+

Most of the files in our collection were submitted in 2023. We can observe how AntiVirus detection during January and the first half of February was significantly lower than afterwards, when security vendors improved their detection for this format. 


Malicious OneNote files usually embed a malicious file (vba, html+jscript, powershell, or any combination of them) and, as happens with malicious Office attachments, try to convince the victim to allow execution. 

Commonalities for the files resulting the previous search offer some interesting data on who is currently using this format for distribution:

  • Many of them distribute QBot, RemcosRAT or AsyncRAT.  We also found Emotet malware samples using Onenote for spreading.

  • Around 20% seem to distribute QakBot.

  • The Microsoft_OneNote_with_Suspicious_String Crowdsource Yara rule seems to provide good detection with a low false positive ratio. 

Payloads vary from family to family, but many of them access external URLs to download a DLL file camouflaged as a PNG file. This is a very old trick used to bypass basic firewall rules or just look less suspicious to the eye. 

We can find several examples of this, for example searching for BumbleBee malware samples reaching a remote "view.png" file or Qakbot samples contacting "01.png" in any network resource.

The most usual kill chain where OneNote format is involved is as follows:

  • The victim receives an email with a OneNote attachment. The mail body encourages the victim to click on a button to see a hidden/distorted image or document.

  • This button executes a script (VB script, HTA, powershell, etc,) that will launch a payload, either embedded into the same script or downloaded from an external resource. 

  • The external payload might be yet another OneNote file, an image file renamed as a ".bat" file, a DLL file that's loaded into memory or even a Windows executable.


The following is an example of an obfuscated second stage .Net executable payload extracted from this powershell script:


ISO files as a flexible alternative

Windows-targeting malware bundled in ISO files is a highly popular delivery method used by threat actors these days. It is used on a large scale for  crimeware distribution as well as high profile APT campaigns actors. You can use the “isoimage” tag to list ISO files in VTI:


You can be more specific to detect only those ISO files containing an executable: 


Another interesting approach is to leverage Sandbox reports to get ISOs files interacting (drop/delete/open/execute) with specific file types during their execution:


Using this method you are not only no longer dependent on the “contains-pe” tag (that could be missed in some cases), but also you are able to discover ISOs with “hidden” executables, for example ISO containing archives that contain executables. It is also possible to detect cases when an ISO file contains only a non-binary file, like LNK or script, that drops and executes a malicious PE payload. 

It is possible to identify ISO clusters for specific malware campaigns. For instance, you can get samples used in a ChromeLoader distribution campaign with the following name and size filters:


Another interesting ISO cluster contains artificially zero-byte inflated executables, allowing attackers to compress the resulting ISO file from 300Mb to 400Kb:

Example of ISO file with artificially inflated executable inside

The following query will help you find some of these examples:


We also found something that appears to be a malware campaign distributing weaponized versions of legitimate software, including “Crypto Notepad”, within ISO files. Examining one of the samples, we can see that the bundled .NET executable is also inflated with zero-bytes up to 313Mb. The main purpose of the malicious injection in legit software is to download a remote binary file for execution:

It is also capable of fetching remotely hosted powershell code and execute it:


We found hundreds of samples related to this campaign related to the following C2 hosts:

installmarkets[.]hair relations with malicious samples


Other than compressing artificially inflated files, another reason to distribute ISO files is mimicking legitimate installation software packages, which you usually expect to be sizable. The following example uses a well known browser to find suspicious cases:


The previous search results in a number of files with zero AV detections. However, further manual analysis reveals their maliciousness.

Malicious samples with 0 AV detections mimicking Brave browser installer

There are different ways to explore what are the main spreading vectors used to distribute malicious ISO files and their related infrastructure. For instance, the following query provides samples seen being hosted  In-The-Wild:


You can refine the search to list samples seen being hosted in a specific host:


Email spreading can filtered using the “attachment” tag or “email_parents”, they both provide pretty much the same results:


Wrapping it up


Attackers are constantly rotating the file formats they use to deliver malware. This is done to increase the effectiveness of their campaigns and to avoid detection by security measures. The security community needs to be aware of the use of alternative file formats for malware delivery and to put more resources into stopping these new spreading methods. For example, although traditional file types, such as Word, Excel, and RTF, are still used for malware delivery, alternative formats, such as OneNote and ISO, are becoming increasingly popular.

As a proof of the effectiveness of format rotation for attackers, the simple fact of bundling a malicious sample inside of an ISO file seems to effectively decrease AV detections. We also observed poor detection in the first waves of OneNote malicious files, although improved with time. 

We suggest monitoring malware spreading trends, and actively check how your security stack responds to proactively minimize infection risks, as well as including in your analysis all logs to/from allowed legitimate sites as they are regularly used for malware distribution, do not exclusively focus your anomaly detection on unknown traffic.  


Happy hunting!