Thursday, 20 February 2020

VirusTotal MultiSandbox += QiAnXin RedDrip


VirusTotal would like to welcome QiAnXin RedDrip to the multi-sandbox project! QiAnXin is now sending execution behavior reports to the VirusTotal ecosystem for a wide variety of file types.


In their own words:
QiAnXin RedDrip Sandbox, developed by QI-ANXIN Threat Intelligence Center, is a cloud‐based malware analysis service provided to security researchers, analysts as well as ordinary individuals. Based on hardware virtualization technology, the sandbox contains less traits inside the monitored guest system that the malware could be aware of. The runtime environment also gets tailored to behave like a potential victim, rather than an analysis machine. We do this through invalidating available checkpoints, simulating keyboard/mouse interactions, and so on. It is able to handle many file types, probe and trigger infection vectors. These features help us to discover APTs easier and result in the discovery of zero-day attacks in the wild. By using the service, people gain better understanding of the malware and could perform intelligence hunting more conveniently.

On VirusTotal you can find the QiAnXin reports on the Behavior tab:



Here are some interesting samples to highlight QiAnXin RedDrip’s capabilities:


LNK File


Example:
529177610e30a96c2c8a5b40f5015ce449eb611e06d5d75e66730236cc83bdc6

Within the processes and services actions section we can see that the victim would launch a VBE script silently in the background while opening the HWP document. HWP files are popular in South Korea.



Knowing about this, advanced users can then leverage VT Intelligence modifiers to build logic to flag suspicious LNK files, for instance:
type:lnk behaviour_processes:start

 

RAR File with malicious DLL side loading with goodware EXE


Example:
9155afcf50ee1c2a4b217034ddd43ceb48ea8ead94fa6d9e289753f2fadb82dc

This RAR file is interesting because it contains a trusted, and digitally signed WinWord executable from Microsoft, as well as a malicious DLL to be side loaded. Attackers often use DLL side loading to avoid detection.



As usual in our multisandbox effort, network observations contribute to the file’s relations, meaning that we can use VT Graph to shed light into a threat campaign:


 

A ZIP file that contains executables and scripts


Example:
97eabe0eda591b9a7059b71156f5d3a50f371c2a6a9ef7136943b8b80925704c

RedDrip will use 7z to decompress ZIP packages, it will run through the package contents and identify interesting files to execute. This is particularly useful for multi-modular malware, where a given malicious file has certain dependencies and will not be executed unless it can find them. Packaging up all dependencies in a single bundle overcomes this limitation.

Outlook email


Example:
216ac0a63ce9103a1b5c7d659806675e7188893e98fbaed56e9a90a2a17b53c7

This example illustrates email being used as an attack vector by adversaries. In this example there is a malicious document attachment that gets extracted and runs a powershell script. RedDrip extracts the attachment and opens/executes it, revealing the entire attack chain and allowing us to tie network infrastructure to the original bait.



If we switch over to the relations tab, the network-recordings are immediately visible. We can see that the contacted URLs, domains and IPs are most likely benign. From here would could pivot and continue investigating in VT Graph:



Most importantly, the fact that RedDrip will follow subsequent executions allows performing advanced searches to identify suspicious patterns in VT Intelligence, for instance:

type:outlook behaviour_processes:"winword.exe" have:behaviour_network

This enables us to unearth malicious files that may not yet be detected. This particualr query is asking VirusTotal to return all those outlook messages that upon being opened have launched Microsoft Word (they contained a document attachment) and gave rise to network communications (the document reached out to some URL, domain or IP, probably as a consequence of an exploit or a macro execution).

 

MS Word Document


Example:
e5b3792c99251af6a9581cd2e27e5a52b9c39c6d704985c4631a0ea49173793e

By now, given all of the previous examples, it is obvious that RedDrip will open documents and execute macros. It records all of the activity observed for the macro and any subsequent payloads that it may drop or download:


Switching over to the relations tab we can see how it relates to other contacted URLs, Domains, and IP addresses, and the detections of those entities. This is rich contextual information to make better decisions even when an individual file might not yet be widely detected.


All of the actions are also indexed in VT Intelligence, such that a simple click on the pertinent observation allows us to discover other samples exhibiting a given pattern. For instance, we can click on the HTTP requests in order to get to other files that reach out to the same URL:

VT Intelligence will then automatically surface commonalities (shared patterns) that may be used as IoCs in your security toolset:


Seeing the wide variety of file types handled by QiAnXin RedDrip, it is a very interesting addition to the VirusTotal multi-sandbox project.

Welcome and happy hunting! 

Monday, 10 February 2020

Official VirusTotal Plugin for IDA Pro 7

ATTENTION: In order to use the content search functionality you will need to have access to VT Intelligence. If you want to jump straight ahead and install the plugin, please refer to its GitHub repository.

VirusTotal is very excited to announce a beta release of a new plugin for IDA Pro v7 which integrates VT Intelligence’s content search directly into IDA.

This plugin adds a new "VirusTotal" entry to the IDA Pro context menu (disassembly and strings windows), enabling you to search for similar or exact data on VirusTotal. It translates the user selection into a query that VTGrep understands.

The current beta release provides the following search options:
  • Search for bytes: it searches for the bytes contained in the selected area.
  • Search for string: it searches for the same string as the one selected in the Strings Window.
  • Search for similar code: identifies memory offsets or addresses in the currently selected area and ignores them when searching.
  • Search for similar code (strict): same as above but it also ignores all the constants in the currently selected area.
  • Search for similar functions: same as "similar code" but you don’t need to select all the instructions that belong to a function. Just right-click on one instruction, and it will automatically detect the function boundaries, selecting all the instructions of the current function.



Using VTGrep content search to trace DTrack samples


As an example of how this plugin can speed up the analysis process, we have conducted a preliminary analysis of the DTrack sample that appeared last October 2019. As a reminder, this malware was used in an attack against the Kudankulam Nuclear Power Plant (KKNPP - India) on September 4, 2019, but was not publicly acknowledged by India’s Nuclear Power Corporation of India Limited (NPCIL) until nearly the end of October.

It's not the first time that a DTrack sample reuses code from previous attacks. Indeed, if we search for the string dkwero38oerA^t@# (VT Intelligence query: content:"dkwero38oerA^t@#") we can find 79 samples in VirusTotal that contain this string, and some of them are DTrack samples.



This string is used as a key to compress a "C.TMP" file containing files and directories of "C:\" (one zip file per connected device). There's another interesting string (abcd@123) that's used to encrypt a zip file containing all the evidence collected. There are a total of nine occurrences of this second string in the VirusTotal database.

These results can serve as a starting point to dive into previous versions of this sample. Additionally, we can look for similar code in the VirusTotal database. If we select the WinMain function's code, one sample shows up that looks promising.



Comparing both WinMain functions, we can see that they are almost identical; they only differ in the values of memory addresses and offsets. Therefore, we can argue that we've just found another version of the current sample because this match points to another file that starts with the same code.


Thus, just one click ahead of the WinMain function, we are driven to another sample that looks interesting.

There’s another approach we can take to find related samples. We can search for identical sequences of strings. Although generated code usually changes between compilations, strings are placed in the same order inside the file. Taking a look at the strings used for gathering information about the current IP addresses, running processes, and open ports, we can jump to another sample that looks similar.



We’ve just landed on another sample that shares code with our DTrack file. Taking a look at the disassembly, we can see a lot of similar functions (401B10, 402EB0, 4020E0, 403730, etc.). Even the function located at 11933B0 (related to the last search) seems to be a more completed version of the function located at 4038B0 in this last sample ("sct.jpg").

Keep in mind that the number of samples shown depends on your license type. Standard licenses allow 90 days retrospection, but Threat Hunter PRO will allow you to go back in time one year.

As we continue to develop this plugin here is some additional functionality that we are considering for future releases:
  • Display a preview of the detection results in an IDA Pro window.
  • Automatically identify domains, IPs and URLs contained in the strings of the file and summarize their detection information.
  • Automatically suggest a YARA rule to detect the file.
  • VT Enterprise shortcuts, such as searching for similar files.
  • Automatically rank strings according to interest.
  • Annotations community and collaborative RE.
  • Improve the searching for similar functions (fuzzy hashes).
  • Enrich the disassembly with behavior information obtained from our sandboxes.

VirusTotal is interested in user feedback and priorities. Please do not hesitate to contact us to rank these features and suggest additional ones.

Tuesday, 28 January 2020

VirusTotal MultiSandbox += BitDam ATP

VirusTotal would like to welcome BitDam to the multi-sandbox project!

In their own words:

BitDam Advanced Threat Protection (ATP) is a cloud-based engine that proactively detects threats, pre-delivery, preventing hardware and logical exploits, ransomware, spear-phishing and zero-day attacks contained in files and URLs. BitDam’s patented attack-agnostic technology shows remarkably higher protection rates compared to engines that are based on knowledge of previous threats. It learns the normal code-level executions of business applications such as MS-Word and Acrobat Reader, creating a whitelist knowledge-base. Based on this knowledge, the detection engine determines whether a given file or weblink is malicious or not, regardless of the specific malware it may contain.

Let's take a deeper look at some interesting samples showcasing BitDam's capabilities:

XLS spreadsheet with macro in a hidden sheet which launches powershell

 

This file contains a macro which accesses certain cells in a hidden sheet to retrieve the payload and then runs powershell with an obfuscated command line. The powershell script spawns a .NET related processes to compile the payload.

218178c583a2479ee6330f374f9e015db55c339d5b55cfd4f8b7a2fb78e8ab9d

BitDam not only generates execution reports, it also produces behaviour-based detection verdicts, we see BitDam detects the file as malware.




Doc with macro and VBA and WMI

 

This word document has a macro with some benign code, likely for deception and to make static analysis more difficult. The document also uses some basic obfuscation techniques.


BitDam highlights the network communications observed during the execution and populates the pertinent file to domain/IP address/URL relationships back into VirusTotal, as illustrated by the sample’s graph:




Discovering detection blindspots

 

VT Enterprise customers can use search modifiers to dig deeper. For example, we can look for files with low AV detections that BitDam ATP detects as malware:

bitdam_atp:malware and positives:7- and fs:2020-01-01+




Note that this task can also be automated via APIv3.

Welcome BitDam, glad to have you onboard!

Wednesday, 22 January 2020

VirusTotal Graph++

Just 2 years ago we launched the first version of VirusTotal Graph. The goal was to provide a tool which understands the relationship between files, URLs, domains and IP addresses, and an easy interface to pivot and navigate over them.

To continue in this direction, today, we are releasing a set changes to help your investigations with VirusTotal Graph.

1. We have created a dashboard where you can see your graphs and the graphs created by the community.


You can also search for graphs with certain features, for example, graphs that contains a node with a label “c2”. The searches will go simultaneously to the public graph repository and to your private repository.


You can see the full list of search modifiers here.

2. We’ve improved the VirusTotal Graph UI with these features, most of them coming from our power users:
  • Undo/redo
  • In graph search
  • Download the graph as JSON and as image
  • Align nodes horizontally and vertically
  • New ways of visualizing the graph
We’ve also included some extra features for our premium customers:
  • Removed the API usage. If you are a premium customer you can use VT Graph extensively, its consumption won’t count against your API quota
  • Added more commonality calculations
  • Integration with VT Hunting - link


3. As most of our other products, VirusTotal Graph is getting a restful API. The documentation can be found here and a Python library to reduce the learning curve; it is available in our Github repository.

In the meanwhile we are cooking very exciting enhancements that we really hope will please the Community, stay tuned. As always, we would love to hear from you.

Thursday, 28 November 2019

VirusTotal += Sangfor Engine Zero

We welcome the Sangfor Engine Zero to VirusTotal. In the words of the company:

“Sangfor Engine Zero (a.k.a SAVE engine in China) is an AI-powered malware inspection engine developed by the Sangfor Security Team and in use at some of the most influential and forward thinking enterprises globally. Engine Zero utilizes machine learning technology to analyze and synthesize input data. The combined power of Sangfor’s dedicated R&D and Security teams, comprised of data scientists, security analysts and white hat researchers, has produced Engine Zero’s unique, multi-dimentional features, able to detect and classify malicious files, sight unseen. Engine Zero surpasses traditional detection engines (feature/hash based) in its ability to: 1. Ability to identify new and unknown malware with no updates to the AI model 2. Proven industry-leading ransomware detection capabilities (successfully detected WannaCry, Globelmposter, GandCrab, CrySiS and their families) 3. Integrate and work in conjunction with the highly-automated Neural-X, Sangfor’s AI-enabled cloud platform for threat intelligence & analytics, to self-evolve and self-teach without human intervention.”

Sangfor has expressed its commitment to follow the recommendations of AMTSO and, in compliance with our policy, facilitates this review by SKD Labs, an AMTSO-member tester.

Wednesday, 6 November 2019

Pipelining VT Intelligence searches and sandbox report lookups via APIv3 to automatically generate indicators of compromise

TL;DR: VirusTotal APIv3 includes an endpoint to retrieve all the dynamic analysis reports for a given file. This article showcases programmatic retrieval of sandbox behaviour reports in order to produce indicators of compromise that you can use to power-up your network perimeter/endpoint defenses. We are also releasing a set of python scripts alongside this blog post to illustrate this use case.

We recently rolled out a new Windows dynamic analysis system called VirusTotal Jujubox. This new sandbox represents a major revamp of VirusTotal’s in-house behaviour analysis capabilities as well as a key addition to the multi-sandbox project, which already aggregates behaviour reports from more than 10 partners and the most popular operating systems.

Behaviour reports are often perceived as a mechanism to understand what an individual sample does when executed, a quick overview before diving into disassembly and debugging. However, when you have a massive dynamic analysis setup processing hundreds of thousands of files per day, the microscopic dissection capability is far from being the most attractive use case.

When you generate reports at scale, and more importantly, when you index them in an elasticsearch index and expose it via API, the generated data can be used for advanced hunting, especially when this data can be combined with other static, binary and in-the-wild properties.

The basic workflow would be as follows:

  1. Periodically identify new malware variants pertaining to a family that you are tracking making use of the VT Intelligence search API. Use family variant commonalities (for instance a section name, the compilation timestamp or a document’s author metadata property) to retrieve a stream of malware.
  2. Focus on recent matches since the previous execution (query: fs:2019-11-01+).
  3. For each match, retrieve the generated behaviour reports for the pertinent file. You can also focus specifically on network communications with the contacted_ips, contacted_domains and contacted_urls relationships.
  4. For each automatically extracted network observable, check popularity ranks in order to filter out noise and FPs.
  5. All the newly yielded network artefacts (CnCs) can then be fed into SIEMs or transformed into IDS rules to power up network perimeter defenses.

Let’s illustrate this with a particular example. Bankbot is an Android banking trojan, it allows the attacker to perform:

  • SMS hijacking.
  • GPS tracking.
  • New permission requests.
  • Overlay attacks to mask legit bank apps with forms to intercept credentials. Sometimes based on a remote set of HTML templates. 

The trojan was released in an underground forum and the post included the source code for the client-side and server-side components, including the database setup to collect stolen information.




Initially, the trojan included a hardcoded list of target bank applications that it would overlay in order to intercept banking credentials:



Since the source code of the trojan was also published in the underground forum, other crooks soon modified it to accept a remote list of financial entities to attack. This makes target identification more complex, static analysis is not enough to identify the targeted banks and subsequent date-tied CnC infrastructure.



While identifying targeted financial institutions might be a more complex task, discovering new variants of the same family and automatically identifying new network infrastructure tied to it becomes easier. Why is this? A server-side remote target list leads to a common network infrastructure pattern that can be used to track the malware family.

This is an example of a Bankbot sample:
https://www.virustotal.com/gui/file/5fdbe1e83ec9c43929cc348681cb6afde12afee637feaf444a4983c317b18423/detection

VT Enterprise allows similarity searches and other attribute searches to find additional variants of the same malware family. In this particular case, the Android package name under the details tab seems interesting, clicking on it will launch a VT Intelligence search for other Android APKs that share that very same package name:



The matches do indeed seem to belong to the same family:




When opening these samples and looking at their behaviour reports, certain commonalities are easily noticed:





Static/behaviour/code commonalities are very frequent since attackers usually reuse code across different campaigns. Sometimes the commonalities are a result of recompiling the same code to communicate with a different network infrastructure. Other times, commonalities are present because the attack binaries are generated with some kind of builder or kit for dummies. Similarly, CnC infrastructure often exhibits commonalities in terms of the same path structure or query parameters, it is the result of attackers reusing the same CnC panel through a server-side kit that they deploy without changing file names or path structure.

These patterns, in conjunction with VT’s massive dynamic analysis setup and indexing, make it easy to automatically discover new malicious network infrastructure and automatically generate indicators of compromise.

The behaviour reports for the identified cluster of samples shows that the CnC panel uses the subpaths tuk_tuk.php or checkPanel.php.

Let’s use this common pattern to periodically check VirusTotal for new variants of this malware family, and by doing so, let’s identify new network infrastructure tied to this attack, live, as samples are uploaded to VirusTotal.

Using the APIv3 Intelligence search endpoint, it’s possible to search for any Android APK whose network recordings contain the substring tuk_tuk.php:
https://developers.virustotal.com/v3.0/reference#intelligence-search
type:apk behaviour_network:"tuk_tuk.php"

Multiple properties, such as dynamic/static analysis and metadata, can be combined to make a more refined search:
type:apk behaviour_network:"tuk_tuk.php" behaviour:"del_sws" androguard:"android.permission.ACCESS_FINE_LOCATION"

The API can sort matches according to first seen descending, meaning that by executing this search periodically and focusing on the latest results, it’s possible to discover new malicious network infrastructure tied to this particular family.

At the time of writing, this search yielded the following results:

5fdbe1e83ec9c43929cc348681cb6afde12afee637feaf444a4983c317b18423
elis[.]ru
92.53.97[.]75
hxxp://elis.ru/private/tuk_tuk.php

52998a07d22b0aa267505635898219ef6104dc6cd255bea69c7ab701285666fa
xzcxzfs.kl.com[.]ua
5.79.66[.]145
hxxp://xzcxzfs.kl.com[.]ua/private/tuk_tuk.php

7c06552f59b594ef0d650204423e97c8ab8f07588f1215ec2a469dc9cb7f5670
u36084.test93w[.]ru
hxxp://u36084.test93w[.]ru/private/tuk_tuk.php

56b220e610d17987b4f96afa79e23c3c9cab16592384ed883e9ac8240907b53b
u36206.test93w[.]ru
185.31.163[.]148
hxxp://u36206.test93w[.]ru/private/tuk_tuk.php

The Intelligence search API endpoint will return a list of file objects matching a search criteria. Each of these file objects can have one or more multi-sandbox reports. These behaviour reports can be retrieved making use of the pertinent relationship (behaviours) for each of the files:
https://developers.virustotal.com/v3.0/reference#files-relationships

It’s also possible to filter the network communication relationships fields, instead of asking for the whole report (contacted_urls, contacted_ips, contacted_domains):
https://www.virustotal.com/api/v3/intelligence/search?query=type:apk behaviour_network:”tuk_tuk.php”&relationships=contacted_urls,contacted_domains,contacted_ips

Once the pertinent network infrastructure is parsed, it’s possible to either rely on the objects returned by the network-related relationships (contacted_urls, contacted_ips, contacted_domains) or make a subsequent automated call to the domain / IP address / URL API endpoint in order to retrieve further details about the given network observable. The aim of this subsequent stage is to filter out potential false positives. For instance, among the details returned for a domain lookup, there are different popularity rank lists that can be useful to filter out TOP domains.

You can easily test this workflow with a little script released along with this blog post. This script makes use of our official APIv3 python library, it can serve as your starting point to build more complex pipelines:
https://github.com/VirusTotal/vt-py/blob/master/examples/intelligence_search_to_network_infrastructure.py

python3 intelligence_search_to_network_infrastructure.py --apikey=<YOUR_API_KEY> --query=’type:apk behaviour_network:"tuk_tuk.php"’

=== Results: ===
DOMAIN: u363571.test93w.ru
IP_ADDRESS: 185.31.163.148
URL: http://u363571.test93w.ru/private/tuk_tuk.php
DOMAIN: bot.mymaster-rem.ru
URL: http://bot.mymaster-rem.ru/private/tuk_tuk.php
DOMAIN: lensfor.xyz
URL: https://lensfor.xyz/private/tuk_tuk.php
IP_ADDRESS: 38.21.243.204
URL: http://38.21.243.204/anib/private/tuk_tuk.php
DOMAIN: f0316480.xsph.ru
IP_ADDRESS: 141.8.192.151
URL: http://f0316480.xsph.ru/private/tuk_tuk.php
DOMAIN: u36255.test93w.ru
DOMAIN: mtalk4.google.com
IP_ADDRESS: 185.31.163.148
URL: http://u36255.test93w.ru/private/tuk_tuk.php
DOMAIN: u36206.test93w.ru
IP_ADDRESS: 185.31.163.148
URL: http://u36206.test93w.ru/private/tuk_tuk.php
DOMAIN: yumishop.co.uk
URL: http://yumishop.co.uk/private/inj_lst.php
URL: http://yumishop.co.uk/private/tuk_tuk.php
DOMAIN: u36317.test93w.ru
IP_ADDRESS: 185.31.163.148
URL: http://u36317.test93w.ru/private/tuk_tuk.php
DOMAIN: u36317.test93w.ru
IP_ADDRESS: 185.31.163.148
URL: http://u36317.test93w.ru/private/tuk_tuk.php


Note that this workflow is exclusively based on behavioural observations and works independently of the detection ratio of files, by pipelining VT Intelligence searches and sandbox report lookups, it is possible to generate indicators of compromise even if the related sample is undetected. The identified domains can be automatically checked against SIEM logs or can be automatically transformed into IDS rules, serving as an additional layer in your onion-like security strategy.

This blog post focuses on combining VT Intelligence searches with behaviour lookups, the same can be done with YARA rule matches. VT Hunting Livehunt matches can programmatically retrieved using APIv3, for each match the pertinent behaviour reports can be retrieved and CnC network infrastructure can be automatically extracted. Similarly, other properties that can be used as IoCs, such as mutexes, registry keys, embedded domains, file names, cmd parameters and the like can be automatically yielded. The following two script showcase this other VT Hunting workflow:
https://github.com/VirusTotal/vt-py/blob/master/examples/hunting_notifications_to_network_infrastructure.py
https://github.com/VirusTotal/vt-py/blob/master/examples/retrohunt_to_network_infrastructure.py

If you are rather a golang fan, feel free to check out our official VirusTotal golang library:
https://github.com/VirusTotal/vt-go

APIv3 was a major component of our 2019 roadmap, soon we will be officially releasing it and announcing a generous deprecation timeline for APIv2, stay tuned!

Thursday, 31 October 2019

VirusTotal += Bitdefender Theta

We welcome the Bitdefender Theta scanner to VirusTotal. This engine is 100% Machine Learning powered and reinforces the participation of Bitdefender that already had a multi-platform scanner in our service. In the words of the company:

“When it comes to pushing things forward in the fight against cyber-crime Bitdefender Theta checks all the boxes. This new technology stack makes use of deep neural networks to provide industry leading detection rates in the fight against ever changing cyber-attacks. Bitdefender Theta is 100% Machine Learning powered and built on top of Bitdefender's state of the art dynamic behavioral analysis and cloud services is used to identify and block threats without the need for daily signature updates.”

Bitdefender has expressed its commitment to follow the recommendations of AMTSO and, in compliance with our policy, facilitates this review by AV-Comparatives, an AMTSO-member tester.