Thursday, December 10, 2020

, , , , , , , ,

VirusTotal Multisandbox += Sangfor ZSand

VirusTotal multisandbox project welcomes Sangfor ZSandThe ZSand currently focuses on PE files,with extensions to other popular file types like javascript and Microsoft office to be released soon.

In their own words:
ZSand, developed by Sangfor Technologies’ Cloud Computing & Security Team, is an agentless behavioral analysis engine incorporating multiple innovative techniques. At the systems level, zSand employs Two-Dimensional Paging (TDP) techniques to inject hidden breakpoints, enabling accurate monitoring of the API calling sequence of a given process for further fine-grained analysis. At the GUI level, interactions are simulated by the virtual network console (VNC) and visual artificial intelligence (AI) techniques, providing a lifelike and fully functional sandbox. At the detection level, zSand identifies all forms of malware, including vulnerability exploits, by uncovering malicious behaviors and synergistically applying both conventional rule-based approaches and advanced AI algorithms. As a core innovation of the Sangfor anti-malware research group, zSand is a significant improvement in cyber-security capability for both Sangfor Technologies and its clients, customers and partners. Use cases include proactive hunting for unknown threats and the near real-time production of threat intelligence identifying malicious URLs, domain names, files, memory fingerprints, and malicious behavioral patterns. zSand is an agentless behavior monitoring engine, allowing users to deploy real-time defenses in a virtual environment.

In comparison with other sandboxes, the key advantages of zSand include:
  • High runtime performance -- By optimising the configuration of TDP and reducing the number of VMExit events, zSand minimizes monitoring overhead and resource utilization.
  • Strong anti-evasion measures -- Thanks to high performance hardware virtualisation and agentless features, zSand is immune to anti-sandbox detection. 
  • Comprehensive monitoring -- zSand retrieves detailed malware behavioral events and associated states of hardware including CPU, memory, disks, and network interfaces. 
  • Extensive and in-depth analysis -- Designed by cyber-security specialists and AI specialists, zSand is able to dynamically detect elusive and concealed malicious behavior, vulnerability exploits, malware persistence, and privilege escalation, at low levels.

Take take a look in the behavior tab to view these new sandbox reports:

Example reports:

You can also take a look at a couple of Sangfor ZSand behavior analysis reports here and here.
In case you are interested in searching for specific Sangfor ZSand reports, VirusTotal premium services customers may specify so using sandbox_name:sangfor in their queries.

Pivot on interesting behavioural characteristics

All malware uploaded to VirusTotal is detonated in multiple sandboxes, providing security analysts with many interesting and powerful possibilities. Having multiple fine-tuned sandboxes increases the possibilities of malware detonating properly (remember malware usually implements different anti-sandboxing techniques), and provides valuable dynamic data on how the malware behaves.

Why is this data valuable? Because it gives us details that are not visible at static analysis time. For instance, we can use this data to land some TTPs into something more actionable. We will get back on this topic on a future blogpost.

For example, taking in the following sandbox report we find some potentially interesting mutex names. 

We can use this data to pivot and find other malware having the same mutexes when detonated on our sandboxes. By clicking on one of the interesting mutexes, in this case ENGEL_12, we will create a new search ( behaviour:ENGEL_12) which provides us with samples belonging to a common family of padodor malware.

It turns out that this is a valuable dynamic indicator we can use to identify malware samples belonging to this particular malware strain.   From VirusTotal, we welcome this new addition to our Sandboxing arsenal. Happy hunting!

Tuesday, December 01, 2020

VirusTotal += BitDefender Falx

 We welcome the BitDefender Falx scanner to VirusTotal. This engine is specialized in Android and reinforces the participation of Bitdefender that already had two engines in our service, their multi-platform scanner (BitDefender) and a 100% machine learning engine (BitDefenderTheta). In the words of the company:

“Bitdefender offers a cloud-based malware detection product for Android. It is built on several automated systems that perform different methods of static and dynamic analysis. Powerful machine learning models and other complex threat detection techniques form a state of the art security solution capable of detecting previously-unseen advanced malware. The cloud-based approach offloads computationally intensive tasks to a distributed cloud environment to deliver the best protection with no impact on system or battery performance.”

Bitdefender has expressed its commitment to follow the recommendations of AMTSO and, in compliance with our policy, facilitates this review by AV-Comparatives, an AMTSO-member tester.

Thursday, November 26, 2020

, , , , , , ,

Using similarity to expand context and map out threat campaigns

TL;DR: VirusTotal allows you to search for similar files according to different orthogonal notions (structure, visual layout, icons, execution behaviour, etc.). File similarity can be combined with the “have:” search modifier in order to gain more context about threats, e.g. what are the emails or URLs that distribute them.

This is the second blog post in our similarity series, the first article focused on how to trigger file similarity searches and the different similarity vectors at your disposal. In the context of this series we have also done a webinar that can be viewed on-demand, it focuses on using similarity to automatically produce optimal YARA rules to detect a given malware framework/family/campaign via VTDIFF.

This situation might sound familiar. As a SOC analyst or Incident Responder you are often confronted with files you know nothing about. Your SIEM describes their internal sightings and actions but fails to transmit the bigger picture. You are constrained by the narrow visibility of your corporate logs. Context is king and the problem is that you are fighting threat actors that operate globally with just a piece of the puzzle, your local data.

What is this file? Who is behind it? What is their modus operandi? How did it get there? Are there other related components? What does it do? Are there other variants that could have impacted my organization in the past? Any that could impact us in the future? How do I contain it? Your SIEM, case management system, EDR, firewall, IDS etc. don’t answer these questions. You are missing a necessary layer in your defense-in-depth security strategy.

VirusTotal is your saving grace. You jump into VT ENTERPRISE and look up the hash: threat reputation is useful, but you need further context. Your task is to identify IoCs that can be used for remediation, e.g. by blocking a command-and-control domain in the network perimeter, as well as artefacts that can be used for proactive threat hunting purposes, to determine whether there has been a breach and what is its scope. The issue is that sometimes VirusTotal does not have full context for a specific individual file in terms of sandbox reports, in-the-wild sightings, relationships, etc. and so your investigation might end here.

How to do it better

Isolated hashes are of limited value. Many times they are unique per victim or campaign, so a better idea would be finding the cluster/family/campaign they belong to in order to unearth remediation IoCs and threat hunting patterns. Most importantly, you need to leverage those groupings in order to surface command-and-control domains, dropzones, distribution URLs, phishing emails, etc. that can be used for mitigation and containment, and, to build proper understanding and situational awareness.

Similarity and the “have” search modifier to the rescue. Let’s imagine the initial hash that popped up as an alert in our environment was a first stage EMOTET dropper, i.e. a document that delivers a malicious payload through macros.

Threat reputation allows you to perform an immediate first assessment (alert triage), but other than that there is little context in terms of remediation IoCs and hunting artifacts. We still know nothing about how this file gets distributed, i.e. its delivery vector. Similarly, we fully ignore whether this is something spear phished exclusively against our organization or part of a larger campaign. What about the threat network infrastructure? Does it download additional payloads? Does it communicate with a command-and-control?

The next step in an incident response engagement - and this is what most analysts fail to do - is to jump into the file’s cluster (its family/framework/campaign) in order to expand context and surface IoCs. This is just one click away:

For documents there is a limited number of approaches to find similar files (other file formats will expose more), this said, they are very rich because they are fully orthogonal: structural features, visual layout, local sensitive fuzzy hashing, execution behaviour similarity. Let’s jump to other similar files based on the document’s visual layout by clicking on “Similar by icon/thumbnail” or on the thumbnail itself, located in the top right: main_icon_dhash:23232b2b00010000.

There are too many matches, we would have to iterate over every single one in order to surface particular patterns that may allow us to understand the campaign.

Finding phishing emails that distribute the threat

We can narrow down the search above to match exclusively those files that have been seen as an attachment in some email uploaded to VirusTotal:

main_icon_dhash:23232b2b00010000 AND have:email_parents
(Note that you can also use tag:attachment instead of have:email_parents)

We can now run through the matching files, open up their Relations tab and jump into the pertinent email parent, so as to understand the deception techniques being used in the campaign:

This particular instance poses as some kind of World Health Organization report on COVID. It is important to inspect all the other emails because not only will they tell us more about the lures, it will also allow us to identify targeted industries, geographical spread, activity time spans, etc. For instance, there could be other localized variants that could be targeting some other corporate branches. Access to these emails will not only give us greater insight into the attacker, it is also something we can leverage tactically in order to improve filtering in our email gateways.

Discovering URLs that distribute this threat

We want to see if this campaign is also being distributed via download URLs. If that´s the case we can block them in our network perimeter or use them to search across web proxy logs. Let’s ask VirusTotal whether any of the files in the cluster have associated in-the-wild URLs:
main_icon_dhash:23232b2b00010000 AND have:itw

We can now jump into the Relations tab in order to export these additional IoCs:

There are over 3K files with in-the-wild URLs, note that we can automate all of this via the API.

Identifying command-and-control/exfiltration infrastructure

The next step is to understand whether any of the machines in our corporate fleet are beaconing out to infrastructure tied to this campaign. At the same time, we will probably want to block the CnC and exfiltration points in order to mitigate the impact of historical undetected breaches. Let’s filter down the search to focus exclusively on those files that exhibited network communications when executed in a dynamic analysis sandbox:

main_icon_dhash:23232b2b00010000 AND have:behaviour_network

Most of the matching files have been analysed by several sandboxes participating in our multi-sandbox effort. This gives us unparalleled visibility into the campaign. For an attacker it is easy to evade a single sandbox, it is far more complex to do so for 17+ of them at the same time. Each one of them set up in a different geographical region, going out to the internet through a different IP address, running different OS versions, with different software and language packages installed, etc. As a result, we now have very interesting sightings in terms of infrastructure:

These communication points can be very easily triaged. Remember that VirusTotal also characterizes domains, IP addresses and URLs. Threat reputation for these domains further confirms that they are accurate IoCs:

The domain relationships (in-the-wild sightings) tell the same story:

We now have additional IoCs that we can feed into our stack in order to proactively defend our organization from other variants. As a bonus point, pivoting to other campaign files that have sandbox behaviour reports allows us to shed more light into other TTPs that we might be tracking via MITRE ATT&CK (e.g. installation, actions on objectives, etc.).

Gaining context through the community

Furthering on the use of the “have” search modifier, we can also leverage it to find files on which some VT Community user has placed a comment providing more context:

main_icon_dhash:23232b2b00010000 AND have:comments

Community comments often give us interesting details in terms of in-the-wild observations, malware capabilities, reverse engineering reports, attribution, etc. For example, in this particular case we learn about additional distribution URLs:

This other case helps us understand that this first stage is EMOTET and allows us to jump into a pastebin dump with further context about the campaign in terms of related hashes and network infrastructure:

Additional context

The “have” modifier accepts many other values, some of the more representative ones are:

  • compressed_parents: the files were seen inside a compressed file uploaded to VirusTotal.
  • pcap_parents: the files were seen in a network traffic recording uploaded to VirusTotal.
  • embedded_(urls/domains/ips): a URL/domain/IP address pattern was extracted from the binary bodies of the files.
  • behaviour: the files managed to execute in at least one sandbox and produced the pertinent dynamic analysis report.
  • behaviour_registry: the files executed in a sandbox and interacted with the Windows Registry.
  • crowdsource_yara_rule: the files match some YARA rule coming from open source community repositories, these rules often provide additional references and descriptions about a threat.

Summing up

VirusTotal aggregates orthogonal means to cluster together groups of related files. Files which may belong to the same malware family/framework/campaign/actor. These file similarity vectors range from structural features to dynamic analysis observations.

We started off with a single IoC for which we had little context, neither did VirusTotal, beyond basic threat reputation. By leveraging file similarity we managed to find thousands of other files related to the campaign/malware framework. Through the “have” search modifier we then narrowed down our searches to identify phishing emails used by the attackers, distribution URLs, additional network infrastructure such as CnCs and context shared by other threat researchers.

All of this is tactical intelligence that can be fed into network perimeter defenses, but also context that can be operationalized and digested into TTPs in order to characterize threat actors. Finally, this blog post presented an incident response scenario but the very same logic can be applied to threat actor tracking or campaign monitoring use cases.

This post was authored by Emiliano Martinez.

Thursday, November 19, 2020

Why is similarity so relevant when investigating attacks

The concept of similarity is pretty straightforward: are two files similar? There are many ways to figure it out. That's why different similarity algorithms exist. Now, why is this useful? 

Attackers need tools for their attacks, basically malware. Malware in the end is a piece of software, built from frameworks, code and libraries, and takes some time and expertise to create. The result is that two different malware files built from the same developer using the same pieces will look alike.

Imagine you are investigating some attack and you find some suspicious file. After taking a look in VirusTotal, you find nothing really meaningful about the file itself. One idea at this point would be finding similar files: maybe the attacker used similar malware in other campaigns than the one under investigation, and maybe these files will tell more about the infection chain and infrastructure. Here is where similarity comes handy!

Additionally, the same approach can be applied to attribution. We find some malware that looks new, there are no references about it. Can we find similar malware? Maybe the new artefacts will tell more about the author, maybe they are well-known by the security industry. This is how attribution is built in many cases.

There are many situations where similarity becomes useful. We can always reduce the problem to the following: IOCs can easily be replaced, malware frameworks not. 

If you want to know more about how to use similarity in real cases, join us next November 25th for our “Similarity brings your threat hunting to the next level” webinar with TrendMicro and Trinity Cyber. Register here.

In this blogpost we will discuss some interesting ideas of what can be done with similarity in VirusTotal.

File similarity in VT

You came across the following sample c9b96d5d694e4e25e03d97c7b95eff637525e539b9c47c8eda498f72ecd51b22 within your network and you want to find some context. Crowdsourced sigma rules already warn that something fishy might be going on. 

At this point we want to get a better understanding of the whole picture, which means getting more artifacts. When we run out of indicators, similarity to the rescue!

How to find similar samples? Right from the Details panel in the sample report there are several hashes that correspond to the output of different similarity algorithms: vhash, authentihash, imphash, rich PE header hash, ssdeep and TLSH:

It is important to understand that different similarity algorithms provide different results. Choosing the right similarity many times depends on the samples we are working with, that's why sometimes it is just easier to check them all at the same time and take a look at the results.

Clicking on any of the hashes shown in the report will return all similar samples. In this case, vhash returns 57 additional files, imphash finds no other hits and rich PE header hash returns around 1.16 million other files in VT (we can spot potential non-malicious files adding the search operator positives:0).

All the above might sound too technical, that's why sometimes we can approach this similarity problem with a different angle. For instance, we implement visual similarity. This is specially useful for suspicious documents distributed by attackers, but it also works for executables sharing similar icons. In this case, visual similarity returns 3,390 new files by clicking on the icon above.

We do our best to detonate in a sandbox every file we receive in VirusTotal. Would it be possible to find files with a similar behavior? It is! Even better, we integrate multiple sandboxes, offering us different options. We can do this similarity search either by selecting it in the multiple similarity button, or in the Behavior tab. Following the example, JujuBox behaviour similarity returns 11 additional files. This is an interesting feature when we want to make TTPs actionable, but we will get back to all these topics in a future post.

We have used clustering hashes (both static/structural and behavioural), but are there concrete features that we could pivot on? We can look at the Capabilities and Indicators. Specifically, let's try to find some pivotable features (or clues) among the million files caught by rich PE header hash using the VT Enterprise query [rich_pe_header_hash:640b9fb49577f39427b39125155c2425 have:clue_rule]. One of the results, 15e5353c8d5d1b1dba8d9c99e77075d737771335eac9597eba95d1f3efc3b6cd, shows interesting dropped files, registry keys set and DNS resolutions in the Details panel. We can click in any of these indicators to find their respective clusters.

We can even drop all of this into a VT-Graph to see the whole picture and the different clusters in a single panel, including the rest of the attack like dropped files, contacted URLs, etc.


To sum up, once we understand the value of using similarity for our threat hunting, it is very important to have all the options available depending on our needs. Different investigations, or different malware families, need different approaches. Behavioural similarity for instance can be very interesting when the samples are different but the TTPs are common.

But we cannot apply similarity without any data to compare. In VirusTotal we have 2.5 Billion files to make sure you get the most from your Threat Intel investigations.

Happy hunting!

This post was co-authored by Marta Gomez and Jose Martin.

Thursday, November 05, 2020

, , , ,

Keep your friends close; keep ransomware closer

“How to avoid being a ransomware victim?” is one of the main questions every single company and organization asks themselves every day. Unfortunately there is no silver bullet against that, but there are several good practices we can follow to minimize our exposure.

We can start by enumerating what are the main vectors that attackers use to get into victims: phishing, brute forcing and the use of exploits. Let's use this information to understand what exactly are attackers doing from a technical point of view, but more importantly, to monitor how their campaigns evolve. And here we want to highlight the importance of continuously tracking malicious activity in order to feed our systems accordingly: attackers evolve their methods and the IOCs used constantly change. We need the whole movie, not just a static picture.

This post describes different examples of techniques we can use to monitor ransomware campaigns, with a special focus on the infection vectors previously mentioned in order to minimize the risk of becoming a victim.

For more details, you can check our recorded anti-ransomware webinar in English and Spanish.

Ransomware in phishing attacks

Phishing is the most common technique used to distribute ransomware. We want to be able to discover how it is being used in new ransomware campaigns and to obtain the infrastructure behind the attack, gathering valuable IOCs and TTPs to feed our defenses.

We can start looking for emails involved in phishing campaigns uploaded this year to VirusTotal:

engines:ransom type:email fs:2020-01-01+

We get a list of generic ransomware email files. We can specify a certain malware family we are interested in. For instance, the following query returns emails related to some of the most common campaigns:

(engines:bitpaymer OR engines:maze OR engines:Ryuk OR engines:gandcrab OR engines:clop OR engines:revil OR engines:sodibiniki OR engines:matrix) type:email

Trickbot is a malware family frequently used to distribute ransomware. By searching for recent samples delivered by email (engines:trickbot fs:2020-09-01+ type:email) we can quickly find an interesting sample implementing an exploit and pretending to be a well known financial institution. We can quickly expand all the domains, URLs and IP addresses embedded into this file into our investigation graph, getting a broader overview of the campaign:

Expanding different nodes uncovers new IOCs to feed our defenses and unfolds this campaign, showing domain names that were used to bait victims into opening the malicious word document attached to the phishing email. 

This kind of phishing attacks where legitimate logos, domains and brand images are used to bait victims into executing malware can hurt a company's reputation, not to speak of being used against the company itself. The sooner we detect a campaign the faster we can perform actions to shut it down. VirusTotal’s Livehunt checks any submitted file against a search criteria written in Yara.

For example, to check for embedded domains in emails detected as phishing, we could use:

import "vt"
rule brandmon_google {
        $domain1 = ""
        $domain2 = ""
        $domain6 = ""
        for any engine, signature in vt.metadata.signatures : (
            signature contains "phishing" and vt.metadata.file_type == vt.FileType.EMAIL and (any of them)

Exploits used in ransomware attacks

Exploits are commonly used for installing malware or for escalating privileges into your system.

According to this report, the four CVEs that are most frequently used for performing ransomware attacks this year are:
  • CVE-2019-19781 → Revil/Sodinokibi, Ragnarok, DopplePaymer, Maze, CLOP y Nephilim.
  • CVE-2019-11510 → Revil/Sodinokibi y Black Kingdom
  • CVE-2012-0158 → EDA2 y RASOM
  • CVE-2018-8453 → Revil/Sodinokibi
We can add to the list a couple of recent remarkable exploits: zerologon (CVE-2020-1472) and SMBGhost (CVE-2020-0796). We observed several ransomware lookups in VirusTotal tagged with this last vulnerability during the last months:

We could use the following query to get more detailed information about what CVEs were used in ransomware attacks during 2020:

engines:ransom tag:exploit fs:2020-01-01+ tag:CVE-2020*

We can once again filter by malware families. For instance, the previous query is mostly GandCrab malware, which can be easily checked using the query: (engines:ransom and not engines:gandcrab) tag:exploit fs:2020-01-01+ tag:CVE-2020*).

Now, we are ready to create a Livehunt rule to find new files tagged with one of the exploits frequently used by ransomware. 

import "vt"
rule ransomware_exploits {
        for any tag in vt.metadata.tags : (
            tag == "cve-2019-19781" or
            tag == "cve-2019-11510" or
            tag == "cve-2012-0158" or
            tag == "cve-2018-8453" or
            tag == "cve-2020-1472" or
            tag == "cve-2020-0796"
        ) and not vt.metadata.file_type == vt.FileType.CAP

This will result in an immediate notification, allowing us tracking any new IOCs we can use to protect our system.

More importantly, this is very valuable information we can use on a regular basis to manage our patching policy, prioritizing patches based on fresh data of how different exploits are being used in real attacks.

Tracking fresh campaigns

Now, we want to make sure that we monitor any new ransomware campaign in order to understand how it evolves and what new artefacts and techniques they use.

As an example, we can start with a recent DFIR Report investigation revealing Ryuk exploiting zerologon. There are many ways to track campaigns, however VT Graph is a great choice to get together all the discovered observables and extend our knowledge in a visual way. Here are some tips that could help you during this process:
  • Start by adding all the known observables to a new VT Graph.
  • Expand domains, URLs and IPs to unfold relations and obtain new observables.
  • In order to keep our list of observables up to date, we can translate common Yara rules into Livehunt rules to catch new files, injecting Livehunts results directly into the graph.
  • Additionally, we can use Retrohunt rules to look for similar samples in our collection.
We start the investigation dropping one of the files included in the publication in a new graph, showing domains, urls and ip addresses embedded in the file, ITW URLs hosting the file and network observables contacted by this sample when executed. This file is detected as “bazar” malware, used to install Ryuk. We dropped all this information in our graph:

Additionally to keep pivoting using our graph and indicators, we can also translate the Yara rules from the DFIR report into Livehunt rules.

We can integrate Livehunt results into our graph in just two clicks. Just click on the target icon at the right in the VTGrap interface, select the rule desired and choose "Load results". This will add all the new observables that match our rules to the current graph. We can expand these new nodes to unveil new observables and create relationships.

All these new IOCs are fresh observables that are clearly related to this campaign. All this continuous flow of fresh indicators will help us improve our security mechanisms to stop Ryuk from passing through our defenses.

Summarizing, the knowledge of what attackers are using is the first necessary step for us to minimize our exposure to different campaigns. It wouldn't be right to put all the different ransomware attacks under the same umbrella, as they became highly specialized and protecting from different actors is not exactly the same. The techniques described in this post are a good starting point for automatically minimizing our exposure to more spread ransomware campaigns, however they can be applied both for generic and targeted attacks.

Stay safe and happy hunting!

This post was co-authored by Vicente Diaz.

Thursday, October 29, 2020

VirusTotal += Gridinsoft

 We welcome the Gridinsoft engine to VirusTotal. In the words of the company:

“Gridinsoft provides an autonomous multi-layered malware detection engine based on a powerful malware-analyzing laboratory. We combine the most relevant file inspection methods with an effective interaction of our development and analyst teams. They gather threat patterns, classifying and replenishing the database with rising threats. At the same time, the Gridinsoft Scan24 engine fills with new processing patterns. Gridinsoft Antimalware Neural Network (our GANNet) is composed of several modules using deep neural networks to provide high detection rates. All these together give a reliable and consistent result reified as a rapid scanner with minimal impact on resources and no conflict with other software.”

Gridinsoft has expressed its commitment to follow the recommendations of AMTSO and, in compliance with our policy, facilitates this review by NioGuard Security Lab, an AMTSO-member tester.

Tuesday, October 13, 2020

, , , , ,

Tracing fresh Ryuk campaigns itw

Ryuk is one of the most dangerous Ransomware families. It is (allegedly) run by a specialized cybercrime actor that during the last 2 years mainly focused on targeting enterprise environments. The amount of bitcoins demanded in their ransom attacks varies depending on the target. Some of the wallets used by the group to collect the ransom payments reached millions of dollars in a few weeks.

Protecting against such attacks is one of the main priorities for any CISO or security team. This is a problem that should be approached from different perspectives, being prevention (likely) the most relevant one.

Now, what can be done in terms of prevention? Information is power, the first thing we need is understanding how the new campaigns are operating. Is this distributed through phishing or exploiting any vulnerabilities? Do they use brute force attacks? Maybe all together?

In addition to the TTPs described above, we want as many technical details as possible. This will result in very valuable Indicators of Compromise we can use for protecting our infrastructure: deploying networking indicators to disrupt malware communication, making sure our Yara rules will detect all the components of the attack, launching regular scans in our infrastructure to detect any artefact used in the campaign.

We need to quickly deploy our fishing nets to catch everything related to fresh new campaigns! And then to keep monitoring for a while to make sure we keep our systems updated as attackers evolve.

In this blogpost we will describe how we used VirusTotal to detect and monitor new Ryuk activity. However this is a very specific case where we want to show how our IDA plugin can save us a lot of time when dealing with certain samples.

If you want to learn more about how you can keep your organization safe from ransomware and how to easily leverage VirusTotal to monitor ransomware activity, please join us for our next Anti-ransomware workshop - English (Live November 4th, 1pm ET) and Spanish (Live October 28th, 17:00 CEST) versions available.

Starting the investigation

Two weeks ago new files were uploaded to VirusTotal (1, 2). According to the crowdsourced YARA rule that identified them, these files looked like Ryuk malware.

A closer look revealed that these samples have been probably dumped from memory: the disassembled code showed plenty of memory mapped addresses, the import table was missing and the samples crashed when executed - they were definitively corrupted PE files.

Given these were fresh samples, we certainly wanted to know more about them, especially if they were part of a bigger campaign. In such cases, one of our best allies is looking for similar samples that could also be part of the attack. However, when working with memory dumps we need to be careful, given that probably some segments and memory mapped addresses will be execution specific. If we include any of such specifics in our search, we won't be able to find other samples.

IDA plugin to the rescue

One of the options would be to rebuild the samples we found, which is an extremely time consuming process. Instead, we can use the VirusTotal IDA plugin (see original blog post announcement) to help us search for the original sample. Using the "search for similar code" functionality we can create a query that will ignore all the memory mapped addresses, being a perfect choice for our problem.

Taking a look at the samples with IDA, we can see there are many functions that aren't properly identified by the disassembler engine given the use of anti-disassembly techniques. Precisely for this reason, they are good choices for searching for code similarity.

We just need to select the code, right-button, and search for similar code. The resulting query will take care of ignoring all the memory mapped addresses we wanted to get rid of.

The resulting listing with all the files found shows very close first submission time. Also, some of them report behaviour activity, meaning they executed in the sandboxes without crashing: maybe one of them could be our original sample.

Picking one of our initial samples and another one with behavioural information, we can see that:
  • They don't show up as similar when doing a similarity search (as expected).
  • They have some long sequences of bytes in common.

Is this our sample?

At this point we feel confident that the new sample found is the one we were looking for. Indeed, starting from this sample and taking a look at the (undetected) function located at 0x35008A60, we select a large sequence of instructions with the IDA plugin (as we did before) for a new search. This results in only 4 files that match the query generated: our two initial samples, another file that's also corrupted, and the previously chosen sample that detonated in our sandboxes. Therefore, this is the second time that we get this file when looking for similar code.

Going deeper, we'll see that it shares the same PE entry point that our two initial corrupted files. Furthermore, their WinMain functions are the same. Initially it looks like a quite simple function, composed of only three blocks of code. But, after overcoming the anti-disassembly trick implemented to confuse IDA, we can compare both function graphs to see the similarity. We conclude that we found the original sample.

What now?

At the time of this research there isn't any Yara rule detecting the original sample and it has 28/71 positives. Inside this file we can find encrypted strings that are extremely useful for pivoting to find additional samples. These strings are included in the corrupted files as well, stored in the ".gfids" segment at the end of the file. In other words, they aren't located in the ".data" segment as seen in the original sample. This new location reveals that probably these strings were initially encrypted and became decrypted after execution, thus they can be seen as footprints of the original sample.

Using the VT-IDA plugin we can search for other files that contain these encrypted strings. As expected, the four files found before are listed now, but there are two other samples that were submitted three days prior to our original sample and can also be investigated.

Moreover, all these new strings can be used to improve the original Yara rule that brought us here, or to create a new one! Remember to keep it running as a LiveHunt to make sure you keep track of any new Indicators of Compromise and to detect anything new attackers use in their campaigns. You can find all the details about the campaign described in this blogpost in the following VT-Graph.

This post was co-authored by Vicente Diaz.

Monday, August 24, 2020

, , , , , ,

Learn how malware operates so you can defend yourself against it

TL;DR: VirusTotal is hosting an APJ webinar on August 27th showcasing our advanced threat enrichment and threat hunting capabilities, register for the webinar, it is free.

Following the EMEA webinar that we recently conducted (watch on demand if you missed it), we want to spread the word about all the features and capabilities your team can take advantage of with VirusTotal. Our mission is to improve security for billions of users by coordinating and empowering distributed security teams, acting as the nexus of the security industry, and it is with you, our community of users, that we are able to execute on it.

Join our upcoming webinar “Advancing Threat Intelligence & Hunting with VirusTotal” where we will run you through a detailed and comprehensive overview of VirusTotal Intelligence and Hunting capabilities. This will showcase the search capabilities within VirusTotal to help sift through the vast amount of malware and how it may be pertinent to your organization as well as ways to track this threat for future variants. An investigation can start from IoC’s with little context, and how an analyst may leverage the data in VirusTotal can help uncover additional variants and the techniques attack groups may be utilising. Learn how VirusTotal can supercharge your team in regards to:

  • Security threat enrichment
  • Incident response
  • Threat hunting
  • Fraud and brand protection
Specifically, among other things, you will understand how:
  • A SOC level 1 analyst can use static information, crowdsourced metadata and inter-observable relationships generated by VirusTotal in order to confidently act on an alert, even when the pertinent IoC is fully undetected.
  • An incident responder can leverage file similarity search in order to map out an entire threat campaign and generate network IoCs to mitigate a breach or proactively defend his organization.
  • Identify variants and other threats to augment your organization’s prevention and detection capabilities.
  • Uncover vectors which adversaries may be using to target your organization and your customers.
  • A threat hunter can automatically generate optimal YARA rules to track adversaries and pivot through the dataset to discover their TTPs.
Knowledge is power, learn how malware operates so you can defend yourself against it.

Stay positive, remain resilient, fight the bad guys.

Tuesday, June 09, 2020

VirusTotal += Cynet

We welcome the Cynet engine to VirusTotal. In the words of the company:

“Cynet 360 is an autonomous breach protection platform that includes multi-layered anti malware capabilities including AI-based static analysis, process behavior monitoring, memory monitoring, sandboxing, and granular whitelisting, interlocking together to protect against malicious executables, exploits, scripts, Macros, LOLbins, malicious process injection and other fileless attacks. Cynet 360 protection ranges across the entire malware lifecycle identifying malicious attributes in either the pre-execution stage by analyzing the file in its binary form or across multiple stages throughout the process execution.”

Cynet has expressed its commitment to follow the recommendations of AMTSO and, in compliance with our policy, facilitates this review by Virus Bulletin, an AMTSO-member tester.

Wednesday, May 27, 2020

, , , , , ,

I did not know you could do X, Y, Z with VirusTotal

TL;DR: VirusTotal is hosting an EMEA webinar on June 4th showcasing our advanced threat enrichment and threat hunting capabilities, register for the webinar, it is free.

I did not know you could do X, Y, Z with VirusTotal”, this is the most common feedback that we hear coming from our users whenever we jump in calls, demos or give a talk at conferences. Our mission is to improve security for billions of users by coordinating and empowering distributed security teams, acting as the nexus of the security industry, and it is with you, our community of users, that we are able to execute on it.

Join our upcoming webinarSupercharging Your Security Operations with VirusTotal” where we will run you through a detailed and comprehensive overview of how VirusTotal can step up your security operations, from SOC Level 1 analysts confronted with IoCs for which they have very little context, to advanced threat hunters tracking state-sponsored attacks. Learn how VirusTotal can supercharge your team in regards to:

  • Security threat enrichment
  • Incident response
  • Threat hunting
  • Fraud and brand protection
Specifically, among other things, you will understand how:

  • A SOC level 1 analyst can use static information, crowdsourced metadata and inter-observable relationships generated by VirusTotal in order to confidently act on an alert, even when the pertinent IoC is fully undetected.
  • An incident responder can leverage file similarity search in order to map out an entire threat campaign and generate network IoCs to mitigate a breach or proactively defend his organization.
  • A threat hunter can automatically generate optimal YARA rules to track adversaries and pivot through the dataset to discover their TTPs.
  • A threat intel analyst can pivot over URLs, Domains and IPs to burn down threat campaigns not by studying the malware itself, but rather the CnC panels controlling it. Furthering such pivoting to uncover a specific threat actor operating a given cybercrime malware family. 
  • An ecrime/anti-fraud analyst can leverage network infrastructure searches to study phishing campaigns against a financial institution, and extend those searches into the file corpus in order to identify fraudulent apps impersonating his organization. 
  • Automate all of the above and start thinking about live data enrichment to step up your onion-layered security model and complement your security stack.
Knowledge is power, learn how malware operates so you can defend yourself against it.

Stay positive, remain resilient, fight the bad guys.

Wednesday, February 26, 2020

, , , , , , , , ,

Uncovering threat infrastructure via URL, domain and IP address advanced pivots a.k.a. Netloc Intelligence

Quick links:

Ten years ago, VirusTotal launched VT Intelligence; a critical component of VT Enterprise which offers users the capability to search over VirusTotal's dataset using advanced search modifiers. VT Intelligence allows security professionals to pinpoint malware based on its structural, behavioural, binary, metadata, etc. properties to uncover entire threat campaigns.

For example, the following search query instructs VirusTotal to search for all documents that make use of macros whose static analysis seems to reveal some kind of payload execution and that when executed in a dynamic analysis environment (sandbox) reach out to a URL (highly suspicious sequence of events):
type:docx tag:macros tag:run-file behaviour_network:http

By drilling down within the VT corpus and identifying these kinds of suspicious patterns, analysts can discover new threats and build the defenses for them.

However, this approach has certain limitations. In the context of an attack, hashes/files are one of the last observables, to mitigate a threat, often analysts must begin by studying the campaign at the network level. A single domain/URL/IP address might be used to distribute thousands of server-side polymorphic variants of the same malware family. Similarly, very often it is far easier to discover new threat campaigns by focusing on the network side of things, has an adversary set up a new domain to distribute his malware? Can I block such domain in my network perimeter defenses (IDS, firewalls, webproxy etc.) even before he leverages it to distribute malware? VT Graph allows you to understand this easily:

As you can see, by blocking the domain bbvaticanskeys[.]com we would be, all of a sudden, killing the chances of our organization’s users downloading any malware that it delivers now or in the future and we would also be preventing the exfiltration of data to the domain if the compromise had already taken place. Note that hundreds of different variants communicate with the domain. In an onion layered security model it is important to build defenses not only against the bullets, but also against the gun, the bad actor porting the gun and the organization to which they belong.

Enter VT Intelligence’s netloc faceted search layer. We are supercharging the investigation capability of VT Enterprise customers by allowing a myriad of search modifiers over the domains, IPs and URLs that VirusTotal scans and sees in its backend processes, at no extra cost. This new functionality has been seamlessly rolled out to your accounts and it will simply consume search quota in the same manner that traditional VT Intelligence and VT API queries do.

So what exactly does this mean for investigators? VirusTotal can now power numerous new use cases:

Discover new threat campaign infrastructure set up via builders/kits and perform early blocking at the network perimeter level

Often adversaries instrument their attacks via trojan builders, exploit kits, command-and-control panels, etc. It is basically tooling that allows less technical crooks to set up an attack or that accelerates the time to launch a campaign.

The catch is that these kits often lead to repeated patterns that can be used to identify an attack:
  • Common URL path subsequences.
  • Uncommon HTTP ports.
  • Distinctive server HTTP response headers.
  • Repeated URL GET/POST parameters across campaigns.
  • etc.
Repetition of server setup patterns is something you can easily observe by browsing over something like URLhaus:

With the netloc intelligence module you can now launch searches like:

entity:url query_field:worker query_value:universal - Silentbruter malware
entity:url path:"fre.php" - LokiBot CnC
entity:url port:7000 path:gw
entity:url path:"/zehir/z3hir"
entity:url path:"bstr.php"
entity:url path:"tuk_tuk.php"
entity:url path:"/private/checkPanel.php"

With regards to path commonalities, Virus Bulletin recently published an article on dissecting the C&C panel deployments, it clearly portrays how new malware variants and threat infrastructure can be identified by focusing on CnC kit patterns:

The author’s observations are easily backed with the following VT Intelligence search:
entity:url path:"PvqDq929BSx_A_D_M1n_a.php"

By focusing on the newest sightings first, you can immediately discover new infrastructure being set up by attackers. You can block the pertinent domains/IPs long before they may impact your organization and very often long before blocking technologies catch up on the malware that they deliver.

Track threat actors by revealing new threat infrastructure operated by the same group

Sometimes the patterns do not surface in the URL itself but rather in the domain registration details, SSL certificates, DNS TXT records, etc. It is not uncommon to see attackers registering new domains with the same email address or identical fake physical address. The new netloc intelligence component allows you to pivot over (anonymized - privacy preserving) whois details.

Let’s look at an interesting reported campaign:

New Advanced Phishing Kits Target Digital Platforms
“We hit pay dirt. Whois records for both of these name servers reveal more than a thousand additional malicious domains using similar naming conventions.”

Name servers:

We can craft a whois search to identify other domains making use of the same name servers
entity:domain whois:""

We can also do it at the DNS records level:
entity:domain ns_record:""
entity:domain txt_record:"tsdomain"

Note that all these pivots surface as quick links on basically every section in the details of observable reports, meaning that when looking at a particular IP/domain you can immediately jump to other related infrastructure:

This is something that applies to pretty much every information block, not only to the Whois lookup. For example, you may click on an SSL thumbprint to discover other IPs that make use of a given SSL certificate. This builds upon our existing capabilities to discover other infrastructure operated by a same group, namely our pDNS dataset:

Other interesting commonly reused artefacts that can be searched for are trackers or cookie names.

Protect your brand and discover phishing campaigns

Phishing sites against a particular bank or online service will often make use of typosquatting or will contain the name of the given service as a subdomain of an illegit domain. This allows investigators to find URLs in the dataset that do not belong to the original brand:
entity:url hostname:"*gmail*" p:1+

This said, sometimes the attackers will avoid including the legit name in the domain string so as to prevent easy detection. In those cases we can still discover new phishing campaigns. For instance, let us focus on websites that make use of GMail’s favicon:

Similarly, we can look into certain indexed metadata, such as the title of the page or meta tags:
entity:url title:"Sign in - Google Accounts" p:5+

More generally, you might just be interested in keeping up with the phishing landscape:
entity:url AND (category:phishing OR engines:phishing) AND positives:3+

Feed your IDS/SIEM/webproxy blocks, etc. with IoCs based on anomalous or suspicious patterns

Sometimes you do not really know what you are hunting for, but you can unearth threats by focusing on highly suspicious sightings. Why would someone configure a server to return an “image/jpeg” HTTP response header when serving a Windows executable? The only reason is probably to try to circumvent very basic web proxy filtering:
entity:url header_value:"image/jpeg" tag:downloads-pe

This logic can also be applied to URL paths, the extension modifier tries to identify file extension within URL paths:
entity:url extension:jpg tag:downloads-pe

On this front, identifying double extension tricks also comes to mind as an easy hunting dork:
entity:url path:".jpg.exe"

Similarly, attackers tend to reuse deception techniques such as spamming users to deceive them into downloading malicious documents that claim to be some kind of invoice or payment request (e.g. Emotet spreading):
entity:url header_value:"attachment;filename" header_value:"invoice" tag:downloads-doc
entity:url header_value:"attachment;filename" header_value:"payment" tag:downloads-doc

Executable downloads on non-standard HTTP ports are often worth deeper inspection:
entity:url tag:downloads-pe port:81+ NOT port:443 NOT port:8080

Open directories are also a common place to hunt for malware:
entity:url tag:opendir tag:contains-pe p:1+

As well as executables served via bare IP address URLs that are repeatedly submitted to VirusTotal:
entity:url tag:ip tag:downloads-pe submissions:20+

Same goes for DGA-like patterns:
entity:domain tag:dga detected_communicating_files_count:10+ communicating_files_max_detections:10+

Malicious domains can also be surfaced by focusing on their relationships, in these cases we do not track particular actors or campaigns but rather high numbers of malicious sightings around the pertinent network locations:

entity:domain detected_downloaded_files_count:1+ detected_urls_count:1+ detected_communicating_files_count:1+ detected_referring_files_count:1+

entity:ip detected_downloaded_files_count:1+ detected_urls_count:1+ detected_communicating_files_count:1+ detected_referring_files_count:1+

When considering detections of connected entities, probably the most interesting search is to identify undetected URLs that download some kind of malicious file:
entity:url positives:0 response_positives:10+

All of these suspicious sightings can be extended to your own organization’s properties in order to dig deeper into threats that interact directly with your domains or IP ranges:
entity:domain domain:"*" detected_communicating_files_count:10+ communicating_files_max_detections:10+

Filters on the IP address CIDR are also allowed, to focus exclusively on your network ranges:
entity:ip ip:"" AND ((detected_communicating_files_count:10+ communicating_files_max_detections:10+) OR (detected_downloaded_files_count:10+ downloaded_files_max_detections:10+))

All of this said, we acknowledge that the current facets and indexed data might not be perfect. Over the coming months we will be adding new modifiers based on more use cases that you may have, so please do not hesitate to contact us with suggestions and feature requests. We are pretty certain that one the most prevalent asks will be to expose some kind of YARA-like Livehunt capability in order to set up notifications for new network-level sightings: more on that front later this year.

The described functionality is now also exposed via APIv3:

Oh, and one last thing, you may have already noticed that we recently added domain and IP address verdicts to extend the reputation capabilities that we already offered for files and URLs.

Happy hunting!