Tuesday, January 28, 2020


VirusTotal MultiSandbox += BitDam ATP

VirusTotal would like to welcome BitDam to the multi-sandbox project!

In their own words:

BitDam Advanced Threat Protection (ATP) is a cloud-based engine that proactively detects threats, pre-delivery, preventing hardware and logical exploits, ransomware, spear-phishing and zero-day attacks contained in files and URLs. BitDam’s patented attack-agnostic technology shows remarkably higher protection rates compared to engines that are based on knowledge of previous threats. It learns the normal code-level executions of business applications such as MS-Word and Acrobat Reader, creating a whitelist knowledge-base. Based on this knowledge, the detection engine determines whether a given file or weblink is malicious or not, regardless of the specific malware it may contain.

Let's take a deeper look at some interesting samples showcasing BitDam's capabilities:

XLS spreadsheet with macro in a hidden sheet which launches powershell


This file contains a macro which accesses certain cells in a hidden sheet to retrieve the payload and then runs PowerShell with an obfuscated command line. The PowerShell script spawns .NET-related processes to compile the payload.


BitDam not only generates execution reports; it also produces behaviour-based detection verdicts. As we can see, BitDam detects the file as malware.

Doc with macro and VBA and WMI


This Word document has a macro with some benign code, likely for deception and to make static analysis more difficult. The document also uses some basic obfuscation techniques.

BitDam highlights the network communications observed during the execution and populates the pertinent file to domain/IP address/URL relationships back into VirusTotal, as illustrated by the sample’s graph:

Discovering detection blindspots


VT Enterprise customers can use search modifiers to dig deeper. For example, we can look for files with low AV detections that BitDam ATP detects as malware:

bitdam_atp:malware and positives:7- and fs:2020-01-01+

Note that this task can also be automated via APIv3.
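One way to automate the search above, as an added example that is not VirusTotal's own code: it pages through the API v3 `intelligence/search` endpoint with the query from this post and lists low-detection files together with the sandboxes that flagged them. Assumptions: the `BitDam ATP` key name under `sandbox_verdicts`, the mapping of `positives` to `last_analysis_stats.malicious`, and the sample page, which is constructed.

```python
import json
import urllib.parse
import urllib.request

API = "https://www.virustotal.com/api/v3/intelligence/search"
QUERY = "bitdam_atp:malware and positives:7- and fs:2020-01-01+"  # query from the post

def build_request(api_key, query=QUERY, cursor=None, limit=20):
    """Build one page request; the API key travels in the x-apikey header."""
    params = {"query": query, "limit": limit}
    if cursor:
        params["cursor"] = cursor
    url = API + "?" + urllib.parse.urlencode(params)
    return urllib.request.Request(url, headers={"x-apikey": api_key})

def summarize(page, max_positives=7):
    """Return ([(sha256, malicious_count, flagging_sandboxes)], next_cursor)."""
    rows = []
    for item in page.get("data", []):
        attrs = item.get("attributes", {})
        # Assumption: "positives" corresponds to last_analysis_stats.malicious.
        malicious = attrs.get("last_analysis_stats", {}).get("malicious", 0)
        flagged = sorted(name for name, verdict in attrs.get("sandbox_verdicts", {}).items()
                         if verdict.get("category") == "malicious")
        if malicious <= max_positives:  # re-check the threshold client-side
            rows.append((item["id"], malicious, flagged))
    return rows, page.get("meta", {}).get("cursor")

def search_all(api_key, max_pages=5):
    """Follow the cursor across pages; needs network and a VT Enterprise key."""
    cursor, out = None, []
    for _ in range(max_pages):
        with urllib.request.urlopen(build_request(api_key, cursor=cursor)) as resp:
            rows, cursor = summarize(json.load(resp))
        out.extend(rows)
        if not cursor:
            break
    return out

# Constructed sample page (not real VirusTotal data), shaped like an API v3 file list.
# The "BitDam ATP" sandbox key name is an assumption.
SAMPLE_PAGE = {
    "data": [
        {"id": "a" * 64, "attributes": {"last_analysis_stats": {"malicious": 3},
         "sandbox_verdicts": {"BitDam ATP": {"category": "malicious"}}}},
        {"id": "b" * 64, "attributes": {"last_analysis_stats": {"malicious": 12},
         "sandbox_verdicts": {"BitDam ATP": {"category": "malicious"}}}},
    ],
    "meta": {"cursor": "constructed-cursor"},
}
```

Running `summarize(SAMPLE_PAGE)` works offline; `search_all` is the only function that touches the network.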

Welcome BitDam, glad to have you onboard!

