Tuesday, November 30, 2021

Introducing VirusTotal Collections

TL;DR: Threat researchers use Pastebin and similar sites to share sets of IoCs among themselves. We believe there is a more actionable and contextualized way to perform this task: enter VirusTotal Collections. Help us shape the future of IoC collections with the what’s next form.

Collective knowledge is key for the success of us all in the industry. For this reason, we paved the way to give a voice to our community by providing the mechanisms to annotate and share comments on VT observables. Investigations have evolved, and most now go beyond one observable, quickly adding up several indicators of compromise (IoCs) for one single incident. With many security researchers sharing their findings in blog posts and tweets, it is getting hard to keep track of all these data inputs. Moreover, these investigations change over time, which makes reporting the new findings even harder.

To fill that gap, today we are releasing VirusTotal Collections. A collection is a live report which contains a title, a group of IoCs (file hashes, URLs, domains and IP addresses) and an optional description. Collections are open to our VirusTotal Community (registered users) and they are enhanced with VirusTotal analysis metadata providing the latest information we have for the IoCs, along with some aggregated tags.

Collection owners can update them by adding or removing IoCs. Collections are public via our UI and API, and they can be shared using their permalink. This makes them a very convenient way of linking to listings of IoCs in blog posts, research reports and the like.
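As an added example (not code from the original post or from VirusTotal), the script below turns the kind of mixed IoC dump that usually ends up on a paste site into the four IoC types a collection holds: it refangs hxxp/[.] notation, classifies each line as file hash, URL, domain or IP address, drops duplicates, and keeps anything unrecognised instead of silently losing it. The sample paste is constructed. The request body it assembles at the end is an assumption about the collections API layout (the post only says collections are available via the API), so check it against the API reference before using it.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of the kind of mixed IoC dump usually shared on paste sites.
# Defanged notation (hxxp, [.]) is common in such lists; none of these values is real.
SAMPLE_PASTE = """
# campaign IoCs (constructed example, not real indicators)
hxxp://example-bad[.]test/landing/offer
evil-download[.]test
198.51.100.23
d41d8cd98f00b204e9800998ecf8427e
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
hxxp://example-bad[.]test/landing/offer
not an indicator at all
"""

# Hash lengths: 32 (MD5), 40 (SHA-1), 64 (SHA-256), all hex.
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.IGNORECASE)
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
URL_RE = re.compile(r"^https?://\S+$", re.IGNORECASE)
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)

# Bucket names mirror the four IoC types a collection holds; they are also the
# relationship names this example ASSUMES for the collection request body.
BUCKETS = ("files", "urls", "domains", "ip_addresses")


def refang(token: str) -> str:
    """Undo the usual defanging so the value matches what VirusTotal indexes."""
    return token.replace("hxxp", "http").replace("[.]", ".").replace("(.)", ".")


def classify(token: str) -> Optional[str]:
    """Return the bucket for one refanged token, or None if it is not an IoC."""
    if HASH_RE.match(token):
        return "files"
    if IPV4_RE.match(token):
        # Reject malformed dotted quads such as 999.1.1.1.
        return "ip_addresses" if all(int(o) <= 255 for o in token.split(".")) else None
    if URL_RE.match(token):
        return "urls"
    if DOMAIN_RE.match(token):
        return "domains"
    return None


def parse_iocs(text: str) -> Dict[str, List[str]]:
    """Turn a pasted IoC list into de-duplicated, type-bucketed values.

    Unrecognised lines are kept under 'unclassified' so nothing is silently lost."""
    buckets: Dict[str, List[str]] = {name: [] for name in BUCKETS + ("unclassified",)}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        token = refang(line)
        bucket = classify(token) or "unclassified"
        if token not in buckets[bucket]:
            buckets[bucket].append(token)
    return buckets


def build_collection_body(name: str, description: str, iocs: Dict[str, List[str]]) -> dict:
    """Assemble a JSON:API-style request body for creating a collection.

    ASSUMPTION: the relationship names and item shapes below are this example's
    guess at the collections endpoint layout; verify them against the API reference."""
    relationships = {}
    if iocs["files"]:
        relationships["files"] = {"data": [{"type": "file", "id": h} for h in iocs["files"]]}
    if iocs["urls"]:
        relationships["urls"] = {"data": [{"type": "url", "url": u} for u in iocs["urls"]]}
    if iocs["domains"]:
        relationships["domains"] = {"data": [{"type": "domain", "id": d} for d in iocs["domains"]]}
    if iocs["ip_addresses"]:
        relationships["ip_addresses"] = {
            "data": [{"type": "ip_address", "id": ip} for ip in iocs["ip_addresses"]]
        }
    return {"data": {"type": "collection",
                     "attributes": {"name": name, "description": description},
                     "relationships": relationships}}


if __name__ == "__main__":
    parsed = parse_iocs(SAMPLE_PASTE)
    for bucket, values in parsed.items():
        print(f"{bucket}: {values}")
    print(build_collection_body("Constructed campaign", "Example collection", parsed))
```

Classification order matters: hashes are tested before IPs and URLs before domains, so a bare hostname never gets mistaken for a path and a dotted quad never matches the domain pattern.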

All our community-generated content, including comments, graphs and collections, will contribute to the Community section of file, URL, domain and IP address reports. This means that if a security researcher creates a collection containing a file, you will see that collection in the Community section when you visit the file’s report.


You can create IoC collections in the VirusTotal home page, under the SEARCH tab.

Let’s take collaboration one step further. We hope you enjoy it, and we invite you to shape the future of this new functionality in our what’s next form.

Happy Hunting!

Monday, November 29, 2021

Insights on ransomware attacks

Our first “Ransomware in a global context” report offered an overview of how ransomware attacks have evolved since 2020, highlighting GandCrab’s supremacy in 2020 and its rebranding as REvil with different targeting. On the bright side, law enforcement agencies have been very active, conducting dozens of operations in the last months, including the arrest of several REvil affiliates.

We wanted to reflect on this and other recurrent questions we have received since the publication of our report, together with our colleague Vlad Stolyarov from Google’s Threat Analysis Group (TAG), to help provide some further insights into them. You can also find some of the answers and great additional content in our beloved Cloud Security Podcast by Anton Chuvakin and Tim Peacock, Episode 45 “VirusTotal Insights on Ransomware Business and Technology”.

Alright, let’s go check some of the most popular questions we received.


Can you provide more details on the geographical distribution of the samples? How is it possible the US is not the main target?

Well, North America remains the most targeted region by number of ransomware samples according to our visibility. 

What we show in the report is the difference between the normal average submission of samples from any given territory and ransomware submissions. We did our best to filter out automatic submissions or any other systems that could distort the real spread, but obviously there can be exceptions. In the case of Israel, we believe the dramatic increase is a combination of being highly targeted by ransomware and several security companies or experts submitting to VirusTotal.


Why was GandCrab the most popular family in 2020? Does it continue to be the biggest one by number of samples?

GandCrab was one of the most successful groups implementing the Ransomware-as-a-Service (RaaS) distribution model. Indeed, anyone could sign up on their portal to be an “affiliate”, getting a significant commission from each ransom payment made by victims. This made the actor very successful, which created a snowball effect where ransomware affiliates preferred GandCrab over other RaaS programs, as branding matters in the ransomware business. Despite the fact that several versions of GandCrab had cryptographic flaws, with free decryptors available on the NoMoreRansom project website, it remained popular. That didn’t stop this actor from making (as they claimed on forums) more than $150M in a year.

Now, the GandCrab RaaS program is believed to have been inactive since mid-2019, and yet VirusTotal still sees a large number of samples detected as GandCrab, even in 2021. Why? Our hypothesis is as follows:

1) Many TTPs (Tactics, Techniques and Procedures) initially popularized by GandCrab were later weaponized by other, unrelated commodity ransomware families. Antivirus engines, however, largely continue to associate samples using these TTPs with GandCrab and detect them as such.

2) While it was still active, GandCrab employed a number of distribution mechanisms. In addition to more traditional vectors such as malspam, it used trojanized software, torrent sites, and the wormable EternalBlue network exploit to infect machines across an organization’s network.

The actors behind GandCrab have since moved on and are now believed to be related to the infamous REvil/Sodinokibi Ransomware-as-a-Service, which shares large portions of code and other indicators, such as PDB strings, with GandCrab. The “rebranding” of GandCrab as REvil/Sodinokibi follows a general trend in ransomware where many actors have switched from targeting individuals to larger corporate organizations in the past two years.

REvil, following in GandCrab’s footsteps, became very popular and is infamously known for several high-profile attacks: a triple extortion attack on Quanta Computer, an Apple supplier, threatening to release confidential information on unpublished products; JBS, a large meat processing company; and the Kaseya supply chain attack affecting multiple managed service providers and their customers.

In the latest news, some REvil affiliates were recently arrested by law enforcement following a coordinated takedown operation that included an infrastructure takeover. Around the same time, Bitdefender published a free universal decryptor. As a result, the REvil Ransomware-as-a-Service announced its shutdown, and we have yet to see if they will resurface under a different name once again.


What are double extortion schemes?

Ransomware actors use double or even triple extortion schemes as an additional method to force victims to pay the ransom. In a double extortion scheme, in addition to encrypting the victim’s data, attackers also exfiltrate critical data and threaten to publish it unless the victim pays. Under triple extortion schemes, ransom demands may also be directed at a victim’s clients or suppliers. At the same time, further pressure points, such as Denial-of-Service attacks or direct leaks to the media, are also brought into the mix.

 

Is there any ransomware malware on macOS?

Ransomware on macOS is possible, but much less frequent than on other platforms. One example would be the (opportunistic) EvilQuest/ThiefQuest family discovered in mid-2020, which had ransomware functionality, although it’s not clear if that was its main goal. ThiefQuest is also a very representative example of ransomware on macOS: despite demanding only a $50 payment in Bitcoin, the wallet specified in the ransom note had received exactly zero transactions, meaning no user had decided to pay to get their files decrypted (well, that, and the fact that a free decryptor is also available).
There are several potential explanations for this:

  • Targeting corporate victims is far more profitable than targeting individuals, and most organizations are still using Windows-based environments.

  • Ransomware developers have a low level of expertise and experience in writing macOS malware.

What about ransomware on Linux?


It exists! BlackMatter and REvil both have Linux versions. As more organizations invest in virtual machines and file backup servers, ransomware groups are increasingly developing Linux variants that specifically target VMware ESXi and NAS servers. This increases the likelihood of victim organizations paying the ransom, as they have no way of restoring their data or infrastructure.


Do we expect exploits and 0days to become more popular in ransomware attacks?

Yes, but with a catch. Traditionally, Office exploits (not necessarily 0days) have always been popular amongst financially motivated actors, and this is not unique to ransomware. In addition, the profit from a successful ransomware attack is often enough to buy a 0day or two, but what’s the point of burning expensive 0days on individual users (even if they are employees of a large organization) when phishing is just as effective? On the other hand, we’re seeing an increasing amount of interest in remote vulnerabilities targeting server software: anything from VPNs to mail servers and domain controllers. But every rule has its exceptions: a recent example would be a remote code execution vulnerability in MSHTML, CVE-2021-40444, which was used as a 0day from a Word document in a Big-Game-Hunting (BGH) campaign in September to deploy ransomware.

You can use VirusTotal Intelligence to monitor samples related to CVE-2021-40444 using the following query: “tag:cve-2021-40444”.


Any info/insight on how ransomware operates internally and why it works so well [for them]?

Ransomware groups are organized criminal operations with people working weekdays, 9 to 5. “Employees” have clear roles and responsibilities, such as IT support, system administrators or developers. As crazy as it sounds, some employees might be unaware of who they’re working for. This description fits well for the biggest actors who previously operated in the Point-of-Sale/Banking/Carding areas, like FIN7, who are also attributed as operators of the DarkSide/BlackMatter RaaS.


As a final note, we recommend checking our original post for more details on how to monitor ransomware activity before being hit. We will continue sharing relevant malware-related information to keep our world a little bit safer. As always, we are happy to hear from you.


Happy hunting!


Thursday, November 18, 2021

Uncovering brandjacking with VirusTotal

Malicious activity comes in all kinds of colors and flavors, sometimes abusing users’ trust by impersonating well-known brands to obtain their private data, install malware or run any other form of scam. At VirusTotal we analyze more than 3 million distinct URLs daily, obtaining not only AV verdicts from more than 70 different vendors but also extracting as much data as possible, including headers, cookies and HTML meta tags. This data is indexed and related to other observables we keep in our database, which is an excellent way to track malware infrastructure but also to find other forms of fraudulent activity. Indeed, many of our customers use VirusTotal daily to monitor brand abuse and fraudulent impersonation.

In this post we describe how our good friends at Hispasec used VirusTotal to investigate the Anniversary brand abuse campaign.


How to start our investigation


In this particular case, the campaign was distributed mostly using WhatsApp messages, where victims were encouraged to share links similar to the following ones with their contacts:

hxxp://mayhx[.]cn/adidas-mo

hxxp://luby3a0[.]cn/r2eizhga/adidas-mo


These domains seem to be randomly generated. Now, starting from this information, how can we begin an investigation in VirusTotal? There are a few handy VTI modifiers we can leverage:


  • Tracker: Many websites use ad trackers, which we try to find inside the HTML body of the analyzed URL. If two websites share the same ad tracker, it usually means they are owned by the same person. You can use this modifier to find URLs where we found the same tracker. Example VTI search: entity:url tracker:G-J151F98PH2




  • Main_icon_dhash: This finds other websites with the same favicon. VirusTotal calculates the favicon’s hash for us and does a fuzzy search to find similar ones. Example VTI search: entity:url main_icon_dhash:4932332b178e4d20



It seems we have several ideas to start our search with. As you have probably already realized, the values used in the previous example VTI searches correspond to the two malicious websites we started our analysis with. Some of them are extremely precise for a given search (such as the response SHA256), while others, like the favicon, title and path, look interesting for any automatically generated infrastructure. However, one of the key elements for this investigation was the tracker, as it identifies the website owner.

Let’s first check the prevalence of all these different elements across VirusTotal:


Description | Value | VTI search | Items found
Google Tag Manager tracking ID | G-J151F98PH2 | entity:url tracker:G-J151F98PH2 | 13.91K
HTML title | 🎉Adidas 70th Anniversary!🎊 | entity:url title:"🎉Adidas 70th Anniversary!🎊" | 35.79K
URL path | adidas-mo | entity:url path:adidas-mo | 24.44K
Favicon | Cute pink heart | entity:url main_icon_dhash:4932332b178e4d20 | 1.22M
Response body SHA256 | e839c5398c1fe08dde3a4b0ffb39fd6b6a7c6dcab9d5477b0dfdfe8d62bcd77b | entity:url response_sha256:e839c5398c1fe08dde3a4b0ffb39fd6b6a7c6dcab9d5477b0dfdfe8d62bcd77b | 5.74K


The number of items found is pretty high, which could either mean this is a large campaign or that the values are not really representative. Combining three of the criteria listed above (title, tracker and path) in a single search returns 13.86K results, confirming it is a huge campaign. We can add an extra modifier such as p:5+ (detected as malicious by at least 5 different AV vendors) for a total of 11.02K, confirming our suspicions.


Leveraging VT Graph


Another way to start our investigation would be to take advantage of VT Graph. This puts on the table all the elements related to the IoCs we start our investigation with, giving us a good idea of the dimension of the campaign and of the elements of interest.


The graph helps us visualize what both URLs have in common, as well as a bunch of additional URLs that share the same tracker ID. In particular, there are a couple of common JavaScript libraries detected as malicious by several AV vendors that look interesting for our investigation. We can open their VirusTotal reports via the links below:

https://www.virustotal.com/gui/file/a29fa70847eb0cba146b247f7d4549575b04edd588628b23a473c69c87e5c887/detection

https://www.virustotal.com/gui/file/ee3f8cc642a94e667d5f885691ecbc70d5d49869d36d905d96f19391117fa084/detection


We don’t need to download any of these files to analyze them, as VirusTotal conveniently lets us check their content in the content tab of the file’s report.


Indeed, when doing so, there are several very significant strings that seem highly related to the campaign we are investigating, such as “var project = "adidas-mo";”. We can simply click on this string to find any other files that include the very same content:

https://www.virustotal.com/gui/search/content%253A%2522var%2520project%2520%253D%2520%255C%2522adidas-mo%255C%2522%253B%2522/files

This results in hundreds of libraries used by the attackers, most likely in this very same campaign. Displaying a LARGE number of elements in a graph is probably not the best idea, but nevertheless this is how it looks:


This gives us a very quick idea of how clustered this campaign is. We can pivot on all this data to obtain the full infrastructure used in the campaign. For large automated processes like this one, we also recommend using our API or vt-client.
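The two ideas used above (combining several modifiers into one VTI search while discounting pivots that are too common to be discriminative, and pivoting across shared attributes to see how clustered a campaign is) can be reproduced on a small scale with the following added example. It is not code from the post, from Hispasec or from VirusTotal. The observations are constructed: hostnames, response hashes and detection counts are invented, while the tracker ID, title, path and favicon dhash are the values shown in the investigation. The intelligence search URL it builds targets the VirusTotal API v3 intelligence search endpoint, which authenticates with an x-apikey header; no request is sent here.

```python
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlencode

# Attributes VTI lets us pivot on for URLs (as used in the investigation above).
PIVOTS = ("tracker", "title", "path", "main_icon_dhash", "response_sha256")

# Constructed sample observations. The favicon dhash is shared by almost every
# entry, mirroring the 1.22M-hit favicon in the post: a pivot that links nothing.
OBSERVATIONS: List[Dict[str, object]] = [
    {"url": "http://site-a.example/adidas-mo", "tracker": "G-J151F98PH2",
     "title": "🎉Adidas 70th Anniversary!🎊", "path": "adidas-mo",
     "main_icon_dhash": "4932332b178e4d20", "response_sha256": "s1", "positives": 9},
    {"url": "http://site-b.example/x/adidas-mo", "tracker": "G-J151F98PH2",
     "title": "🎉Adidas 70th Anniversary!🎊", "path": "adidas-mo",
     "main_icon_dhash": "4932332b178e4d20", "response_sha256": "s2", "positives": 7},
    {"url": "http://site-c.example/promo", "tracker": "G-J151F98PH2",
     "title": "Win a prize", "path": "promo",
     "main_icon_dhash": "4932332b178e4d20", "response_sha256": "s3", "positives": 2},
    {"url": "http://site-d.example/adidas-mo", "tracker": "G-OTHER00001",
     "title": "🎉Adidas 70th Anniversary!🎊", "path": "adidas-mo",
     "main_icon_dhash": "4932332b178e4d20", "response_sha256": "s1", "positives": 6},
    {"url": "http://shop.example/", "tracker": "G-SHOP000001", "title": "Shop", "path": "",
     "main_icon_dhash": "4932332b178e4d20", "response_sha256": "s5", "positives": 0},
    {"url": "http://blog.example/posts", "tracker": None, "title": "Blog", "path": "posts",
     "main_icon_dhash": "0f0f0f0f0f0f0f0f", "response_sha256": "s6", "positives": 0},
]


def generic_values(observations: List[Dict[str, object]], max_shared: int = 3) -> Set[Tuple[str, object]]:
    """Pivot values shared by more than max_shared URLs are too common to link anything."""
    counts: Counter = Counter()
    for obs in observations:
        for name in PIVOTS:
            value = obs.get(name)
            if value:
                counts[(name, value)] += 1
    return {key for key, n in counts.items() if n > max_shared}


def shared_pivots(a: Dict[str, object], b: Dict[str, object], generic: Set[Tuple[str, object]]) -> Set[str]:
    """Names of the usable (non-generic) pivots on which two observations agree."""
    return {name for name in PIVOTS
            if a.get(name) and a.get(name) == b.get(name) and (name, a[name]) not in generic}


def cluster(observations: List[Dict[str, object]], max_shared: int = 3) -> List[List[str]]:
    """Union-find over URLs linked by at least one usable shared pivot; largest cluster first."""
    generic = generic_values(observations, max_shared)
    parent = list(range(len(observations)))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    for i in range(len(observations)):
        for j in range(i + 1, len(observations)):
            if shared_pivots(observations[i], observations[j], generic):
                parent[find(i)] = find(j)
    groups: Dict[int, List[str]] = {}
    for i, obs in enumerate(observations):
        groups.setdefault(find(i), []).append(str(obs["url"]))
    return sorted(groups.values(), key=len, reverse=True)


def build_vti_query(criteria: Dict[str, str], min_positives: Optional[int] = None) -> str:
    """Combine several modifiers into one VTI search; values with whitespace are quoted."""
    parts = ["entity:url"]
    for name, value in criteria.items():
        if any(ch.isspace() for ch in value):
            value = '"' + value.replace('"', '\\"') + '"'
        parts.append(f"{name}:{value}")
    if min_positives is not None:
        parts.append(f"p:{min_positives}+")  # at least N engines flagging it
    return " ".join(parts)


def search_request_url(query: str, limit: int = 10) -> str:
    """GET URL for the v3 intelligence search endpoint (API key goes in the x-apikey header)."""
    return "https://www.virustotal.com/api/v3/intelligence/search?" + urlencode({"query": query, "limit": limit})


if __name__ == "__main__":
    for group in cluster(OBSERVATIONS):
        print(len(group), group)
    print(build_vti_query({"tracker": "G-J151F98PH2", "title": "🎉Adidas 70th Anniversary!🎊",
                           "path": "adidas-mo"}, min_positives=5))
```

With max_shared set to 3, the favicon value is discarded as generic, so the benign shop and blog entries stay on their own while the four campaign pages are joined through the tracker, title, path and response hash; raising max_shared would pull the shop into the cluster on the favicon alone, which is exactly the false link the post warns about.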


It all started with a couple of URLs


Having a large malware database that creates relationships among all indicators and allows pivoting on any of them has its advantages. You never know which particular criterion will be the key element for a particular investigation; in this case both “tracker” and “path” proved to be very useful. Visualizing information is also one of the most powerful methods to quickly understand what is most relevant in the data you are working with, allowing you to quickly focus on the most important elements.


Both methods shown in this post are ideas to use when tracking brandjacking or any other fraudulent activity. If you have other favorite methods you use in your investigations and want to share them with us, please do not hesitate to contact us.


Happy hunting!


Thursday, November 04, 2021

Automate and Augment Case Management, Threat Intelligence and Enrichment

One of the most common use cases for integrating Threat Intelligence into your security stack revolves around enriching threat data. This helps incident responders, SOC analysts and threat intel teams properly assess how bad the situation is and what to do next. Unfortunately, the data we use for alert triage is often too simplistic. Threat intelligence should be compliant, actionable, relatable and easy, but it should also provide the full context when needed.


In our previous post we introduced VT Augment as our solution for integrating VirusTotal’s full contextual data into third-party products. Swimlane was one of the first to integrate VT Augment into their solution, and today we want to discuss how to leverage such integrations in your day-to-day operations.


But before we continue, we encourage you to join us on November 10, 2021 at 4pm UTC for our joint webinar with Swimlane to learn more about this topic.

Automating response to threats


Security orchestration, automation and response (SOAR) capabilities are adopted and required in most security stacks. They make it possible to automate common tasks such as enriching threat alerts, and also to automate the response when integrating with additional tools. For the examples in this post, we will be using Swimlane, which integrates VirusTotal.


A typical case would be automating the response when suspicious indicators (hash, URL, IP or domain) show up in our detection systems. For instance, a first simple approach for quick triage would be creating a workflow based on the number of AV detections, just to make sure the incident is automatically remediated before proceeding with a deeper investigation if needed:




It could be that these first signals are not strong enough to make an educated decision. The analyst would then need additional context, which in this case is provided by VT Augment. The following capture shows how VirusTotal enriches the domain information available to the analyst, showing the IPs it resolved to, detected URLs and WHOIS information, among others:



Depending on the type of IoC, different information will be available. For instance, for a suspicious file an analyst might be interested in checking specific AV verdicts in order to understand what kind of threat it represents. Other, less technical information, such as the first time it was seen in VirusTotal, can also be useful to understand whether we are handling a potentially new threat.
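The two-stage workflow described in this section (decide on the detection count first, then gather context for the ambiguous cases) can be expressed as a small triage function. The example below is added here and is not code from Swimlane or VirusTotal. The two reports are constructed; their attribute names (last_analysis_stats, first_submission_date, last_analysis_results, creation_date, last_dns_records) follow the VirusTotal API v3 object model, while the values, the thresholds and the fixed reference time are this example's own choices.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

# Fixed "now" so the age calculations are reproducible (constructed).
NOW = datetime(2021, 11, 10, tzinfo=timezone.utc)

# Constructed VirusTotal API v3 object responses, trimmed to the attributes read here.
SAMPLE_FILE_REPORT: Dict[str, Any] = {
    "data": {"type": "file", "id": "SHA256_PLACEHOLDER", "attributes": {
        "last_analysis_stats": {"malicious": 41, "suspicious": 2, "undetected": 20, "harmless": 0},
        "first_submission_date": 1635724800,  # 2021-11-01 00:00 UTC
        "last_analysis_results": {
            "EngineA": {"category": "malicious", "result": "Ransom.GandCrab"},
            "EngineB": {"category": "malicious", "result": "Trojan.Ransom.GandCrab"},
            "EngineC": {"category": "undetected", "result": None},
        }}}}

SAMPLE_DOMAIN_REPORT: Dict[str, Any] = {
    "data": {"type": "domain", "id": "suspicious-login.example", "attributes": {
        "last_analysis_stats": {"malicious": 3, "suspicious": 1, "undetected": 70, "harmless": 10},
        "creation_date": 1635724800,
        "last_dns_records": [{"type": "A", "value": "203.0.113.5"}],
    }}}


@dataclass
class Triage:
    ioc: str
    ioc_type: str
    action: str            # "remediate", "escalate" or "close"
    malicious: int
    total_engines: int
    age_days: Optional[int]
    verdicts: List[str] = field(default_factory=list)
    context: List[str] = field(default_factory=list)


def _days_since(epoch: Optional[int], now: datetime) -> Optional[int]:
    if epoch is None:
        return None
    return int((now - datetime.fromtimestamp(epoch, tz=timezone.utc)).total_seconds() // 86400)


def triage(report: Dict[str, Any], now: datetime = NOW,
           remediate_at: int = 10, escalate_at: int = 3) -> Triage:
    """Stage 1: act on detection counts alone. Stage 2: collect analyst context."""
    obj = report["data"]
    attrs = obj["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    malicious = stats.get("malicious", 0)
    suspicious = stats.get("suspicious", 0)
    total = sum(stats.values())

    if malicious >= remediate_at:
        action = "remediate"          # strong enough to contain automatically
    elif malicious + suspicious >= escalate_at:
        action = "escalate"           # needs a human, hand over with context
    else:
        action = "close"

    # Distinct labels the flagging engines assigned, e.g. a ransomware family name.
    verdicts = sorted({r["result"] for r in attrs.get("last_analysis_results", {}).values()
                       if r.get("category") == "malicious" and r.get("result")})

    context: List[str] = []
    age: Optional[int] = None
    if obj["type"] == "file":
        age = _days_since(attrs.get("first_submission_date"), now)
        if age is not None and age <= 30:
            context.append(f"first seen {age} days ago: possibly a new threat")
    elif obj["type"] == "domain":
        age = _days_since(attrs.get("creation_date"), now)
        if age is not None and age <= 30:
            context.append(f"domain registered {age} days ago")
        for rec in attrs.get("last_dns_records", []):
            if rec.get("type") in ("A", "AAAA"):
                context.append(f"resolves to {rec['value']}")

    return Triage(obj["id"], obj["type"], action, malicious, total, age, verdicts, context)


if __name__ == "__main__":
    for report in (SAMPLE_FILE_REPORT, SAMPLE_DOMAIN_REPORT):
        print(triage(report))
```

The thresholds are deliberately arguments rather than constants: the detection count that justifies automatic remediation is a policy decision per environment, and the same function can be reused with a stricter setting for domains, where a handful of detections is common for freshly registered infrastructure.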


Integrating contextual threat intelligence where needed


VirusTotal integrates with dozens of vendors. Some notable examples include CrowdStrike Falcon, which uses a dedicated plugin, and Google Workspace Alert Center. Ultimately, VT Augment and the VT API allow integration with any system, helping organise workflows to properly respond to any threat.


 

Threat intelligence data should be relevant in the context in which it is used. Automating routine tasks using the right indicators helps mitigate most cases automatically. This should be complemented by putting all the relevant information at the analysts’ fingertips so they can make the right decisions.


We keep working on providing contextual threat intelligence data that makes a difference to our partners in the security industry. If you need help integrating VirusTotal in your product, please let us know.


Happy hunting!