Tuesday, March 15, 2022


VT4Browsers++ Any indicator, every detail, anywhere

TL;DR: VirusTotal’s browser extension can now automatically identify IoCs in any website and enrich them with superior context from our crowdsourced threat intelligence corpus, in a single pane of glass fashion. Install in Chrome | Install in Firefox | Read the docs. Please provide feedback.

Don’t feel like reading? Check out a demo video showcasing how VirusTotal’s browser extension is now able to contextualize alerts from your SIEM.

12 years ago I wrote the very first version of the VirusTotal browser extension, now called VT4Browsers. A lot has changed since then, among other things, much smarter colleagues (Ana Tinoco and Camilo Benito) took on the development and kept improving it, including this major release.

Up until now, the extension mostly focused on easing the task of analyzing files and URLs with VirusTotal. For instance, upon downloading a file it asks whether you would like to scan it with over 70 antivirus/nextgen/EDR solutions. Similarly, retrieving the reputation for a link that you are about to follow is as easy as right-clicking on it.

VT4Browsers is getting a major revamp (v4.0) mostly intended for security analysts, incident responders and threat researchers. It can now leverage your API key to automatically identify IoCs (hashes, domains, IPs and URLs) in websites of your choice and enrich them with threat reputation and context from VirusTotal, through a single pane of glass experience.

VirusTotal’s detection score is injected next to the corresponding IoC, as a visual triage data point. Upon clicking on the detection ratio, a side panel kicks in with the full context for the IoC, served with our VT AUGMENT widget. All this happens within the original website, as if it were native functionality in the corresponding platform.

SOC analysts and other cybersecurity responders can now easily access threat reputation and context inside their SIEM, case management system and other tools of their choice, even when they do not have a built-in integration for VirusTotal. This results in faster, more accurate and more confident incident response.

Indeed, alert triage and incident response are two major VirusTotal use cases. These days security teams are increasingly concerned about missed threats due to lack of context. This is further exacerbated by two issues:
  • Machine learning, artificial intelligence, heuristics, user entity behaviour analytics, generic signatures, anomaly detection and other fancy detection buzzwords - even when they work, they often generate more questions than answers. When they don’t work, they lead to noise and false positives.
  • Even the most advanced security programs and defensive stacks are constrained by internal-only (corporate network) visibility. Meanwhile, threat actors operate globally, targeting other organizations. Much could be learned from their footprints.

Thanks to community crowdsourcing, VirusTotal is in a unique position to address this lack of context. Let's look into it. SOCs are often confronted with cryptic alerts such as:

Beyond some internal sighting information (date, machine, user logged in) and a related IoC (IP address), nothing is known about the potential malware family/toolkit behind it, delivery vector, subsequent attack stages, additional threat campaign IoCs, attacker TTPs, threat actor, motivations, etc. 

VirusTotal’s sandbox detonation information, passive DNS dataset, whois lookup history, threat graph, campaign collections, geo+time submission metadata, crowdsourced YARA rule detections, etc. transform the aforementioned cryptic alert into something more like:

The good news is that connecting the dots has never been easier. The new VT4Browsers version bridges the contextualization gap in your existing security solutions and it is fully stack agnostic. It can work simultaneously with your SIEM, case management system and pretty much any other security solution web interface. The extension allows you to add certain platform domains and URLs to lists for persistent enrichment, which is very handy for tools that get used regularly. One-off contextualization via the right-click menu is also possible. Moreover, if you don’t feel like clicking, you can set up keyboard shortcuts. Two contextualization modes are available:

  • Enrichment: Fully automatic - identifies IoCs within websites and automatically looks all of them up against VirusTotal, injecting context where appropriate. It consumes one API lookup per identified IoC.
  • Highlighting: Manual - identifies IoCs within websites and adds a VirusTotal lookup trigger icon next to each of them. Contextualization will only happen when you click on the trigger icon. It consumes one API lookup each time you click on a trigger icon next to an IoC.

As described, the enrichment mode automatically performs an API lookup for each IoC; as a result, it is only recommended for premium API keys. Important: upon making any changes to the lists of domains/URLs to highlight or enrich, make sure that you reload the pertinent website so that the setting kicks in.
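To make the two modes and their API cost concrete, here is an added example (not the extension's own code, and not published by VirusTotal) that does what the post describes in miniature: it refangs and extracts hashes, IPs, domains and URLs from a constructed alert snippet, maps each indicator to the VirusTotal API v3 object path it would be looked up under, and counts lookups the way enrichment (automatic, one per identified IoC) and highlighting (one per clicked IoC) would spend them. The sample text, the small TLD allowlist, the stub client and the assumption that a repeated indicator is served from a cache rather than looked up twice are all mine; no network call is made.

```python
"""Added example: IoC extraction and lookup budgeting in the style of the
VT4Browsers enrichment and highlighting modes. Not the extension's code.
API v3 object paths are only built as strings; nothing is sent anywhere."""
import base64
import re
from dataclasses import dataclass, field

# Constructed alert text (the kind of thing an analyst reads in a SIEM case).
# Every indicator is defanged, reserved (RFC 5737 / example.*) or a well-known
# test digest (hashes of the empty string), i.e. nothing here is a real IoC.
SAMPLE_TEXT = """
Alert 4711: outbound connection from WS-0042 to 203.0.113.17:443
Process sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Dropped file md5 d41d8cd98f00b204e9800998ecf8427e, beacon to hxxp://example[.]net/update.php
Second callback domain: example[.]org (defanged), repeat host 203.0.113.17
"""

# Constructed TLD allowlist; a real extractor would consult the public suffix list.
KNOWN_TLDS = {"com", "net", "org", "ru", "io"}

HASH_RE = re.compile(r"\b[0-9a-fA-F]{32}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{64}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+([a-z]{2,})\b")

# API v3 collection names per indicator type (assumed layout of the VT API).
API_COLLECTION = {"file": "files", "url": "urls",
                  "ip_address": "ip_addresses", "domain": "domains"}


def refang(text: str) -> str:
    """Undo common defanging so the regexes see canonical indicators."""
    return (text.replace("hxxp", "http").replace("[.]", ".")
                .replace("(.)", ".").replace("[:]", ":"))


def extract_iocs(text: str) -> dict:
    """Return {ioc_type: [unique indicators, in first-seen order]}."""
    text = refang(text)
    found = {"file": [], "url": [], "ip_address": [], "domain": []}

    def add(kind, value):
        if value not in found[kind]:          # de-duplicate repeats
            found[kind].append(value)

    for h in HASH_RE.findall(text):
        add("file", h.lower())
    for u in URL_RE.findall(text):
        add("url", u.rstrip(".,;)"))
    # Blank URLs out so their host/path parts are not re-matched as bare domains.
    stripped = URL_RE.sub(" ", text)
    for ip in IPV4_RE.findall(stripped):
        if all(0 <= int(octet) <= 255 for octet in ip.split(".")):
            add("ip_address", ip)
    for m in DOMAIN_RE.finditer(stripped.lower()):
        if m.group(1) in KNOWN_TLDS:
            add("domain", m.group(0))
    return found


def vt_api_path(kind: str, value: str) -> str:
    """Object path an indicator would be fetched from in VirusTotal API v3."""
    if kind == "url":
        # v3 identifies a URL by the unpadded URL-safe base64 of the URL itself.
        value = base64.urlsafe_b64encode(value.encode()).decode().rstrip("=")
    return f"/api/v3/{API_COLLECTION[kind]}/{value}"


@dataclass
class LookupBudget:
    """Counts API lookups; each unique indicator costs exactly one (assumed cache)."""
    calls: int = 0
    cache: dict = field(default_factory=dict)

    def lookup(self, path: str, client) -> dict:
        if path not in self.cache:
            self.cache[path] = client(path)
            self.calls += 1
        return self.cache[path]


def fake_client(path: str) -> dict:
    """Constructed stand-in for the API: returns a made-up detection ratio."""
    malicious = 0 if path.startswith("/api/v3/files/") else 5
    return {"path": path, "malicious": malicious, "total": 70}


def enrichment_mode(text: str, client=fake_client):
    """Automatic mode: every identified IoC is looked up as soon as it is found."""
    budget, results = LookupBudget(), {}
    for kind, values in extract_iocs(text).items():
        for v in values:
            results[v] = budget.lookup(vt_api_path(kind, v), client)
    return budget.calls, results


def highlighting_mode(text: str, clicked, client=fake_client):
    """Manual mode: only indicators whose trigger icon was clicked are looked up."""
    budget, results = LookupBudget(), {}
    kind_of = {v: k for k, vs in extract_iocs(text).items() for v in vs}
    for v in clicked:
        if v in kind_of:
            results[v] = budget.lookup(vt_api_path(kind_of[v], v), client)
    return budget.calls, results


if __name__ == "__main__":
    calls, _ = enrichment_mode(SAMPLE_TEXT)
    print("enrichment would spend", calls, "lookups on this page")
    calls, _ = highlighting_mode(SAMPLE_TEXT, ["203.0.113.17"])
    print("highlighting with one click spends", calls, "lookup")
```

On the sample above enrichment spends five lookups (two hashes, one URL, one IP, one domain; the repeated IP is not paid for twice under the cache assumption), while highlighting spends nothing until the analyst clicks, which is exactly why the post reserves enrichment for premium keys. The public suffix list, not a five-entry TLD set, is what a production extractor needs to avoid treating strings like `update.php` as domains.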

One more thing. This new version also adds additional right-click functionality allowing you to automatically parse out IoCs found in websites to look them up in bulk in VT INTELLIGENCE and VT GRAPH.

Make sure you check the documentation to get your environment set up and please pay close attention to the privacy settings for the pre-existing scanning functionality.

Install VT4Browsers in Chrome
Install VT4Browsers in Firefox
VT4Browsers 4.0 documentation

Need a website to test the contextualization? VXVault is a no-brainer.

As usual, we want to make sure that future functionality meets user needs, share your feedback and get to see your suggestions in the next release!

Happy hunting threat contextualizing!

Monday, March 14, 2022

YARA "dotnet" module now available for Livehunt and Retrohunt

Good news for all threat hunters! As announced in our latest release notes, the “dotnet” YARA module is already available both for your Livehunt and Retrohunt rules. This module allows inspecting features and characteristics of .NET executable files, like GUIDs used, .NET assemblies metadata, resources and so on.

As an example, the following YARA rule published by AlienVault uses different features provided by the “dotnet” module for detecting Shrug ransomware:

import "dotnet"

rule ShrugRansomware {
    meta:
        author = "AlienVault Labs"

    strings:
        $bitcoin_address = "1Hr1grgH9ViEgUx73iRRJLVKH3PFjUteNx"
        $s1 = "upoldhash.php"
        $s2 = "HarmedFiles"
        $s3 = "ShrugDecryptor"
        $s4 = "SHRUG2"
        $pdb1 = "\\Debug\\ShrugTwo.pdb"
        $pdb2 = "\\Debug\\Shrug.pdb"

    condition:
        // "and" binds tighter than "or" in YARA: the rule fires on the .NET
        // typelib GUID match (MZ header, at least one GUID, matching typelib)
        // or on any one of the string-based clauses below.
        (uint16(0) == 0x5A4D and
         dotnet.number_of_guids > 0 and
         dotnet.typelib == "a6ab6b1f-b144-4920-be42-bb90ec6fc22e")
        or $bitcoin_address
        or 2 of ($s*)
        or any of ($pdb*)
}

The “dotnet” module is not exactly new: it has been growing its own fan club since YARA 3.6.0. However, it was not included in the default YARA build nor enabled in VirusTotal services… until now! You can find more information about this module in the official YARA documentation.

We want to use the opportunity to thank Wesley Shields, the module’s original author, for this great contribution to YARA. 

We hope these changes will make life easier for the malware research community and, as usual, we would love to hear any feedback from you.

Happy hunting!

Wednesday, March 09, 2022

Meet our new improved VirusTotal Graph

TL;DR: We are publishing a new version of VirusTotal Graph that, among other things, supports VirusTotal Collections and provides a new filter engine to speed up your investigations.

Today we are proud to announce a new release of VirusTotal Graph, the tool to visually navigate the VirusTotal dataset and to create collaborative visual investigations. We heard all the feedback from the community to make VT Graphs even better.

Support for VT Collections

During the last months we have been actively introducing new mechanisms for the community to share their collective knowledge in a more contextualized way through VirusTotal collections.

Today we are making collections easily actionable in VirusTotal Graph, allowing you to expand IOCs and find further VirusTotal collections by pivoting from observables.

As an example, we can create a new graph starting from the domain jolotras[.]ru (mentioned in a recent article) resulting in the following graph:

The resulting graph helps to quickly identify that the domain is already contained in some collections. By hovering over the collection node, a snippet containing the most relevant information about this collection is displayed.

Moreover, when selecting the node it shows the main collection attributes and the possibility to pivot to their contained IOCs. This greatly helps adding both context and more elements to our current investigation without leaving the graph. The same behavior applies for referenced entities.

Additionally, we added the option to export your graph into a new collection in VirusTotal via the File menu. The collection will contain the files, URLs, domains and IP addresses present in your current graph.

Filter engine

One of the most requested features we received from the community’s feedback (send yours here) is the ability to filter out elements in VirusTotal graphs.

It is common to find yourself investigating large noisy graphs after multiple pivots and expansions. The VirusTotal dataset is very large and we want to help you find the needle in the haystack.

With that goal in mind, we are happy to introduce you to the new filters engine. You will find the filters icon at the right of the Search Bar.

When clicking it, a new card will appear at the right of the graph with the different filter types supported by the engine (for now, with more to come!).

For timestamps, you can find a timeline divided in buckets showing how many nodes are included in each of them. Use them to adjust your time window and filter nodes in the graph accordingly.

Additional filters available are based on an aggregation of the elements existing in your graph, like the type of node. Along with the filter you can find the total number of entities in your graph that have the given value (like, 32 URL nodes) as well as the number of nodes having the given value AND being detected as malicious by at least one AV engine (in the image below, that applies to 22 of the URLs in the graph).

Each filter provides three options:

  • OR: When one or multiple OR conditions are selected, a node must match at least one of them to be visible.

  • AND: When one or multiple AND conditions are selected, a node must match all of them to be visible.

  • NOT: When one or multiple NOT conditions are selected, a node must not match any of them to be visible.

After a filter is applied the graph is updated automatically. Similarly, when the user clicks on “Removed filtered nodes”, the nodes not visible in the graph are removed and the filters are reset. You can start over again and re-play the filtering flow from there.

You can apply filters to all the nodes in the graph, a selection or nodes in a given relationship. To apply filters on specific nodes just select them. If the filter drawer is already open, it will be automatically refreshed.

Back to our initial investigation, we could filter IP address resolutions seen during 2022 with at least one detection.
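The visibility rule behind the OR/AND/NOT options, the per-value counters shown next to each filter, the timeline buckets and the “remove filtered nodes” step are simple enough to state as code, so here is an added example (mine, not VT Graph's implementation) that models them over a constructed graph and then carries out the case just described: IP resolutions seen during 2022 with at least one detection. The node attributes, the monthly bucket granularity, the sample nodes (only the starting domain comes from the post) and the semantics of applying filters to a selected relationship are assumptions for the purpose of illustration.

```python
"""Added example: the three filter options of the VT Graph filter engine,
modelled over a constructed graph. Not VirusTotal's code."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Node:
    id: str
    type: str               # file, url, domain, ip_address, collection
    first_seen: datetime
    malicious: int          # engines flagging the node; 0 means undetected
    relationship: str = ""  # relationship through which it was expanded


def ts(day: str) -> datetime:
    return datetime.fromisoformat(day).replace(tzinfo=timezone.utc)


# Constructed sample graph: the starting domain is the one from the post,
# every other node (IPs from RFC 5737 ranges, example.com URLs, a collection)
# and every timestamp/detection count is invented for the example.
GRAPH = [
    Node("jolotras[.]ru", "domain", ts("2021-11-02"), 12),
    Node("198.51.100.7", "ip_address", ts("2022-01-15"), 3, "resolutions"),
    Node("198.51.100.8", "ip_address", ts("2022-03-01"), 0, "resolutions"),
    Node("203.0.113.9", "ip_address", ts("2021-06-20"), 4, "resolutions"),
    Node("http://example[.]com/a", "url", ts("2022-02-10"), 1, "contacted_urls"),
    Node("http://example[.]com/b", "url", ts("2022-02-11"), 0, "contacted_urls"),
    Node("constructed campaign collection", "collection", ts("2022-01-05"), 0),
]


# Filter conditions are plain predicates over a node.
def is_type(kind):
    return lambda n: n.type == kind


def detected():
    return lambda n: n.malicious >= 1


def seen_between(start: str, end: str):
    """Timeline window: first_seen in [start, end)."""
    lo, hi = ts(start), ts(end)
    return lambda n: lo <= n.first_seen < hi


def apply_filters(nodes, or_=(), and_=(), not_=()):
    """Visibility rule of the three options described in the post:
    match at least one OR condition (if any are set), match every AND
    condition, and match no NOT condition."""
    visible = []
    for n in nodes:
        if or_ and not any(p(n) for p in or_):
            continue
        if not all(p(n) for p in and_):
            continue
        if any(p(n) for p in not_):
            continue
        visible.append(n)
    return visible


def facet_counts(nodes, attr="type"):
    """The two numbers shown next to each filter value: how many nodes have
    the value, and how many of those are detected by at least one engine."""
    total, hits = Counter(), Counter()
    for n in nodes:
        value = getattr(n, attr)
        total[value] += 1
        if n.malicious >= 1:
            hits[value] += 1
    return {v: (total[v], hits[v]) for v in total}


def timeline_buckets(nodes):
    """Node count per month bucket, as the timeline filter displays it."""
    return dict(sorted(Counter(n.first_seen.strftime("%Y-%m") for n in nodes).items()))


def remove_filtered_nodes(nodes, **filters):
    """'Remove filtered nodes': drop the invisible nodes for good; the caller
    then starts over with filters reset on the returned graph."""
    return apply_filters(nodes, **filters)


def investigation_example(graph=GRAPH):
    """The post's case: select the resolutions relationship, then AND three
    conditions (IP address, seen during 2022, at least one detection)."""
    selection = [n for n in graph if n.relationship == "resolutions"]
    kept = apply_filters(selection, and_=[is_type("ip_address"),
                                          seen_between("2022-01-01", "2023-01-01"),
                                          detected()])
    return [n.id for n in kept]


if __name__ == "__main__":
    print("facets:", facet_counts(GRAPH))
    print("timeline:", timeline_buckets(GRAPH))
    print("2022 detected resolutions:", investigation_example())
```

Applying a filter to a selection rather than the whole graph is just a matter of which node list is passed in, which is how `investigation_example` restricts itself to the resolutions relationship before the AND conditions run.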

You can find full Filters engine documentation here.

We are really excited with this new version of VT Graph. We find it easier to use, and the new functionalities really help to make investigations much more agile and clean. VT Collections add nice extra context, and exporting investigations into Collections makes results more actionable and collaborative. We welcome everyone to give it a try and to keep sharing your feedback with us.

Happy hunting!