Wednesday, April 20, 2022

VirusTotal's MISP modules get a fresh upgrade

TL;DR: We upgraded the VirusTotal MISP modules and added new relationships.

Historically, VirusTotal has been integrated into MISP through two modules (one for the public API and one for VT Enterprise subscriptions) created and maintained by the community. They enrich indicators in the MISP platform with additional context. We have also contributed a module that exports MISP events to VTGraph and, more recently, a module that exports events to VTCollections.


The freshly upgraded modules (VirusTotal and VirusTotal Public) were migrated from the old API v2 to v3, which allowed us to improve the data returned per indicator, adding a detection ratio for IP addresses and domains. We have also added more relationships and attributes.

The following table summarizes the attributes provided by the freshly upgraded modules to enrich MISP events per type of indicator:

VirusTotal module
  File: Detection ratio, md5, sha1, sha256, tlsh*, vhash*, ssdeep*, imphash*, ITW urls*, Communicating files*, Downloaded files*, Referrer files*
  URL: Detection ratio, Communicating files*, Downloaded files*, Referrer files*, Resolutions*, URLs*
  Domain: Detection ratio*, Whois, Communicating files, Downloaded files, Referrer files, Subdomains, Siblings, Resolutions, URLs*
  IP: Detection ratio*, ASN, Network, Country, Resolutions, URLs

VirusTotal Public module
  File: Detection ratio, tlsh*, vhash*, ssdeep*, imphash*, Communicating files*, Downloaded files*, Referrer files*
  URL: Detection ratio
  Domain: Detection ratio*, Whois, Communicating files, Referrer files, Subdomains, Siblings, Resolutions
  IP: Detection ratio*, ASN, Network, Country, Resolutions

* new attributes and relationships available.
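To show what the enrichment in the table above amounts to in practice, here is an added example (not the MISP modules' own code) that maps VirusTotal API v3 objects and relationship listings to MISP attribute types. The API v3 paths, URL identifier encoding and object field names (last_analysis_stats, pe_info.imphash, whois, asn, network, country) are the real v3 ones; the JSON objects are constructed stand-ins, and the ratio convention (malicious verdicts over all engine verdicts) and the helper names are assumptions of this example.

```python
"""Map VirusTotal API v3 objects to the MISP attributes the upgraded modules emit.

Added example, not the MISP modules' own code. SAMPLE_* below are constructed
stand-ins for real API v3 responses. The MISP attribute type names used here
(md5, sha1, sha256, tlsh, vhash, ssdeep, imphash, AS, text, domain, ip-dst, url)
are standard MISP types; the ratio convention is an assumption of this example.
"""
import base64

VT_V3_BASE = "https://www.virustotal.com/api/v3"
# API v3 collection names for each indicator type the modules handle.
COLLECTIONS = {"file": "files", "url": "urls", "domain": "domains", "ip": "ip_addresses"}


def url_object_id(url: str) -> str:
    """API v3 addresses URL objects by their unpadded urlsafe base64 form."""
    return base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


def relationship_endpoint(kind: str, ident: str, relationship: str) -> str:
    """Build the /{collection}/{id}/{relationship} URL the modules query."""
    if kind == "url":
        ident = url_object_id(ident)
    return f"{VT_V3_BASE}/{COLLECTIONS[kind]}/{ident}/{relationship}"


def detection_ratio(obj: dict):
    """'malicious/total' from last_analysis_stats, or None if never analysed."""
    stats = obj.get("attributes", {}).get("last_analysis_stats")
    if not stats:
        return None
    total = sum(stats.get(k, 0) for k in ("harmless", "malicious", "suspicious", "undetected"))
    if total == 0:
        return None
    return f"{stats.get('malicious', 0)}/{total}"


def misp_attributes(kind: str, obj: dict) -> list:
    """Return (misp_type, value) pairs for one VT object, as the modules enrich it."""
    attrs = obj.get("attributes", {})
    out = []
    ratio = detection_ratio(obj)
    if ratio:
        out.append(("text", f"detection ratio: {ratio}"))
    if kind == "file":
        for key in ("md5", "sha1", "sha256", "tlsh", "vhash", "ssdeep"):
            if attrs.get(key):
                out.append((key, attrs[key]))
        imphash = attrs.get("pe_info", {}).get("imphash")  # only present for PE files
        if imphash:
            out.append(("imphash", imphash))
    elif kind == "domain":
        if attrs.get("whois"):
            out.append(("text", attrs["whois"]))
    elif kind == "ip":
        if attrs.get("asn") is not None:
            out.append(("AS", f"AS{attrs['asn']}"))
        for key in ("network", "country"):
            if attrs.get(key):
                out.append(("text", f"{key}: {attrs[key]}"))
    return out


def related_indicators(listing: dict) -> list:
    """Turn a relationship listing ({"data": [...]}) into (misp_type, value) pairs."""
    type_map = {"file": "sha256", "domain": "domain", "ip_address": "ip-dst"}
    out = []
    for item in listing.get("data", []):
        item_type = item.get("type")
        attrs = item.get("attributes", {})
        if item_type == "resolution":  # one object carries both sides of the resolution
            out.append(("ip-dst", attrs["ip_address"]))
            out.append(("domain", attrs["host_name"]))
        elif item_type == "url":
            out.append(("url", attrs.get("url", item.get("id"))))
        elif item_type in type_map:
            out.append((type_map[item_type], item["id"]))
    return out


# Constructed sample objects (not real VirusTotal data).
SAMPLE_FILE = {
    "type": "file", "id": "aa" * 32,
    "attributes": {
        "md5": "0" * 32, "sha1": "1" * 40, "sha256": "aa" * 32,
        "tlsh": "T1EXAMPLE", "vhash": "EXAMPLEVHASH", "ssdeep": "3:example:example",
        "pe_info": {"imphash": "f" * 32},
        "last_analysis_stats": {"harmless": 0, "malicious": 42, "suspicious": 1, "undetected": 27},
    },
}
SAMPLE_DOMAIN = {
    "type": "domain", "id": "example.invalid",
    "attributes": {
        "whois": "Registrar: EXAMPLE-REGISTRAR",
        "last_analysis_stats": {"harmless": 80, "malicious": 5, "suspicious": 0, "undetected": 5},
    },
}
SAMPLE_RESOLUTIONS = {"data": [{
    "type": "resolution", "id": "203.0.113.7example.invalid",
    "attributes": {"ip_address": "203.0.113.7", "host_name": "example.invalid"},
}]}

if __name__ == "__main__":
    print(misp_attributes("file", SAMPLE_FILE))
    print(relationship_endpoint("domain", "example.invalid", "subdomains"))
    print(related_indicators(SAMPLE_RESOLUTIONS))
```

The relationship names in the table (communicating_files, downloaded_files, referrer_files, resolutions, subdomains, siblings, urls) are what goes into the last path segment of relationship_endpoint; each listing it returns can be fed to related_indicators to turn the related objects into MISP attributes.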

Keep in mind that none of these VirusTotal modules are activated in MISP by default, so please ask your friendly MISP administrator to check them out! Stay tuned for more VirusTotal contributions to the threat intelligence ecosystem and, as usual, please let us know how we can further help.

Happy Hunting!

Monday, April 18, 2022


VirusTotal Multisandbox += ELF DIGEST

VirusTotal welcomes ELF DIGEST, the first integrated multi-sandbox fully dedicated to processing Linux files. This addition helps put the spotlight on Linux malware.


In the words of the founder Tolijan Trajanovski:

ELF DIGEST is a cloud-based Linux malware analysis service provided to security researchers, analysts, and academics. The service performs static, behavioral, and network analysis to extract IoCs and IoAs. The static analysis searches for IoCs in the strings and may also identify obfuscation in the form of string encoding and executable packing. The behavioral analysis can recognize various malicious actions, including VM detection, anti-debugging, persistence, process injection, loading of kernel modules, firewall configuration changes, and others. The network analysis can identify C2 endpoints, resolved domains, HTTP requests, and port scanning. In addition, ELF DIGEST utilizes the open-source malware labeling tool AvClass to determine the most probable malware family the analyzed sample belongs to. The currently supported CPU architectures include ARMv5, ARMv7, MIPS, x86 and x86_64. The detailed findings of the analysis are presented in an aggregated view and can also be downloaded as a JSON report.

Let's take a deeper dive into some samples:


Botnet on ARM with iptables kernel modules

This sample is part of the Mirai botnet. At the top of the report we can see the network communication, possibly with the command and control server.


In the shell commands we can observe the iptables firewall being stopped and its tables flushed. This allows the malware to communicate without the firewall obstructing it.

The Linux kernel modules being loaded are most likely related to the iptables command-line interactions.

We can explore other pivots either on the Relationships tab or within VirusTotal Graph. Here we can see more details about the command and control infrastructure as well as relations to other files, URLs, and IPs.



Mozi botnet with BitTorrent

Within this sample we see DNS resolutions to common BitTorrent trackers and traffic on the common BitTorrent port 6881.

In the HTTP requests section, the sample is scanning for other vulnerable devices on the internet.

Using a file search modifier we can find similar samples that perform the same request:

behaviour_network:"boaform/admin"




ELF DIGEST also uploads the PCAP network traffic capture. When sandboxes or users upload PCAPs to VirusTotal, we analyze them with Snort and Suricata, using rules from community contributors.
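The two sample walkthroughs above (firewall tampering and netfilter module loading in the Mirai sample, tracker lookups, port 6881 traffic and boaform/admin requests in the Mozi sample) are the kind of behaviour an analyst wants flagged automatically from a sandbox report. The following added example, which is not ELF DIGEST's or VirusTotal's code, runs that triage over a constructed report; the report's field names (shell_commands, kernel_modules, dns, connections, http_requests) and the helper names are assumptions of this example, not the real ELF DIGEST JSON schema.

```python
"""Flag Mirai/Mozi-style behaviours in a Linux sandbox report.

Added example, not ELF DIGEST's or VirusTotal's code. SAMPLE_REPORT is a
constructed stand-in; its field names are assumptions of this example.
"""
import re
from urllib.parse import urlparse

# Shell commands that stop the iptables firewall or flush its tables.
FIREWALL_TAMPER = re.compile(
    r"iptables\s+(?:-F|--flush|-X)(?:\s|$)"
    r"|(?:service\s+|/etc/init\.d/)iptables\s+stop"
)
# Netfilter/iptables kernel modules, which the page ties to the iptables commands.
NETFILTER_MODULE = re.compile(r"(?:ip|ip6|x)_tables|iptable_|nf_")
BITTORRENT_PORTS = {6881}
TRACKER_HINT = re.compile(r"tracker|torrent", re.I)
# Path fragment from the page's search modifier behaviour_network:"boaform/admin".
SCAN_PATH_HINTS = ("boaform/admin",)


def triage(report: dict) -> dict:
    """Return the report lines that match each behaviour category."""
    findings = {"firewall_tamper": [], "netfilter_modules": [],
                "bittorrent": [], "device_scanning": []}
    for cmd in report.get("shell_commands", []):
        if FIREWALL_TAMPER.search(cmd):
            findings["firewall_tamper"].append(cmd)
    for mod in report.get("kernel_modules", []):
        if NETFILTER_MODULE.search(mod):
            findings["netfilter_modules"].append(mod)
    for name in report.get("dns", []):
        if TRACKER_HINT.search(name):
            findings["bittorrent"].append(name)
    for conn in report.get("connections", []):
        if conn.get("dport") in BITTORRENT_PORTS:
            findings["bittorrent"].append(f"{conn['dst']}:{conn['dport']}")
    for req in report.get("http_requests", []):
        path = urlparse(req.get("url", "")).path
        if any(hint in path for hint in SCAN_PATH_HINTS):
            findings["device_scanning"].append(req["url"])
    return findings


def vt_search_modifier(path_fragment: str) -> str:
    """Build the behaviour_network search the page uses to pivot to similar samples."""
    return f'behaviour_network:"{path_fragment}"'


# Constructed sandbox report (not real ELF DIGEST output; RFC 5737 test addresses).
SAMPLE_REPORT = {
    "shell_commands": ["/etc/init.d/iptables stop", "iptables -F", "uname -a"],
    "kernel_modules": ["ip_tables", "iptable_filter", "x_tables", "ext4"],
    "dns": ["tracker.example.invalid", "torrent-tracker.example.invalid", "example.invalid"],
    "connections": [{"dst": "198.51.100.2", "dport": 6881},
                    {"dst": "198.51.100.3", "dport": 443}],
    "http_requests": [{"method": "POST", "url": "http://192.0.2.10/boaform/admin/formPing"},
                      {"method": "GET", "url": "http://192.0.2.11/"}],
}

if __name__ == "__main__":
    for category, hits in triage(SAMPLE_REPORT).items():
        print(f"{category}: {hits}")
    print(vt_search_modifier("boaform/admin"))
```

Each category is kept as a list of the exact report lines that triggered it, so the output can be pasted into a ticket or turned into MISP attributes without re-reading the full report; an empty report yields empty lists rather than an error.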


Other interesting samples to have a look at:

ELF DIGEST is a great addition to VirusTotal and will help further shine the spotlight on Linux malware. Happy Hunting!