Tuesday, August 02, 2022

Deception at a scale

Continuing our initiative of sharing VirusTotal’s visibility to help researchers, security practitioners and the general public better understand the nature of malicious attacks, we are proud to announce our “Deception at scale: How malware abuses trust” report. 

This time, we focused on different techniques used by malware to bypass defenses and make social engineering attacks more effective.

We encourage you to read the full report, but below you can find some of the main findings

  • Ten percent of the top 1,000 Alexa domains have distributed suspicious samples.
  • 0.1 percent of legitimate hosts for popular apps have distributed malware.
  • 87% of the more than one million signed malicious samples uploaded to VirusTotal since January 2021 have a valid signature.
  • In a growing social engineering trend, 4,000 samples either executed or were packed with legitimate apps installers.
  • There has been a steady increase in the number of malware visually mimicking legitimate applications, with Skype, Adobe Acrobat, and VLC comprising the top three.
  • 98% of samples, including legitimate installers in their PE resources, were malicious.
You can download the full report here
To help stop cyberattacks that rely on the malware that VirusTotal can track, we provide below the technical details that support our  conclusions presented in the report.


Abusing legitimate domains to distribute malware

One of the most effective social engineering techniques consists of hiding malware by packaging it into installation packages with legitimate software. This becomes a supply chain attack when attackers get access to the official distribution server, source code, or certificates.

We checked files submitted to VirusTotal and distributed from well-known legitimate domains. Below you can find an example how to obtain this information using VirusTotal Intelligence:


From the almost 80,000 unique files found, 78 of them were detected by more than 5% of antiviruses as potentially malicious. Here we list the top 5 most detected files:


SHA1
DR
Distribution URL
26/64
hxxps://global-download.acer[.]com/GDFiles/BIOS/Firmware/Firmware_Acer_103_A_A[.]zip
23/64
hxxps://dlcdnets.asus[.]com/pub/ASUS/GamingNB/FA506IV/BKXCR000_v014_20201013_EXE[.]zip
15/64
hxxps://dl.dell[.]com/FOLDER06606984M/1/Printer_E310dw_FW_Dell_A07_WIN[.]zip
11/59
hxxp://dl.dell[.]com/folder06109278m/1/dell_u2419hc_monitorfirmwareupdateutility_m3t107_mup[.]zip
10/63
hxxps://dlcdnets.asus[.]com/pub/ASUS/LCD%20Monitors/MB16AMT/MB16AMT_touchFW_vT3_for_MAC_10.15[.]zip

Execution Parents

Execution Parent is a VirusTotal’s in-house relationship, linking a file to its “parent” file (that was created during sandbox execution). This type of relationship can be visualized in the Relations tab, the image below shows the list of execution parents for a legitimate Telegram installer:


In this example, almost a half of all the Execution Parents for a legitimate installer seem malicious. We used this approach to find suspicious execution parents of legitimate installers. Below you can find top 5 of most detected execution parents with known distribution URLs:

Parent SHA1
DR
Distribution URL

Legit child

edf493140ccaba2ec6f340de3d3f1ab2d6c1651f

65/68

hxxp://192.210.173[.]40/files/loader2[.]exe

Google Chrome

4d6fe5d14dbd6f47e06ab901ff1c4170dec4cfd7

67/71

hxxps://uc1a9ed2ac0662c4ccfe1b1ab0b5.dl.dropboxusercontent[.]com/…

Malwarebytes

2dcedfdbcf527eb6680b4c4bce6f791b2681cae3

64/69

hxxp://192.227.158[.]110/im/kok[.]exe

Google Chrome

60822aaa3c451cebfecec1e2f11004367be998ae

64/71

hxxp://69.64.43[.]224/tsi[.]exe

Windows update

62d7c0cd150b107923429674bcc9246d1d8b0d6c

52/69

hxxp://103.249.34[.]183/Telegram[.]exe

Telegram


In order to monitor such activity, the following query provides legitimate Telegram installers having known execution parents. 


We might use this list of files to check if any of their execution parents look suspicious. This can be easily automated using VirusTotal’s API, you can find an example in Appendix I at the end of this post.

Compressed Parents

This is a similar approach to the previous one, with the difference that legitimate installers will be found bundled inside compressed files (ZIP,  RAR, but also other installer executables like NSIS, MSI, etc). Compressed Parents are also found in the Relations tab.

We found around 24% of Compressed Parents are detected as malicious by several antiviruses. Here are some examples of most detected Compressed Parents, with their known distribution URLs:

Parent SHA1
DR
Distribution URL
Legit child

5df092af805ffacba1dee39a432aa3c7836f4f35

57/69

hxxps://cdn[.]discordapp[.]com/attachments/791698781954506774/791699989772369930/ZoomInstaller[.]exe

Zoom

2e5b1d982ebcf07ba9c90b29b07f247f93d282e6

49/71

hxxp://aaaenterprises[.]co/download/Setup[.]exe

Brave

253d043f85e55100b79b632dd7b05c6237b196a3

45/67

hxxps://bit[.]ly/3kxKGtR

Malwarebytes

0854be1e84e5b204e06ece528bba459a32b93389

45/67

hxxps://updatebrowser[.]org/downloads/firefox/FirefoxInstaller.exe

Firefox

0fb43ccb3ec7878c0ef12f9e488accbbfbf1338b

40/67

hxxps://anonymousfiles[.]io/f/ProtonVPN_win_v1.16.1_-_Cracked_By_PC-RET.zip

ProtonVPN


The ProtonVPN sample from the above list is an interesting example. This iZIP archive contains three files: two executables and one text file.

The first executable has a high detection rate and it appears to be a Jigsaw ransomware sample. The second executable is the official ProtonVPN installer, as seen in the “ITW Urls” section in the Relations tab:


The last file is a text document with instructions for potential victims:


Malware visually disguised as legitimate software

VirusTotal can be an effective tool to search for visual similarities among files and websites, which is great for detecting malware stealing icons from legitimate apps.

We can follow the same way to reveal files abusing Telegram’s icon:


Typically, we’d want to first search for a legit Telegram installer and click on its icon when listed in VirusTotal intelligence to obtain the value of the main_icon_dhash. We can add additional file-specific search modifiers to the previous query, like “have:itw” to find how it is being distributed. 

We can use the same technique for finding all the URLs that use a given favicon (again Telegram). The following query does this, skipping a few parent domains we know are legitimate:


The fuzzy_domain keyword is another very useful search modifier. Based on Levenshtein Distance, it is perfect to find typosquatting attacks by listing all the misspelled domain names:


There are many additional modifiers we can leverage. You can find extended documentation here for domains, IP addresses, and URLs.


Exploiting valid certificates

Malware signed with a valid certificate might trick the user (and security software) to believe they are legit applications. The following query reveals more than one million suspicious files signed with valid certificates since 2021:


We can also filter by a specific Certificate Authorities. The following query finds suspicious samples signed by Microsoft Root CA ("Microsoft Root Certificate Authority") and detected by at least five antiviruses:



Conclusions

Our research helps us understand the dimension of the techniques discussed –  some of which are evidently growing in popularity. At the same time, we found some samples which seemed interesting enough to take a second look. 

It is equally important to know what techniques malware adopts to increase its effectiveness as it is to be able to do something about it. The analysis and description of the deception techniques described in the report, along with the implementation ideas shared in this post, will help to actively monitor and understand the evolution of future campaigns. 

At VirusTotal, we will keep sharing both our visibility and best practices to protect against new attacks and to keep our world a little bit safer. As always, we are happy to hear from you.

Happy hunting!


Appendix I

Example on how to use VirusTotal’s API to find suspicious execution parents of software distributed through a legitimate domain:

import requests
import json
import urllib

headers = {
    "Accept": "application/json",
    "x-apikey": '' # VT API key
}

def get_execution_parent(file_hash):
    """Returns file parents with more than 5 detections in VT.

    Args:
    file_hash: str, file to check.
    """
    url = f'https://www.virustotal.com/api/v3/files/{file_hash}/execution_parents'
    while url:
        response = requests.get(url, headers=headers)
        response.raise_for_status()
        data = response.json()
        for item in data['data']:
            try:
                positives = item['attributes']['last_analysis_stats']['malicious']
                if int(positives) > 5:
                    print(f'{item["attributes"]["sha256"]} - {positives}')
            Except KeyError:
                continue
        if 'links' in data and 'next' in data['links']:
            url = data['links']['next']
        else:
            url = None

def get_files_with_execution_parent(target_domain):
    """files found itw in a given domain having execution parent.

    Args:
    target_domain: str, domain to check
    """
    url = 'https://www.virustotal.com/api/v3/intelligence/search'
    while url:
        response = requests.get(url, headers=headers, params={'query': f'entity: file have: execution_parents itw: {target_domain}'})
        response.raise_for_status()
        data = response.json()
        for item in data['data']:
            get_execution_parent(item['attributes']['sha256'])
        if 'links' in data and 'next' in data['links']:
            url = data['links']['next']
        else:
            url = None

target_domain = 'target.legit-domain.com'
print(f'Checking suspicious execution parents for files downloaded from:{target_domain}')
print(f' [sha256] - [AV positives]')

get_files_with_execution_parent(target_domain)


0 comments:

Post a Comment