Thursday, January 26, 2023

Mandiant's CAPA + GoReSym to reinforce VT's capabilities

VirusTotal, the world’s largest crowdsourced threat intelligence platform, is made possible thanks to a large community of security practitioners and vendors who integrate into our platform their best security tools. We are happy to announce the inclusion of two remarkable additions, both already having wide acceptance in the security community: Capa and GoReSym from Mandiant’s FLARE team.

CAPA


Capa provides a human-readable explanation of what a suspicious binary might do and describes the evidence it found. This gives analysts a high-level understanding without time-consuming reverse engineering. We now run Capa against all PE and ELF files submitted to VirusTotal and display the results under the behavior tab.

Here you can find an example: 

Because we map the Capa results into ATT&CK Tactics and Techniques, you can pivot across them, making it easy to find other malware samples with the same behaviors. You can also create YARA rules for VirusTotal LiveHunt to get notified when any new file matching the same ATT&CK Tactics and Techniques is uploaded to VirusTotal. For example:

import "vt"

rule capa_mitre_attack_techniques {
    condition:
        for 2 vt_behaviour_mitre_attack_techniques in vt.behaviour.mitre_attack_techniques: (
            vt_behaviour_mitre_attack_techniques.id == "T1222" // set file attributes
            or vt_behaviour_mitre_attack_techniques.id == "T1083" // get file system object information
        )
}
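As an added example (not code from the post, from VirusTotal or from Mandiant), the script below shows the pipeline behind a rule like the one above: it collects the ATT&CK technique IDs that a Capa report mapped, reproduces the "at least N techniques" quantifier locally so a rule can be checked against a known sample before it goes into LiveHunt, and renders the LiveHunt rule over `vt.behaviour.mitre_attack_techniques`. The embedded report is a constructed sample in the shape of Capa's JSON (`-j`) output as I understand it (`rules` keyed by rule name, each carrying `meta.attack` entries with an `id`); that layout, the rule names and the helper function names are assumptions for this example.

```python
import json
import re
from typing import Iterable

# Constructed sample in the shape of a Capa JSON (-j) report: the "rules"
# map is keyed by rule name and each rule's "meta.attack" lists its ATT&CK
# mappings. The exact layout is an assumption for this example, not output
# copied from Capa or from VirusTotal.
CAPA_REPORT = json.loads("""
{
  "rules": {
    "set file attributes": {
      "meta": {"attack": [{"tactic": "Defense Evasion",
                           "technique": "File and Directory Permissions Modification",
                           "subtechnique": "", "id": "T1222"}]}
    },
    "enumerate files recursively": {
      "meta": {"attack": [{"tactic": "Discovery",
                           "technique": "File and Directory Discovery",
                           "subtechnique": "", "id": "T1083"}]}
    },
    "inject into process": {
      "meta": {"attack": [{"tactic": "Privilege Escalation",
                           "technique": "Process Injection",
                           "subtechnique": "Thread Execution Hijacking", "id": "T1055.003"}]}
    },
    "contains PDB path": {"meta": {"attack": []}}
  }
}
""")

# ATT&CK technique IDs look like T1222 or, for sub-techniques, T1055.003.
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")


def attack_ids(report: dict, parent_only: bool = True) -> set:
    """Collect the ATT&CK technique IDs a Capa report mapped to.

    Sub-technique IDs such as T1055.003 are reduced to their parent technique
    when parent_only is set, so the resulting rule matches the whole family.
    """
    ids = set()
    for rule in report.get("rules", {}).values():
        for attack in rule.get("meta", {}).get("attack", []):
            tid = attack.get("id", "")
            if not TECHNIQUE_ID.match(tid):
                continue  # skip malformed entries rather than emit a broken rule
            ids.add(tid.split(".")[0] if parent_only else tid)
    return ids


def matches_at_least(observed: Iterable[str], wanted: set, minimum: int) -> bool:
    """Emulate the LiveHunt 'for N item in ...' quantifier locally: true when
    at least `minimum` of the observed technique IDs are in `wanted`."""
    return len(set(observed) & wanted) >= minimum


def render_livehunt_rule(wanted: set, minimum: int,
                         name: str = "capa_mitre_attack_techniques") -> str:
    """Render a LiveHunt rule over vt.behaviour.mitre_attack_techniques that
    fires when at least `minimum` of the wanted technique IDs are present."""
    if not wanted or minimum < 1 or minimum > len(wanted):
        raise ValueError("minimum must be between 1 and the number of technique IDs")
    clauses = "\n            or ".join(f'tech.id == "{tid}"' for tid in sorted(wanted))
    return (
        'import "vt"\n\n'
        f"rule {name} {{\n"
        "    condition:\n"
        f"        for {minimum} tech in vt.behaviour.mitre_attack_techniques: (\n"
        f"            {clauses}\n"
        "        )\n"
        "}\n"
    )


if __name__ == "__main__":
    ids = attack_ids(CAPA_REPORT)
    # Sanity-check the rule against the techniques the report itself mapped.
    print("would match:", matches_at_least(ids, ids, 2))
    print(render_livehunt_rule(ids, minimum=2))
```

Reducing sub-techniques to their parent is a deliberate choice: a rule keyed on `T1055` catches every process-injection variant, whereas one keyed on `T1055.003` only fires for thread execution hijacking. Raise `minimum` to trade recall for precision when the technique set is broad.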

When contributing to the Capa rules open source project, you’ll influence the behaviors and capabilities that VirusTotal extracts and indexes for all executables. That’s a pretty big impact!

GoReSym


GoReSym is a very useful tool for analyzing Go samples, parsing the binary to extract all kinds of valuable metadata. Some of this information includes function names, the Go version used to compile a binary, compiler flags, and much more. The tool is designed to be resilient in the face of malformed binaries, such as those that result from manually unpacking malware samples. Below is an example of the kind of output you’ll now see from this tool in VirusTotal:


Here you can find an example:

Some fields are pivotable and will help you find similar samples, for instance the Build ID field, which is a Go compiler artifact. Pivoting on this field, we find 9 files related to the previous sample:


Other pivots are available as well, such as finding Go binaries that share dependencies. In the example above, note that the Build Info Path field has the value "command-line-arguments". This is the default package path for Go projects that were compiled manually by invoking the Go compiler with flags on the command line; by pivoting on that path, all Go binaries built this way can be located, while projects not built this way will have a unique package path chosen by the source code author. As a final example, we could also pivot on the -ldflags "-s -w" using the query goresym:"-s -w" to find binaries that have their symbols stripped.

The GoReSym tool generates a lot of additional output that might be useful to analysts beyond the fields displayed in the web interface; the full output is available for download from the tool header for more advanced use cases. It contains interfaces, user-defined structures, user-defined and standard function names, and much more. Check out the GitHub repository of GoReSym for IDA and Ghidra scripts, so you can import this full output into your IDB or Ghidra project when doing manual analysis!

You can also use the GoReSym output in YARA rules, for example:

import "vt"

rule match_goresym_id {
    condition:
        vt.metadata.goresym.build_id == "B99XYaFUOQ0yODtCs9Uv/9pCMbat2LnysmuC_zNCN/HpA4BHee3FUchcRjZ_H8/X3mm-ynJxm79h5fETBwa"
}
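As an added example (not code from the post, from VirusTotal or from Mandiant), the script below pulls the pivots discussed above out of a GoReSym JSON report: the Build ID, the module path (flagging the "command-line-arguments" default), the -ldflags setting with a check for stripped symbols, and the dependency list, and then renders the build ID LiveHunt rule. The embedded report is a constructed sample whose field names (`Version`, `BuildId`, `ModuleMeta.Path`, `ModuleMeta.Settings`, `ModuleMeta.Deps`) are my assumption about the tool's output layout, and the build ID value is a placeholder, not a real sample.

```python
import json
from typing import Optional

# Constructed sample in the shape of a GoReSym JSON report. The field names
# are an assumption for this example, not output copied from the tool or
# from VirusTotal, and the BuildId is a made-up placeholder.
GORESYM_REPORT = json.loads("""
{
  "Version": "go1.19.4",
  "BuildId": "EXAMPLE-BUILD-ID/placeholder/not-a-real-sample/0000",
  "Arch": "amd64",
  "OS": "windows",
  "ModuleMeta": {
    "Path": "command-line-arguments",
    "Main": {"Path": "command-line-arguments", "Version": "(devel)"},
    "Deps": [
      {"Path": "golang.org/x/sys", "Version": "v0.3.0"},
      {"Path": "github.com/example/dep", "Version": "v1.2.3"}
    ],
    "Settings": [
      {"Key": "-compiler", "Value": "gc"},
      {"Key": "-ldflags", "Value": "-s -w"},
      {"Key": "GOOS", "Value": "windows"}
    ]
  },
  "UserFunctions": [{"FullName": "main.main"}, {"FullName": "main.persist"}]
}
""")

# Module path the Go toolchain assigns when individual .go files are built
# from the command line instead of a named package.
DEFAULT_MODULE_PATH = "command-line-arguments"


def setting(report: dict, key: str) -> Optional[str]:
    """Return one build setting (e.g. -ldflags, -gcflags, GOOS), or None if absent."""
    for entry in report.get("ModuleMeta", {}).get("Settings", []):
        if entry.get("Key") == key:
            return entry.get("Value")
    return None


def symbols_stripped(report: dict) -> bool:
    """True when the linker was told to drop both the symbol table (-s) and
    DWARF debug info (-w). Both flags must be present to count."""
    flags = (setting(report, "-ldflags") or "").split()
    return "-s" in flags and "-w" in flags


def extract_pivots(report: dict) -> dict:
    """Pull the fields the post describes as pivotable out of a report."""
    module = report.get("ModuleMeta", {})
    module_path = module.get("Path", "")
    return {
        "build_id": report.get("BuildId"),
        "go_version": report.get("Version"),
        "module_path": module_path,
        "default_module_path": module_path == DEFAULT_MODULE_PATH,
        "ldflags": setting(report, "-ldflags"),
        "symbols_stripped": symbols_stripped(report),
        "dependencies": sorted(d["Path"] for d in module.get("Deps", [])),
    }


def render_build_id_rule(build_id: str, name: str = "match_goresym_id") -> str:
    """Render the LiveHunt rule from the post for a given build ID, refusing
    values that would break out of the YARA string literal."""
    if not build_id or '"' in build_id or "\\" in build_id or "\n" in build_id:
        raise ValueError("build ID must be a non-empty single-line string without quotes")
    return (
        'import "vt"\n\n'
        f"rule {name} {{\n"
        "    condition:\n"
        f'        vt.metadata.goresym.build_id == "{build_id}"\n'
        "}\n"
    )


if __name__ == "__main__":
    pivots = extract_pivots(GORESYM_REPORT)
    print(json.dumps(pivots, indent=2))
    print(render_build_id_rule(pivots["build_id"]))
```

A build ID is the tightest pivot, since it identifies one compilation; the module path and -ldflags pivots are much broader and are best combined with other conditions in a LiveHunt rule rather than used on their own.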

Conclusions


The tools presented in this blog post not only provide added value to VirusTotal users, they also represent the first baby steps in our collaboration with Mandiant, now part of Google Cloud Security. We are happy to continue growing our community with valuable content.

Happy hunting!
