VirusTotal Malware Trends Report: Emerging Formats and Delivery Techniques

We just released a new edition of our “VirusTotal Malware Trends Report” series, where we want to share VirusTotal’s visibility to help researchers, security practitioners and the general public better understand the nature of malicious attacks, this time focusing on “Emerging Formats and Delivery Techniques”. Here are some of the main ideas presented there:

• Email attachments continue to be a popular way to spread malware.

• Traditional file types (Excel, RTF, CAB and compressed formats) are becoming less popular. Although the use of PDFs slowly decreased for the last few months in June 2023 we observed the biggest peak for the last two years.

• OneNote and JavaScript (distributed along HTML) are the most rapidly growing formats for malicious attachments in 2023.

• OneNote emerged in 2023 as a reliable alternative for attackers to the traditional use of macros in other Office products.

• ISO files for malware spreading are a flexible alternative for both widespread and targeted attacks. Distribution as heavily compressed attachments makes them difficult to scan by some security solutions.

• ISO files are being disguised as legitimate installation packages for a variety of software, including Windows, Telegram, AnyDesk, and malicious CryptoNotepad, among others.

For full details, you can download the report here. 

As we usually do, in this blog post we will focus on technical hunting ideas you can use to monitor malicious activity. We also provide additional technical details for some of the most interesting points discussed in the report.

Monitoring malicious attachments

Our data shows that there was an increase in the number of malicious files attached to emails between March and April of 2023. In terms of suspicious attachments, for the past two years, we have observed spikes in the number of suspicious PDF files linked to malicious campaigns. These files can be used for a variety of purposes, such as exploiting vulnerabilities (less usual) or phishing (most of the time).

OneNote is becoming a popular format for malware distributed as email attachments in 2023. We will describe the OneNote attack flow in the next section. In 2023, it became the fastest-growing format for malicious attachments, by percentage.

In 2023, we saw a significant increase in the use of JavaScript distributed alongside HTML, in sophisticated phishing attacks designed to steal victims' credentials. Excel, RTF, CAB, compressed formats, and Word all seem to be declining in popularity as malicious attachments.

OneNote to rule them all

Suspicious OneNote files uploaded to VirusTotal can we filtered using the following VTI query:

entity:file type:one p:5+

Most of the files in our collection were submitted in 2023. We can observe how AntiVirus detection during January and the first half of February was significantly lower than afterwards, when security vendors improved their detection for this format. 

Malicious OneNote files usually embed a malicious file (vba, html+jscript, powershell, or any combination of them) and, as happens with malicious Office attachments, try to convince the victim to allow execution. 

Commonalities for the files resulting the previous search offer some interesting data on who is currently using this format for distribution:

• Many of them distribute QBot, RemcosRAT or AsyncRAT.  We also found Emotet malware samples using Onenote for spreading.

• Around 20% seem to distribute QakBot.

• The Microsoft_OneNote_with_Suspicious_String Crowdsource Yara rule seems to provide good detection with a low false positive ratio. 

Payloads vary from family to family, but many of them access external URLs to download a DLL file camouflaged as a PNG file. This is a very old trick used to bypass basic firewall rules or just look less suspicious to the eye. 

We can find several examples of this, for example searching for BumbleBee malware samples reaching a remote "view.png" file or Qakbot samples contacting "01.png" in any network resource.

The most usual kill chain where OneNote format is involved is as follows:

• The victim receives an email with a OneNote attachment. The mail body encourages the victim to click on a button to see a hidden/distorted image or document.

• This button executes a script (VB script, HTA, powershell, etc,) that will launch a payload, either embedded into the same script or downloaded from an external resource. 

• The external payload might be yet another OneNote file, an image file renamed as a ".bat" file, a DLL file that's loaded into memory or even a Windows executable.

The following is an example of an obfuscated second stage .Net executable payload extracted from this powershell script:

ISO files as a flexible alternative

Windows-targeting malware bundled in ISO files is a highly popular delivery method used by threat actors these days. It is used on a large scale for  crimeware distribution as well as high profile APT campaigns actors. You can use the “isoimage” tag to list ISO files in VTI:

entity:file tag:isoimage

You can be more specific to detect only those ISO files containing an executable: 

entity:file tag:isoimage (tag:contains-pe OR tag:contains-elf OR tag:contains-macho)

Another interesting approach is to leverage Sandbox reports to get ISOs files interacting (drop/delete/open/execute) with specific file types during their execution:

entity:file tag:isoimage behaviour_files:".exe" not tag:contains-pe

Using this method you are not only no longer dependent on the “contains-pe” tag (that could be missed in some cases), but also you are able to discover ISOs with “hidden” executables, for example ISO containing archives that contain executables. It is also possible to detect cases when an ISO file contains only a non-binary file, like LNK or script, that drops and executes a malicious PE payload. 

It is possible to identify ISO clusters for specific malware campaigns. For instance, you can get samples used in a ChromeLoader distribution campaign with the following name and size filters:

entity:file tag:isoimage name:"Your File Is Ready To Download" size:100Mb+

Another interesting ISO cluster contains artificially zero-byte inflated executables, allowing attackers to compress the resulting ISO file from 300Mb to 400Kb:

Example of ISO file with artificially inflated executable inside

The following query will help you find some of these examples:

entity:file tag:isoimage size:300Mb+ size:316Mb- p:3+ have:compressed_parents

We also found something that appears to be a malware campaign distributing weaponized versions of legitimate software, including “Crypto Notepad”, within ISO files. Examining one of the samples, we can see that the bundled .NET executable is also inflated with zero-bytes up to 313Mb. The main purpose of the malicious injection in legit software is to download a remote binary file for execution:

It is also capable of fetching remotely hosted powershell code and execute it:

We found hundreds of samples related to this campaign related to the following C2 hosts:

• telegramdesktop[.]club

• telegramdesktop[.]digital

• fuckuavsystemsfewgqsg[.]live

• installmarkets[.]hair

installmarkets[.]hair relations with malicious samples

Other than compressing artificially inflated files, another reason to distribute ISO files is mimicking legitimate installation software packages, which you usually expect to be sizable. The following example uses a well known browser to find suspicious cases:

entity:file tag:isoimage name:BraveBrowserSetup

The previous search results in a number of files with zero AV detections. However, further manual analysis reveals their maliciousness.

Malicious samples with 0 AV detections mimicking Brave browser installer

There are different ways to explore what are the main spreading vectors used to distribute malicious ISO files and their related infrastructure. For instance, the following query provides samples seen being hosted  In-The-Wild:

entity:file tag:isoimage p:10+ have:itw

You can refine the search to list samples seen being hosted in a specific host:

entity:file tag:isoimage p:10+ itw:cdn.discordapp.com

Email spreading can filtered using the “attachment” tag or “email_parents”, they both provide pretty much the same results:

entity:file tag:isoimage p:10+ (tag:attachment OR have:email_parents)

Wrapping it up

Attackers are constantly rotating the file formats they use to deliver malware. This is done to increase the effectiveness of their campaigns and to avoid detection by security measures. The security community needs to be aware of the use of alternative file formats for malware delivery and to put more resources into stopping these new spreading methods. For example, although traditional file types, such as Word, Excel, and RTF, are still used for malware delivery, alternative formats, such as OneNote and ISO, are becoming increasingly popular.

As a proof of the effectiveness of format rotation for attackers, the simple fact of bundling a malicious sample inside of an ISO file seems to effectively decrease AV detections. We also observed poor detection in the first waves of OneNote malicious files, although improved with time. 

We suggest monitoring malware spreading trends, and actively check how your security stack responds to proactively minimize infection risks, as well as including in your analysis all logs to/from allowed legitimate sites as they are regularly used for malware distribution, do not exclusively focus your anomaly detection on unknown traffic.  

Happy hunting!

Read More

Actionable Threat Intel (IV) - YARA beyond files: extending rules to network IoCs

We are extremely excited to introduce YARA Netloc, a powerful new hunting feature that extends YARA supported entities from traditional files to network infrastructure, including domains, URLs and IP addresses. This opens endless possibilities and brings your hunting to a whole new level. Let’s get started!

Creating Network rules

YARA Netloc is based on extended functionality implemented for the “vt” YARA module. In particular, you will find now a new ".net" attribute specifically for network related entities such as URLs, domains and IP addresses. Here you can find the full documentation. Remember you can use the “vt” YARA module for any of your LiveHunt YARA rules.

Before we start working on a few examples it is important to highlight what resources you have available to get you quickly up to speed. First, our new YARA editor has available several templates you can use to build your rules. Second, the whole community can benefit from VirusTotal’s community rules in our new crowdsourced YARA GitHub repository. The repository is split into four folders, each of which with rules matching different entities (file, domain, IP or URL).

Let’s start with a first example rule. The “New Livehunt Ruleset” dropdown on the Livehunt section now allows us to select what kind of YARA we want to create, depending on the entity we want to match against.

Let’s select “New ruleset matching against Domains” to deploy a rule to track if any of our domains is serving malware without our knowledge. We will use the “Domain serving malicious files” template available on the YARA editor.

import "vt"

rule malware_distribution {
  meta:
    description = "Detects if my infrastructure is being used to distribute malware or malicious domains are impersonating my legitimate domain with the same purpose."
    category = "infra-monitoring"
    references = "https://www.virustotal.com/gui/search/entity%253Adomain%2520domain%253Atelegram.com%2520downloaded_files_max_detections%253A5%252B/domains"
    creation_date = "2023-07-19"
    last_modified = "2023-07-19"
    target_entity = "domains"
  condition:
    vt.net.domain.raw icontains "telegram.com" and
    vt.net.domain.downloaded_file.analysis_stats.malicious >= 5
}

In this case we can easily see how the new “.net” attribute is used in this rule. First we use “domain.raw” to specify our domain by comparing it to a given string (“telegram.com” in this example). Then we simply check if any new downloaded file from that domain looks suspicious by having five or more antivirus verdicts. We will keep this rule running as a Livehunt, and will be notified through IoC Stream in case VirusTotal sees our domain downloading anything suspicious.

Let’s see another example.

Now we are going to reuse one of the rules available in our repository, in this case to track Cobalt Strike’s infrastructure. The rule tracks IP addresses serving a well-known Cobalt Strike certificate, which we check with the “ip.https_certificate.thumbprint” condition. We could easily create similar rules for all kinds of suspicious infrastructure serving https certificates identified as malicious.

import "vt"

rule Cobalt_Strike_Default_SSL_Certificate
{
  meta:
    name = "Default CobaltStrike self-signed SSL Certificate"
    description = "Find IP addresses serving the default SSL certificate used out of the box by Cobalt Strike for C2 comms"
    reference = "https://www.mandiant.com/resources/blog/defining-cobalt-strike-components"
    target_entity = "IPs"
  condition:
    vt.net.ip.https_certificate.thumbprint == "6ece5ece4192683d2d84e25b0ba7e04f9cb7eb7c"
}

For our final example we will create a rule from scratch.

In this case we are inspired by the Zaraza bot credential stealer that exfiltrates stolen data using Telegram channels so we will use VirusTotal to hunt for fresh infrastructure (URLs) used in that way. Our rule will check for known patterns in the URLs for a given domain (“api.telegram.org”), and then check if the last file seen communicating with them (“communicating_file”) seems suspicious (“analysis_stats.malicious”>5) and it has a particular AV verdict (“steal” or “exfilt”) looping its “signatures” .

import "vt"

rule telegram_bot_stealer {
  meta:
    description = "Detects Telegram channels that bots potentially use to exfiltrate data to."
    category = "MAL-infra"
    malware = "Stealer"
    reference = "https://www.uptycs.com/blog/zaraza-bot-credential-password-stealer"
    examples = "https://www.virustotal.com/gui/file/2cb42e07dbdfb0227213c50af87b2594ce96889fe623dbd73d228e46572f0125/detection, https://www.virustotal.com/gui/url/f4abd85188b86df95c7f8571f8043d92ad033b6376a113fd0acd8714bd345798/detection"
    creation_date = "2023-07-06"
    last_modified = "2023-07-06"
    target_entity = "url"

  condition:
    vt.net.url.raw icontains "https://api.telegram.org/bot" and
    (
      (
        vt.net.url.raw icontains "/sendMessage?" and
        vt.net.url.query icontains "text="
      ) or
      vt.net.url.raw icontains "/sendDocument?"
    ) and
    vt.net.url.query icontains "chat_id=" and
    vt.net.url.communicating_file.analysis_stats.malicious > 5 and
    for any engine, signature in vt.net.url.communicating_file.signatures : (
      signature icontains "steal" or signature icontains "exfilt"
    )
}

Wrapping up

YARA rules are no longer limited only to tracking files. The new “.net” attribute in the “vt” YARA module empowers users with the ability to discover suspicious network infrastructure and combine it with VirusTotal’s metadata for a huge range of use cases.

The YARA “vt” module provides standardized syntax for files and network detection rules and allows combining attributes of different entities for highly customized monitoring rules. Additionally, it replaces the need of periodic (manual, but specially automated) lookups by allowing the deployment of Livehunt rules for monitoring.

Although this blog post shows some of the new YARA Netloc capabilities using a few examples, there are infinite possibilities. You can use it to track threat actors’ infrastructure, to monitor your own infrastructure (including IP ranges) or to detect phishing campaigns targeting your company, amongst many other use cases. You can find many more ideas by checking the YARA editor templates, checking the official documentation or the YARA rules GitHub repository.

We will be back soon with more details, use cases and examples for YARA Netloc hunting capabilities, but in the meantime do not hesitate to contact us for anything you need.

Happy hunting!

Read More

Apology and Update on Recent Accidental Data Exposure

We are writing to share information about the recent customer data exposure incident on VirusTotal. We apologize for any concern or confusion this may have caused.

On June 29, an employee accidentally uploaded a CSV file to the VirusTotal platform. This CSV file contained limited information of our Premium account customers, specifically the names of companies, the associated VirusTotal group names, and the email addresses of group administrators. We removed the file, which was only accessible to partners and corporate clients, from our platform within one hour of its posting.

First and foremost, we want to clarify unequivocally: This was not the result of a cyber-attack or a vulnerability with VirusTotal. This was a human error, and there were no bad actors involved. 

This is an example of the data that was included in the CSV file:

Company Name	VT Group	Admin group email address
VirusTotal S.L.	virustotal	User@virustotal.com

We assure you that the data disclosed was limited strictly to the sort of information provided in the example above. Since this incident, we have implemented new internal processes and technical controls to improve the security and safeguarding of customer data.  

Trust is the bedrock of our community, and again we apologize for any confusion or concern this may have caused. 

If you have additional questions or would like to speak with our support team, please reach out to contact@virustotal.com.

Thank you,

The VirusTotal Team.

Additional Q&A

Q: Is my account at risk for hacking because of this incident?

No, the list only included company names, VirusTotal group tenant names and VirusTotal group administrator emails. The Premium VirusTotal platform is only accessible to partners and corporate clients.

Q: How did VirusTotal become aware of the file's existence?

This was quickly flagged by our partners and fellow analysts via our support system—we removed the file within an hour of its posting. We deeply appreciate their timely action.

Q: How did these partners and analysts notice this particular file?

Many of our customers have a Livehunt service based on YARA rules. This service helps them identify targeted attacks against their organizations, such as phishing. Some of these YARA rules search for files containing their own domains. In this instance, the file matched these rules and the system generated an alert. 

Q: Could a malicious entity or anonymous user have downloaded the file from the VirusTotal platform?

No. The file was only accessible to our partners and cybersecurity analysts who hold a Premium account with VirusTotal. No anonymous or free account users on VirusTotal had access to the Premium platform. 

Q: Why are files uploaded and scanned on VirusTotal accessible to partners and professional security analysts via the VirusTotal Premium platform?

The VirusTotal Premium platform facilitates the discovery of new cyber attacks by industry professionals and cybersecurity experts. This shared knowledge enables the analysis of new security threats, leading to updates in security products and an overall improvement in both corporate and worldwide security.

Q: Why was an employee able to download the list in the first place? Has VirusTotal taken any measures as a result of this incident?

This list of limited customer data was critical to their role. Since this incident, we have implemented new internal processes and technical controls to improve the security and safeguarding of customer data. 

Read More

VirusTotal += Crowdsourced AI

We are pleased to announce the launch of Crowdsourced AI, a new initiative from VirusTotal, dedicated to leveraging the power of AI in tandem with community contributions. Spearheading this endeavor, Hispasec brings to the table an AI solution designed to analyze Microsoft document formats, particularly those containing macros, such as Word, Excel, and PowerPoint files. We extend a warm invitation to all interested parties to join this effort and explore innovative ways to contribute features that will strengthen the cybersecurity community.

About three months ago, we rolled out Code Insight, an AI tool geared to help security analysts better understand unfamiliar code snippets with explanations in natural language. In a more recent Q&A, we put out a call to anyone keen to lend their own AI models or use cases to VirusTotal to benefit the community. Now, Hispasec has stepped in and added a powerful solution for Microsoft Office documents. They're using a different AI model not only to explain the macros but also to deliver judgements about any potential malicious content, boosting VirusTotal capabilities.

In the words of the company:
“We are incorporating a specialized AI component from our Content Disarm & Reconstruction (CDR) solution, DeepClean, into VirusTotal. This component leverages a Large Language Model (LLM) to interpret and explain the code within macros in specific Microsoft document formats. Additionally, it offers a verdict—based on the model's criteria—on whether the analyzed content can be considered malicious or benign. It’s important to emphasize that this is just one facet of DeepClean. Our broader solution recreates files into clean versions, eliminating executable code while preserving the essential content.”

This new integration not only bolsters our AI-driven security analysis but also exemplifies the strength in diversity, mirroring our existing initiatives like Crowdsourced IDS, Sigma, and YARA rules. In line with VirusTotal's mission, we openly welcome various complementary solutions, reaffirming our commitment to a collaborative defense strategy against cyber threats.

Let's dive into a few examples showcasing how this new crowdsourced AI section and the contributions from Hispasec perform and are displayed within VirusTotal.

In the example below, we see the verdict label "malicious" at the beginning of the explanation, emphasized in red for easy visibility. This is followed by a detailed description of how macros within this .XLS file employ various obfuscation techniques. These include base64 encoded strings and the concatenation of variables with diverse names, in an attempt to disguise their behavior. However, the model deobfuscates these measures, revealing the true intent of the macros. It turns out they are attempting to download a script containing a PowerShell reverse shell and subsequently execute it.

7d86b9e20b3c115afd2f02bd3bfc1eae754a7b4c37d5155990cc3267d67df56e

In this other example, the model labels a file as "benign", with the verdict distinctly emphasized in green at the start of the detailed explanation. The report delves into the functionality of the various macros found within the file and their objectives.

24f05da105834088c604c0a2bd4987f092ad3d743d86b7200d835a61e490bc28

Search with Crowdsourced AI results

All the data generated by contributors in Crowdsourced AI is indexed and readily accessible via VirusTotal Intelligence. This means that analysts can now utilize this resource to perform targeted searches, streamlining their investigative processes. For a focused search by verdict, simply input "crowdsourced_ai_verdict:" followed by either "malicious" or "benign". If you're looking to search within the explanations provided by the AI, use the "crowdsourced_ai_analysis:" parameter followed by the specific text you're interested in.

To illustrate the practical application of these search parameters, let's walk through a scenario an analyst might encounter. Suppose you have received an alert from your SIEM pointing to the IP address 192.168.45.239. You want to find out if there is any document associated with this particular IP.

The search query "crowdsourced_ai_analysis:192.168.45.239" yields a .DOC file linked with the IP address.

Clicking on the search-returned sample, we can read the AI description and find the macro within the .DOC file uses the CreateProcess function to run an obfuscated PowerShell command. Decoding the base64 string reveals that this command downloads and executes a script from 'hxxp://192.168.45.239/run.txt'.

5a1cad5a9e9be128aa4436540450b17b6716cb64711894078435266106870e6a

Join Crowdsourced AI

At VirusTotal, our commitment to facilitating collaboration within the security community is unwavering. This extends beyond merely integrating AI models and use cases into our platform. We're also more than willing to supply datasets, comprising samples and metadata, to assist in training innovative security solutions.

If you're utilizing an AI model or have identified a potential use case that can enhance our collective security posture, we eagerly invite your contribution. Our goal isn't confined to file and code analysis models; we are open to any use case applicable within the VirusTotal ecosystem. This includes, but is not limited to, solutions addressing status and dynamic analysis explanation, metadata extraction, summarization and evaluation, applications related to domain names, URLs, IP addresses, and tackling various forms of cyber threats such as phishing and other sophisticated attacks.

By broadening our scope and welcoming diverse solutions, we aim to transform VirusTotal into a central hub for superior AI models and use cases across all aspects of the security domain. In doing so, we strengthen our community's defenses and augment our capacity to counter a wide spectrum of cyber threats.

Thank you for being a part of the security community and supporting collective efforts to improve threat detection and response.

Read More