Friday, August 04, 2023

Crowdsourced AI += NICS Lab

We are pleased to share that NICS Lab, a security research group from the Computer Science Department at the University of Malaga, is joining the Crowdsourced AI initiative at VirusTotal. By adding a second AI model that processes PowerShell files, NICS Lab not only strengthens our collective understanding of the code and its behavior, but also provides a verdict on the threat level of each file according to the model's own criteria, categorizing it as malicious, suspicious, or benign.

As a reminder, Crowdsourced AI is VirusTotal's initiative that taps into diverse AI models and community contributions to strengthen our collective defenses. Just two weeks ago, we announced the integration of Hispasec's solution, which is specifically designed for analyzing Microsoft Office documents. As we have explained in the past, LLM-based solutions can make mistakes, but their contributions are very valuable in complementing other technologies for the analysis and detection of new threats.

This time, the solution offered by NICS Lab complements the code explanations already generated by Code Insight, which is based on Google PaLM. As a result, many PowerShell file reports will now carry insights from two distinct AI models. This encapsulates VirusTotal's strategy of embracing diverse threat detection solutions to improve understanding and risk assessment.

Let's explore a few examples:

In this first showcase, two analyses appear in the Crowdsourced AI section: one from NICS Lab and the other from Code Insight. For the former, in addition to the explanation of the file's behavior, we can see the "Malicious" verdict highlighted in red.

f3642eacb95ad7272d5485bc1fbcd7ebb872ebd72e27fc60e0e79d5643006663

A similar example, this time a ransomware case. Here both models agree on the overall analysis but complement each other with different details: the first model lists the file extensions the ransomware encrypts, while the second highlights the email address through which the ransom is demanded.

ff68ade91babb31db87a5dcb5b1f650cb429ae6eb7d291cda4c0d92e76c5101c


The next example shows how the models behave when analyzing a PowerShell file whose code the attackers obfuscated by splitting the strings that make up the instructions and using a function that swaps the encoded strings for their real values at runtime.


As we can see, the sample evades detection by the antivirus engines, but both models succeed in deobfuscating its code, analyzing it, and explaining its behavior. As noted above, an AI explanation is a lead for the analyst to verify rather than a detection on its own, which is why it is shown alongside, not instead of, the engine results.

48a7c59575f61e568dbc997db09c707f5b04abfe847d19c084ce955b4f97e648

The AI reports' results are also searchable via VT Intelligence: the "nics_ai_analysis:" modifier searches the text of the AI output, and "nics_ai_verdict:" searches by verdict (malicious, suspicious, or benign). As an example, below we show the results of a search for NICS Lab reports that mention "telegram" and carry a "malicious" verdict, using the following query: nics_ai_analysis:telegram and nics_ai_verdict:malicious.


Here is the analysis of the first file that appears in the previous search:

acc91fccb084496ae0d0864c90d3ae99493cf638189995fb4d8d9f4ecbbf7a52

Similarly, the other AI models have their own search modifiers: "hispasec_ai_analysis:", "hispasec_ai_verdict:", and "codeinsight:". Two additional modifiers search across all Crowdsourced AI models at once: "crowdsourced_ai_analysis:" and "crowdsourced_ai_verdict:".
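The two search passages above (the NICS Lab modifiers and the per-model and cross-model ones), as an added Python example that is not part of the original post: it composes a VT Intelligence query from those modifiers, pages through the v3 intelligence/search endpoint and pulls each model's verdict out of the returned file objects. The endpoint, the x-apikey header and the links.next pagination are the documented v3 conventions; the crowdsourced_ai_results / source / verdict field names and the quoting of multi-word terms are assumptions, and the response used for the offline run is constructed.

```python
import json
import urllib.parse
import urllib.request

VT_SEARCH_URL = "https://www.virustotal.com/api/v3/intelligence/search"

# Modifier families named in the post: (analysis-text modifier, verdict modifier).
# Code Insight only exposes a text modifier, so it has no verdict entry.
AI_MODIFIERS = {
    "nics": ("nics_ai_analysis", "nics_ai_verdict"),
    "hispasec": ("hispasec_ai_analysis", "hispasec_ai_verdict"),
    "crowdsourced": ("crowdsourced_ai_analysis", "crowdsourced_ai_verdict"),
    "codeinsight": ("codeinsight", None),
}
VERDICTS = ("malicious", "suspicious", "benign")


def build_query(source, analysis_term=None, verdict=None, extra=""):
    """Compose a VT Intelligence query; `extra` is any other modifier, appended verbatim.

    A multi-word analysis term is wrapped in double quotes so it travels as one
    value (quoting convention assumed; single words are passed through unquoted).
    """
    if source not in AI_MODIFIERS:
        raise ValueError(f"unknown AI source {source!r}")
    analysis_mod, verdict_mod = AI_MODIFIERS[source]
    parts = []
    if analysis_term:
        quoted = f'"{analysis_term}"' if any(c.isspace() for c in analysis_term) else analysis_term
        parts.append(f"{analysis_mod}:{quoted}")
    if verdict:
        if verdict_mod is None:
            raise ValueError(f"{source} has no verdict modifier")
        if verdict not in VERDICTS:
            raise ValueError(f"unknown verdict {verdict!r}")
        parts.append(f"{verdict_mod}:{verdict}")
    if extra:
        parts.append(extra)
    if not parts:
        raise ValueError("query needs at least one term")
    return " and ".join(parts)


def _http_get(url, api_key):
    req = urllib.request.Request(url, headers={"x-apikey": api_key, "accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def search(query, api_key, limit=10, max_results=100, fetch=_http_get):
    """Yield matching file objects, following links.next until exhausted or max_results is hit.

    `fetch(url, api_key) -> dict` is injectable so the client can run offline.
    """
    url = f"{VT_SEARCH_URL}?{urllib.parse.urlencode({'query': query, 'limit': limit})}"
    seen = 0
    while url and seen < max_results:
        page = fetch(url, api_key)
        for obj in page.get("data", []):
            yield obj
            seen += 1
            if seen >= max_results:
                return
        url = page.get("links", {}).get("next")


def ai_verdicts(file_obj):
    """Map each Crowdsourced AI source to its verdict (None when the model gives none).

    Field names crowdsourced_ai_results / source / verdict are assumed from the v3
    file object; confirm them against a real response before relying on them.
    """
    results = file_obj.get("attributes", {}).get("crowdsourced_ai_results", [])
    return {r.get("source", "unknown"): r.get("verdict") for r in results}


# Constructed two-page response for the offline run. Only the first SHA-256 is real
# (the sample shown in the post); analysis text, cursor and second hash are made up.
FAKE_PAGES = [
    {"data": [{"type": "file", "id": "acc91fccb084496ae0d0864c90d3ae99493cf638189995fb4d8d9f4ecbbf7a52",
               "attributes": {"crowdsourced_ai_results": [
                   {"source": "NICS Lab", "verdict": "malicious",
                    "analysis": "(constructed) sends collected data to a Telegram bot"},
                   {"source": "Code Insight", "analysis": "(constructed) explanation, no verdict"}]}}],
     "links": {"next": VT_SEARCH_URL + "?cursor=constructed-cursor"}},
    {"data": [{"type": "file", "id": "0" * 64,
               "attributes": {"crowdsourced_ai_results": [{"source": "NICS Lab", "verdict": "malicious"}]}}],
     "links": {}},
]


def fake_fetch(url, api_key):
    """Serve FAKE_PAGES: the first request gets page 1, the cursor URL gets page 2."""
    return FAKE_PAGES[1] if "cursor=" in url else FAKE_PAGES[0]


def demo():
    """Run the post's query offline; returns (query, [(sha256, {source: verdict}), ...])."""
    query = build_query("nics", analysis_term="telegram", verdict="malicious")
    hits = search(query, api_key="unused-offline", fetch=fake_fetch)
    return query, [(h["id"], ai_verdicts(h)) for h in hits]


if __name__ == "__main__":
    q, rows = demo()
    print(q)
    for sha256, verdicts in rows:
        print(sha256, verdicts)
```

To run it against the live service, drop the `fetch=` argument and pass a real API key; `max_results` keeps a broad query such as crowdsourced_ai_verdict:malicious from paging through your whole quota.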

We want to express our gratitude to NICS Lab, for their contribution to the VirusTotal Crowdsourced AI initiative, and congratulate the School of Computer Science and Engineering of the University of Malaga for launching Spain's first-ever degree combining Cybersecurity and Artificial Intelligence. As we forge ahead, welcoming more contributors with diverse skill sets, we remain steadfast in our commitment to building a collaborative, powerful, and diverse defense strategy to tackle the ever-evolving cyber threats. We encourage others to join us in this endeavor.

Tuesday, August 01, 2023


Actionable Threat Intel (V) - Autogenerated Livehunt rules for IoC tracking

As we previously discussed, YARA Netloc uncovers a whole new dimension for hunting and monitoring by extending YARA support to network infrastructure. All VirusTotal users already have access to different resources, including templates, a GitHub repository, and the official documentation, to quickly get started on writing network YARA rules.
You can also find excellent external resources, like this blog post from SentinelOne's Tom Hegel, which discusses the use of YARA Netloc in a real investigation.
And as we highlighted in our previous post, this is just the beginning. We are playing with new ideas and features that leverage YARA Netloc, and we couldn't resist implementing a few of them already. In this blog, we will discuss a new functionality that uses YARA Netloc to help us track indicators of compromise (IoCs) and their related infrastructure with just a few clicks.

IoCs subscription

You might have noticed that all IoC reports in VirusTotal have a new Follow dropdown menu in the top right corner, which offers a few options.
The idea of this new feature is to offer VirusTotal users easy ways to track an IoC's activity. For instance, as shown in the previous screenshot, for a file we can choose to be notified about any infrastructure it interacts with in the future (URLs, domains or IPs), or whenever we see it being downloaded from anywhere.
Clicking any of these options creates a one-click Livehunt rule based on a template. We can customize the resulting rule as needed, or simply deploy it as suggested, although we highly recommend renaming it so it is easy to identify later.
For example, by clicking "URLs downloading it" in the previous sample's report, the following rule is automatically generated and deployed in our Livehunt:
import "vt"

rule UrlDownloadsFile {
  condition:
    // vt.net.url.new_url and // enable to restrict matches to newly seen URLs
    vt.net.url.downloaded_file.sha256 == "2cb42e07dbdfb0227213c50af87b2594ce96889fe623dbd73d228e46572f0125"
}
This rule notifies us whenever VirusTotal processes a URL observed downloading that particular sample; enabling the commented-out vt.net.url.new_url condition restricts matches to URLs seen for the first time.
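The customizations the text suggests (renaming the rule, enabling the new_url restriction) carried out in code, as an added Python example that is not part of the original post or of VirusTotal's own tooling: it renders the same "URLs downloading it" template shown above for one or several hashes, validates the inputs, and creates the ruleset through the v3 hunting_rulesets endpoint. The endpoint and the data/type/attributes envelope are the v3 conventions; the `match_object_type` attribute used to select the entity the ruleset matches against is an assumption to verify in the API reference, and the POST stand-in in `demo()` is constructed so the script runs offline.

```python
import json
import re
import urllib.request

VT_RULESETS_URL = "https://www.virustotal.com/api/v3/intelligence/hunting_rulesets"
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
YARA_IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
SAMPLE = "2cb42e07dbdfb0227213c50af87b2594ce96889fe623dbd73d228e46572f0125"  # hash from the post


def build_url_download_rule(sha256s, name, description, only_new_urls=False):
    """Render the post's "URLs downloading it" template as YARA Netloc source.

    Goes beyond the one-click template in the ways the post suggests: the rule is
    renamed (`name` must be a valid YARA identifier), a meta description is added,
    the new_url restriction can be switched on, and several hashes are OR-ed
    together so one ruleset follows a whole cluster of samples.
    """
    hashes = sorted({h.strip().lower() for h in sha256s})
    if not hashes:
        raise ValueError("at least one SHA-256 is required")
    for h in hashes:
        if not SHA256_RE.match(h):
            raise ValueError(f"not a SHA-256 hex digest: {h!r}")
    if not YARA_IDENT_RE.match(name):
        raise ValueError(f"not a valid YARA rule name: {name!r}")
    description = description.replace("\\", "\\\\").replace('"', '\\"')
    lines = ['import "vt"', "", f"rule {name} {{", "  meta:",
             f'    description = "{description}"', "  condition:"]
    if only_new_urls:
        lines.append("    vt.net.url.new_url and")
    else:
        lines.append("    // vt.net.url.new_url and // enable to restrict matches to newly seen URLs")
    terms = [f'vt.net.url.downloaded_file.sha256 == "{h}"' for h in hashes]
    if len(terms) == 1:
        lines.append("    " + terms[0])
    else:  # parenthesise the OR chain so an enabled new_url clause binds over every hash
        lines += ["    (", " or\n".join("      " + t for t in terms), "    )"]
    lines.append("}")
    return "\n".join(lines) + "\n"


def _http_post(url, api_key, body):
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                 headers={"x-apikey": api_key, "content-type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def deploy_ruleset(rule_text, ruleset_name, api_key, post=_http_post):
    """Create an enabled Livehunt ruleset through the v3 hunting_rulesets endpoint.

    `match_object_type` is assumed to be the attribute selecting the entity the
    ruleset matches against (URLs here, since the condition is on vt.net.url);
    verify it in the API reference. `post` is injectable for offline runs.
    """
    body = {"data": {"type": "hunting_ruleset", "attributes": {
        "name": ruleset_name, "rules": rule_text, "enabled": True, "match_object_type": "url"}}}
    return post(VT_RULESETS_URL, api_key, body)


def demo():
    """Render the post's rule and 'deploy' it against a recording stub; returns (rule, request)."""
    rule = build_url_download_rule([SAMPLE], "UrlDownloadsFile", "one-click Follow rule from the post")
    captured = {}

    def record(url, api_key, body):  # constructed stand-in for the real POST
        captured.update(url=url, body=body)
        return {"data": {"type": "hunting_ruleset", "id": "constructed-id"}}

    deploy_ruleset(rule, "Follow: URLs downloading 2cb42e07", "unused-offline", post=record)
    return rule, captured


if __name__ == "__main__":
    rule, req = demo()
    print(rule)
    print(json.dumps(req, indent=2))
```

Passing a descriptive `name` and a distinct ruleset name is what makes the "Autogenerated" entries in the Livehunt dashboard easy to tell apart later, which is the renaming advice from the text applied at creation time.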

Livehunt dashboard

The Livehunt dashboard consolidates all your team's and your own Livehunt YARA rules in one place. We added three filtering options to help you quickly move around.
  • The first one filters rules by origin: created by yourself, created by other users in your VirusTotal group and shared with you, or "Autogenerated" through the IoC report's Follow option, as explained above.
  • The second filter searches for rulesets containing a specific substring in their name or anywhere else in the ruleset, including comments. For example, if we search for the hash of the file in the previous example (2cb42e07dbdfb0227213c50af87b2594ce96889fe623dbd73d228e46572f0125), we get the rule we just created. Note that VirusTotal automatically adds tags corresponding to the names of the rules in a ruleset, plus the "Autogenerated" tag if the ruleset was generated with the Follow option:
  • The third one filters by ruleset status (active or inactive).

The dashboard also shows whether each ruleset is active and which entity type it matches against. You can also see which users and groups the ruleset is shared with and, lastly, its number of matches; clicking it lists all matching IoCs in the IoC Stream.

Wrapping up

In the previous posts of our "Actionable Threat Intel" series we showed how to use the new YARA editor, how to deploy Livehunt rules from the editor either from templates or from scratch, and how to use Netloc to create network hunting rules; in this post we have seen how to track IoCs of interest with automatically generated hunting rules.
All these elements help us set up the monitoring rulesets we need to stay on top of our investigations or of any malicious activity set we are interested in. IoC Stream serves as a single repository that centralizes all our notifications, including those from hunting rules, IoC Collections and Threat Actor subscriptions.
Last but not least, we would like to especially thank our colleagues from Mandiant and all the security researchers who kindly offered to help during the early stages and beta testing, helping make Netloc hunting as good as possible:
    Paul Rascagneres (@r00tbsd), Volexity
    Ariel Jungheit (@arieljt), Kaspersky
    Marc Green (@green0wl), eBay
    Vitor Ventura, Cisco
    Markus Neis (@markus_neis), Arctic Wolf
    Matt Pierce, CrowdStrike
    Pasquale Stirparo (@pstirparo), Independent Researcher
    Tom Hegel (@TomHegel), SentinelLabs
We hope you find these features as useful as we do. If you have any questions or requests please do not hesitate to contact us.
Happy hunting!