Following MITRE's footsteps in analyzing malware behavior

The MITRE framework helps all defenders speak the same language regarding attackers' modus operandi. VirusTotal provides multiple data points where MITRE's Tactics and Techniques are dynamically extracted from samples when detonated in our sandboxes. In particular, samples' MITRE mapping can be found under the BEHAVIOR tab of a file's report. This data is searchable in VirusTotal Intelligence (VTI) with the help of a set of specific file search modifiers.

In this article, we'll illustrate how security analysts can leverage MITRE for malware detection and behavior-based hunting for ransomware and keylogger samples.

Hunting for Ransomware

The security industry historically identified a set of commonly used techniques in Ransomware campaigns, including inhibiting the system recovery and discovering local files and network shares for later data encryption, usually combined with exfiltration and/or Command and Control techniques.

Common TTPs of modern ransomware groups by Kaspersky

In VT Intelligence we can use 2 search modifiers to query files behavior mapped to MITRE ATT&CK:

• "attack_tactic" search modifier followed by the MITRE Tactic ID returns the list of files that, based on our sandboxes analysis reports, execute techniques under the specified tactic. For example:
  • attack_tactic: TA0040
  • attack_tactic: TA0007
  • attack_tactic: TA0010
  • attack_tactic: TA0011
• "attack_technique" search modifier followed by the MITRE Technique ID returns the list of files that, based on our sandboxes analysis reports, execute the specified technique. For example:
  • attack_tactic: T1490
  • attack_tactic: T1083
  • attack_tactic: T1135
  • attack_tactic: T1486

In addition to the "attack_tactic" and "attack_technique" modifiers, VirusTotal provides extra modifiers listed on the Appendix I - Behavior search modifiers for procedures-based queries at the end of this post.

Let's do an example. We want to find samples given a set of ransomware-related techniques combined with the "behavior:CryptEncrypt" operating system API call (check Appendix I for details). Additionally, we specify the entity we are interested in (files) and the first submission date (fs) to filter out files submitted before 2024-01-01.

The resulting query is as follows:

entity:file attack_technique:T1490 and attack_technique:T1083 and attack_technique: T1135 behavior:CryptEncrypt fs:2024-01-01+

Let's analyze in more detail one of the query's resulting files (35619594724871138875db462eda6cf24f2a462e1f812ff27d79131576cd73ab). According to the community, the file belongs to a BlackHunt Ransomware campaign threat that compromised multiple companies in Paraguay.

Its BEHAVIOR report tab, provides details on the techniques detected during sample's detonation:

• T1490 (Inhibit System Recovery), the sample deletes the shadow copies (as highlighted in the Capabilities section below) and it also modifies Windows boot settings via bcdedit.
  
• T1083 and T1135: The sample runs discovery processes to get system local files and directories, and also network shares.
  
• The encryption process is visible by the CryptEncrypt operating system API call, functionality provided by the Advapi32.dll, and visible under the file's DETAILS tab.
  

Hunting for Keyloggers

Keyloggers are a particular form of Spyware designed for stealing user data, that commonly share some MITRE Tactics, including collecting data and/or discovering data for later exfiltration and/or Command and Control communication.

For our VTI query we will specify the T1056.001: Input Capture: Keylogging sub-technique of the Collection tactic, which identifies keystrokes interception. Additionally, we use the first submitted time condition (fs) and both Command and Control or Exfiltration tactics (attack_tactic), since we are not really interested in restricting the way the data gets outside of the victim environment.

attack_technique:T1056.001 (attack_tactic:TA0011 OR attack_tactic:TA0010) fs:2024-02-15+

One of the retrieved files (975b67e75c046e95b1f418c2db85a726dc5d38c21853c5446393b9805c6d1bd5) with a 25 out of 71 AV detection ratio is cataloged as Remcos, a commercial Remote Access Tool with keylogger capabilities among many others, which has been used by several Threat Actors.

On its BEHAVIOR tab, we can see details on the keystrokes interception performed via polling method. The report also reveals additional functionality, including capturing screenshots, reading victims' clipboard and geographical location of the abused device.

Conclusions

In this post we have seen using a couple of examples how present the MITRE framework is on VirusTotal and how it can be used to search for files with a particular TTP-based behavior using VirusTotal Intelligence searches. MITRE-related data is based on behavior detected during samples' sandbox detonation.

We have additionally created an Appendix I (below) detailing some of the most interesting behavior-search modifiers you can use in your queries. This fits particularly well with other TTP-based modifiers, allowing you to refine results by adding particular technical characteristics specific for the malware under analysis.

We hope you found this post interesting and useful. For suggestions or feedback please feel free to reach out here, we will be happy to hear from you.

Happy hunting!

Appendix I - Behavior search modifiers

The following search modifiers provide a more granular way of searching files based on their behavior, allowing more restrictive queries while using Tactics/Techniques ("attack_tactic", "attack_technique") search modifiers.

• "behavior_processes": followed by the executable and parameters used to run during the sample dynamic analysis:
• behavior_processes:"\\vssadmin.exe delete shadows /all /quiet"
• behavior_processes:"wbadmin.exe delete catalog -quiet"
• behavior_processes:" tree c:\\"
• "behavior_injected_processes": followed by the executable name with or without extension:
• behavior_injected_processes:lsass.exe
• behavior_injected_processes:Wininit.exe
• "behavior_created_processes": followed by the executable name with or without extension:
• behavior_created_processes: Wininit.exe NOT name:Wininit.exe
• "behavior_services": followed by the service name to get files opening or deleting internal services:
• behavior_services: sysmon
• "behavior_registry": followed by a system registry key to check for new, deleted or modified registry keys:
• behavior_registry:"\Software\Microsoft\Windows\CurrentVersion\Run"
• "behavior_network": followed by an URL, domain or IP address to identify files communicating with those network elements:
• behavior_network:ip-api.com
• "behavior_files": followed by the file name with or without extension and/or path to identify files that were opened, written, deleted or dropped:
• behavior_files: "C:\ProgramData\Vaccine.txt"
• behavior_files: "\Microsoft\Windows\Start Menu\Programs\Startup\*"
• "behavior": all the previous search modifiers in the appendix can be replaced by this one. It matches against the whole file behavior report and provides a way to check for other data that doesn't have a specific search modifier assigned:
• API calls: Calls Highlighted subsection under Highlighted actions section of a file behavior report:
• behavior: CryptEncrypt
• behavior: IsDebuggerPresent
• behavior: IsWow64Process
• behavior: GetSystemMetrics
• behavior: GetAsyncKeyState
• Mutexes created or opened, under the Synchronization mechanisms & Signals section of a file behavior report:
• behavior:BLACK_HUNT_MUTEX
• Modules loaded section of a file behavior report:
• behavior:CRYPTSP.DLL
• "behavior_tags": followed by the tag of your interest to get files assigned with the indicated tag that you can check here.
• behavior_tags:detect_debug_environment