Tuesday, March 12, 2024

Know your enemies: An approach for CTI teams

VirusTotal’s Threat Landscape can be a valuable source of operational and tactical threat intelligence for CTI teams, for instance helping us find the latest malware trends used by a given Threat Actor to adjust our intelligence-led security posture accordingly. In this post, we will play the role of a CTI analyst working for a Singaporean financial institution.

As a first step, we search for threat actors that traditionally both targeted the financial industry and Singaporean companies.

TA505 and APT41 both match these requirements. For the moment let’s focus on TA505, which seems more active at the moment.

Understanding (TA505):

The Threat Actor card provides details on the actor, which seems to target organizations in the financial, healthcare, retail, and hospitality sectors across Europe, Asia Pacific region, Canada, India and the United States.

According to the description TA505 seems related to Dridex banking trojan and Locky ransomware activity.

In VirusTotal we can find two categories for TTPs:
- The First are TTPs directly ingested from MISP and MITRE.
- The second (called Toolkit TTPs) shows TTPs obtained from sandbox analysis of the IOCs related to a particular actor.

In this case, for TA505 we can find the following Toolkit TTPs:

The T1486 tactic (‘Data Encrypted technique for Impact') seems potentially related to the use of ransomware, such as Locky, by this actor. This seems like a good point for us to retrieve some fresh data and understand this actor’s recent activity. For instance, the following query provide fresh samples from the actor (samples submitted after January 1st, 2024) that use data encryption, and tagged as ransom by AVs:

Multiple of the returned samples belong to the “locky” Collection tagged as ‘locky’, which contains 510 files at the moment.

The Telemetry tab provides information about submissions and lookups, which helps us understand malware family’s distribution and timeframes of operations.

Tailoring defenses:

In addition, the Collection’s Rules panel provides details on crowdsourced Yara, sigma and IDS rules that match different indicators files in this collection.

In this case, the “win_locky_auto” yara rule matches almost all the files in this collection (505/510). This could help to enhance detection capabilities for this threat.

Collection’s commonalities refer to characteristics, behaviors, or technical attributes shared by a set of indicators, which helps to identify patterns. Let’s use this to create a new “Livehunt rule” to track this activity in the future. We will use only recent samples, we can filter them in the IOCS tab (“fs:180d+”):

Based on commonalities results, some useful information to create the livehunt rule may include:

  • File type: EXE and DLL formats.
    (vt.metadata.file_type == vt.FileType.PE_DLL or vt.metadata.file_type == vt.FileType.PE_EXE)
  • File size: Less than 1Mb.
    (vt.metadata.file_size < 1000000)
  • Main icon: Custom and specific icon.
    (vt.metadata.main_icon.dhash == "52c244c9a7a3998b")
  • Imphash: Hash value calculated from PE's import table, that could be matching some locky samples.
    (vt.metadata.imphash == "31553623c43827d554ad9e1b7dfa6a5a")

  • Sandbox attack techniques: Detect T1486 Encryption Data technique.
    (for any tec in vt.behaviour.mitre_attack_techniques: (tec.id == "T1486"))
  • Command execution: Identification of possible rescue note and background set.
    (for any ce in vt.behaviour.command_executions: (ce icontains "\\Desktop\\*.txt" or ce icontains "\\Desktop\\*.bmp"))
  • Memory patterns: Specific patterns observed in locky samples that could be reused.
    (for any mem in vt.behaviour.memory_pattern_urls: (mem icontains "checkupdate" or mem icontains "userinfo.php"))

Remember you can always follow Threat Actor and/or collections and receive fresh new IOCs through the IoC Stream.

Wrapping up:

Threat Landscape empowers CTI teams with insights for prioritizing threats, understanding threat actors and tracking their operations pivoting between Threat Actors <=> Collections <=> IOCs. This provides actionable details based on the technical capabilities of the malware used in these campaigns, including a set of TTPs based on sandbox detonation that we can use both for hunting and monitoring. Collections also provide “Commonalities” on different indicators, including which crowdsourced rules better detect them. This helps us to quickly create effective monitoring and hunting strategies for malware families and threats actors, as well as effective protections adjusted to recent campaigns and malicious activity.

If you have any suggestions or want to share feedback please feel free to reach out here.

Happy Hunting!


Post a Comment