Tracking Malicious Files with Favicons

In today's post, we're diving into the world of favicons and their role in malware detection with VirusTotal Enterprise. If you read my last blog, you'll remember we explored using VirusTotal Diff to track down new iterations of DarkGate malware. Though it might seem like I live and breathe VirusTotal, I assure you there are other tools I use. However, I do find these ad-hoc workflows interesting, and although I rarely document them, I'm making another post. Imagine you're part of a product company that distributes a high volume of binaries, software, and various other items across a vast number of websites. Often, third-party partners host legitimate versions of these products on their sites, and those pages get SEO boosts. Unfortunately, this widespread distribution gives attackers a chance to mimic your products by using similar file names and even your company's favicon to deceive users. This is by no means a novel or new technique; in fact, it's quite trivial in my opinion, w

VirusTotal Enterprise - Starting Workflow


In 2023, I set out to write a personal blog every four months but didn't quite meet that goal. Reflecting on the year, it's amusing to think I attributed this to writer's block. My role in threat intelligence and working with an advanced pursuit team involves crafting internal reports and advisories. Realizing this could have been a goldmine for blog content, I'm reminded of one of my favorite quotes, "I'm going to make this way harder than it needs to be." So, let's dive in.

I frequently utilize what I term 'open source databases' – resources like Shodan, Censys, VirusTotal, and AbuseIPDB. These databases provide intelligence on various artifacts, with limitations typically based on the account type (free, verified, or paid). Today, I want to focus on how I leverage VirusTotal Enterprise in my daily workflow.

Before we delve deeper, a quick tip: check the VT Enterprise Group tab under your profile to monitor your monthly usage. These resources reset monthly, and unused ones are lost. Given the cost of VT Enterprise, maximizing its use can be beneficial.




Protip: Keep a private browser open with VT for ad-hoc searches to conserve your search quota.

VirusTotal Diff

During September and October of 2023, Teams phishing campaigns distributing DarkGate began to surface. Intrigued by this method, I used VirusTotal to obtain and analyze samples. By pivoting from one VirusTotal sample, I identified others and used VirusTotal Diff to find patterns shared between the binaries. This process included four samples and excluded nine, which improved the accuracy of the patterns identified. The exclusions, which are often false positives and may require running multiple Diffs, are crucial for setting up efficient VirusTotal Livehunt monitoring.



Diff compares samples and identifies specific byte sequences they have in common, whether binary, ASCII, domains, etc. We can then use these sequences with VirusTotal's content search feature, which allows searching across various formats. This helps identify non-malicious samples that share similarities with known threats, so we can focus on genuine risks.

Using the screenshot above, here is an example of a content search that will return any file in the VirusTotal database with a match. These searches can be created automatically by selecting the magnifying glass. It's important to note that you don't need to start with a Diff to create content searches.



Having identified a potential new threat and commonalities between the 4 files, we can now set up monitoring for new samples (or old with Retrohunt) using this information.

VirusTotal Livehunt

Analyzing the matched patterns from Diff, we can establish monitoring with a Yara rule in VT Livehunt. A useful aspect of VT's Yara module is that vt.metadata.new_file lets a rule fire only on files new to VirusTotal, avoiding repeat notifications when an already-seen file is uploaded again. Testing and refining these Yara rules against new IOCs and uploaded files helps ensure they remain effective.
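As an added example (not a rule from the original post), this is the shape of a Livehunt rule that turns Diff output into monitoring; the rule name is hypothetical and the byte and string patterns are constructed placeholders standing in for whatever Diff reports.

```yara
import "vt"

// Added example: skeleton of a Livehunt rule built from patterns found
// with VirusTotal Diff. The $pattern_* values are constructed
// placeholders, not real DarkGate indicators.
rule DarkGate_Diff_Pattern_Watch
{
    meta:
        description = "Hypothetical Livehunt rule: byte sequences shared by a Diff of four samples"
        author = "example"

    strings:
        // Placeholder byte run of the kind Diff reports (constructed)
        $pattern_bytes = { 48 8B 05 ?? ?? ?? ?? 48 85 C0 }
        // Placeholder ASCII/wide artifacts, e.g. a shared path or string (constructed)
        $pattern_str1 = "placeholder-string-from-diff-1" ascii
        $pattern_str2 = "placeholder-string-from-diff-2" ascii wide

    condition:
        // Fire only on files new to VirusTotal, so a re-upload of a sample
        // already in the database does not produce a repeat notification
        vt.metadata.new_file and
        // Restrict to PE files: the DOS "MZ" header read as a little-endian uint16
        uint16(0) == 0x5A4D and
        // Require the byte pattern plus at least one of the string artifacts
        $pattern_bytes and 1 of ($pattern_str*)
}
```

The vt.metadata.new_file term is only meaningful in Livehunt; drop it when running the same rule over historical files with Retrohunt.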




With Livehunt, as matches appear, it's essential to thoroughly investigate each one. In my case, initial matches on DarkGate led to some irrelevant findings, indicating a need to refine the Yara rule. When genuine DarkGate detections are found, further analysis can enhance the rule with additional indicators.

Conclusion

To finish this blog off: to some, this might seem a bit oversimplified, but this is similar to the use case through which I started learning VirusTotal Enterprise. It's just one small example that can serve as an introduction to this powerful resource. These steps can also be expanded on to identify new and old TA networking infrastructure, additional payloads, campaigns, TTPs, and other intelligence facets.

Experimenting with these technologies has continually helped improve my workflow and enables me to enhance our proactive security measures. 

I hope this post offers valuable insights or sparks curiosity in leveraging VirusTotal. 



DarkGate Hashes - Included
  • aca769d607eca30fba616eeb60798feae8036acda5e2367c3e63db5c4f3de1fa
  • ffd3edf21e63fee92fb9babbf56ccaddf2d78f58caeb6e6985a25aa4b8c519f1
  • b748f0204e3dffc3ba9765065494aa0c21eb833223edd7369ab0aac8b455888a
  • 2c93c63e41f639a3a5c3d0c3dc292ebc7c7e80c27accb441408823dd119837f9


DarkGate Hashes - Excluded
