Tracking Malicious Files with Favicons


In today's post, we're diving into the world of favicons and their role in malware detection with VirusTotal Enterprise. If you read my last blog, you’ll remember we explored using VirusTotal Diff to track down new iterations of DarkGate malware. Though it might seem like I live and breathe VirusTotal, I assure you there are other tools I use. However, I do find these ad-hoc workflows interesting, and although I rarely document them, I'm making another post.

Imagine you’re part of a product company that distributes a high volume of binaries, installers, and other files across a vast number of websites. Often, third-party partners host legitimate copies of these products on their own sites, which also boosts their search rankings. Unfortunately, this widespread distribution gives attackers an opening to mimic your products by using similar file names and even your company's favicon to deceive users. This is by no means a novel technique; it is quite trivial, and many malware families use it as a means of initial access.

To kick things off, we need to pinpoint a handful of legitimate samples and identify the features they have in common. Keep in mind that the hash values associated with your favicon will likely vary significantly across builds, so the approach must be broad enough to capture as many variations as possible. Searching on the digital signature is usually effective, since any legitimate binary should be signed by the company.


This blog uses CCleaner as an example, focusing on its developer's signature.


Next up, let’s talk about how we can leverage the favicon metadata to our advantage. By running an Intelligence search through the VirusTotal API on the signature, we retrieve the file hashes of signed samples. These hashes are key to our next step: using the file lookup endpoint to pull the favicon metadata (the main icon hash) for each one.

Here's an example straight from the docs: https://docs.virustotal.com/reference/intelligence-search



For our example, we've chosen to limit our focus to just five samples to keep things manageable. However, in a real-world application, don’t hesitate to cast a wider net. The more data you can gather, the better—there's no need to restrict yourself unnecessarily.

Next, we’ll dive into retrieving the favicon metadata. It is returned in the JSON file object when you look up each file hash, alongside the PE version information. This step is crucial, as these two pieces of data are what let us distinguish legitimate files from spoofed ones.

  • 1d94c15cc7d2b3cc3bdd8422b2bb271eff00d07cf77ddcb0cb445ee751784cde
  • 582e49708ed8355c675e3ae1e8644ad4a084608bb307e68a6da6c6e67b44be73
  • 4046b929f32149564a24bb7a6b284b79aeabf243c2f4367520b64fc95b4a03f3
  • 759e5039e9c8da655411ef569a6b4530b86d8f9559a8fa9df726e11a23c94c8b
  • fa7029e32ab909cf1cb9dfcfbefa5717d503b9ac8219c1b09f9ef7653c276fad

From this query, we should expect to see just two unique favicon hash values. Alongside these, we’ll uncover other useful bits of common information. For instance, both hash values are associated with products signed by Piriform Software (CCleaner and Recuva). This detail not only helps in verifying the authenticity of the files but also shows how these applications are represented across different builds and products.

  • c1c0d0989cf2f078 - Recuva
  • c2d190b8bc9edccc - CCleaner

Incredible, right? But the critical question is, how do we operationalize this information? You guessed it, let’s pivot into Livehunt to create some proactive monitoring rules with the data we've collected. Here’s how to build an effective rule:

  • Include all the unique favicon hashes—This ensures that any file associated with these hashes will be detected.

  • Exclude metadata tied to legitimate applications—By filtering out data related to the genuine software, we reduce noise and focus more accurately on potential threats.

  • Target only new file submissions to VirusTotal—Focusing on new submissions limits our data set and saves us time on analysis. 

 

To create our rule we will use the IoC structure view. Essentially, it lets us browse a hash value's metadata and click any field to add the corresponding syntax to the Livehunt rule.

 

To start, we will open the hash below, search its IoC structure for dhash, and click to add it.

  • 1d94c15cc7d2b3cc3bdd8422b2bb271eff00d07cf77ddcb0cb445ee751784cde

 




While in this case we're only dealing with two unique favicon hashes, which is feasible to manage manually, there are scenarios where you might encounter lists with over 100 unique hashes. For those heavier tasks, CyberChef is an invaluable tool. Below, I’ve shared the recipe I use to streamline this process.



CyberChef - Format Favicons


Now that we’ve listed the favicon hashes, our next step is to pull the metadata from the legitimate samples. We'll identify key values, such as the Company Name and Legal Copyright, and exclude these from our detection parameters. This can be done efficiently from the Indicator of Compromise (IoC) structure view, allowing us to refine our monitoring rule to focus strictly on potential threats.

 

I know, what is this? I thought it was called IOC structure


Structuring it a little more: don't be afraid to look at public repos of VT YARA rules when figuring out the syntax.


 


Next, we’ll use the vt.metadata.new_file filter to ensure our Livehunt rule only triggers for newly uploaded files. The reasoning is that once a malicious file has been identified, there’s little benefit in receiving repeated alerts for the same file. In my experience, every Livehunt rule I've crafted, both the effective and the not-so-effective, starts out with a lot of noise, and this approach has been my preferred method to minimize it.

For those who need a broader scope or are dealing with different scenarios, adjusting the filter to something like vt.metadata.times_submitted might be more suitable.

Congratulations! We should now have a Yara rule that looks something like this.



 

Make sure to take the originally identified hash values and run them as a test against the newly created YARA rule. Because we started with legitimate files, we essentially wrote a detection that should not alert on them; if you do get matches, take the time to figure out why and whether there's a way to tune them out.
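As an added example (not the post's own code, and not VirusTotal's), here are the steps above collapsed into one Python script: it pulls the favicon dhash and publisher version info out of VirusTotal v3 file objects (constructed stand-ins here, since the live Intelligence search, e.g. a signature: query, and the per-hash lookups need an Enterprise key), normalises a pasted dhash list the way the CyberChef recipe would, generates the Livehunt rule, and mirrors the rule's condition in plain Python so the legitimate seed samples can be checked against it before saving. The VT field and module names (attributes.main_icon.dhash, attributes.exiftool, vt.metadata.new_file, vt.metadata.main_icon.dhash, vt.metadata.exiftool[...]) are taken from VirusTotal's documentation as I understand it; the rule name, the copyright string, the "Ltd" suffix and the impostor sample are made up, while the two dhash values and the SHA-256s are the ones listed in this post.

```python
"""Favicon pivot: turn VirusTotal file metadata into a Livehunt rule and pre-check it."""
import re

# Constructed stand-ins for VirusTotal API v3 "GET /files/{sha256}" responses, trimmed
# to the attributes this workflow reads. Field names follow the v3 file object
# (attributes.main_icon.dhash, attributes.exiftool); values other than the dhashes are illustrative.
PUBLISHER = "Piriform Software Ltd"
NOTICE = "Copyright (c) Piriform Software Ltd"   # constructed, not the real LegalCopyright string

def _resp(sha256, dhash, product):
    attrs = {"exiftool": {"CompanyName": PUBLISHER, "LegalCopyright": NOTICE, "ProductName": product}}
    if dhash:
        attrs["main_icon"] = {"dhash": dhash}
    return {"data": {"id": sha256, "attributes": attrs}}

SAMPLE_RESPONSES = [
    _resp("1d94c15cc7d2b3cc3bdd8422b2bb271eff00d07cf77ddcb0cb445ee751784cde", "c2d190b8bc9edccc", "CCleaner"),
    _resp("582e49708ed8355c675e3ae1e8644ad4a084608bb307e68a6da6c6e67b44be73", "c2d190b8bc9edccc", "CCleaner"),
    _resp("4046b929f32149564a24bb7a6b284b79aeabf243c2f4367520b64fc95b4a03f3", "c1c0d0989cf2f078", "Recuva"),
    _resp("759e5039e9c8da655411ef569a6b4530b86d8f9559a8fa9df726e11a23c94c8b", None, "CCleaner"),  # no icon
]

# A dhash list as it might be pasted from the IoC structure view (constructed):
# mixed case, trailing labels, a duplicate and a non-hash line.
PASTED_DHASHES = """
c1c0d0989cf2f078 - Recuva
C2D190B8BC9EDCCC - CCleaner
c2d190b8bc9edccc
not-a-hash
"""

# Constructed impostor: CCleaner's favicon, none of the publisher's version info.
SPOOF_ATTRS = {"main_icon": {"dhash": "c2d190b8bc9edccc"},
               "exiftool": {"CompanyName": "Example Installer Co", "ProductName": "CCleaner Pro"}}

def parse_pasted_dhashes(text):
    """Sorted, unique, lowercase 16-hex dhashes from a pasted list (the CyberChef step)."""
    return sorted({m.group(0).lower() for m in re.finditer(r"\b[0-9a-fA-F]{16}\b", text)})

def extract_favicon_metadata(responses):
    """Map each favicon dhash to the products seen with it; collect publisher strings to exclude."""
    products_by_dhash, companies, copyrights = {}, set(), set()
    for resp in responses:
        attrs = resp["data"]["attributes"]
        exif = attrs.get("exiftool", {})
        if exif.get("CompanyName"):
            companies.add(exif["CompanyName"])
        if exif.get("LegalCopyright"):
            copyrights.add(exif["LegalCopyright"])
        dhash = attrs.get("main_icon", {}).get("dhash", "").lower()
        if not re.fullmatch(r"[0-9a-f]{16}", dhash):
            continue  # VT extracted no usable icon for this file; nothing to pivot on
        products_by_dhash.setdefault(dhash, set()).add(exif.get("ProductName", "?"))
    return products_by_dhash, companies, copyrights

def _q(value):
    """Quote a value as a YARA string literal."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def _excl(field, value):
    # Guard with `defined`: a missing exiftool key is undefined in YARA, and
    # `not undefined` is still undefined, which would silently stop the rule firing.
    ref = f'vt.metadata.exiftool["{field}"]'
    return f"(defined {ref} and {ref} contains {_q(value)})"

def build_livehunt_rule(name, dhashes, companies, copyrights):
    """Rule text: a new submission carrying one of our favicons but none of the
    publisher's version-info strings. Module attribute names assumed from the VT docs."""
    sep = " or\n            "
    icons = sep.join(f"vt.metadata.main_icon.dhash == {_q(d)}" for d in sorted(dhashes))
    legit = [_excl("CompanyName", c) for c in sorted(companies)]
    legit += [_excl("LegalCopyright", c) for c in sorted(copyrights)]
    return ('import "vt"\n\n'
            f"rule {name}\n{{\n    meta:\n"
            '        description = "Known favicon on a new submission without the legitimate publisher version info"\n'
            "    condition:\n        vt.metadata.new_file and\n"
            f"        (\n            {icons}\n        ) and not\n"
            f"        (\n            {sep.join(legit)}\n        )\n}}\n")

def mirrors_condition(attrs, dhashes, companies, copyrights, new_file=True):
    """Plain-Python mirror of the generated condition for pre-checking the seed samples.
    It is not YARA; still test the saved rule inside VT."""
    exif = attrs.get("exiftool", {})
    dhash = attrs.get("main_icon", {}).get("dhash", "").lower()
    looks_legit = (any(c in exif.get("CompanyName", "") for c in companies)
                   or any(c in exif.get("LegalCopyright", "") for c in copyrights))
    return new_file and dhash in dhashes and not looks_legit

def seed_samples_are_excluded(responses, dhashes, companies, copyrights):
    """True when none of the legitimate seed samples would fire the rule."""
    return not any(mirrors_condition(r["data"]["attributes"], dhashes, companies, copyrights)
                   for r in responses)

if __name__ == "__main__":
    by_dhash, companies, copyrights = extract_favicon_metadata(SAMPLE_RESPONSES)
    dhashes = set(by_dhash) | set(parse_pasted_dhashes(PASTED_DHASHES))
    print(build_livehunt_rule("Spoofed_CCleaner_Favicon", dhashes, companies, copyrights))
    print("seed samples excluded:", seed_samples_are_excluded(SAMPLE_RESPONSES, dhashes, companies, copyrights))
    print("impostor matches:", mirrors_condition(SPOOF_ATTRS, dhashes, companies, copyrights))
```

Two caveats worth keeping in mind when you adapt this. First, the `defined` guard matters: if an impostor ships with no version info at all, a bare `not vt.metadata.exiftool["CompanyName"] contains "..."` evaluates to undefined and the rule never fires for exactly the files you most want to see. Second, the exclusion is only as strong as the strings it keys on; an attacker who copies the CompanyName and LegalCopyright along with the favicon slips past it, so treat the exclusion as a noise filter and fall back on the signature check from the first step when triaging hits. Drop the Recuva dhash from the set if, as the post suggests later, you want the rule scoped to CCleaner only.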

 


Now it’s time to save the Livehunt rule designed to detect newly uploaded files spoofing 'CCleaner'. Among our identified favicons, we know that the hash c2d190b8bc9edccc is genuinely used by CCleaner, while c1c0d0989cf2f078 belongs to Recuva. Initially, alerts will indicate matches for both favicons. However, since our goal is to specifically target files impersonating CCleaner, we will likely want to remove the Recuva favicon hash from the YARA rule to improve its accuracy.

When dealing with larger sets of favicons, a similar process is advisable. Let the rule operate for 24 hours and then review the IoC stream. This will help you visually confirm which favicons align with the legitimate CCleaner favicon and easily identify which favicons do not.



 

After identifying malicious files, you might consider diffing them collectively to establish more targeted Livehunt rules. This could further enable you to track down adversary infrastructure, perhaps using tools like Validin or Shodan to pivot on network artifacts. Additionally, this approach might reveal the origins of these malicious files, potentially from a phishing campaign, a malicious website, or SEO poisoning.

The results can be operationalized in numerous ways to suit your specific use cases. As with my previous blog, the purpose here is to demonstrate a practical application of VirusTotal and my methodologies, providing a medium-level overview of use.

If you're not yet familiar with how to work with VirusTotal metadata, I recommend exploring the File/Networking section under LiveHunt in the documentation. For more detailed guidance, check out the VirusTotal docs on writing Yara rules for LiveHunt: Writing Yara Rules for LiveHunt.
