Virustotal Shares New Ideas to Track Threat Actors

by Esmeralda McKenzie
Virustotal Shares New Ideas to Track Threat Actors

Virustotal Shares New Ideas to Track Threat Actors

Virustotal Shares Fresh Tips to Notice Likelihood Actors

In a most novel presentation at the FIRST CTI in Berlin and Botconf in Good, VirusTotal unveiled revolutionary tips on how to discover adversary activity by focusing on pictures and artifacts dilapidated right via the preliminary stages of the murder chain.

This methodology targets to toughen threat making an are attempting and detection engineering by inspecting samples built within the weaponization and provide phases.

Traditionally, threat making an are attempting and detection engineering hang focused on the latter stages of the murder chain, from execution to actions on dreams.

Right here’s on account of the abundance of files on hand in these phases, making it more straightforward to gape for clues the usage of endpoint detection and response (EDR), security knowledge and occasion management (SIEM), and various alternate choices.

Phases of the murder chain are categorized by their emphasis on threat making an are attempting and detection engineering.
Phases of the murder chain are categorized by their emphasis on threat making an are attempting and detection engineering.

VirusTotal’s original methodology makes a speciality of detecting suspicious Microsoft Bother of business paperwork (Observe, Excel, and PowerPoint), PDF files, and emails.

Analysts can immediate name doable threats by leveraging colours in most cases dilapidated in threat intelligence platforms—inexperienced for benign and red for malicious.

Exploring Embedded Details in Bother of business Paperwork

When a Microsoft Bother of business file is created, it generates a series of embedded XML files containing knowledge about the file.

VirusTotal has identified three styles of embedded files inside Bother of business paperwork that would possibly also be in particular important for threat making an are attempting:

  1. Photos: Normally dilapidated by threat actors to originate paperwork appear legitimate.
  2. [Content_Types].xml: Specifies the relate material kinds and relationships right via the Bother of business Birth XML (OOXML) file.
  3. Kinds.xml: Stores stylistic definitions for the file, providing constant formatting directions.
Preference of samples per actor right via the scope
Preference of samples per actor right via the scope

VirusTotal hypothesizes that if malicious Microsoft Observe paperwork are copied and pasted right via the weaponization course of, the hashes of the [Content_Types].xml and styles.xml files will likely remain the same.

APT28 – Photos

APT28 has been found to reuse pictures across assorted provide samples.

As an illustration, an describe of a hand dilapidated in false Observe paperwork for resort reservations used to be identified in a pair of paperwork over quite loads of years.

Photos shared in a pair of paperwork by APT28
Photos shared in a pair of paperwork by APT28

SideWinder – Photos

SideWinder, incessantly referred to as RAZER TIGER, has reused pictures of their operations against militia targets in Pakistan.

One indispensable instance is the signature of Baber Bilal Haider, dilapidated in a pair of paperwork.

Two assorted samples of RAZOR TIGER fragment the same describe of a handwritten signature
Two assorted samples of RAZOR TIGER fragment the same describe of a handwritten signature

Gamaredon – [Content_Types].xml and styles.xm

Gamaredon has reused styles.xml and [Content_Types].xml files in assorted paperwork, revealing original samples.

VirusTotal’s retrohunt identified patterns in these files, leading to the discovery of additional malicious paperwork.

[Content_Types].xml shared in a pair of paperwork by Gamaredon Group
[Content_Types].xml shared in a pair of paperwork by Gamaredon Group

AI to the Rescue

VirusTotal utilized the VirusTotal API to get and unzip a diagram of Bother of business paperwork dilapidated for provide, obtaining all embedded pictures.

They then dilapidated Gemini to automatically checklist these pictures, helping within the identification of suspicious paperwork.

Results obtained with Gemini after processing some of the embedded pictures within the paperwork dilapidated by the threat actors
Results obtained with Gemini after processing some of the embedded pictures within the paperwork dilapidated by the threat actors

PDF Paperwork and Email Details

Unlike Bother of business paperwork, PDF files make not have embedded XML files or pictures. However, Adobe Acrobat Reader generates a thumbnail of the first web page in BMP format, which is able to be dilapidated for pivoting.

VirusTotal demonstrated this with examples from the Blind Eagle threat actor and phishing activities focused on Tinkoff Financial institution.

PDF BMP FilesEmail files in most cases encompass company logos to deceive victims.

VirusTotal identified quite loads of mailing campaigns by leveraging these pictures, at the side of campaigns impersonating universities and companies.

Email impersonating a Chinese group the usage of the company label within the footer
Email impersonating a Chinese group the usage of the company label within the footer

VirusTotal’s revolutionary methodology to monitoring threat actors by inspecting artifacts linked to preliminary spreading paperwork provides a treasured addition to dilapidated making an are attempting ways.

By incorporating AI and focusing on embedded files and pictures, analysts can toughen their capability to observe and name doable threats.

Source credit : cybersecuritynews.com

Related Posts