Lurking threat actors and targets with VT

Lurking threat actors and targets with VT

Intro

Tracking malware actors and targets is not an easy task, so if you have a VirusTotal account with private API capabilities, I will provide you some tips and tricks to set up your control panel. We will use the ELK stack, some Python and lot of Yara rules.

Get your hands dirty with Nutella

First of all, you will need to write some Yara rules to feed our system, I will show you some examples:

rule new_suspicious
{
  condition:
    
    new_file and file_type contains "pe" and positives < 8 and positives > 3 

}

This example will track:

Actually, we can optimize much more this rule in order to focus on specifics threats.

rule mail_es
{
  strings:
    $a = "To: " nocase ascii wide
    $b = ".es" nocase ascii wide
    $c = "Subject: " nocase ascii wide
  condition:
    new_file and file_type contains "email" and @a < @b and @b < @c
}

This second example is pretty simple, you will track:

import requests

url = "https://www.virustotal.com/api/v3/intelligence/hunting_notifications"

params = {'apikey': '<apikey>'}

response = requests.request("GET", url, params=params)

We will receive the details related to the samples; we will need to use the cursor parameter to iterate all the notifications.

      "attributes": {
        "body": "",
        "date": 1553732253,
        "subject": "mail_es",
        "tags": [
          "feed",
          "mail_es",
          "1245d5d1454ab86f35b1019ee9cd6b6d2aa028d1400e3353305b1a1dc638ad25"
        ]
      }

We get the hash from the tags in order to perform a second query to VT, for this it is important your API key allows you to fetch all the fields are interesting for us.

What is source id? If you are familiar with VT you may realize that you in each report will find a ‘Submissions’ tab. This tab shows information about when and from where was uploaded the sample.

DateFile nameSourceCountry
2019-03-28 06:28:516700138a1a85c39 (api)US
2019-03-29,10:35:10malwarefa8be158 (web)UK

In this table we can see the “6700138” file was uploaded via API (it maybe also possible email, web or community) on 2019-03-28 by a user located in US (or using an IP Address from US).

But what is that source? Okay, this is getting interesting. VT doesn’t want to save the IP address of a submitter, but at the same type this attribution is very interesting for researchers, so VT assign an id to each user they can recognize as the same submitter and they call it source.

If we have the right permissions, we will be able to query all this data to VT via API, that means we will collect not only the files matching our Yara rules, but also some metadata related to the origin/target of the malware samples.

Let’s talk about origin. Advanced actors may never upload the samples directly to VT, because they may expose their samples too much and the AV engines will be able to detect them before they spreads the final binary. However, I found some actors are uploading malware samples to VT and tweaking their samples to decrease detections, in some cases until they become almost undetected.

If we are able to collect several source_ids, and store into our database, we will be able to:

What about the target? The second rule checks for new emails uploaded to VT received by users under a .es domain, so that might allow us to:

However, the source_id may change within the time frame we are researching. With email-based yara rules is not an issue, because each email has the destination address, but in the case of binaries it may be complicated to track the authors along the time. Fortunately, we can reuse the information we collected from the actor, and in some cases, we will be able to extract characteristics like imphash, entrypoint address, linker version, … that will help us to track new source_ids related to the actor.

I have been using Yara for tracking some interesting submissions since September 2018, but I set up my new environment by December 2018, so today I have collected close to 300k submissions with very interesting metadata.

Histogram

Most of the submissions I captured are PE files, x86 using different kind of linkers, but mostly Visual Studio.

StaticStats

Let’s review a few simple examples of sample based on my Yara rules.

After playing and pivoting with my data I found a source_id in US submitting the following files between Feb 19 and Feb 21:

TimeMD5First name
February 21st 2019, 00:01:46.000345e2e55f48b64d697e3dfee8b9a2fe4mypc2.exe
February 20th 2019, 23:37:58.000beeaecf669e7f8e7e5a7094c0fbe1da3mypc.exe
February 20th 2019, 23:15:32.0005b8dfc5e482d6816cdd6a5d024b92fadmalware_dd_imp2_pad_04res.exe
February 20th 2019, 21:31:37.000a7a5046c5c36f4648e8b432009d8717amalware_dd_imp2_pad_06
February 20th 2019, 21:21:41.0005d8f025d942dbe92ae905a65fac75125malware_dd_imp2_04
February 20th 2019, 06:35:14.0002c6187ca6d158fc77eb72db29c8558dcmalware_dd.exe
February 19th 2019, 23:01:01.000b390cb55e962296d128572a1c3acbc91osk_dd2.exe
February 19th 2019, 22:39:57.000a4aba6a64d09c7002147c4489cd08852osk_pad_fi_2.exe
February 19th 2019, 22:09:59.00000700a525d1dcdffd7aac5cbf82467ccosk_pad_fi.exe

It is obvious this is not a user or an organization trying to get results for a suspicious file, it may be an actor or a researcher trying to avoid AV detections.

Here we have another example from the Philippines, this one is having fun.. LOL!

TimeEntryPointMD5First name
February 20th 2019, 10:44:14.0000x8b56b337842ac26256c9c922c8446392833eInsaneHackerGame.exe
February 16th 2019, 14:49:13.0000x8b5608c84376698550e736308e9b8b21e0e1ServerSecurityActiveLogin.exe
February 15th 2019, 12:18:57.0000x8b56a0e2d1a90871c4656adf2ee79a5aa0e6lol.exe
February 15th 2019, 03:52:22.0000x8b56e99d2f626d1494a88d5f74535c38c6c9ServerDataUltraSecurity.exe

Let’s review a source_id from Spain submitting files, in the last version we can see the EntryPoint changes respect to the previous versions. In one of the submissions we can appreciate the username “director1”:

TimeEntryPointMD5First name
February 4th 2019, 13:44:17.0000x4a0c0ffe83c8f462d6d3a752689ff19b1a873rentacert.exe
January 31st 2019, 22:52:13.0000x1596f63f0dbf5b590dd95056da010d638214fC:\Users\director1\rentacert(4).exe
January 29th 2019, 19:00:10.0000x1596fa53d1c26ce6529829580b0e75097ba07avanzada.exe
January 21st 2019, 20:17:05.0000x1596fff4da2037b978b50408d36eab57c608cavanzada.exe
December 18th 2018, 12:07:52.0000x1596f8344bdee57110fe259729fe3a49036e9avanzada.exe
December 17th 2018, 00:13:47.0000x1596f0415275894d2141fab0a3aaebd6c300favant.exe

Going back to the email-based Yara rules, with my rules I received files from different sources: API, email and web, mostly related to exploits and most of them submitted by users from Germany.

Sources

Categories

Map

Conclusion

VT is a fantastic tool for tracking targeted malware from both perspectives, actor and a target.

Resources

Back