Alexey Firsh – WindowsTechs.com

Threat Hunting with VirusTotal – Episode 2

Posted on March 7, 2023 by Alexey Firsh

Last week we conducted the second episode of our “Threat Hunting with VirusTotal” open training session, where we covered YARA services at VirusTotal. We focused on practical aspects of YARA rules providing real life examples of infamous malware and historical APT attacks. You can find the video recording on Brighttalk and Youtube, as well PDF version of the slides, where you can quickly copy-paste interesting rule patterns and explore attached documentation links.
As in our previous session we received lots of inquiries that we decided to cover separately in this blog post.

1. Can you explain a bit more on the water mark usage in docs. How can we hunt using this? Also, how can we create a watermark as well?
As a quick example, here is the article describing the process of adding an invisible watermark in a PDF document. You can deploy a Livehunt YARA rule detecting this watermark and be notified every time your document is uploaded to VirusTotal.

2. Do you have tools helping you write YARA rules to find more easily nested item properties and syntax linting?

Recently we introduced a new YARA editor with pop-up suggestions, rule templates and new syntax highlighting, it’s live on both Retrohunt and Livehunt, check it out!

Also you can leverage VT Diff to help you find the most relevant entities to detect.

New YARA rule editor was deployed recently on Retrohunt/Livehunt

3. Whom to reach out for accidentally uploaded sensitive files removal?

The official (and by far) fastest way is making request to our tech support, also available for any other technical questions.

4. Is VT aware of CrowdStrike’s new memory scanning feature? Can we hunt process injected codes?

Scanning Memory dumps with YARA is something we are working in, so stay tuned for the latest updates in our social media and VT blog.

5. When might we expect to be able to search further back than a year in Retrohunt?

We are now collecting customers’ feedback on this feature. If you are interested, please feel free to submit this form (visible after checking the “Full history” option) or to directly reach out.

Express your interest in Full History Retrohunt

6. Are there courses for learning YARA that you recommend? Does Virustotal provide some kind of training for this subject? Is it free or paid? Do you suggest some kind of training to become a threat hunter?

Thank you for your interest! We are working on that kind of trainings and trying to find the best approach to deliver such content, stay tuned! At the moment, you can check out our Youtube channel for a number of tips & tricks videos as well as VirusTotal walkthrough materials. Plus, we have a dedicated “Applied YARA training”.

7. Is VirusTotal planning to implement a built-in YarGen capability? So I can just search for samples, check which ones I want a rule for, and then create a rule?

You described the functionality of our own diff tool and YARA generator that we called VT Diff. You can find the quick demonstration at the end of the training session, as well as documentation provided here.

8. Would be nice to have an option to remove hits from VT Diff results that are clean codes from libraries, just like yarGen. Just an idea to consider 🙂

How can we delete/edit/update Diff results?

Thanks for your request! We will check this out.

9. Does VTDiff have limitations on what file types it can accept? For example, when I try to create a VTDiff session for OneNote extensions, with file type “.one” I get an error. But I don’t get an error when creating a separate search for .exe files.

That depends on the specific error, but I assume you are getting “Need to give exclusion list for filetype one” error. Please check this manual for a quick fix.

10. How would you adjust the rule “SUSP_NVIDIA_Leak_Compromised_Cert_Mar22_1” if the timestomping was involved? Not sure if that can play a role based on the intel.

Compilation timestamp check is a nice way to filter out False Positives, but not the only one. If you want to avoid timestomping, you might want to use another legitimacy indicator, it could be the first submission date to VT (vt.metadata.first_submission_date) or any other signatures you find relevant to the original Nvidia software.

Rule to detect files signed with Nvidia leaked certificates

11. Can we use wildcards/regex while searching with the VT YARA module?

Absolutely! You are free to use wildcards for hexadecimal strings and regular expressions for text strings, just as in regular YARA.

12. Can we expect to have the macho YARA module for Livehunt/Retrohunt rules?

Historically there were a couple of security issues with this module, preventing it from being included in YARA distributions. Recently they’ve been fixed and we are now considering the possibility to include it in Livehunt/Retrohunt services.

13. Are you planning the next episode?

Yes, our open training will be delivered quarterly.

14. When you have samples that have come back from a YARA rule, what is the best way to investigate them and check their relevance? Behavior tab? Content?

That depends on the specific samples. If we are talking about some short script you can instantly check its relevance in the Content tab. If it’s a compiled executable it makes sense to check the Behaviour tab first. Checking the Relations tab is also very important to me, you can quickly get lots of valuable info such as known distribution hosts/c2 address/dropped files/parent files/etc.

15. Can we do this with the free version? Can this feature be available for independent paid users?

VT Intelligence and VT Hunting are only available starting VT Enterprise packages.

16. Is there a library of hunts for certain malwares?

VirusTotal maintains a collection of crowdsourced rules provided by third parties, you can find details on the repositories we ingest in our Contributors list. You can also explore all the YARA rules with the recently introduced interface for VT Hunting, with filters for name and author also available.

You can now explore a full list of crowdsourced YARA rules used by Virustotal

17. Can the “vt” module be used as a file search modifier?

We are working on bringing the same functionality to VT Hunting and VT Intelligence services, let us know if you miss anything.

18. Are there any threat intelligence operations you would recommend as a good first step towards leveraging automations using VTI API? Intent is to bring more awareness into threats that may impact an organization.

A high level example being malicious artifacts collected from an email protection platform to help generate content filters within VTI searches. In this particular case, what would be your recommendations for automation aimed at highlighting similar records of interest?

With API you can literally fetch all available information for any specific entity in VirusTotal. Here you can find our recent APIv2 to v3 migration guide where you can find some examples.

For emails, you can automate the process of checking any attached file or uploading it to VirusTotal. Then you can check the number of submissions to understand the file’s popularity or email parents to get other emails containing this file as an attachment. You can actually execute any other VT Intelligence query with our API, just as you do manually.

19. Decryption is cool, do you dump it from the mem?

Specific implementation depends on the sandbox. It’s usually based on crypto function hooks.

20. How can I download the YARA modules mentioned in the talk?

Most of the specified modules are available by default in the official YARA build. The VT module is available only on Retrohunt/Livehunt. Additionally, you can always implement your own module and compile your custom build of YARA.

21. Is there any way to limit the access to my YARA rules in Livehunt, make them visible to me only, team, org, etc?

Your Livehunt rulesets are by default only visible to you. You can share it with any other VT accounts by specifying their email addresses:

Livehunt ruleset sharing options

22. Can we retrieve YARA job results via API?

Yes, you can leverage VT Hunting capabilities using our API, check out the documentation on Retrohunt and Livehunt. In particular, you can list Livehunt notifications with this endpoint.

23. Which of the features you showed falls under quotas?

You can always check all of your current quotas in your work group control interface – https://www.virustotal.com/gui/group/*your_org_name*/users.

Users group consumption

24. How do you determine the magic number in the condition?

The most popular way to do this is to check data at specific offset. For example, uint16(0) == 0x5A4D checks that the first two bytes are 0x5A4D, which is a little-endian representation of 4D5A – MZ signature of Windows executable files.

25. Is there a VT module for Android in YARA rule hunt?

Yes, there is a YARA module for Androguard, which is an Android applications reverse engineering tool. We are now considering the possibility of including it into YARA distribution, so if you have any business needs to use it, please reach out to us.

26. Do I need a special subscription to search for a year? I only see an option for 90 days.

Yes indeed, It is only available for Threat Hunter Pro subscribers.

Different options of VT subscription

27. When I’m searching for some samples I want to find them only if they are in ZIP/RAR/etc archives. My IOCs are for the files, but it’s the zips I want to uncover.

If you are using VT Intelligence searches, you can leverage the have:compressed_parents search modifier and then pivot to the parent files.

28. Thanks for the first seen tidbit. As far as the LiveHunt result alerts, do they repeat? I’ve set up a few and I think I’m getting alerted on the same samples.

Yes, that’s the point. You are getting alerted on both newly submitted and rescanned samples. To only get files that are new to VirusTotal feel free to use vt.metadata.new_file in your YARA rules.

29. How can we scale this? Is the point to update “detections” or essentially hunt for the newer functionalities on these samples found through livehunt/retrohunt?

That depends on specific business needs, but usually keeping your YARA rulesets fresh is one of the main goals of a threat hunter.

If you have any other questions, please feel free to reach out.

Happy hunting!

Continue reading Threat Hunting with VirusTotal – Episode 2→

VT Intelligence Cheat Sheet

Posted on December 19, 2022 by Alexey Firsh

Many of you asked for this, and today we are happy to announce the release of our VTI Cheat Sheet with hints and examples on the most useful VT Intelligence queries and modifiers. Instead of providing a list of already documented search modifiers, we created something more specific and close to the real life cases, such as searching for files signed with leaked Nvidia certificates or recent samples from collections attributed to CozyBear.

You can find the PDF version of the Cheat Sheet here. In this post we are providing some of the clickable examples with additional explanations.

Entities

One of the basics of VT Intelligence is using the “entity” search keyword to directly specify the type of output you want to get. There are specific modifiers for every entity, here you can find direct links to documentation for file, URL, IP and Domain (Collection will be available soon, stay tuned). Here there are quick examples for each of them:

entity:ip asn:”15169″ communicating_files_max_detections:30+

entity:domain downloaded_files_max_detections:20+

entity:url p:3+ have:tracker

entity:file tag:signed p:10+

entity:collection name:apt or tag:apt

Specific group activities

There are a number of different ways to explore the latest footprints of certain threat actor in VT Intelligence.

In case you don’t have any other inputs except the campaign or malware family name, you can leverage AV verdict VTI search:

engines:wellmess

If you want to search for a verdict from a certain vendor, you can specify it explicitly:

kaspersky:wellmess OR eset:wellmess

Instead of getting file hashes as your search output, you can list all collections related to a specific actor/campaign:

entity:collection ( name:APT29 OR tag:APT29 OR name:CozyBear OR tag:CozyBear ) creation_date:2021-01-01+

You can also search within a specific collection, which is very handy when dealing with collections containing a large number of entities:

collection:alienvault_60eff240c7c9cb4f24907049 entity:file type:pedll p:10+

You can get the collection ID from the browser address bar when navigating a specific collection or simply click “Share the collection” when there.

Another approach for getting files related to a specific threat actor is by leveraging crowdsourced detection rules: Yara, Sigma and IDS. We are always looking for solid and active repositories constantly updated with the latest malware signatures. You can find more details in our Contributors list.

For example, the following query provides files matching YARA and IDS rules containing “APT29” or “CozyBear” in their names, as well as files detected by a specific Sigma rules:

crowdsourced_yara_rule:APT29 OR crowdsourced_ids:APT29 OR sigma_rule:976e44f1ea7fa22eaa455580b185aaa44b66676f51fe2219d84736dc8b997d3e OR crowdsourced_yara_rule:CozyBear OR crowdsourced_ids:CozyBear OR sigma_rule:34f4cff056f24abe91bb29dc04a37ee746a4255101a21724b9ff28d79785247a

At the moment the only way to perform Sigma rules search is specifying the rule hash explicitly, you can find here the full list.

Finally, searching for specific comments can bring valuable results. It’s important to note that there are many third-party solutions contributing with useful comments in VirusTotal. Some of the most popular and reputed ones include THOR APT scanner and Intezer:

Comments on suspected APT29 malware

The following query searches for files containing some APT actor aliases in their comments:

entity:file ( comment:APT29 OR comment:CozyBear OR comment:NobleBaron OR comment:UNC2452 OR comment:YTTRIUM )

This also works for IPs, domains and URLs:

entity:domain comment:c2 comment:donot

Documents

Any query can specify the document format for the results. For example, the following query provides recently created (using “generated” modifier) documents (thanks to the “type” modifier) with macros embedded (by using “tag”), detected at least by 5 AVs (“p” modifier):

(type:doc OR type: docx) tag:macros p:5+ generated:30d+

A second example retrieves Excel files bundled with powershell scripts and uploaded to VT for the last 10 days:

(type:xls OR type:xlsx) tag:powershell fs:10d+

There is plenty of cool stuff you can do with the “tag:” search modifier, here is the full list with dozens of different tags supported, and here you can find descriptions for the most common ones. For example, you can search for documents with obfuscated VBA code executing other files:

(type:doc OR type: docx) tag:exe-pattern tag:run-file tag:obfuscated

You can also use “type:document” to search for all the document formats (office, pdf, text, rtf, latex, etc). The following query returns all documents having “invoice” in its file name and used as email attachments:

type:document name:”invoice” tag:attachment

Or documents exploiting any vulnerability published in 2022:

type:document tag:cve-2022-*

It’s important to highlight that “tag” is one of the few modifiers supporting wildcards.

Many of you asked about language specific document searches during our Threat Hunting with VirusTotal session. The “lang:” keyword uses Exif language property to find files matching any language:

type:docx lang:”farsi” p:5+

Non-Windows samples

We have dedicated keywords to perform searches for platforms such as Android, MacOS or even Symbian.

For Android, which is one of the most popular non-Windows platforms by number of malware samples, we use Androguard to process all ingested samples. You can query for any Androguard output which is stored under the umbrella “androguard:” keyword:

androguard:”spyMobile/”

This includes all sorts of different types of processed data: code strings, manifest entities, certificate signatures, etc. For example, this example looks for APKs that mimic a legitimate app by using the same icon (“main_icon_dhash”), but signed with a different certificate:

main_icon_dhash:9ef2e0c8e8f8bc8e type:apk AND NOT androguard:”45989dc9ad8728c2aa9a82fa55503e34a8879374″

However when looking for something specific it is better using “androguard_package:” to search for APKs with explicit package names (please note this only works for newly indexed files since March 2022):

androguard_package:org.xmlpush.v3

Since this is a new search modifier, please feel free to share our feedback with us.

In some cases you can skip using any special keyword and build your query using APK internal paths only:

( “assets/s.bin” AND “assets/l.bin” ) OR ( “assets/s.bin” AND “assets/m.bin” ) OR ( “assets/m.bin” AND “assets/c.bin” )

Here are some more examples for different platforms.

tag:iphone tag:signed p:5+ – signed iOS app packages detected by at least 5 AVs.

(type:apple OR type:mac) itw:cdn.discordapp.com – iOS/macOS files served from a given URL.

type:symbian name:”*spy*” – Symbian files (.sis) containing “spy” substring in its name.

Network

First of all, we encourage you to check the full list of network-related search modifiers for URLs, IPs and domains, as the list is too large to fit them all in this post.

However, network modifiers can save the day for different specific cases. Here are a bunch of practical examples.

If you are looking for botnet admin panels within a certain TLD (Top Level Domain) knowing only specific HTML meta information from the response, you can use this query:

entity:url tld:xyz meta:”admin panel”

In cases when you extracted the C2 endpoint from a malware sample and want to search for other servers using the same backend path:

entity:url path:get_config.php

You can even search for specific HTML body content with the “NOT parent_domain:” syntax to filter out legitimate results:

entity:url content:”Enter password” content:”Microsoft” fs:1d+ NOT parent_domain:office.com

There are plenty of different ways to detect malicious domains mimicking legitimate ones, including favicon similarity. To get a specific dhash you can just click on the original file/website icon in Virustotal and it will produce the query for you. Then you can check for additional domains using this favicon but detected by different AVs:

entity:domain main_icon_dhash:0e969e969306710f p:5+

Another approach is to use the “fuzzy_domain” keyword, which is based on Levenshtein distance and will get you domain names similar to a given one. The best use case for this is typosquatting attack detection. In the following example, we filter results using “urls_max_detections” to get only domains with URLs detected as malicious:

entity:domain fuzzy_domain:”google.com” urls_max_detections:1+ NOT parent_domain:google.com

The following query is a bit more complicated. It can be used to search for any kind of suspicious activity within a specified subnet:

entity:ip ip:”172.31.0.0/16″ (urls_max_detections:5+ OR reputation:-20- OR p:5+ OR downloaded_files_max_detections:5+ OR referring_files_max_detections:10+ OR (detected_communicating_files_count:2+ AND communicating_files_max_detections:5+ ) ) last_modification_date:7d+

Instead of an IP range, you can specify the whole ASN:

entity:ip asn:15169

Summarizing, the number of different options to query VT Intelligence can be overwhelming, but hopefully the above examples and our VTI Cheat Sheet will make your life easier. We will continuously update the VTI Cheat Sheet to keep it as fresh and useful as possible, we will be announcing every time there is any major update. In the meantime, we hope this will be useful for you, and as usual if you have any suggestions or just want to share feedback please feel free to reach out here.

Happy hunting!

Continue reading VT Intelligence Cheat Sheet→

Threat Hunting with VirusTotal

Posted on November 28, 2022 by Alexey Firsh

We recently conducted our first “Threat Hunting with VirusTotal” open training session, providing some ideas on how to use VT Intelligence to hunt for in-the-wild examples of modern malware and infamous APT campaigns. In case you missed it, here you can find the video recording available on Brighttalk and Youtube. We also created a PDF version of the slides with all the queries covered during the session and direct links to the documentation.

We received lots of questions during the session that we decided to answer in this Q&A blog post.

1. How can we search for “have:itw” with a specific URL?

“have:itw” is a search modifier you can include in your VT Intelligence queries to get all samples we found being distributed in the wild. You can specify any particular domain in your query, for instance the following example finds samples being distributed itw through discord:

itw:cdn.discordapp.com

2. How can we convert the search queries to monitoring alerts?

Good question, at the moment we are working on a solution to do this automatically, hopefully available very soon. In the meantime, there are two workarounds: execute your query through the API or, in some file-related cases, you can rely on the Yara VT module to create and deploy a Livehunt rule.

3. Is there any documentation on the VT website for all this info?

Yes, here you can find general manuals and dedicated documentation for the API. Another good resource is our getting started site. You can find more resources linked in the training slides.

4. Can we have sessions on hunting part of VT like this.

Yes, we will be having quarterly “Hunting with VT” sessions (at a minimum).

5. Can we use regex in queries?

You can use regex in VT Grep queries. The following is an example using wildcards for a hexadecimal sequence of bytes: content:{686f6c61 ?? 6d756e646f}.

There are no wildcards for most of the regular VT Intelligence queries with the exceptions of “name:” and “domain_regex:”, because we use full text search. In some cases you can achieve the same effect by combining search terms with the “AND” keyword.

6. Can you point out a location for all the most useful queries?

We are working on a Cheat Sheet which will be available very soon, stay tuned.

7. Can you see the content tab in the free version?

This is only available to VT Enterprise customers.

8. Can you use wildcards in date notations when searching?

Date notations are quite flexible even without wildcards. For example, for malware submitted to VT in January this year you can use the following:

p:10+ fs:2022-01-01+ fs:2022-01-31-

You can get malware submitted for the last 5 days with the following query:

p:10+ fs:5d+

9. What is your keyboard? Super nice sound.

DROP CTRL + Kaihua Speed Silver + T0mb3ry SA Carbon

10. Does “crowdsourced…:malware_name” will give all the rules sigma/yara written for that malware?

Not really. Rules are not assigned to any malware or actor in particular, so we need to rely on the name of the rule. For instance:

crowdsourced_yara_rule:Sofacy OR crowdsourced_ids:Sofacy

provides you with files detected by the Yara or IDS rules with “Sofacy” in its name.

11. Does Virustotal collect samples from sources other than user submitted files? For example, does it passively scrape the Android App store to check for new apps created by APTs?

Yes! Just as an example, you can submit a file to VirusTotal from Process Explorer. Also, there are different research groups and other volunteers (thanks again to all of you!) who share new samples with the VT community.

12. How to fetch all the matched samples for a query by script instead of going through all pages?

You can use this API endpoint.

13. Sometimes I tried to perform behavior search using powershell commands, but it doesn’t work for me. For example, this one. When clicking to the powershell command itself, returns no results. Also, doing something like behavior:”PAAjAGcAeABwACMAPgAgAFIAZQBnAGkAcwB” does not work.

Thanks for the heads up! There is an issue when transforming super-long strings into a search query, we are already working on a fix.

Regarding the second question, when doing a full text search unfortunately it is not possible to use substrings (unless it is a separate word). For example:

behaviour_processes:”\”C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\” -EncodedCommand” – correct

behaviour_processes:”\”C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\” -EncodedCom” – incorrect

14. If I am trying to hunt a certain ransomware, and the actual PE Files are present on VT as per YARA Rules. How can I find the initial vector?

Searching for the initial infection vector is tricky and not always possible as it depends on VirusTotal’s visibility, but you can try the following ideas:

To find suspicious (p:5+ for 5 or more AV detections, as rule of thumb) files distributed as email attachment you can use tag:attachment p:5+. Then you can get full details in the “Relationship” tab for every resulting sample:

To find suspicious files known to be distributed in-the-wild you can use have:itw p:5+. Details, again, in the “Relationship” tab:

In some cases you can get clues about the distribution vector from the name used by the malware. For example, type:apk name:”delivery” p:20+

15. Do you have a link to all available VT “entity:” types?

That would be “file”, “url”, “ip”, “domain” and “collection”. You can find extensive information with documentation links on the slide #5 of PDF slides. This will also be available soon in VirusTotal’s documentation.

16. How can we utilize the VT API to upload our own PE files to sandboxes for dynamic analysis? I have been running it on some executables and most of the files error out during the sandbox execution (e.g. tries to open a file in the file system that doesn’t exist, etc).

Sandboxing is part of the executable processing pipeline, you can submit your files using this API endpoint. Regarding any technical issues including unexpected sandboxing behavior you can reach out to Virustotal Bot at the bottom of the website.

VirusTotal Support Bot

17. Can we have the option of moving back to the old color scheme in Retrohunts?

Thanks for your request, we’ll think about how to make the Yara editor pleasant for everybody.

18. Can you show an example of using language with word document search? How can I search for Follina samples with specific languages?

The “lang:” keyword finds all files whose Exif language property matches the language provided. In Follina case, following our training instructions, we can use the crowdsourced Yara rule with language clarification:

crowdsourced_yara_rule:SUSP_Doc_WordXMLRels_May22 lang:”farsi”

19. Is there a thinking on future development for GodMode to be able to label deployed malwares by sectors? like Healthcare?

Yes! Check our new “Threat Landscape” feature out.

20. Is there Mitre Attack type T. identifier search?

Yes, you can use the following keywords and specify any technique or tactic.

attack_technique:T1055

attack_tactic:TA0003

21. Is there a way to run custom tools on top of what is available?

You can always organize a custom post-processing of VirusTotal data by using our API. This is exactly what the “APT dashboard” we showed during the training does.

22. Were we able to search for a specific email and see all other files distributed by the email?

You can leverage VT Grep to search for email files with specific content and then pivot to the children entities as it appears under the Relationship tab, for example:

content:”suspicious@email.com” tag:email

23. How can we combine a domain and a file seen together?

If you want to get files downloaded from a specific domain (drive.google.com in the example below), you can use:

itw:drive.google.com fs:2022-10-01+

24. What about wildcards in androguard on receivers/services/activities?

Unfortunately, this data is indexed as full-text search, so no wildcards are allowed. However, if you feel that this is critical to you, please feel free to reach out.

25. What encodings are accepted by the “content” query parameter? Is it only plaintext and hexadecimal?

You can also use escaped UTF-8, check the VT Grep manual for details.

26. Why isn’t it possible to combine the “have” and “content” modifiers? I have the following error: “have can’t be combined with content modifier”, example: have:email_parents AND content:”Hello World!”

Content search is a different querying tool by design, that’s why it is not possible to combine with all the other keywords by default. We are collecting the feedback and adding compatibility with the most popular ones (tag, type, p, fs, etc). For more details please refer to VT Grep documentation.

27. How can I submit a yara or a sigma rule to VT for community use? Are they generally just obtained from curated open source?

Yes, we are always looking for solid and active repositories constantly updated with the latest malware signatures. You can find the number of such repositories in our Contributors list. If you do want to contribute, please let us know.

28. Will the APT dashboard be downloadable from GitHub? Would it be possible to share one of your jupyter notebooks, please?

At the moment we are not openly sharing such notebooks, which are mostly designed for demoing and internal research, and we are not really sure if they are solid enough for production environments. We are currently studying if this is something we will be doing in the near future. However, we are happy to help you build your own! Please feel free to let us know in case you are interested in this or any other ideas.

If you have any other questions, please feel free to reach out.

Happy hunting!

Continue reading Threat Hunting with VirusTotal→

Not a dream job: Hunting for malicious job offers from an APT

Posted on November 3, 2022 by Alexey Firsh

Tldr: A recent Mandiant’s blog described a series of targeted attacks over Whatsapp by an APT cluster named UNC4034. We found several additional cases in VirusTotal which we believe with high confidence are related to the same activity set.

According to the original publication, this activity is most likely related to North Korean actor and could be an extension of Operation “Dream Job”, leveraging targeted distribution of malicious ISO files. Based on Mandiant’s research, in the first stage the attacker sends a job offer at Amazon to the victim by email, followed by a WhatsApp web message where the attacker shares a malicious ISO file, pretending to be part of the selection process.

The original publication provides 2 hashes of ISO files named amazon_test.iso and amazon_assessment.iso respectively. Unfortunately, only the first one was found in VirusTotal:

8cc60b628bded497b11dbc04facc7b5d7160294cbe521764df1a9ccb219bba6b
e03da0530a961a784fbba93154e9258776160e1394555d0752ac787f0182d3c0

Hunting for more samples

We started by trying to find the ISO we were missing in VirusTotal by searching for files with the same name:

name:”amazon_assessment.iso”

The search results provided us with one sample (dc20873b80f5cd3cf221ad5738f411323198fb83a608a8232504fd2567b14031). In Mandiant’s publication both samples share the same configuration which can be found in an embedded Readme.txt file. The new sample seems to be the new variant with a different configuration, also in a Readme.txt file, as shown below:

New sample’s Readme.txt content

Both ISO files contain two files inside them – a Windows executable (apparently a poisoned version of Putty) and Readme.txt. We decided to search for all the ISO samples bundling only two specific files – Readme.txt and an *.exe file. Additionally, we filtered out all samples over 10Mb or submitted to VirusTotal before 2020. We obtained the following 6 samples, including the ones already discussed:

ISO sha256	Filename	ISO volume name
8cc60b628bded497b11dbc04facc7b5d7160294cbe521764df1a9ccb219bba6b	amazon_test.iso	AMAZON_TEST
dc20873b80f5cd3cf221ad5738f411323198fb83a608a8232504fd2567b14031	Amazon_Assessment.iso	AMAZON_ASSESSMENT
3818527bc78efcece9d9bc87d77efa9450c2ba5c94f8441ea557ba29d865e7d3	SA_Assessment.iso	AMAZON_ASSESSMENT
cd8e12cddfe71b89597b6621d538b63673c8a8a3bf47a0fa572961ca1280e5b5	IT_Assessment.iso	AMAZON_ASSESSMENT
ccdb436a5941ba47a8b7e110021ad98ba6dc4e0296dc973429fc0c73de5e5397	Dell_SE_Assessment.iso	DELL_SE_ASSESSMENT
455a7ebf67aec7b4d6cc18ed930bde491c0327ba5e24968514dd9b3449a7c374	IBM_SSA_Assessment.iso	IBM_SSA_ASSESSMENT

Volume name (included in the ISO file metadata) can also be used as a pivoting point, as an alternative to the previous query, to find more samples in VirusTotal by clicking on them:

Example of ISO metadata

We could use the following query based on metadata that also filters out results based on the previous criteria:

metadata:ASSESSMENT tag:isoimage size:10mb-

Not only PuTTY

Although we didn’t deeply analyze the found samples, we spotted two more remote client tools in addition to Putty inside the ISO files – a weaponized versions of TightVNC Viewer and KiTTY (PuTTY’s fork).

ISO sha256	Filename	ISO volume name
8cc60b628bded497b11dbc04facc7b5d7160294cbe521764df1a9ccb219bba6b	cf22964951352c62d553b228cf4d2d9efe1ccb51729418c45dc48801d36f69b4	PuTTY
dc20873b80f5cd3cf221ad5738f411323198fb83a608a8232504fd2567b14031	52ec2098ed37d4734a34baa66eb79ec21548b42b9ccb52820fca529724be9d54	PuTTY
3818527bc78efcece9d9bc87d77efa9450c2ba5c94f8441ea557ba29d865e7d3	75771b5c57bc7f0d233839a610fa7a527e40dc51b2ec8cbda91fab3b4faa977f	KiTTY
cd8e12cddfe71b89597b6621d538b63673c8a8a3bf47a0fa572961ca1280e5b5	6af9af8aa0d8d4416c75e0e3f7a20dfe8af345fb5c5a82d79e004a54f1b670dc	KiTTY
ccdb436a5941ba47a8b7e110021ad98ba6dc4e0296dc973429fc0c73de5e5397	14f736b7df6a35c29eaed82a47fc0a248684960aa8f2222b5ab8cdad28ead745	TightVNC Viewer
455a7ebf67aec7b4d6cc18ed930bde491c0327ba5e24968514dd9b3449a7c374	37e30dc2faaabaf93f0539ffbde032461ab63a2c242fbe6e1f60a22344c8a334	TightVNC Viewer

Interestingly, a couple of samples reveal forgotten pdb paths that could point to the attacker’s environment:

PDB path reveals “Work” folder

A TightVNC sample also included the following pdb path:

N:\2.MyDevelopment\3.Tools_Development\4.TightVNCCustomize\Munna_Customize\tightvnc\x64\Release\tvnviewer.pdb

Also, in some cases attackers reused the same ISO details for different campaigns. For instance, they didn’t change the volume name (Amazon related) with the ISO name they distributed (SA_Assessment or IT_Assessment).

Infrastructure

We extracted all the IP addresses from the Readme.txt files, as well as the contacted hosts during sandbox execution.

ISO sha256	IP from Readme.txt	IP from Sandbox
8cc60b628bded497b11dbc04facc7b5d7160294cbe521764df1a9ccb219bba6b	137.184.15[.]189	–
dc20873b80f5cd3cf221ad5738f411323198fb83a608a8232504fd2567b14031	143.244.186[.]68	44.238.74[.]84
3818527bc78efcece9d9bc87d77efa9450c2ba5c94f8441ea557ba29d865e7d3	147.182.237[.]105	3.137.98[.]129
cd8e12cddfe71b89597b6621d538b63673c8a8a3bf47a0fa572961ca1280e5b5	137.184.15[.]189	172.93.201[.]253
ccdb436a5941ba47a8b7e110021ad98ba6dc4e0296dc973429fc0c73de5e5397	–	44.238.74[.]84
455a7ebf67aec7b4d6cc18ed930bde491c0327ba5e24968514dd9b3449a7c374	–	44.238.74[.]84

Please note these IPs are subject to double checking before adding them to any blocking list. By checking the VirusTotal IP report for any of them, you can find in the “Relations” tab the “Files Referring” section to obtain which files hardcode the IP address, and “Communicating Files” to get which files contacted the IP during sandbox execution:

Files with hardcoded 143.244.186[.]68

Conclusions

As a result of this quick research we identified additional samples that seem to be part of the same campaign described by Mandiant, in this case expanding the scheme behind its distribution to, apparently, Dell and IBM in addition to Amazon. Submissions of the identified samples are observed between June and September 2022.

In this post we described some ideas we used to identify these samples, but we encourage security researchers to both monitor additional activity and to dig into the newly found samples found to reveal further stage payloads. We created a VirusTotal Collection including the indicators associated with this malicious activity. As always, we are happy to hear any additional ideas to hunt for malicious campaigns.

Happy hunting!

Continue reading Not a dream job: Hunting for malicious job offers from an APT→

Hiding in plain sight: PhantomLance walks into a market

Posted on April 28, 2020 by Alexey Firsh

In July 2019, a sophisticated backdoor trojan in Google Play was reported. We conducted an inquiry of our own, discovering a long-term campaign, which we dubbed “PhantomLance”, its earliest registered domain dating back to December 2015. Continue reading Hiding in plain sight: PhantomLance walks into a market→

iOS exploit chain deploys LightSpy feature-rich malware

Posted on March 26, 2020 by Alexey Firsh

A watering hole was discovered on January 10, 2020 utilizing a full remote iOS exploit chain to deploy a feature-rich implant named LightSpy. The site appears to have been designed to target users in Hong Kong based on the content of the landing page. Continue reading iOS exploit chain deploys LightSpy feature-rich malware→

Beware of stalkerware

Posted on April 3, 2019 by Alexey Firsh

Spyware might sound like a concept from a Hollywood movie, yet commercial versions of such programs – known in the cybersecurity industry as ‘stalkerware’ – are a daily reality for many people. For the price of just a few dollars, consumer spyware programs allow users to spy on their current or former partners, and even strangers Continue reading Beware of stalkerware→

BusyGasper – the unfriendly spy

Posted on August 29, 2018 by Alexey Firsh

In early 2018 we found a suspicious Android sample that, as it turned out, belonged to an unknown spyware family. Further investigation showed that the malware, which we named BusyGasper, is not all that sophisticated, but demonstrates some unusual features for this type of threat. Continue reading BusyGasper – the unfriendly spy→

Who’s who in the Zoo

Posted on May 3, 2018 by Alexey Firsh

ZooPark is a cyberespionage operation that has been focusing on Middle Eastern targets since at least June 2015. The threat actors behind the operation infect Android devices using several generations of malware, with the attackers including new features in each iteration. Continue reading Who’s who in the Zoo→

Zero-day vulnerability in Telegram

Posted on February 13, 2018 by Alexey Firsh

In October 2017, we learned of a vulnerability in Telegram Messenger’s Windows client that was being exploited in the wild. It involves the use of a classic right-to-left override attack when a user sends files over the messenger service. Continue reading Zero-day vulnerability in Telegram→