Threat Hunting with VirusTotal

5 minute read

ByMert SARICA
1 August 2019
No comments

If you, like me, primarily use Twitter to stay updated on cybersecurity news and follow cybersecurity researchers, you may have come across tweets from security researchers such as Nick CARR from FireEye/Mandiant, Daniel BOHANNON, or John LAMBERT from Microsoft. In their tweets, they sometimes share new malware samples or discuss new techniques they discovered during their threat hunting activities on VirusTotal.

After years of requesting from my friends with VirusTotal accounts to download and send me interesting malware samples, I finally achieved a happy ending in early 2018 by purchasing a corporate VirusTotal account for Akbank Cyber Security Center. With a corporate account, as I mentioned in my blog post titled “On the Trail,” you can not only track the activities of cybercriminals but also become aware of cyber attacks targeting your organization and stay informed about the tactics and techniques used by cybercriminals.

Apart from cybercriminals, you can also come across files uploaded by employees preparing for social engineering tests within their own organization or penetration testing experts from cybersecurity consulting firms attempting to bypass antivirus systems.

It is often overlooked that files uploaded to VirusTotal can be viewed and downloaded by other members. This means that a sensitive file uploaded for malware detection purposes can suddenly become visible to third parties. In this article, I decided to provide guidance for those who want to conduct threat hunting on VirusTotal and raise awareness of information security by drawing attention to the points mentioned above.

When conducting threat hunting with VirusTotal Intelligence, we can leverage more than 50 keywords. For example, let’s say we want to find records that are uploaded from Turkey (submitter:TR), written in Turkish language (lang:”turkish”), detected by more than 10 antivirus software (positives:10), have a docx file type (type:docx), and were first uploaded in 2018 (fs:2018-01-01 T00:00:00+). By using these keywords, we can quickly find records that match these criteria. If we perform a similar search for xls, doc files, files containing PowerShell (tag:powershell), and files containing macros (tag:macros), we will come across numerous examples for analysis in a short time.

In one of the cases I encountered, I discovered a malicious individual creating a document containing macros to conduct a social engineering attack against a bank. When analyzing the macro using the oletools and CyberChef tools, I found that the executed macro sent copies of emails sent from Microsoft Outlook to a command and control center using unencrypted HTTP protocol with the help of PowerShell. By examining the file properties and searching for it on VirusTotal (metadata), I learned that the file was likely created by the bank’s audit team to perform a social engineering test rather than by a malicious individual. :)

When examining another example, the file named “aktivite20.docm,” I initially thought that I came across a malicious document used in a social engineering attack targeting a bank. Upon analyzing this well-crafted document, which was quite convincing in terms of persuasion, I discovered that it contained a macro utilizing PowerShell. Upon analyzing the macro file, I found that it disabled PowerShell script blocking and logging features when executed. Similar to the previous example, when examining the file properties, I learned that it was created by a penetration testing expert working as a consultant for a cybersecurity firm. :)

Looking at the two examples above, we should not forget that uploading files with malicious intent for penetration testing or social engineering tests to VirusTotal can provide clues to malicious individuals regarding scenarios and methods. It is also important to note that uploading a file to VirusTotal before conducting a red team exercise can significantly impede its success.

In another example, “zarina cv.docx,” I came across a suspicious resume file. Particularly in corporate environments, resumes that circulate between individuals can lead to the compromise of an organization if they contain malicious code and are sent to human resources employees via LinkedIn or email without the necessary security controls and measures in place. After opening the “zarina cv.docx” file with 7-Zip, I analyzed the “document.xml” file located in the “word” folder and found a carefully placed DDEAUTO command. The DDEAUTO command downloads a file named “final.exe” from the mediafire.com address and executes it in the TEMP folder. Although I couldn’t access the “final.exe” file as it was deleted, I could clearly see that the same individual attempted to upload a similar file containing an internal IP address to VirusTotal for antivirus scanning instead of mediafire. Based on this example, I would like to emphasize the importance of HR departments being extremely cautious when receiving resume files from candidates.

The last example that caught my attention was the file “TEMMUZ MAAŞ.xlsm.” When I analyzed the macro file inside the document using the oletools tool, I discovered that it downloads a file named “client.exe” from the web address http://xfl[.]mooo.com and then saves it as “cache1.exe” in the TEMP folder before executing it. The content of the “TEMMUZ MAAŞ.xlsm” file appeared to be realistic enough not to raise suspicion. When I searched for files associated with http://xfl[.]mooo.com both on VirusTotal and through retrohunt, I found numerous unrelated files. Some files were specific instruction files created for a particular organization, while others were user manuals for a product. It started to puzzle me whether there were individuals who managed to access these organization-specific files and inject macros into them, or if malicious actors were diligently creating such realistically macro-laden documents.

When I conducted a search specifically for the web address http://xfl[.]mooo.com and the associated resolved IP addresses, I came across the “srim2” file that was downloaded from one of the IP addresses. I downloaded the file and opened it using the 7-Zip tool, and upon examining the “config.json” file, it became apparent that it was a software used for mining Monero digital currency.

After deciding to take a brief look at the “client.exe” file, I began analyzing it using IDA Pro and Interactive Delphi Reconstructor tools. Here are the noteworthy findings:

After executing “cache1.exe,” it copies itself to the path C:\Users\admin\AppData\Local\Google Chrome Helper\chromehelper.exe.

It communicates with the following URLs: http://xredini[.]mooo.com , http://140[.]82.59.108/config, and http://45[.]76.3.86/min.

Decoding hidden strings with the help of IDAPython revealed the addresses xred[.]mooo.com , xredini[.]mooo.com, and xfl[.]mooo.com among the character strings.

It is capable of creating a scheduled task to create a Google Chrome Helper Update entry.

After finding files with the extensions .xls, .xlsx, .doc, .docx, it copies their contents to an Office file with a macro extension (e.g., docm, xlsm) created in the %TEMP% folder, replacing the original files with copies of the original files but with the names of the original files. (For example, it deletes the “Mert.docx” file on the desktop and creates “Mert.docm” in its place, copying the content of “Mert.docx” into it.)

It locates and modifies all executable files (exe) on the system, replacing them with the modified files. Upon execution, it runs both the original file and the malicious Office files (opened in the %TEMP% folder) in the Resource Directory section.

When searching for the character string “ABvgjdfL+hpQCgCT42VdO6m4GD” in VirusTotal, I came across numerous samples infected with this malware.
These findings provide valuable insights into the behavior and capabilities of the analyzed “client.exe” file.

In conclusion, by conducting threat hunting on VirusTotal, your organization can become aware of planned cyber attacks and social engineering attempts targeting your institution. Additionally, it allows your analysts to analyze the samples identified during threat hunting, helping them develop expertise in malware analysis.

Hope to see you in the following articles.

Show this post in PDF format

Print this page

Related Tags

Mert SARICA

Mert is a well-known and respected Cyber Security Researcher, Speaker and Blogger. He has been living and pursuing his career in the United States with an Alien of Extraordinary Ability visa (EB-1A), an employment-based green card, since October 2022.

As of February 2023, Mert has been working at SOCRadar® Extended Threat Intelligence as the Head of Security Research & Operations. SOCRadar is a cybersecurity company committed to democratizing threat intelligence and providing superior cybersecurity solutions to thousands of companies in hundreds of countries. SOCRadar's mission is to provide organizations of all sizes with the tools to counter cyber threats.

In his current position, Mert has been advising the CEO on strategic decisions that align with the company's mission, objectives, and overall goals.

He has often overseen strategic initiatives by working closely with various departments, such as product development, sales, and marketing. Also, he has been managing the day-to-day operations of the Security Analyst, Support, and Professional Services teams to ensure efficiency, quality, service, and cost-effective management of resources.

In addition, he has been driving innovation across the product by promoting new ideas and features.

Besides that, he has been managing, mentoring, and supporting a cadre of threat researchers, threat hunters, security analysts, and technical content writers who research cyber threats, vulnerabilities, and trends.

From October 2020 to September 2022, Mert demonstrated his expertise as an Executive Vice President / CISO of IT Security & Risk Management Group which incorporates Cyber Defense Center, Cyber Security Technologies, Cyber Security Architecture, Information Security & Risk Management teams (40 HCs) at Intertech. Intertech is an Information Technology subsidiary of DenizBank, owned by Emirates NBD

From January 2018 to September 2020 as the Vice President, Mert was responsible for the management of Akbank's Cyber Defence Center (CDC) which incorporates Vulnerability Management, Threat Detection, Threat Response & Intel, and Security Engineering teams. (26 HCs)

From 2007 to 2017 Mert was responsible for performing and managing penetration tests, malware analysis, security incident detection, and response as a Technical Lead in the Threat & Vulnerability Management team at IBTech. (Information Technology subsidiary of QNB Finansbank)

From 2014 – 2016 Mert instructed Malware Analysis course in Cyber Security Graduate Program at Bahcesehir University.

In 2003 Mert’s career journey began by discovering a security vulnerability on the e-portal web application of the Yeditepe University where he was studying at that time. After sharing his findings with the executives of the university, he was awarded an achievement grant and recruited as an Ethical Hacker. Mert graduated from Yeditepe University, Information Systems and Technologies in 2006 and Yeditepe University, Master of Business Administration program in 2010.

From the beginning of 2011, Mert spoke at more than 30 technical cyber security conferences. In addition, he was invited as a guest speaker to more than 40 universities to share his cyber security career journey and his profession “Ethical Hacker” to the students as a role model.

Author

Profilime Kim Baktı?

WhatsApp Dolandırıcıları

ABD Olağanüstü Yetenek Vizesi (O-1A)

Python’u Seviyorum :)

LinkedIn Dolandırıcıları

Mert SARICA

Antimeter Tool

WhatsApp Scammers

Exposing Pig Butchering Scam

How I Obtained the Green Card (EB-1A) in 5 Months