Connecting the dots with Virus Total

By: @BushidoToken

Introduction

Virus Total (VT) is one of the most useful tools in an analyst's toolbox. For a number of reasons, it is often the first place an anaylst may visit. This includes checking to see if a file is malicious, investigating a domain or IP address, as well as looking for malware samples and other indicators of compromise (IOCs). Any researcher or analyst should be well acquainted with VT. Its most powerful component is that anyone, from anywhere in the world can submit files and other IOCs. This means that researchers can uncover attack campaigns happening globally in near real-time, as well as those from months or years ago.

This blog covers how to utilise Virus Total for investigations and triage. The first and one of the most important things to remember is that something is uploaded to VT it is publicly accessible and submitted to over 70 antivirus engines for analysis.

The devil is in the details 👿

When looking at a new file for the first time, an analyst should establish the basic facts - such as detection rating, file type, size, and if it matches any threat hunting rules. These can then be built upon for the next stages of an investigation.

The next steps include investigating other file attributes that reveal more information about the file, including when it was compiled, when it was first submitted to VT, the filename, the code signing certificate, and other informative attributes.

This information can then be used to tell us more about the file: what type of malware it is and who the adversary who created is. 

Good vs Evil 🦸‍♂️

One of the most interesting aspects of cybersecurity is that private and public organisations share a lot of valuable, hard-earned knowledge for free. This is exemplified in Virus Total as malware researchers, sandboxes, EDRs, and antivirus companies often share the findings on specific files, which helps everyone. At the end of the day, it is the defenders protecting the computers and information versus the threat actors who wish to attack them. Good versus evil.

The 'community' tab is often the first place a researcher may look to find what other organisations or researchers have already found out about an IOC from their analysis of it. 

Silent cartographer 🌎

One of Virus Total's most power features is its VT Graph tool. The contents of CSV files can be imported into one graph automatically. VT Graph then maps the relations ships between imported domains, URLs, hashes, and IP addresses and displays them in a presentable format. A researcher can then investigate each IOC more closely and potentially uncover additional campaign artefacts just by double-clicking on each node.

IOCs can be gathered from open sources, shared by threat researchers, enriched and then imported into VT graph. This may help an organisation or law enforcement to better understand the scope of the campaign and the tactics, techniques, and procedures (TTPs) leveraged by the adversaries behind it.

Thrill of the hunt 🕵️‍♂️

IOCs are submitted to multiple sites, not just Virus Total. There are a growing number of free sandboxes where organisations can detonate suspicious files and URLs. This opens up more opportunities for researchers to investigate campaigns by cross-examining IOCs from multiple sources.

Researchers can pivot between these sandboxes and Virus Total and back to uncover a lot more details about ongoing and past campaigns. This is an important part of IOC enrichment and brings us closer to the goal of understanding and mitigating an adversary's tradecraft.

One final feature worth covering in this how-to blog is VT's search function. Although it is not abundantly clear in the tool's user interface, this is also a powerful resource for investigating attack campaigns. By searching for a malware or APT group's name (in lowercase only) Virus Total will reveal all the comments left by researchers and cybersecurity firms.

What is interesting about this search function is that a lot of comments are generated automatically by bots. If a file matches a YARA rule, researchers have created a bot that will leave a comment stating which YARA the file attribute's triggered. This is especially useful for tracking a specific APT or cybercriminal group's malicious software.

Conclusion

This Virus Total blog has covered how researchers and analysts can use some of VT's best (and free) features. To effectively leverage this tool a user should have an inquisitive mind and be willing to investigate things further, VT does a great job at providing a service for them to do so. 

References:

• https://www.virustotal.com/gui/file/0f5d7e6dfdd62c83eb096ba193b5ae394001bac036745495674156ead6557589/detection
• https://www.virustotal.com/graph/embed/g92cdcc51532e43158cb3df4a616ed5b9aedadbada6cb4169811a7174426473d3
• https://www.virustotal.com/gui/search/unc2452/comments
• https://www.virustotal.com/gui/search/sunburst/comments
• https://www.virustotal.com/gui/search/nobelium/comments
• https://www.virustotal.com/gui/search/teardrop/comments
• https://twitter.com/VK_Intel/status/1367176969369096193?s=20
• https://www.virustotal.com/gui/user/BushidoToken/comments
• https://github.com/BushidoUK/Exploring-APT-campaigns