In a recent presentation at the FIRST CTI in Berlin and Botconf in Nice, VirusTotal unveiled innovative methods to track adversary activity by focusing on images and artifacts used during the initial stages of the kill chain.
This approach aims to enhance threat hunting and detection engineering by examining samples built in the weaponization and delivery phases.
Traditionally, threat hunting and detection engineering have concentrated on the latter stages of the kill chain, from execution to actions on objectives.
This is due to the abundance of information available in these phases, making it easier to search for clues using endpoint detection and response (EDR), security information and event management (SIEM), and other solutions.
VirusTotal’s new approach focuses on detecting suspicious Microsoft Office documents (Word, Excel, and PowerPoint), PDF files, and emails.
Analysts can quickly identify potential threats by leveraging colors commonly used in threat intelligence platforms—green for benign and red for malicious.
Exploring Embedded Files in Office Documents
When a Microsoft Office file is created, it generates a series of embedded XML files containing information about the document.
VirusTotal has identified three types of embedded files within Office documents that can be particularly useful for threat hunting:
- Images: Often used by threat actors to make documents appear legitimate.
- [Content_Types].xml: Specifies the content types and relationships within the Office Open XML (OOXML) document.
- Styles.xml: Stores stylistic definitions for the document, providing consistent formatting instructions.
VirusTotal hypothesizes that if malicious Microsoft Word documents are copied and pasted during the weaponization process, the hashes of the [Content_Types].xml and styles.xml files will likely remain the same.
APT28 – Images
APT28 has been found to reuse images across different delivery samples.
For example, an image of a hand used in fake Word documents for hotel reservations was identified in multiple documents over several years.
SideWinder – Images
SideWinder, also known as RAZER TIGER, has reused images in their operations against military targets in Pakistan.
One notable example is the signature of Baber Bilal Haider, used in multiple documents.
Gamaredon – [Content_Types].xml and styles.xml
Gamaredon has reused styles.xml and [Content_Types].xml files in different documents, revealing new samples.
VirusTotal’s retrohunt identified patterns in these files, leading to the discovery of additional malicious documents.
AI to the Rescue
VirusTotal utilized the VirusTotal API to download and unzip a set of Office documents used for delivery, obtaining all embedded images.
They then used Gemini to automatically describe these images, aiding in the identification of suspicious documents.
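As an added example, not VirusTotal's own tooling or code, the following Python script shows the first two steps of the workflow described above and the pivot idea from the "Exploring Embedded Files" section in working form: it walks an OOXML container, hashes [Content_Types].xml and styles.xml so they can be compared across samples, and pulls out every embedded image under a media/ directory, which is the point at which an image-description model would be applied. The VirusTotal download step and the Gemini call are omitted. The three sample documents are constructed in memory with the OOXML directory layout; they are not real Word output, and the image bytes are a placeholder rather than a valid PNG.

```python
import hashlib
import io
import zipfile

# Image extensions Office stores under word/media/, xl/media/ or ppt/media/
IMAGE_SUFFIXES = (".png", ".jpg", ".jpeg", ".gif", ".bmp", ".emf", ".wmf", ".tif", ".tiff")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def extract_artifacts(doc: bytes) -> dict:
    """Walk an OOXML zip and hash the parts the article names as pivots.

    Returns {"pivots": {part: sha256}, "images": {part: sha256}}.
    Pivots are [Content_Types].xml and any styles.xml (word/, xl/);
    images are every media part with a known image extension.
    """
    out = {"pivots": {}, "images": {}}
    with zipfile.ZipFile(io.BytesIO(doc)) as z:
        for name in z.namelist():
            base = name.rsplit("/", 1)[-1]
            if name == "[Content_Types].xml" or base == "styles.xml":
                out["pivots"][name] = sha256_hex(z.read(name))
            elif "/media/" in name and base.lower().endswith(IMAGE_SUFFIXES):
                out["images"][name] = sha256_hex(z.read(name))
    return out


def shared_hashes(a: dict, b: dict) -> set:
    """Hashes (XML pivots or images) that two documents have in common."""
    def all_hashes(art):
        return set(art["pivots"].values()) | set(art["images"].values())
    return all_hashes(a) & all_hashes(b)


# --- constructed sample containers (minimal OOXML layout, not real Word output) ---
CONTENT_TYPES = b"""<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
 <Default Extension="png" ContentType="image/png"/>
 <Default Extension="xml" ContentType="application/xml"/>
 <Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>
 <Override PartName="/word/styles.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.styles+xml"/>
</Types>"""
STYLES_TEMPLATE = b'<w:styles xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:style w:styleId="Normal"/></w:styles>'
STYLES_OTHER = b'<w:styles xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:style w:styleId="Heading1"/></w:styles>'
LURE_IMAGE = b"\x89PNG\r\n\x1a\n" + b"constructed-placeholder-image-bytes"  # stand-in, not a valid PNG


def build_docx(body: bytes, styles: bytes, image: bytes = b"") -> bytes:
    """Build a constructed minimal .docx-style zip for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("word/document.xml", body)
        z.writestr("word/styles.xml", styles)
        if image:
            z.writestr("word/media/image1.png", image)
    return buf.getvalue()


# Two lures built from the same template (same styles, same image, different text)
# and one unrelated document that only shares the boilerplate [Content_Types].xml.
DOC_A = build_docx(b"<w:document>Hotel reservation</w:document>", STYLES_TEMPLATE, LURE_IMAGE)
DOC_B = build_docx(b"<w:document>Invoice</w:document>", STYLES_TEMPLATE, LURE_IMAGE)
DOC_C = build_docx(b"<w:document>Unrelated</w:document>", STYLES_OTHER)

if __name__ == "__main__":
    for label, doc in (("A", DOC_A), ("B", DOC_B), ("C", DOC_C)):
        art = extract_artifacts(doc)
        for part, digest in {**art["pivots"], **art["images"]}.items():
            print(f"{label} {part}: {digest}")
    print("A/B share", len(shared_hashes(extract_artifacts(DOC_A), extract_artifacts(DOC_B))), "hashes")
    print("A/C share", len(shared_hashes(extract_artifacts(DOC_A), extract_artifacts(DOC_C))), "hashes")
```

Run against a corpus, the per-part hashes can be bucketed, and a hash that recurs across one actor's delivery documents but not across benign files is a usable pivot. Note that [Content_Types].xml is near-identical boilerplate in many legitimate documents, so on its own it will cluster unrelated files; the styles.xml hash and the image hashes carry far more signal, and the three are best used together, which is what the Gamaredon example above relies on.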
PDF Documents and Email Files
Unlike Office documents, PDF files do not contain embedded XML files or images. However, Adobe Acrobat Reader generates a thumbnail of the first page in BMP format, which can be used for pivoting.
VirusTotal demonstrated this with examples from the Blind Eagle threat actor and phishing activities targeting Tinkoff Bank.
Email files often include company logos to deceive victims.
VirusTotal identified several mailing campaigns by leveraging these images, including campaigns impersonating universities and companies.
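The same logo-hash pivot applied to email, as an added example that is not part of the original article: the code parses a raw message with Python's standard email module, hashes every image MIME part (inline logos and image attachments alike), and checks the hashes against a small table of known lure images. The sample message, the logo bytes and the hash-to-campaign table are all constructed here as placeholders for what a threat intelligence platform would supply.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def image_hashes_from_eml(raw: bytes) -> dict:
    """Map each image part (inline logo or attachment) of a raw RFC 822 message to its SHA-256."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = {}
    for part in msg.walk():
        if part.get_content_maintype() != "image":
            continue
        # Prefer the declared filename, then the Content-ID, then the bare content type as the label
        label = part.get_filename() or part.get("Content-ID") or part.get_content_type()
        found[label] = sha256_hex(part.get_payload(decode=True))
    return found


def match_lure_images(raw: bytes, known: dict) -> list:
    """Campaign labels whose known image hash appears in the message, de-duplicated and sorted."""
    return sorted({known[h] for h in image_hashes_from_eml(raw).values() if h in known})


# --- constructed sample data ---
LOGO_BYTES = b"\x89PNG\r\n\x1a\n" + b"constructed-university-logo-bytes"  # stand-in, not a valid PNG
LOGO_SHA256 = sha256_hex(LOGO_BYTES)

# Placeholder intel table: image hash -> campaign label (constructed for this example).
KNOWN_LURE_IMAGES = {LOGO_SHA256: "constructed-university-impersonation-campaign"}


def build_sample_eml() -> bytes:
    """Constructed phishing-style message with an inline logo, used as sample input."""
    msg = EmailMessage()
    msg["From"] = "registrar@university.example"
    msg["To"] = "student@university.example"
    msg["Subject"] = "Action required: verify your account"
    msg.set_content("Please sign in to confirm your enrolment.")
    msg.add_related(LOGO_BYTES, maintype="image", subtype="png",
                    filename="logo.png", cid="<logo@university.example>")
    return msg.as_bytes()


SAMPLE_EML = build_sample_eml()

if __name__ == "__main__":
    for label, digest in image_hashes_from_eml(SAMPLE_EML).items():
        print(f"{label}: {digest}")
    print("matched campaigns:", match_lure_images(SAMPLE_EML, KNOWN_LURE_IMAGES))
```

Because the image is hashed after MIME decoding, the same logo matches whether it is base64-encoded inline, attached, or embedded with a different Content-ID, which is what makes the hash a stable pivot across a mailing campaign. Hashes are defeated by any re-encoding of the image, so for broader clustering a perceptual hash would be the next step; exact hashes are still the cheapest first pass.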
VirusTotal’s innovative approach to tracking threat actors by examining artifacts linked to initial spreading documents offers a valuable addition to traditional hunting techniques.
By incorporating AI and focusing on embedded files and images, analysts can enhance their ability to monitor and identify potential threats.