In our previous malware analysis post, we dissected a malware sample using Bromium – a tool that protects your system with a micro VM. In this post we will take our investigation in another direction and use VirusTotal to see if the files (and URLs) we have been looking at are recognized as malicious. If you would like to catch up on previous posts, links to Part 1 and Part 2 are below.
- A Modern Phishing Attack: Part 1 – Malware Delivery
- A Modern Phishing Attack: Part 2 – Malware Analysis with OfficeMalScanner
- A Modern Phishing Attack: Part 3 – Malware Analysis with Bromium
What is VirusTotal?
VirusTotal is a free online tool for analyzing malware and suspicious URLs. Google acquired the company in 2012, but it continues to operate independently. VirusTotal allows you to submit samples for inspection against over 60 antivirus / domain blacklisting services. This means that if you have a file (or link) you believe to be suspicious, you can submit it and see which AV companies flag the submission as malicious. This is a very handy tool for everyone who works on the defensive side of information security. We have a sample – so let’s see how it ranks!
Original Malware Submission
According to this initial report, only 3 of 60 AV engines recognized our sample as malicious! That is clearly not good if you are relying on technical controls to protect your organization against the latest threats. It is also important to note that included in this are many of the fancy “Next Gen” endpoint products. That’s right – Cylance, Crowdstrike, and whatever the other “machine learning AI” flavor of the day did not catch this at all. This is not good, and also means that we have a very fresh malware sample on our hands! So what can we do next?
Based on our previous malware analysis work, we know a bit about how the malware works. Mainly that it downloads a second stage malware executable from a specific URL. The good news is that we can also investigate those with VirusTotal.
Checking a Link With VirusTotal
In addition to AV engines, VT also allows for checking of URLs / domains against a variety of blacklists. This helps the common defense: once a host serving malware is flagged, others can block it, a sort of crowd-sourced methodology. Let’s start with checking the root domain name from our malware: “trondyfeveryfeellnas[…]com”
NOTE: When we initially checked this domain at the time of the original sample collection, the result was clean. We did not take a screenshot at the time. The below screenshot is from ~1 week later.
The above shows that only 4/65 blacklists detected the domain name as being potentially hostile. Again, this is not good! We’re not done yet, however. Let’s try pointing VT at the second stage malware at “http://trondyfeveryfeellnas[…]com/TZ/goboti.pyc”.
Hmm – 2/63 – we are actually doing worse with that URL. Wait a minute though – we have one more trick left.
Upload the 2nd Stage Directly to VirusTotal
Since we can safely download the 2nd stage of this malware onto our testing system, let’s do that and then upload the executable file straight to VirusTotal.
Now we’re talking! At least some vendors are identifying this malware as a “Trojan”, including some larger / better known companies.
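The three lookups above (file by hash, URL, domain) can be scripted against the VirusTotal v3 REST API so that new samples are checked consistently. This is an added example, not code from the original post; it assumes an API key in the VT_API_KEY environment variable, and the two embedded responses are constructed to mirror the post's 3/60 and 2/63 results rather than captured from VT.

```python
import base64
import hashlib
import json
import os
import sys
import urllib.request

VT_API = "https://www.virustotal.com/api/v3"


def sha256_of_file(path):
    """Hash the sample locally: a hash lookup never uploads the file itself."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def vt_url_id(url):
    """VT v3 addresses a URL object by the unpadded base64url form of the URL."""
    return base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


def detection_ratio(report):
    """(malicious, engines that returned a verdict) from last_analysis_stats."""
    stats = report["data"]["attributes"]["last_analysis_stats"]
    total = sum(stats.get(k, 0) for k in ("malicious", "suspicious", "harmless", "undetected"))
    return stats.get("malicious", 0), total


def vt_get(object_path, api_key):
    """GET files/<sha256>, urls/<id> or domains/<name>; this is the only network call."""
    req = urllib.request.Request(f"{VT_API}/{object_path}", headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed responses shaped like VT v3 objects, mirroring the post's 3/60 and 2/63 results.
SAMPLE_FILE_REPORT = {"data": {"attributes": {"last_analysis_stats": {
    "malicious": 3, "suspicious": 0, "harmless": 0, "undetected": 57, "timeout": 0}}}}
SAMPLE_URL_REPORT = {"data": {"attributes": {"last_analysis_stats": {
    "malicious": 2, "suspicious": 1, "harmless": 55, "undetected": 5, "timeout": 0}}}}

if __name__ == "__main__":
    # Usage: VT_API_KEY=... python vt_check.py <sample_file> [second_stage_url]
    key = os.environ["VT_API_KEY"]  # assumption: key supplied via environment
    sample, *urls = sys.argv[1:]
    print("file   %d/%d" % detection_ratio(vt_get("files/" + sha256_of_file(sample), key)))
    for url in urls:
        print("url    %d/%d" % detection_ratio(vt_get("urls/" + vt_url_id(url), key)))
        print("domain %d/%d" % detection_ratio(vt_get("domains/" + url.split("/")[2], key)))
```

A 404 from the files endpoint means VT has never seen that hash, which is exactly the situation where uploading the file, as the post does with the second stage, is the next step.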
What have we learned?
To wrap up this post and the Modern Phishing Attack series, let’s take a look back at some important lessons learned.
- Phishing campaigns are getting sneakier in order to trick users who are becoming more aware
- Macros in Office documents are generally a bad thing – disable these if possible
- There are products, like Bromium, that offer fairly good protection and analysis of malware behavior
- More likely than not, endpoint protection products will not detect modern malware – it’s just too easy to disguise malicious programs
- Because users and endpoint products are not enough, there need to be additional layers of protection and detection to have real defense in depth. SIEM, network anomaly detection, and many other technologies should be part of a more complete/mature security stack.