Monday, January 22, 2024

Uncovering Hidden Threats with VirusTotal Code Insight

In the constantly changing world of cybersecurity, generative AI is becoming an increasingly valuable tool. This blog post walks through examples that slip past traditional detection engines yet are surfaced by Code Insight. The scenarios range from firmware patches for DJI drones that disable the red flight lights, to theft of WhatsApp session cookies, phishing aimed at Tesla customers, automated logins to the Medtronic CareLink Network, Bitcoin wallet attacks, TikTok view bots, unauthorized access to Netflix accounts, cheats for Roblox, and automation of Tinder matchmaking, along with a range of other cases.

Code Insight, based on Google Cloud Duet AI, was unveiled at RSA Conference 2023 as a new VirusTotal feature. It analyzes code snippets and produces natural-language reports written from the perspective of a cybersecurity and malware expert. Since its introduction, millions of files have been analyzed by Code Insight. The reports are available for consultation on each file, and the VirusTotal Enterprise service lets you search and aggregate them at scale. This allows security teams to examine large volumes of code quickly, pinpoint potential threats, and improve their overall security posture.

Let's delve into some intriguing anecdotal examples that demonstrate how we can uncover threats by utilizing the reports generated by Code Insight. These instances not only showcase the tool's analytical strength but also illustrate the practical applications of its findings in real-world cybersecurity scenarios.

Imagine working on the cybersecurity team at Roblox and wanting to explore what Code Insight has discovered. A simple query in VT Enterprise, such as codeinsight:Roblox, would yield more than 2,000 related files.


Now let's narrow the search. Say you're an Anti-Cheat Software Engineer at Roblox interested in the "Murder Mystery 2" game. Refining the VT Enterprise query to codeinsight:Roblox AND codeinsight:"Murder Mystery 2" AND codeinsight:cheat makes the results much more specific: the query returns a single file.


Although VirusTotal received the file as plain text, Code Insight correctly classifies it as a Lua script and provides a detailed report on its functionality. This example shows Code Insight's precision in identifying and analyzing content within a specific context, which is invaluable for targeted investigations.

6cc2daf625f329f10c0771eea5924d868edf5445de6565acdd2e02d9c89f70b6

Shifting our focus, let's say we are now investigating a technique used to modify the firmware of DJI drones that turns off LED lights during flight. To discover if Code Insight has identified such modifications, we could use a targeted VT Enterprise search: codeinsight:DJI AND codeinsight:firmware AND codeinsight:lights. Voilà, the search results reveal this:

eb252a56cdfe3c66ba45b4a87863d0dafb18dce49ea42bcbb766e769dbba9e6e

As the previous examples demonstrate, locating interesting samples with the "codeinsight:" operator is remarkably easy. This is because the operator searches the natural-language reports the AI generates from the code and functionality of each file, rather than the raw file contents, so you can hunt with the vocabulary of the threat itself (product names, behaviours, targets) instead of byte patterns. Keep in mind that the report is a model-generated interpretation: treat a hit as a lead to confirm against the sample, not as a verdict.

Next, we'll present more cases that have been detected using Code Insight, further showing its effectiveness:

Stealing cryptocurrency by replacing addresses from the clipboard

0cf3a43dca5fdb2df9fd6743c8ecac228c1b27823ad0134fc92f384c6b497245

Script that automates the process of logging into the Medtronic CareLink Network

56742933e6384a2911a4f27ab14c927941ece836f34e5fa7699caf17f4a1dd72

Script that steals WhatsApp session cookies

4d128460d2426ba0a47dfe70b3d54ee6e9d331c7889bef61974b3fd5af0e38c3

More examples:

These are just a few examples of how Code Insight can augment our threat intelligence processes and assist in identifying new targeted threats. We encourage you to try it in your investigations, experiencing its capabilities in enhancing your cybersecurity efforts. Stay tuned, as we will soon announce new features for Code Insight. Until then, happy hunting!

Monday, January 01, 2024

Monitoring malware trends with VT Intelligence

Please note that this blogpost is part of our #VTMondays series, check out our collection of past publications here.
VT Intelligence can be a powerful tool for monitoring malware trends, enhancing your detection capabilities and enabling proactive defense against evolving threats. To use it effectively, analysts can refine searches with threat indicators relevant to their business, their technologies and the malware trends of the moment, then use the results to hunt emerging malicious samples and investigate new capabilities.

To begin with a simple query, we will search for files ("entity:files") first seen during the last week ("fs:7d+") that AV vendors detect as a keylogger ("engines:keylogger") with at least 5 positives ("p:5+"; the trailing "+" means "this value or more").

In our second query we search for fresh ("fs:7d+") Windows, Linux or macOS executables ("type:peexe or type:elf or type:macho"). To focus on popular or emerging malware, we add the submissions modifier with a relatively high value ("submissions:10+"). These thresholds are illustrative and can be adjusted to the investigation.

Finally, we will look for Zip files ("type:zip") that potentially contain ransomware. To filter by AV engine verdict we use the "engines" keyword ("engines:ransom or engines:ransomware"), including both the "ransom" and "ransomware" strings because engines name their verdicts differently. An alternative way of finding ransomware is through dedicated crowdsourced YARA rules ("crowdsourced_yara_rule:ransomware").
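The following Python script is an added example, not VirusTotal's own code. It composes the three trend queries above (with adjustable thresholds) and the "codeinsight:" queries from the Code Insight post, runs them against the VT Intelligence search endpoint with cursor pagination, and reduces the returned file objects to a short hunting table. It assumes the v3 endpoint GET /api/v3/intelligence/search (a VT Enterprise feature) with an x-apikey header, file objects under "data" and a continuation token under "meta.cursor"; the SAMPLE_PAGES data is constructed for offline use and does not describe real files.

```python
"""Compose and run VT Intelligence searches (added example, not VirusTotal code).

Assumes GET /api/v3/intelligence/search returns file objects in "data" and a
continuation token in "meta.cursor". SAMPLE_PAGES is constructed, not real data.
"""
import json
import os
import urllib.parse
import urllib.request

VT_API = "https://www.virustotal.com/api/v3"


def codeinsight_query(*terms):
    """Build a codeinsight: search, e.g. codeinsight:Roblox AND codeinsight:"Murder Mystery 2"."""
    parts = []
    for term in terms:
        # multi-word terms are quoted so the operator matches the whole phrase
        parts.append(f'codeinsight:"{term}"' if " " in term else f"codeinsight:{term}")
    return " AND ".join(parts)


def fresh_keyloggers(days=7, min_positives=5):
    """First trend query: recently seen files flagged as keyloggers."""
    return f"entity:files fs:{days}d+ engines:keylogger p:{min_positives}+"


def popular_fresh_executables(days=7, min_submissions=10):
    """Second trend query: fresh Windows, Linux or macOS executables with many submissions."""
    return (f"entity:files fs:{days}d+ (type:peexe or type:elf or type:macho) "
            f"submissions:{min_submissions}+")


def ransomware_zips(use_yara=False):
    """Third trend query: zip archives flagged by engines, or by crowdsourced YARA."""
    if use_yara:
        return "entity:files type:zip crowdsourced_yara_rule:ransomware"
    return "entity:files type:zip (engines:ransom or engines:ransomware)"


def _http_fetch(api_key, params):
    """Fetch one page of /intelligence/search; params carry query, limit and cursor."""
    url = f"{VT_API}/intelligence/search?{urllib.parse.urlencode(params)}"
    req = urllib.request.Request(url, headers={"x-apikey": api_key, "accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def search(query, api_key, limit=50, max_pages=5, fetch=_http_fetch):
    """Follow meta.cursor until it is absent or max_pages is reached.
    The page bound keeps a broad query (codeinsight:Roblox alone returns
    thousands of files) from walking the entire result set."""
    params = {"query": query, "limit": min(limit, 300)}
    objects = []
    for _ in range(max_pages):
        page = fetch(api_key, params)
        objects.extend(page.get("data", []))
        cursor = page.get("meta", {}).get("cursor")
        if not cursor:
            break
        params["cursor"] = cursor
    return objects


def summarize(file_objects, min_positives=0):
    """Reduce file objects to hunting rows, dropping those below min_positives."""
    rows = []
    for obj in file_objects:
        attrs = obj.get("attributes", {})
        positives = attrs.get("last_analysis_stats", {}).get("malicious", 0)
        if positives < min_positives:
            continue
        rows.append({"sha256": obj.get("id"), "type": attrs.get("type_description"),
                     "positives": positives, "submissions": attrs.get("times_submitted")})
    return sorted(rows, key=lambda r: r["positives"], reverse=True)


# Constructed two-page response (hashes and counts are made up) so the
# pagination and triage logic can be exercised without an API key.
SAMPLE_PAGES = {
    None: {"data": [{"type": "file", "id": "a" * 64, "attributes": {
               "type_description": "Lua script", "times_submitted": 12,
               "last_analysis_stats": {"malicious": 7, "undetected": 60}}}],
           "meta": {"cursor": "page2"}},
    "page2": {"data": [{"type": "file", "id": "b" * 64, "attributes": {
               "type_description": "Win32 EXE", "times_submitted": 3,
               "last_analysis_stats": {"malicious": 2, "undetected": 65}}}],
              "meta": {}},
}


def offline_fetch(api_key, params):
    """Stand-in for _http_fetch that serves SAMPLE_PAGES keyed by cursor."""
    return SAMPLE_PAGES[params.get("cursor")]


if __name__ == "__main__":
    key = os.environ.get("VT_API_KEY")  # real API calls only when a key is set
    fetch = _http_fetch if key else offline_fetch
    for q in (codeinsight_query("Roblox", "Murder Mystery 2", "cheat"),
              fresh_keyloggers(), popular_fresh_executables(), ransomware_zips()):
        print(q)
        for row in summarize(search(q, key or "", fetch=fetch), min_positives=5):
            print("  ", row)
```

With VT_API_KEY set, the script runs the queries live; without it, it replays the constructed pages. The page bound in search() and the min_positives filter in summarize() are the two knobs to tune when a query is broad, and the min_positives post-filter is separate from the "p:" modifier so that a query fetched once can be re-triaged at several thresholds.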

You can learn more about file search modifiers in the documentation.
As always, we would like to hear from you.
Happy hunting!