Tuesday, October 13, 2020


Tracing fresh Ryuk campaigns itw

Ryuk is one of the most dangerous ransomware families. It is (allegedly) run by a specialized cybercrime actor that during the last 2 years has mainly focused on targeting enterprise environments. The amount of bitcoin demanded in their ransom attacks varies depending on the target. Some of the wallets used by the group to collect ransom payments reached millions of dollars in a few weeks.

Protecting against such attacks is one of the main priorities for any CISO or security team. This is a problem that should be approached from different perspectives, prevention (likely) being the most relevant one.

Now, what can be done in terms of prevention? Information is power: the first thing we need is to understand how the new campaigns are operating. Is the malware distributed through phishing, or by exploiting vulnerabilities? Do they use brute force attacks? Maybe all of these together?

In addition to the TTPs described above, we want as many technical details as possible. This will result in very valuable Indicators of Compromise we can use for protecting our infrastructure: deploying networking indicators to disrupt malware communication, making sure our Yara rules will detect all the components of the attack, launching regular scans in our infrastructure to detect any artefact used in the campaign.

We need to quickly deploy our fishing nets to catch everything related to fresh new campaigns! And then to keep monitoring for a while to make sure we keep our systems updated as attackers evolve.

In this blogpost we will describe how we used VirusTotal to detect and monitor new Ryuk activity. However, this is a very specific case where we want to show how our IDA plugin can save us a lot of time when dealing with certain samples.

If you want to learn more about how you can keep your organization safe from ransomware and how to easily leverage VirusTotal to monitor ransomware activity, please join us for our next Anti-ransomware workshop - English (Live November 4th, 1pm ET) and Spanish (Live October 28th, 17:00 CEST) versions available.

Starting the investigation

Two weeks ago new files were uploaded to VirusTotal (1, 2). According to the crowdsourced YARA rule that identified them, these files looked like Ryuk malware.




A closer look revealed that these samples had probably been dumped from memory: the disassembled code showed plenty of memory-mapped addresses, the import table was missing and the samples crashed when executed. They were definitely corrupted PE files.

Given these were fresh samples, we certainly wanted to know more about them, especially whether they were part of a bigger campaign. In such cases, one of our best allies is looking for similar samples that could also be part of the attack. However, when working with memory dumps we need to be careful, since some segments and memory-mapped addresses will probably be execution-specific. If we include any of those specifics in our search, we won't be able to find other samples.

IDA plugin to the rescue

One of the options would be to rebuild the samples we found, which is an extremely time-consuming process. Instead, we can use the VirusTotal IDA plugin (see the original blog post announcement) to help us search for the original sample. Using the "search for similar code" functionality we can create a query that ignores all the memory-mapped addresses, which makes it a perfect fit for our problem.

Taking a look at the samples with IDA, we can see there are many functions that aren't properly identified by the disassembler engine given the use of anti-disassembly techniques. Precisely for this reason, they are good choices for searching for code similarity.



We just need to select the code, right-click, and search for similar code. The resulting query will take care of ignoring all the memory-mapped addresses we wanted to get rid of.



The resulting listing of all the files found shows very close first-submission times. Also, some of them report behaviour activity, meaning they executed in the sandboxes without crashing: maybe one of them could be our original sample.

Picking one of our initial samples and another one with behavioural information, we can see that:
  • They don't show up as similar when doing a similarity search (as expected).
  • They have some long sequences of bytes in common.

Is this our sample?

At this point we feel confident that the new sample found is the one we were looking for. Indeed, starting from this sample and taking a look at the (undetected) function located at 0x35008A60, we select a large sequence of instructions with the IDA plugin (as we did before) for a new search. This results in only 4 files that match the query generated: our two initial samples, another file that's also corrupted, and the previously chosen sample that detonated in our sandboxes. Therefore, this is the second time that we get this file when looking for similar code.

Going deeper, we see that it shares the same PE entry point as our two initial corrupted files. Furthermore, their WinMain functions are the same. Initially it looks like a quite simple function, composed of only three blocks of code. But, after overcoming the anti-disassembly trick implemented to confuse IDA, we can compare both function graphs and see the similarity. We conclude that we found the original sample.



What now?

At the time of this research there isn't any Yara rule detecting the original sample and it has 28/71 positives. Inside this file we can find encrypted strings that are extremely useful for pivoting to find additional samples. These strings are included in the corrupted files as well, stored in the ".gfids" segment at the end of the file. In other words, they aren't located in the ".data" segment as seen in the original sample. This new location reveals that probably these strings were initially encrypted and became decrypted after execution, thus they can be seen as footprints of the original sample.



Using the VT-IDA plugin we can search for other files that contain these encrypted strings. As expected, the four files found before are listed now, but there are two other samples that were submitted three days prior to our original sample and can also be investigated.

Moreover, all these new strings can be used to improve the original Yara rule that brought us here, or to create a new one! Remember to keep it running as a LiveHunt to make sure you keep track of any new Indicators of Compromise and to detect anything new attackers use in their campaigns. You can find all the details about the campaign described in this blogpost in the following VT-Graph.

This post was co-authored by Vicente Diaz.

Monday, August 24, 2020


Learn how malware operates so you can defend yourself against it

TL;DR: VirusTotal is hosting an APJ webinar on August 27th showcasing our advanced threat enrichment and threat hunting capabilities, register for the webinar, it is free.

Following the EMEA webinar that we recently conducted (watch on demand if you missed it), we want to spread the word about all the features and capabilities your team can take advantage of with VirusTotal. Our mission is to improve security for billions of users by coordinating and empowering distributed security teams, acting as the nexus of the security industry, and it is with you, our community of users, that we are able to execute on it.



Join our upcoming webinar “Advancing Threat Intelligence & Hunting with VirusTotal”, where we will run you through a detailed and comprehensive overview of VirusTotal Intelligence and Hunting capabilities. It will showcase the search capabilities within VirusTotal that help sift through the vast amount of malware, show how a given threat may be pertinent to your organization, and cover ways to track that threat for future variants. An investigation can start from IoCs with little context; by leveraging the data in VirusTotal, an analyst can uncover additional variants and the techniques attack groups may be utilising. Learn how VirusTotal can supercharge your team in regards to:

  • Security threat enrichment
  • Incident response
  • Threat hunting
  • Fraud and brand protection
Specifically, among other things, you will understand how:
  • A SOC level 1 analyst can use static information, crowdsourced metadata and inter-observable relationships generated by VirusTotal in order to confidently act on an alert, even when the pertinent IoC is fully undetected.
  • An incident responder can leverage file similarity search in order to map out an entire threat campaign and generate network IoCs to mitigate a breach or proactively defend his organization.
  • Identify variants and other threats to augment your organization’s prevention and detection capabilities.
  • Uncover vectors which adversaries may be using to target your organization and your customers.
  • A threat hunter can automatically generate optimal YARA rules to track adversaries and pivot through the dataset to discover their TTPs.
Knowledge is power, learn how malware operates so you can defend yourself against it.

Stay positive, remain resilient, fight the bad guys.

Tuesday, June 09, 2020

VirusTotal += Cynet

We welcome the Cynet engine to VirusTotal. In the words of the company:

“Cynet 360 is an autonomous breach protection platform that includes multi-layered anti malware capabilities including AI-based static analysis, process behavior monitoring, memory monitoring, sandboxing, and granular whitelisting, interlocking together to protect against malicious executables, exploits, scripts, Macros, LOLbins, malicious process injection and other fileless attacks. Cynet 360 protection ranges across the entire malware lifecycle identifying malicious attributes in either the pre-execution stage by analyzing the file in its binary form or across multiple stages throughout the process execution.”

Cynet has expressed its commitment to follow the recommendations of AMTSO and, in compliance with our policy, facilitates this review by Virus Bulletin, an AMTSO-member tester.

Wednesday, May 27, 2020


I did not know you could do X, Y, Z with VirusTotal

TL;DR: VirusTotal is hosting an EMEA webinar on June 4th showcasing our advanced threat enrichment and threat hunting capabilities, register for the webinar, it is free.

“I did not know you could do X, Y, Z with VirusTotal”: this is the most common feedback that we hear from our users whenever we jump on calls, give demos or talk at conferences. Our mission is to improve security for billions of users by coordinating and empowering distributed security teams, acting as the nexus of the security industry, and it is with you, our community of users, that we are able to execute on it.


Join our upcoming webinar “Supercharging Your Security Operations with VirusTotal”, where we will run you through a detailed and comprehensive overview of how VirusTotal can step up your security operations, from SOC Level 1 analysts confronted with IoCs for which they have very little context, to advanced threat hunters tracking state-sponsored attacks. Learn how VirusTotal can supercharge your team in regards to:

  • Security threat enrichment
  • Incident response
  • Threat hunting
  • Fraud and brand protection
Specifically, among other things, you will understand how:

  • A SOC level 1 analyst can use static information, crowdsourced metadata and inter-observable relationships generated by VirusTotal in order to confidently act on an alert, even when the pertinent IoC is fully undetected.
  • An incident responder can leverage file similarity search in order to map out an entire threat campaign and generate network IoCs to mitigate a breach or proactively defend his organization.
  • A threat hunter can automatically generate optimal YARA rules to track adversaries and pivot through the dataset to discover their TTPs.
  • A threat intel analyst can pivot over URLs, Domains and IPs to burn down threat campaigns not by studying the malware itself, but rather the CnC panels controlling it. Furthering such pivoting to uncover a specific threat actor operating a given cybercrime malware family. 
  • An ecrime/anti-fraud analyst can leverage network infrastructure searches to study phishing campaigns against a financial institution, and extend those searches into the file corpus in order to identify fraudulent apps impersonating his organization. 
  • Automate all of the above and start thinking about live data enrichment to step up your onion-layered security model and complement your security stack.
Knowledge is power, learn how malware operates so you can defend yourself against it.

Stay positive, remain resilient, fight the bad guys.

Wednesday, February 26, 2020


Uncovering threat infrastructure via URL, domain and IP address advanced pivots a.k.a. Netloc Intelligence




Quick links:
https://support.virustotal.com/hc/en-us/articles/360001387057
https://developers.virustotal.com/v3.0/reference#intelligence-search
https://github.com/VirusTotal/vt-py

Ten years ago, VirusTotal launched VT Intelligence, a critical component of VT Enterprise which offers users the capability to search over VirusTotal's dataset using advanced search modifiers. VT Intelligence allows security professionals to pinpoint malware based on its structural, behavioural, binary, metadata and other properties in order to uncover entire threat campaigns.

For example, the following search query instructs VirusTotal to search for all documents that make use of macros whose static analysis seems to reveal some kind of payload execution and that when executed in a dynamic analysis environment (sandbox) reach out to a URL (highly suspicious sequence of events):
type:docx tag:macros tag:run-file behaviour_network:http



By drilling down within the VT corpus and identifying these kinds of suspicious patterns, analysts can discover new threats and build the defenses for them.

However, this approach has certain limitations. In the context of an attack, hashes/files are among the last observables; to mitigate a threat, analysts often must begin by studying the campaign at the network level. A single domain/URL/IP address might be used to distribute thousands of server-side polymorphic variants of the same malware family. Similarly, it is very often far easier to discover new threat campaigns by focusing on the network side of things: has an adversary set up a new domain to distribute his malware? Can I block that domain in my network perimeter defenses (IDS, firewalls, web proxy, etc.) even before he leverages it to distribute malware? VT Graph lets you see this easily:



As you can see, by blocking the domain bbvaticanskeys[.]com we would, all of a sudden, be killing the chances of our organization’s users downloading any malware that it delivers now or in the future, and we would also be preventing the exfiltration of data to the domain if the compromise had already taken place. Note that hundreds of different variants communicate with the domain. In an onion-layered security model it is important to build defenses not only against the bullets, but also against the gun, the bad actor carrying the gun and the organization to which they belong.



Enter VT Intelligence’s netloc faceted search layer. We are supercharging the investigation capability of VT Enterprise customers by allowing a myriad of search modifiers over the domains, IPs and URLs that VirusTotal scans and sees in its backend processes, at no extra cost. This new functionality has been seamlessly rolled out to your accounts and it will simply consume search quota in the same manner that traditional VT Intelligence and VT API queries do.

So what exactly does this mean for investigators? VirusTotal can now power numerous new use cases:

Discover new threat campaign infrastructure set up via builders/kits and perform early blocking at the network perimeter level


Often adversaries instrument their attacks via trojan builders, exploit kits, command-and-control panels, etc. It is basically tooling that allows less technical crooks to set up an attack or that accelerates the time to launch a campaign.

The catch is that these kits often lead to repeated patterns that can be used to identify an attack:
  • Common URL path subsequences.
  • Uncommon HTTP ports.
  • Distinctive server HTTP response headers.
  • Repeated URL GET/POST parameters across campaigns.
  • etc.
Repetition of server setup patterns is something you can easily observe by browsing over something like URLhaus:



With the netloc intelligence module you can now launch searches like:

entity:url query_field:worker query_value:universal - Silentbruter malware
entity:url path:"fre.php" - LokiBot CnC
entity:url port:7000 path:gw
entity:url path:"/zehir/z3hir"
entity:url path:"bstr.php"
entity:url path:"tuk_tuk.php"
entity:url path:"/private/checkPanel.php"

With regards to path commonalities, Virus Bulletin recently published an article dissecting C&C panel deployments; it clearly portrays how new malware variants and threat infrastructure can be identified by focusing on CnC kit patterns:



The author’s observations are easily backed with the following VT Intelligence search:
entity:url path:"PvqDq929BSx_A_D_M1n_a.php"

By focusing on the newest sightings first, you can immediately discover new infrastructure being set up by attackers. You can block the pertinent domains/IPs long before they may impact your organization and very often long before blocking technologies catch up on the malware that they deliver.

Track threat actors by revealing new threat infrastructure operated by the same group


Sometimes the patterns do not surface in the URL itself but rather in the domain registration details, SSL certificates, DNS TXT records, etc. It is not uncommon to see attackers registering new domains with the same email address or identical fake physical address. The new netloc intelligence component allows you to pivot over (anonymized - privacy preserving) whois details.

Let’s look at an interesting reported campaign:

New Advanced Phishing Kits Target Digital Platforms
“We hit pay dirt. Whois records for both of these name servers reveal more than a thousand additional malicious domains using similar naming conventions.”

Name servers:
ns1.anx[.]link
ns1.anx-dns[.]link
ns1.anxdns[.]io

We can craft a whois search to identify other domains making use of the same name servers:
entity:domain whois:"ns1.anx.link"

We can also do it at the DNS records level:
entity:domain ns_record:"ns1.anx.link"
entity:domain txt_record:"tsdomain"

Note that all these pivots surface as quick links on basically every section in the details of observable reports, meaning that when looking at a particular IP/domain you can immediately jump to other related infrastructure:



This is something that applies to pretty much every information block, not only to the Whois lookup. For example, you may click on an SSL thumbprint to discover other IPs that make use of a given SSL certificate. This builds upon our existing capabilities to discover other infrastructure operated by the same group, namely our pDNS dataset:
https://www.virustotal.com/gui/ip-address/206.54.170.81/relations

Other interesting commonly reused artefacts that can be searched for are trackers or cookie names.

Protect your brand and discover phishing campaigns


Phishing sites against a particular bank or online service will often make use of typosquatting, or will contain the name of the given service as a subdomain of an illegitimate domain. This allows investigators to find URLs in the dataset that do not belong to the original brand:
entity:url hostname:"*gmail*" p:1+

This said, sometimes the attackers will avoid including the legitimate name in the domain string so as to prevent easy detection. In those cases we can still discover new phishing campaigns. For instance, let us focus on websites that make use of Gmail’s favicon:
https://www.virustotal.com/gui/search/entity:url%20main_icon_dhash:%2200e8e0968ee8d48a%22/urls



Similarly, we can look into certain indexed metadata, such as the title of the page or meta tags:
entity:url title:"Sign in - Google Accounts" p:5+

More generally, you might just be interested in keeping up with the phishing landscape:
entity:url AND (category:phishing OR engines:phishing) AND positives:3+


Feed your IDS/SIEM/webproxy blocks, etc. with IoCs based on anomalous or suspicious patterns


Sometimes you do not really know what you are hunting for, but you can unearth threats by focusing on highly suspicious sightings. Why would someone configure a server to return an “image/jpeg” HTTP response header when serving a Windows executable? The only reason is probably to try to circumvent very basic web proxy filtering:
entity:url header_value:"image/jpeg" tag:downloads-pe



This logic can also be applied to URL paths; the extension modifier tries to identify the file extension within the URL path:
entity:url extension:jpg tag:downloads-pe

On this front, identifying double extension tricks also comes to mind as an easy hunting dork:
entity:url path:".jpg.exe"

Similarly, attackers tend to reuse deception techniques such as spamming users to deceive them into downloading malicious documents that claim to be some kind of invoice or payment request (e.g. Emotet spreading):
entity:url header_value:"attachment;filename" header_value:"invoice" tag:downloads-doc
entity:url header_value:"attachment;filename" header_value:"payment" tag:downloads-doc



Executable downloads on non-standard HTTP ports are often worth deeper inspection:
entity:url tag:downloads-pe port:81+ NOT port:443 NOT port:8080

Open directories are also a common place to hunt for malware:
entity:url tag:opendir tag:contains-pe p:1+

As well as executables served via bare IP address URLs that are repeatedly submitted to VirusTotal:
entity:url tag:ip tag:downloads-pe submissions:20+
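The same suspicious-sighting patterns can be checked locally against your own web-proxy or sandbox download records. The following is an added example (not VirusTotal code) that encodes the content-type mismatch, image-extension, double-extension, invoice-lure, non-standard-port and bare-IP rules from the queries above; the record format and the sample records are constructed for this example.

```python
"""Flag suspicious HTTP download records with the hunting patterns discussed above.

Added example, not VirusTotal code.  Records are dicts with the requested URL, the
response headers and the first bytes of the body; this format and the sample
records below are assumptions made for the example.
"""
import ipaddress
from urllib.parse import urlsplit

PE_MAGIC = b"MZ"                                   # Windows executable (downloads-pe)
DOC_MAGICS = (b"\xD0\xCF\x11\xE0", b"PK\x03\x04")  # OLE2 .doc/.xls and OOXML (zip) containers
IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "bmp"}
LURE_WORDS = ("invoice", "payment")


def body_kind(body):
    """Classify a response body by its magic bytes: 'pe', 'doc' or 'other'."""
    if body.startswith(PE_MAGIC):
        return "pe"
    if body.startswith(DOC_MAGICS):
        return "doc"
    return "other"


def is_bare_ip(host):
    """True when the URL host is a literal IPv4/IPv6 address (the tag:ip case)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def path_extensions(path):
    """Lower-cased extensions of the last path component: '/a/b.jpg.exe' -> ['jpg', 'exe']."""
    name = path.rsplit("/", 1)[-1]
    return [part.lower() for part in name.split(".")[1:]]


def flag_record(rec):
    """Return the names of the hunting rules a record triggers (empty list = clean)."""
    parts = urlsplit(rec["url"])
    headers = {k.lower(): v.lower() for k, v in rec["headers"].items()}
    kind = body_kind(rec["body"])
    exts = path_extensions(parts.path)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    hits = []
    # header_value:"image/jpeg" tag:downloads-pe
    if kind == "pe" and headers.get("content-type", "").startswith("image/"):
        hits.append("image-content-type-serves-pe")
    # extension:jpg tag:downloads-pe
    if kind == "pe" and exts and exts[-1] in IMAGE_EXTENSIONS:
        hits.append("image-extension-serves-pe")
    # path:".jpg.exe" (any image extension followed by .exe)
    if len(exts) >= 2 and exts[-1] == "exe" and exts[-2] in IMAGE_EXTENSIONS:
        hits.append("double-extension")
    # header_value:"attachment;filename" header_value:"invoice"/"payment" tag:downloads-doc
    disposition = headers.get("content-disposition", "")
    if kind == "doc" and disposition.startswith("attachment") and any(w in disposition for w in LURE_WORDS):
        hits.append("invoice-lure-document")
    # tag:downloads-pe port:81+ NOT port:443 NOT port:8080
    if kind == "pe" and port >= 81 and port not in (443, 8080):
        hits.append("pe-on-nonstandard-port")
    # tag:ip tag:downloads-pe
    if kind == "pe" and is_bare_ip(parts.hostname or ""):
        hits.append("pe-from-bare-ip")
    return hits


def triage(records):
    """Map each URL that triggers at least one rule to the rules it triggered."""
    return {r["url"]: flag_record(r) for r in records if flag_record(r)}


# Constructed sample records (documentation hosts and TEST-NET addresses only).
SAMPLE_RECORDS = [
    {"url": "http://203.0.113.7:8081/img/photo.jpg",
     "headers": {"Content-Type": "image/jpeg"},
     "body": b"MZ\x90\x00\x03\x00\x00\x00"},
    {"url": "https://files.example.net/dl/report.jpg.exe",
     "headers": {"Content-Type": "application/octet-stream"},
     "body": b"MZ\x90\x00"},
    {"url": "http://mail.example.org/get.php?id=4471",
     "headers": {"Content-Type": "application/msword",
                 "Content-Disposition": "attachment;filename=Invoice_4471.doc"},
     "body": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"},
    {"url": "https://cdn.example.com/logo.png",
     "headers": {"Content-Type": "image/png"},
     "body": b"\x89PNG\r\n\x1a\n"},
    {"url": "http://198.51.100.4/update.bin",
     "headers": {"Content-Type": "application/octet-stream"},
     "body": b"MZ\x90\x00"},
]
```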

Same goes for DGA-like patterns:
entity:domain tag:dga detected_communicating_files_count:10+ communicating_files_max_detections:10+

Malicious domains can also be surfaced by focusing on their relationships. In these cases we do not track particular actors or campaigns, but rather high numbers of malicious sightings around the pertinent network locations:

entity:domain detected_downloaded_files_count:1+ detected_urls_count:1+ detected_communicating_files_count:1+ detected_referring_files_count:1+

entity:ip detected_downloaded_files_count:1+ detected_urls_count:1+ detected_communicating_files_count:1+ detected_referring_files_count:1+

When considering detections of connected entities, probably the most interesting search is to identify undetected URLs that download some kind of malicious file:
entity:url positives:0 response_positives:10+

All of these suspicious sightings can be extended to your own organization’s properties in order to dig deeper into threats that interact directly with your domains or IP ranges:
entity:domain domain:"*.google.com" detected_communicating_files_count:10+ communicating_files_max_detections:10+



Filters on the IP address CIDR are also allowed, to focus exclusively on your network ranges:
entity:ip ip:"35.224.0.0/12" AND ((detected_communicating_files_count:10+ communicating_files_max_detections:10+) OR (detected_downloaded_files_count:10+ downloaded_files_max_detections:10+))

All of this said, we acknowledge that the current facets and indexed data might not be perfect. Over the coming months we will be adding new modifiers based on more use cases that you may have, so please do not hesitate to contact us with suggestions and feature requests. We are pretty certain that one of the most prevalent asks will be to expose some kind of YARA-like Livehunt capability in order to set up notifications for new network-level sightings: more on that front later this year.

The described functionality is now also exposed via APIv3:
https://developers.virustotal.com/v3.0/reference#intelligence-search
https://github.com/VirusTotal/vt-py

Oh, and one last thing, you may have already noticed that we recently added domain and IP address verdicts to extend the reputation capabilities that we already offered for files and URLs.

Happy hunting!

Thursday, February 20, 2020


VirusTotal MultiSandbox += QiAnXin RedDrip


VirusTotal would like to welcome QiAnXin RedDrip to the multi-sandbox project! QiAnXin is now sending execution behavior reports to the VirusTotal ecosystem for a wide variety of file types.





In their own words:
QiAnXin RedDrip Sandbox, developed by QI-ANXIN Threat Intelligence Center, is a cloud‐based malware analysis service provided to security researchers, analysts as well as ordinary individuals. Based on hardware virtualization technology, the sandbox contains fewer traits inside the monitored guest system that the malware could be aware of. The runtime environment also gets tailored to behave like a potential victim, rather than an analysis machine. We do this through invalidating available checkpoints, simulating keyboard/mouse interactions, and so on. It is able to handle many file types, probe and trigger infection vectors. These features help us to discover APTs more easily and result in the discovery of zero-day attacks in the wild. By using the service, people gain a better understanding of the malware and can perform intelligence hunting more conveniently.

On VirusTotal you can find the QiAnXin reports on the Behavior tab:



Here are some interesting samples to highlight QiAnXin RedDrip’s capabilities:


LNK File


Example:
529177610e30a96c2c8a5b40f5015ce449eb611e06d5d75e66730236cc83bdc6

Within the processes and services actions section we can see that, while the HWP document is opened for the victim, a VBE script is silently launched in the background. HWP files are popular in South Korea.



Knowing about this, advanced users can then leverage VT Intelligence modifiers to build logic to flag suspicious LNK files, for instance:
type:lnk behaviour_processes:start

 

RAR File with malicious DLL side loading with goodware EXE


Example:
9155afcf50ee1c2a4b217034ddd43ceb48ea8ead94fa6d9e289753f2fadb82dc

This RAR file is interesting because it contains a trusted and digitally signed WinWord executable from Microsoft, as well as a malicious DLL to be side loaded. Attackers often use DLL side loading to avoid detection.



As usual in our multisandbox effort, network observations contribute to the file’s relations, meaning that we can use VT Graph to shed light on a threat campaign:


 

A ZIP file that contains executables and scripts


Example:
97eabe0eda591b9a7059b71156f5d3a50f371c2a6a9ef7136943b8b80925704c

RedDrip uses 7z to decompress ZIP packages; it then runs through the package contents and identifies interesting files to execute. This is particularly useful for multi-modular malware, where a given malicious file has certain dependencies and will not execute unless it can find them. Packaging up all dependencies in a single bundle overcomes this limitation.

Outlook email


Example:
216ac0a63ce9103a1b5c7d659806675e7188893e98fbaed56e9a90a2a17b53c7

This example illustrates email being used as an attack vector by adversaries. Here a malicious document attachment gets extracted and runs a PowerShell script. RedDrip extracts the attachment and opens/executes it, revealing the entire attack chain and allowing us to tie network infrastructure to the original bait.



If we switch over to the relations tab, the network recordings are immediately visible. We can see that the contacted URLs, domains and IPs are most likely benign. From here we could pivot and continue investigating in VT Graph:



Most importantly, the fact that RedDrip will follow subsequent executions allows performing advanced searches to identify suspicious patterns in VT Intelligence, for instance:

type:outlook behaviour_processes:"winword.exe" have:behaviour_network

This enables us to unearth malicious files that may not yet be detected. This particular query asks VirusTotal to return all those Outlook messages that, upon being opened, launched Microsoft Word (they contained a document attachment) and gave rise to network communications (the document reached out to some URL, domain or IP, probably as a consequence of an exploit or a macro execution).

 

MS Word Document


Example:
e5b3792c99251af6a9581cd2e27e5a52b9c39c6d704985c4631a0ea49173793e

By now, given all of the previous examples, it is obvious that RedDrip will open documents and execute macros. It records all of the activity observed for the macro and any subsequent payloads that it may drop or download:


Switching over to the relations tab we can see how it relates to other contacted URLs, Domains, and IP addresses, and the detections of those entities. This is rich contextual information to make better decisions even when an individual file might not yet be widely detected.


All of the actions are also indexed in VT Intelligence, such that a simple click on the pertinent observation allows us to discover other samples exhibiting a given pattern. For instance, we can click on the HTTP requests in order to get to other files that reach out to the same URL:

VT Intelligence will then automatically surface commonalities (shared patterns) that may be used as IoCs in your security toolset:


Seeing the wide variety of file types handled by QiAnXin RedDrip, it is a very interesting addition to the VirusTotal multi-sandbox project.

Welcome and happy hunting! 

Monday, February 10, 2020


Official VirusTotal Plugin for IDA Pro 7

ATTENTION: In order to use the content search functionality you will need to have access to VT Intelligence. If you want to jump straight ahead and install the plugin, please refer to its GitHub repository.





VirusTotal is very excited to announce a beta release of a new plugin for IDA Pro v7 which integrates VT Intelligence’s content search directly into IDA.

This plugin adds a new "VirusTotal" entry to the IDA Pro context menu (disassembly and strings windows), enabling you to search for similar or exact data on VirusTotal. It translates the user selection into a query that VTGrep understands.

The current beta release provides the following search options:
  • Search for bytes: it searches for the bytes contained in the selected area.
  • Search for string: it searches for the same string as the one selected in the Strings Window.
  • Search for similar code: identifies memory offsets or addresses in the currently selected area and ignores them when searching.
  • Search for similar code (strict): same as above but it also ignores all the constants in the currently selected area.
  • Search for similar functions: same as "similar code" but you don’t need to select all the instructions that belong to a function. Just right-click on one instruction, and it will automatically detect the function boundaries, selecting all the instructions of the current function.



Using VTGrep content search to trace DTrack samples


As an example of how this plugin can speed up the analysis process, we have conducted a preliminary analysis of the DTrack sample that appeared in October 2019. As a reminder, this malware was used in an attack against the Kudankulam Nuclear Power Plant (KKNPP - India) on September 4, 2019, but was not publicly acknowledged by India’s Nuclear Power Corporation of India Limited (NPCIL) until nearly the end of October.

It's not the first time that a DTrack sample reuses code from previous attacks. Indeed, if we search for the string dkwero38oerA^t@# (VT Intelligence query: content:"dkwero38oerA^t@#") we can find 79 samples in VirusTotal that contain this string, and some of them are DTrack samples.



This string is used as a key to compress a "C.TMP" file containing files and directories of "C:\" (one zip file per connected device). There's another interesting string (abcd@123) that's used to encrypt a zip file containing all the evidence collected. There are a total of nine occurrences of this second string in the VirusTotal database.

These results can serve as a starting point to dive into previous versions of this sample. Additionally, we can look for similar code in the VirusTotal database. If we select the WinMain function's code, one sample shows up that looks promising.



Comparing both WinMain functions, we can see that they are almost identical; they only differ in the values of memory addresses and offsets. Therefore, we can argue that we've just found another version of the current sample because this match points to another file that starts with the same code.


Thus, just one click ahead of the WinMain function, we are driven to another sample that looks interesting.

There’s another approach we can take to find related samples. We can search for identical sequences of strings. Although generated code usually changes between compilations, strings are placed in the same order inside the file. Taking a look at the strings used for gathering information about the current IP addresses, running processes, and open ports, we can jump to another sample that looks similar.



We’ve just landed on another sample that shares code with our DTrack file. Taking a look at the disassembly, we can see a lot of similar functions (401B10, 402EB0, 4020E0, 403730, etc.). Even the function located at 11933B0 (related to the last search) seems to be a more complete version of the function located at 4038B0 in this last sample ("sct.jpg").

Keep in mind that the number of samples shown depends on your license type. Standard licenses allow 90 days retrospection, but Threat Hunter PRO will allow you to go back in time one year.

As we continue to develop this plugin here is some additional functionality that we are considering for future releases:
  • Display a preview of the detection results in an IDA Pro window.
  • Automatically identify domains, IPs and URLs contained in the strings of the file and summarize their detection information.
  • Automatically suggest a YARA rule to detect the file.
  • VT Enterprise shortcuts, such as searching for similar files.
  • Automatically rank strings according to interest.
  • Annotations community and collaborative RE.
  • Improve the searching for similar functions (fuzzy hashes).
  • Enrich the disassembly with behavior information obtained from our sandboxes.

VirusTotal is interested in user feedback and priorities. Please do not hesitate to contact us to rank these features and suggest additional ones.