Threat hunting differs from traditional threat management measures, which tend to be reactive rather than proactive. Threat hunting offers an active approach to dealing with cyber threats. It can be defined as the procedure of proactively searching for threats or suspicious activity based on partial information. We can use this approach to find new, unknown malicious activity, to spot suspicious anomalies, or to find additional malicious artefacts used by known attackers during their campaigns.
How can VirusTotal help you?
The VirusTotal service is continuously fed by the main cyber security vendors, with whom we already have partnership agreements. Furthermore, as we always state, the community is our principal pillar, and thanks to both, VirusTotal has one of the most up-to-date services in terms of threats. Our hunting capabilities help our customers to:
- Find new unknown malicious activity and actors.
- Spot suspicious anomalies that might be abused by cybercriminals.
- Find additional malicious artefacts used by known attackers.
LiveHunt is a service that allows our customers to hook onto the stream of files submitted to VirusTotal and get notified whenever one of them matches a given YARA rule. Processing the malware flow with your own rules allows you to do things such as classify files by family, discover new malware files not detected by antivirus engines, collect files written in a given language or packed with a specific run-time packer, create heuristic rules to detect suspicious files, and so on. LiveHunt leverages YARA's versatility, applied to the huge number of files processed by VirusTotal every day. On top of that, you can use the VirusTotal YARA module, specifically designed to bring the full power of VirusTotal's metadata to YARA rules.
LiveHunt is the perfect service for monitoring any new suspicious activity according to your own criteria.
RetroHunt allows you to create a YARA rule and apply it back in time to the existing dataset, in order to discover early versions of attacks you may have only recently discovered and to understand how an attacker has evolved over time. A RetroHunt job takes around 3-4 hours to complete and scans over 600TB of files sent to VirusTotal during the past year. A single click transfers all RetroHunt matches into VirusTotal GRAPH, which lays out a threat campaign visually as a graph of nodes, allowing you to understand commonalities and threat infrastructure. Files matching your rules can be downloaded for further offline study, and the entire process can be automated with the REST API.
You can find detailed information about the creation of YARA rules in the YARA documentation.
RetroHunt allows us to find additional malware related to our investigations, or to map an entire campaign, by matching YARA rules against VirusTotal's historical file corpus.
In this example, we use the relationships of the file we are investigating to get additional samples and malicious infrastructure. This allows us to find commonalities among the samples, which we then use to create a YARA rule for a RetroHunt job. We will also leverage Crowdsourced YARA rules for further pivoting.
In the video, we use strings and metadata for our YARA rule. Files matching your rules can be downloaded for further offline study, and the entire process can be automated with the VirusTotal API.
Find the needle in the haystack
VirusTotal Intelligence's malware hunting capability allows you to write YARA rules and then have every new file VirusTotal receives tested against that rule collection, allowing you to monitor any suspicious activity or track any actor of your choice and react accordingly.
Additionally, in this example we use the VirusTotal module for YARA. This is a special module that can be used in LiveHunt rules and allows you to check any metadata we know about the file, in addition to all the capabilities of traditional YARA rules. For instance, you can add checks on when the file was submitted and from where, what the AV detection was, how it behaves when detonated in the sandbox, and much more.
In the video, we create a rule so that we are notified every time files matching certain behaviour or metadata are uploaded to VirusTotal.
Hunting using the power of VirusTotal Diff
VirusTotal DIFF is a powerful tool for finding common sequences of code between different files. It also takes into account the prevalence of the common code across the entire VirusTotal dataset, allowing us to select a relevant block of code to use in our searches. Beyond that, we can use it to create YARA rules for hunting.
How to do it?
1. Go to VirusTotal Search: https://www.virustotal.com/gui/home/search
2. Search for your suspicious item (example in the video: 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c)
3. Search for similar files, using the similarity tools in the platform. In the video example we use behavioural similarity from the VirusTotal JUJUBOX sandbox.
4. Select the files to which you want to apply VirusTotal Diff.
5. Select the patterns you are interested in from those generated by VirusTotal Diff and create your YARA rule for VirusTotal LiveHunt or VirusTotal RetroHunt.
Note that you can also apply the VirusTotal Diff tool to any hash as long as it exists in VirusTotal.
Click here to see the result of the previous query.
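As an added example (not code from VirusTotal or from this page), the following Python script ties the three pieces above together: it assembles a YARA rule from byte patterns of the kind VirusTotal Diff produces (the patterns here are constructed placeholders, not sequences from any real sample), adds `vt` module conditions of the kind described in the LiveHunt section, and, when a `VT_APIKEY` environment variable is set, creates a LiveHunt ruleset and then submits and polls a RetroHunt job through the REST API. The endpoint paths, the `x-apikey` header, the request body shapes and the `finished`/`aborted` job states are assumptions based on the public API v3 documentation rather than anything on this page; check them against the current API reference before relying on them. The `vt` module conditions compile only on VirusTotal, so `use_vt_module=False` yields a plain rule you can test locally with YARA.

```python
"""Added example (not VirusTotal's own code): build a hunting YARA rule and
drive VirusTotal LiveHunt / RetroHunt through the REST API v3.

Only the standard library is used, so the rule-building part runs offline;
network calls happen only when the VT_APIKEY environment variable is set.
"""
import json
import os
import re
import time
import urllib.request

VT_API = "https://www.virustotal.com/api/v3"  # assumed base URL of the public API

# Byte patterns of the kind you would pick from VirusTotal Diff output.
# CONSTRUCTED placeholders for illustration, not sequences from any real sample.
DIFF_PATTERNS = {
    "$code1": "55 8B EC 83 EC ?? 53 56 57",
    "$code2": "68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 04",
}


def build_rule(name, hex_patterns, min_malicious=5, use_vt_module=True):
    """Return YARA rule text combining Diff byte patterns with VT metadata checks.

    The `vt` module block is only understood by VirusTotal LiveHunt/RetroHunt;
    pass use_vt_module=False to get a plain rule that compiles with local YARA.
    """
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", name):
        raise ValueError(f"invalid YARA rule name: {name!r}")
    if not hex_patterns:
        raise ValueError("at least one byte pattern is required")
    lines = ['import "vt"', ""] if use_vt_module else []
    lines += [f"rule {name}", "{", "    strings:"]
    for ident, pattern in hex_patterns.items():
        lines.append(f"        {ident} = {{ {pattern} }}")
    # MZ header plus at least half of the selected code blocks
    needed = max(1, len(hex_patterns) // 2)
    lines += ["    condition:", f"        uint16(0) == 0x5A4D and {needed} of them"]
    if use_vt_module:
        lines += [
            "        and vt.metadata.file_type == vt.FileType.PE_EXE",
            f"        and vt.metadata.analysis_stats.malicious >= {min_malicious}",
            "        and for any cmd in vt.behaviour.command_executions : (",
            '            cmd icontains "vssadmin delete shadows"',
            "        )",
        ]
    lines.append("}")
    return "\n".join(lines)


def livehunt_ruleset_payload(name, rules, enabled=True):
    """Body for POST /intelligence/hunting_rulesets (shape assumed from API v3 docs)."""
    return {"data": {"type": "hunting_ruleset",
                     "attributes": {"name": name, "enabled": enabled, "rules": rules}}}


def retrohunt_job_payload(rules, corpus="main"):
    """Body for POST /intelligence/retrohunt_jobs (shape assumed from API v3 docs)."""
    return {"data": {"type": "retrohunt_job",
                     "attributes": {"rules": rules, "corpus": corpus}}}


def vt_request(method, path, body=None):
    """Minimal authenticated call against the API; returns the parsed JSON."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(VT_API + path, data=data, method=method,
                                 headers={"x-apikey": os.environ["VT_APIKEY"],
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def run_retrohunt(rules, poll_seconds=120):
    """Submit a RetroHunt job, wait for it to end, return (status, matching SHA-256s).
    Jobs take hours, so this belongs in a long-running script or a cron job."""
    job = vt_request("POST", "/intelligence/retrohunt_jobs", retrohunt_job_payload(rules))
    job_id = job["data"]["id"]
    while True:
        status = vt_request("GET", f"/intelligence/retrohunt_jobs/{job_id}")
        status = status["data"]["attributes"]["status"]
        if status in ("finished", "aborted"):  # terminal states (assumed)
            break
        time.sleep(poll_seconds)
    matches, cursor = [], None
    while True:  # matching_files is paginated via meta.cursor (assumed)
        page = vt_request("GET", f"/intelligence/retrohunt_jobs/{job_id}/matching_files"
                          + (f"?cursor={cursor}" if cursor else ""))
        matches += [f["id"] for f in page["data"]]  # file object ids are SHA-256s
        cursor = page.get("meta", {}).get("cursor")
        if not cursor:
            return status, matches


if __name__ == "__main__":
    rule = build_rule("diff_cluster_campaign", DIFF_PATTERNS)
    print(rule)
    if os.environ.get("VT_APIKEY"):
        vt_request("POST", "/intelligence/hunting_rulesets",
                   livehunt_ruleset_payload("diff_cluster_campaign", rule))
        print(run_retrohunt(rule))
```

Run it without `VT_APIKEY` to print and review the generated rule; the `2 of them`-style threshold and the `analysis_stats.malicious` floor are the knobs to tune against false positives before enabling the ruleset in LiveHunt.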