© 2025 NEWSLINKER - Powered by LK SOFTWARE
Cybersecurity

VirusTotal Unveils New Threat Tracking Methods

Highlights

  • VirusTotal shifts focus to early kill chain stages.

  • AI tools enhance threat detection efficiency.

  • Reused files link threats to actors.

Samantha Reed
Last updated: 29 May, 2024 - 5:22 pm

VirusTotal has introduced innovative techniques to track adversary activities by focusing on images and artifacts used during the early stages of the kill chain. This shift in approach promises to enhance threat hunting and detection engineering efforts by analyzing samples created during the weaponization and delivery phases. The new methods represent a significant departure from traditional practices that primarily concentrate on the latter stages of the kill chain, emphasizing execution and actions on objectives.

Contents

  • Analyzing Embedded Files
  • AI Integration
  • Key Inferences

VirusTotal, a subsidiary of Google, provides a free online service enabling the analysis of files and URLs for potential malware and other types of threats. The platform, launched in 2004, aggregates multiple antivirus engines and website scanners to improve the detection rate of potential threats. Users can submit files, URLs, domain names, and IP addresses for analysis. The service offers insights into the nature of the threats and shares the results with the cybersecurity community, contributing to collective threat intelligence.

VirusTotal has historically concentrated on the latter stages of the kill chain, leveraging information from endpoint detection and response (EDR) and security information and event management (SIEM) tools. However, the recent presentation at the FIRST CTI in Berlin and Botconf in Nice revealed a new focus on the weaponization and delivery phases, analyzing embedded files and images in Microsoft Office documents and PDFs. This shift aims to catch threats earlier in the kill chain by scrutinizing artifacts often used by threat actors.

In the past, the emphasis was on the latter stages due to the availability of more information, making it easier for analysts to detect and respond to threats. The new approach by VirusTotal, focusing on the initial stages, is expected to uncover potential threats much earlier. By examining elements like document metadata, embedded images, and XML files, the platform provides analysts with new tools for early detection. This method allows for a more proactive defense mechanism, which could prevent many attacks before they fully develop.

Analyzing Embedded Files

VirusTotal has identified several types of embedded files within Office documents that are valuable for threat hunting. These include images, [Content_Types].xml files, and styles.xml files. The platform’s research has shown that threat actors often reuse these files, making it possible to track and identify malicious activities. For instance, APT28 and SideWinder have been found to reuse images in different malicious documents, while Gamaredon uses consistent XML files across varied samples. By identifying these patterns, VirusTotal can link different threats to a single actor.
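The reuse pivot described above can be sketched as follows. This is an added example, not VirusTotal's code: it hashes the embedded images, [Content_Types].xml and styles.xml inside OOXML containers and reports hashes that occur in more than one sample. The function names, sample names and sample contents are hypothetical and constructed for illustration.

```python
import hashlib
import io
import zipfile
from collections import defaultdict

# Parts the article names as pivots: images, [Content_Types].xml, styles.xml.
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif", ".emf", ".wmf", ".bmp")
XML_NAMES = ("[Content_Types].xml", "styles.xml")

def artifact_hashes(doc_bytes):
    """Return {member_name: sha256} for embedded images and the two XML parts."""
    out = {}
    try:
        zf = zipfile.ZipFile(io.BytesIO(doc_bytes))
    except zipfile.BadZipFile:
        return out  # legacy OLE file or corrupt sample: not an OOXML container
    with zf:
        for info in zf.infolist():
            base = info.filename.rsplit("/", 1)[-1]
            is_image = "/media/" in info.filename and base.lower().endswith(IMAGE_EXT)
            if is_image or base in XML_NAMES:
                out[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return out

def shared_artifacts(samples):
    """Map sha256 -> sorted sample names, keeping only hashes seen in 2+ samples."""
    seen = defaultdict(set)
    for name, data in samples.items():
        for digest in artifact_hashes(data).values():
            seen[digest].add(name)
    return {h: sorted(names) for h, names in seen.items() if len(names) > 1}

def build_doc(image, styles, ctypes):
    """Build a minimal constructed OOXML-like container in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", ctypes)
        zf.writestr("word/styles.xml", styles)
        zf.writestr("word/media/image1.png", image)
    return buf.getvalue()

# Constructed samples: a.docx and b.docx carry the same embedded image.
SAMPLES = {
    "a.docx": build_doc(b"LOGO-1", "<styles v='1'/>", "<Types v='a'/>"),
    "b.docx": build_doc(b"LOGO-1", "<styles v='2'/>", "<Types v='b'/>"),
    "c.docx": build_doc(b"OTHER", "<styles v='3'/>", "<Types v='c'/>"),
}
if __name__ == "__main__":
    print(shared_artifacts(SAMPLES))
```

XML parts written from stock templates are identical across many unrelated documents, so a shared hash is a lead to check against prevalence data, not an attribution on its own.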

AI Integration

The integration of AI plays a crucial role in VirusTotal’s new approach. The platform uses the VirusTotal API to download and analyze Office documents, isolating embedded images. The AI tool, Gemini, then describes these images, helping analysts identify suspicious documents. This automated analysis significantly enhances the efficiency of the threat detection process. Additionally, the platform has demonstrated the utility of examining PDF and email files, where similar techniques can uncover phishing campaigns and other malicious activities.

Key Inferences

• Early-stage analysis of embedded files and images can reveal threat actor patterns.
• AI tools like Gemini streamline the identification of suspicious documents.
• Reuse of specific XML and image files links multiple threats to single actors.

VirusTotal’s innovative methods provide a valuable addition to traditional threat hunting techniques. By focusing on the initial phases of the kill chain and incorporating AI, the platform enables more proactive threat detection. Analysts can now identify and respond to threats more quickly, potentially preventing attacks before they escalate. This approach not only enhances the security landscape but also fosters a more collaborative environment for sharing threat intelligence. As cyber threats evolve, VirusTotal’s methods offer a forward-thinking solution for the cybersecurity community.
