Threat Hunting with VirusTotal

If you, like me, primarily use Twitter to stay updated on cybersecurity news and follow cybersecurity researchers, you may have come across tweets from security researchers such as Nick CARR from FireEye/Mandiant, Daniel BOHANNON, or John LAMBERT from Microsoft. In their tweets, they sometimes share new malware samples or discuss new techniques they discovered during their threat hunting activities on VirusTotal.

After years of requesting from my friends with VirusTotal accounts to download and send me interesting malware samples, I finally achieved a happy ending in early 2018 by purchasing a corporate VirusTotal account for Akbank Cyber Security Center. With a corporate account, as I mentioned in my blog post titled “On the Trail,” you can not only track the activities of cybercriminals but also become aware of cyber attacks targeting your organization and stay informed about the tactics and techniques used by cybercriminals.

Apart from cybercriminals, you can also come across files uploaded by employees preparing for social engineering tests within their own organization or penetration testing experts from cybersecurity consulting firms attempting to bypass antivirus systems.

It is often overlooked that files uploaded to VirusTotal can be viewed and downloaded by other members. This means that a sensitive file uploaded for malware detection purposes can suddenly become visible to third parties. In this article, I decided to provide guidance for those who want to conduct threat hunting on VirusTotal and raise awareness of information security by drawing attention to the points mentioned above.

When conducting threat hunting with VirusTotal Intelligence, we can leverage more than 50 keywords. For example, let’s say we want to find records that are uploaded from Turkey (submitter:TR), written in Turkish language (lang:”turkish”), detected by more than 10 antivirus software (positives:10), have a docx file type (type:docx), and were first uploaded in 2018 (fs:2018-01-01 T00:00:00+). By using these keywords, we can quickly find records that match these criteria. If we perform a similar search for xls, doc files, files containing PowerShell (tag:powershell), and files containing macros (tag:macros), we will come across numerous examples for analysis in a short time.

In one of the cases I encountered, I discovered a malicious individual creating a document containing macros to conduct a social engineering attack against a bank. When analyzing the macro using the oletools and CyberChef tools, I found that the executed macro sent copies of emails sent from Microsoft Outlook to a command and control center using unencrypted HTTP protocol with the help of PowerShell. By examining the file properties and searching for it on VirusTotal (metadata), I learned that the file was likely created by the bank’s audit team to perform a social engineering test rather than by a malicious individual. :)

Hunting with VirusTotal
Hunting with VirusTotal
Hunting with VirusTotal
Hunting with VirusTotal
Hunting with VirusTotal
Hunting with VirusTotal
Hunting with VirusTotal
Hunting with VirusTotal

When examining another example, the file named “aktivite20.docm,” I initially thought that I came across a malicious document used in a social engineering attack targeting a bank. Upon analyzing this well-crafted document, which was quite convincing in terms of persuasion, I discovered that it contained a macro utilizing PowerShell. Upon analyzing the macro file, I found that it disabled PowerShell script blocking and logging features when executed. Similar to the previous example, when examining the file properties, I learned that it was created by a penetration testing expert working as a consultant for a cybersecurity firm. :)

Hunting with VirusTotal
Hunting with VirusTotal
Hunting with VirusTotal
Hunting with VirusTotal

Looking at the two examples above, we should not forget that uploading files with malicious intent for penetration testing or social engineering tests to VirusTotal can provide clues to malicious individuals regarding scenarios and methods. It is also important to note that uploading a file to VirusTotal before conducting a red team exercise can significantly impede its success.

In another example, “zarina cv.docx,” I came across a suspicious resume file. Particularly in corporate environments, resumes that circulate between individuals can lead to the compromise of an organization if they contain malicious code and are sent to human resources employees via LinkedIn or email without the necessary security controls and measures in place. After opening the “zarina cv.docx” file with 7-Zip, I analyzed the “document.xml” file located in the “word” folder and found a carefully placed DDEAUTO command. The DDEAUTO command downloads a file named “final.exe” from the mediafire.com address and executes it in the TEMP folder. Although I couldn’t access the “final.exe” file as it was deleted, I could clearly see that the same individual attempted to upload a similar file containing an internal IP address to VirusTotal for antivirus scanning instead of mediafire. Based on this example, I would like to emphasize the importance of HR departments being extremely cautious when receiving resume files from candidates.

Hunting with VirusTotal
Hunting with VirusTotal
Hunting with VirusTotal
Hunting with VirusTotal
Hunting with VirusTotal

The last example that caught my attention was the file “TEMMUZ MAAŞ.xlsm.” When I analyzed the macro file inside the document using the oletools tool, I discovered that it downloads a file named “client.exe” from the web address http://xfl[.]mooo.com and then saves it as “cache1.exe” in the TEMP folder before executing it. The content of the “TEMMUZ MAAŞ.xlsm” file appeared to be realistic enough not to raise suspicion. When I searched for files associated with http://xfl[.]mooo.com both on VirusTotal and through retrohunt, I found numerous unrelated files. Some files were specific instruction files created for a particular organization, while others were user manuals for a product. It started to puzzle me whether there were individuals who managed to access these organization-specific files and inject macros into them, or if malicious actors were diligently creating such realistically macro-laden documents.

Hunting with VirusTotal
Hunting with VirusTotal
Hunting with VirusTotal
Hunting with VirusTotal
Hunting with VirusTotal
Hunting with VirusTotal
Hunting with VirusTotal
Hunting with VirusTotal

When I conducted a search specifically for the web address http://xfl[.]mooo.com and the associated resolved IP addresses, I came across the “srim2” file that was downloaded from one of the IP addresses. I downloaded the file and opened it using the 7-Zip tool, and upon examining the “config.json” file, it became apparent that it was a software used for mining Monero digital currency.

Hunting with VirusTotal
Hunting with VirusTotal
Hunting with VirusTotal
Hunting with VirusTotal

After deciding to take a brief look at the “client.exe” file, I began analyzing it using IDA Pro and Interactive Delphi Reconstructor tools. Here are the noteworthy findings:

  • After executing “cache1.exe,” it copies itself to the path C:\Users\admin\AppData\Local\Google Chrome Helper\chromehelper.exe.
  • It communicates with the following URLs: http://xredini[.]mooo.com , http://140[.]82.59.108/config, and http://45[.]76.3.86/min.
  • Decoding hidden strings with the help of IDAPython revealed the addresses xred[.]mooo.com , xredini[.]mooo.com, and xfl[.]mooo.com among the character strings.
  • It is capable of creating a scheduled task to create a Google Chrome Helper Update entry.
  • After finding files with the extensions .xls, .xlsx, .doc, .docx, it copies their contents to an Office file with a macro extension (e.g., docm, xlsm) created in the %TEMP% folder, replacing the original files with copies of the original files but with the names of the original files. (For example, it deletes the “Mert.docx” file on the desktop and creates “Mert.docm” in its place, copying the content of “Mert.docx” into it.)
  • It locates and modifies all executable files (exe) on the system, replacing them with the modified files. Upon execution, it runs both the original file and the malicious Office files (opened in the %TEMP% folder) in the Resource Directory section.
  • When searching for the character string “ABvgjdfL+hpQCgCT42VdO6m4GD” in VirusTotal, I came across numerous samples infected with this malware.
    These findings provide valuable insights into the behavior and capabilities of the analyzed “client.exe” file.
  • Hunting with VirusTotal
    Hunting with VirusTotal
    Hunting with VirusTotal
    Hunting with VirusTotal
    Hunting with VirusTotal
    Hunting with VirusTotal
    Hunting with VirusTotal

    In conclusion, by conducting threat hunting on VirusTotal, your organization can become aware of planned cyber attacks and social engineering attempts targeting your institution. Additionally, it allows your analysts to analyze the samples identified during threat hunting, helping them develop expertise in malware analysis.

    Hope to see you in the following articles.

    image_pdfShow this post in PDF formatimage_printPrint this page
    Leave a Reply

    Your email address will not be published. Required fields are marked *

    You May Also Like
    Read More

    Antimeter Tool

    Generally I prefer writing my articles in Turkish and I support my articles with proof of concept codes, videos and small tools. In my previous article, I created a small tool called antimeter which scans memory for detecting and also killing Metasploit’s meterpreter. I did not expect that much interest…
    Read More
    Read More

    WhatsApp Scammers

    Introduction I recently received my share of calls and messages from foreign cell phone numbers, disturbing almost everyone, especially in Turkey, who has used the WhatsApp application in recent days. Of course, as in my articles on other scams (Exposing Pig Butchering Scam, LinkedIn Scammers, Instagram Scammers), I rolled up…
    Read More
    Read More

    New Job, New Me

    It’s been quite a journey, after 10 long years filled with career successes and six promotions, I started my role as a Mid-Level Security Specialist at IBTech in June 2007. Just last week, I bid farewell to my position as Technical Leader. It turns out that leaving behind colleagues you’ve…
    Read More