![]() ![]() However, this is not the first time APT malware has been uploaded to VirusTotal for analysis. Making the malware samples available to the public is a huge win for security researchers. Many in the security research community do not believe the first CNMF uploads were linked to APT28 by coincidence, as recently the US Department of Homeland Security (US DHS) Initiated a “Name and Shame” campaign against treat actors who could not be brought to justice through normal judicial means. ![]() APT28 took advantage of this and found a vulnerability in Absolute’s code to hijack this persistence mechanism to keep computers perpetually infected. With a product like " LoJack for Laptops", which allows organizations to track lost and stolen computers and other assets, an organization would, by definition, want persistence as to not allow a thief to simply wipe the tracking software off the computer rendering the LoJack software ineffective in finding the lost or stolen device. When originally discovered, this marked the first UEFI-based rootkit with several persistence methods to keep reinfecting cleaned and reimaged machines. The first malware samples CNMF uploaded to VirusTotal was attack code developed by Russia-linked APT28 (FancyBear) to leverage an exploit in the LoJack (by Absolute Software) UEFI BIOS code. Other web security services such as forward web proxies will take in security feeds from threat intelligence organizations like VirusTotal to add to its own threat intelligence database to block known malicious files and URLs. Services such as ZULU, which analyze websites on several criteria to determine if it is benign or malicious, will take VirusTotal scores into account before rendering its verdict. While it is likely nation states, whose malware has been caught and uploaded to VirusTotal by CNMF, will adapt and develop new tactics, techniques, and procedures, it forces those attackers to spend time and resources innovating instead of attacking in the arms race with security researchers. Not only can users now check to see which anti-virus solutions will detect and block the malicious files, they are also available for deeper forensic analysis to expose tactics, techniques, and procedures used by nation state-backed attackers. ![]() In this case, CNMF is making the malware samples freely available so organizations that subscribe to VirusTotal’s feeds can proactively block files known from previous attack campaigns by nation state attackers. Files and URLs submitted to VirusTotal are permanently stored and become available to anyone who wishes to examine or analyze them. The authors can easily determine if their code has been discovered or blocked by most major security vendors, but they also run the risk and increase the chances of being discovered. When malware authors upload their work to VirusTotal, it acts as a double-edged sword. ![]() The results of the analysis are freely shared publicly and with the participating security vendors in order to improve their catch rate (win-win-win). It is a completely free service and legitimate users would normally upload a file to check if it is malicious or to find out if code they are writing would be incorrectly flagged (false positive) as malicious by any AV engines or blacklisting services. The data is uploaded to VirusTotal for analysis and run through over 70 different anti-virus engines and blacklisting services from most of the major security vendors. What exactly is VirusTotal? VirusTotal is an online security platform used by developers and security researchers to upload code, URLs, or files they wish to be analyzed. ![]()
0 Comments
Leave a Reply. |