VirusTotal's Threat Landscape can be a valuable source of operational and tactical threat intelligence for CTI teams, for instance helping us find the latest malware trends used by a given Threat Actor to adjust our intelligence-led security posture accordingly.
In this post, we will play the role of a CTI analyst working for a Singaporean financial institution.
As a first step, we search for threat actors that traditionally both targeted the financial industry and Singaporean companies.
For the moment let's focus on TA505, which seems more active at the moment.
The Threat Actor card provides details on the actor, which seems to target organizations in the financial, healthcare, retail, and hospitality sectors across Europe, the Asia Pacific region, Canada, India and the United States.
According to the description, TA505 seems related to Dridex banking trojan and Locky ransomware activity.
In VirusTotal we can find two categories of TTPs:
- The first are TTPs directly ingested from MISP and MITRE.
- The second shows TTPs obtained from sandbox analysis of the IOCs related to a particular actor.
In this case, for TA505 we can find the following Toolkit TTPs. The T1486 technique seems potentially related to the use of ransomware, such as Locky, by this actor.
This seems like a good point for us to retrieve some fresh data and understand this actor's recent activity.
The search used for this is: Attack technique:T1486 threat actor:TA505 ls:2024-01-01+ engines:ransom
The Telemetry tab provides information about submissions and lookups, which helps us understand a malware family's distribution and its timeframe of operation.
The Collection's Rules panel provides details on crowdsourced YARA, Sigma and IDS rules that match the different indicator files in this collection.
This could help to enhance detection capabilities for this threat.
Collection's commonalities refer to characteristics, behaviors, or technical attributes shared by a set of indicators, which helps to identify patterns.
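As an added illustration of the two ideas above (pivoting on a sandbox-derived TTP such as T1486 with a last-submission cutoff, and computing a collection's commonalities), here is example code that is not VirusTotal's own; it runs over a small constructed set of file records shaped loosely like VT file attributes, with made-up hashes and dates.

```python
"""Commonality and TTP pivoting over a constructed VirusTotal-style collection."""
from collections import Counter
from typing import Dict, List

# Constructed sample collection (not real TA505 samples): each record mimics
# a VT file object with tags, sandbox-derived ATT&CK techniques and a
# last-submission date in ISO form so string comparison orders correctly.
COLLECTION: List[Dict] = [
    {"sha256": "11" * 32, "tags": ["peexe", "ransom"],
     "attack_techniques": ["T1486", "T1059.003", "T1083"],
     "last_submission_date": "2024-01-15"},
    {"sha256": "22" * 32, "tags": ["peexe", "ransom", "packed"],
     "attack_techniques": ["T1486", "T1059.003", "T1027"],
     "last_submission_date": "2024-02-03"},
    {"sha256": "33" * 32, "tags": ["peexe", "macros"],
     "attack_techniques": ["T1566.001", "T1204.002", "T1486"],
     "last_submission_date": "2023-11-20"},
]


def commonalities(items: List[Dict], field: str, min_share: float = 0.5) -> Dict[str, float]:
    """Values of `field` shared by at least `min_share` of the indicators.

    Returns {value: fraction_of_indicators}, rounded to two decimals. A value
    listed twice in one record is counted once for that record.
    """
    total = len(items)
    counts = Counter(v for it in items for v in set(it[field]))
    return {v: round(c / total, 2) for v, c in counts.items() if c / total >= min_share}


def fresh_with_technique(items: List[Dict], technique: str, since: str) -> List[str]:
    """Hashes exhibiting `technique` whose last submission is on/after `since`.

    Mirrors the 'attack technique + ls:date+' pivot: recent activity only.
    """
    return sorted(it["sha256"] for it in items
                  if technique in it["attack_techniques"]
                  and it["last_submission_date"] >= since)


if __name__ == "__main__":
    print("Shared TTPs:", commonalities(COLLECTION, "attack_techniques"))
    print("Shared tags:", commonalities(COLLECTION, "tags"))
    print("Recent T1486 samples:", fresh_with_technique(COLLECTION, "T1486", "2024-01-01"))
```

The shared TTPs and tags are candidates for hunting and monitoring rules, while the recent-sample list is what you would prioritise for detonation review.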
Remember that you can always follow a Threat Actor and/or collections and receive fresh new IOCs through the IoC Stream.
Threat Landscape empowers CTI teams with insights for prioritizing threats, understanding threat actors and tracking their operations pivoting between Threat Actors <=> Collections <=> IOCs.
This provides actionable details based on the technical capabilities of the malware used in these campaigns, including a set of TTPs based on sandbox detonation that we can use both for hunting and monitoring.
This helps us to quickly create effective monitoring and hunting strategies for malware families and threat actors, as well as effective protections adjusted to recent campaigns and malicious activity.
If you have any suggestions or want to share feedback please feel free to reach out here.
This Cyber News was published on blog.virustotal.com. Publication date: Tue, 12 Mar 2024 18:13:05 +0000