In a recent presentation at the FIRST CTI in Berlin and Botconf in Nice, VirusTotal unveiled innovative methods to track adversary activity by focusing on images and artifacts used during the initial stages of the kill chain.
Traditionally, threat hunting and detection engineering have concentrated on the latter stages of the kill chain, from execution to actions on objectives.
VirusTotal's new approach focuses on detecting suspicious Microsoft Office documents, PDF files, and emails.
Analysts can quickly identify potential threats by leveraging colors commonly used in threat intelligence platforms: green for benign and red for malicious.
When a Microsoft Office file is created, it generates a series of embedded XML files containing information about the document.
Images: Often used by threat actors to make documents appear legitimate.
Xml: Specifies the content types and relationships within the Office Open XML document.
Xml: Stores stylistic definitions for the document, providing consistent formatting instructions.
VirusTotal hypothesizes that if malicious Microsoft Word documents are copied and pasted during the weaponization process, the hashes of the.
APT28 has been found to reuse images across different delivery samples.
An image of a hand used in fake Word documents for hotel reservations was identified in multiple documents over several years.
One notable example is the signature of Baber Bilal Haider, used in multiple documents.
Xml files in different documents, revealing new samples.
VirusTotal's retrohunt identified patterns in these files, leading to the discovery of additional malicious documents.
VirusTotal utilized the VirusTotal API to download and unzip a set of Office documents used for delivery, obtaining all embedded images.
They then used Gemini to automatically describe these images, aiding in the identification of suspicious documents.
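The unzip-and-hash step behind this pivoting, as an added illustration and not VirusTotal's own tooling: an OOXML file is a zip package, so its embedded media and package XML parts can be hashed individually and the digests compared across samples to find shared artifacts. The part names and the in-memory sample packages are constructed assumptions for the demo.

```python
import hashlib
import io
import zipfile

# OOXML parts worth hashing as pivot artifacts: embedded media (images) plus
# package-level XML parts. Part names are assumptions about the OOXML layout.
MEDIA_PREFIXES = ("word/media/", "xl/media/", "ppt/media/")
XML_PARTS = ("[Content_Types].xml", "word/styles.xml")

def extract_artifact_hashes(data: bytes) -> dict:
    """Return {part_name: sha256} for images and selected XML parts of an OOXML file."""
    hashes = {}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for info in pkg.infolist():
            name = info.filename
            if name.startswith(MEDIA_PREFIXES) or name in XML_PARTS:
                hashes[name] = hashlib.sha256(pkg.read(name)).hexdigest()
    return hashes

def shared_artifacts(hash_sets: dict) -> dict:
    """Given {sample_id: {part: sha256}}, return {sha256: [sample_ids]} for digests seen in more than one sample."""
    seen = {}
    for sample, parts in hash_sets.items():
        for digest in parts.values():
            seen.setdefault(digest, set()).add(sample)
    return {d: sorted(s) for d, s in seen.items() if len(s) > 1}

def build_sample_docx(image_bytes: bytes, styles: bytes) -> bytes:
    """Construct a minimal, benign OOXML-style package in memory (constructed test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", b"<Types/>")
        z.writestr("word/document.xml", b"<document/>")
        z.writestr("word/styles.xml", styles)
        z.writestr("word/media/image1.png", image_bytes)
    return buf.getvalue()

# Constructed samples: a and b reuse the same image, c carries a different one.
IMAGE = b"\x89PNG\r\n\x1a\nconstructed-image-bytes"
SAMPLES = {
    "sample-a": build_sample_docx(IMAGE, b"<styles>a</styles>"),
    "sample-b": build_sample_docx(IMAGE, b"<styles>b</styles>"),
    "sample-c": build_sample_docx(b"\x89PNG\r\n\x1a\nother", b"<styles>c</styles>"),
}

if __name__ == "__main__":
    per_sample = {k: extract_artifact_hashes(v) for k, v in SAMPLES.items()}
    for digest, samples in shared_artifacts(per_sample).items():
        print(digest, samples)
```

On real corpora the shared-digest map is the retrohunt seed: a media hash that recurs across otherwise unrelated deliveries is the kind of artifact the talk describes pivoting on.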
Unlike Office documents, PDF files do not contain embedded XML files or images.
VirusTotal demonstrated this with examples from the Blind Eagle threat actor and phishing activities targeting Tinkoff Bank.
VirusTotal identified several mailing campaigns by leveraging these images, including campaigns impersonating universities and companies.
VirusTotal's innovative approach to tracking threat actors by examining artifacts linked to initial spreading documents offers a valuable addition to traditional hunting techniques.
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 29 May 2024 13:35:40 +0000