Virustotal Shares New Ideas to Track Threat Actors

In a recent presentation at the FIRST CTI in Berlin and Botconf in Nice, VirusTotal unveiled innovative methods to track adversary activity by focusing on images and artifacts used during the initial stages of the kill chain.
Traditionally, threat hunting and detection engineering have concentrated on the latter stages of the kill chain, from execution to actions on objectives.
VirusTotal's new approach focuses on detecting suspicious Microsoft Office documents, PDF files, and emails.
Analysts can quickly identify potential threats by leveraging colors commonly used in threat intelligence platforms-green for benign and red for malicious.
When a Microsoft Office file is created, it generates a series of embedded XML files containing information about the document.
Images: Often used by threat actors to make documents appear legitimate.
Xml: Specifies the content types and relationships within the Office Open XML document.
Xml: Stores stylistic definitions for the document, providing consistent formatting instructions.
VirusTotal hypothesizes that if malicious Microsoft Word documents are copied and pasted during the weaponization process, the hashes of the.
APT28 has been found to reuse images across different delivery samples.
An image of a hand used in fake Word documents for hotel reservations was identified in multiple documents over several years.
One notable example is the signature of Baber Bilal Haider, used in multiple documents.
Xml files in different documents, revealing new samples.
VirusTotal's retrohunt identified patterns in these files, leading to the discovery of additional malicious documents.
VirusTotal utilized the VirusTotal API to download and unzip a set of Office documents used for delivery, obtaining all embedded images.
They then used Gemini to automatically describe these images, aiding in the identification of suspicious documents.
Unlike Office documents, PDF files do not contain embedded XML files or images.
VirusTotal demonstrated this with examples from the Blind Eagle threat actor and phishing activities targeting Tinkoff Bank.
VirusTotal identified several mailing campaigns by leveraging these images, including campaigns impersonating universities and companies.
VirusTotal's innovative approach to tracking threat actors by examining artifacts linked to initial spreading documents offers a valuable addition to traditional hunting techniques.


This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 29 May 2024 13:35:40 +0000


Cyber News related to Virustotal Shares New Ideas to Track Threat Actors

Virustotal Shares New Ideas to Track Threat Actors - In a recent presentation at the FIRST CTI in Berlin and Botconf in Nice, VirusTotal unveiled innovative methods to track adversary activity by focusing on images and artifacts used during the initial stages of the kill chain. Traditionally, threat ...
5 months ago Cybersecuritynews.com
Staying ahead of threat actors in the age of AI - At the same time, it is also important for us to understand how AI can be potentially misused in the hands of threat actors. In collaboration with OpenAI, today we are publishing research on emerging threats in the age of AI, focusing on identified ...
9 months ago Microsoft.com
TeamCity Intrusion Saga: APT29 Suspected Among the Attackers Exploiting CVE-2023-42793 - As part of this analysis, we look at threat actor TTPs employed throughout the intrusion and how they were identified and pieced together by the FortiGuard IR team. The following section of this report focuses on the activities of one of these threat ...
11 months ago Feeds.fortinet.com
VirusTotal: Generative AI is Great at Detecting, Identifying Malware - Generative AI engines similar to OpenAI's ChatGPT and Google's Bard will become indispensable tools for enterprises and cybersecurity operations in detecting and analyzing malicious code in a real-world environment, according to researchers with ...
11 months ago Securityboulevard.com
AI Boosts Malware Detection Rates by 70% - Threat intelligence-sharing platform VirusTotal has unveiled new research showing how AI can be used by cyber defenders to enhance malware analysis. Through the research, VirusTotal found that AI is extremely effective in analyzing malicious code, ...
11 months ago Infosecurity-magazine.com
Operation Morpheus took down 593 Cobalt Strike servers used by threat actors - Threat actors actively exploit D-Link DIR-859 router flaw CVE-2024-0769. Experts released PoC exploit code for a critical bug in Progress Telerik Report Servers. Threat actors may have exploited a zero-day in older iPhones, Apple warns. Nation-state ...
4 months ago Securityaffairs.com
Threat actors misuse OAuth applications to automate financially driven attacks - Threat actors are misusing OAuth applications as an automation tool in financially motivated attacks. Threat actors compromise user accounts to create, modify, and grant high privileges to OAuth applications that they can misuse to hide malicious ...
11 months ago Microsoft.com
CIS Establishes the Alan Paller Laureate Program - Alan Paller, co-founder of the Center for Internet Security and internationally recognized leader in cybersecurity, passed away suddenly in 2021. His passing was a big loss for CIS, as Alan had helped guide CIS for over 20 years. In 1999, he had ...
1 year ago Cisecurity.org
Buzzing on Christmas Eve: Trigona Ransomware in 3 Hours - In late December 2022, we observed threat actors exploiting a publicly exposed Remote Desktop Protocol host, leading to data exfiltration and the deployment of Trigona ransomware. On Christmas Eve, within just three hours of gaining initial access, ...
9 months ago Thedfirreport.com
Know your enemies: An approach for CTI teams ~ VirusTotal Blog - VirusTotal's Threat Landscape can be a valuable source of operational and tactical threat intelligence for CTI teams, for instance helping us find the latest malware trends used by a given Threat Actor to adjust our intelligence-led security posture ...
8 months ago Blog.virustotal.com
New ATM Malware family emerged in the threat landscape - Threat actors may have exploited a zero-day in older iPhones, Apple warns. Microsoft fixed two zero-day bugs exploited in malware attacks. Threat actors actively exploit JetBrains TeamCity flaws to deliver malware. Raspberry Robin spotted using two ...
5 months ago Securityaffairs.com
Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks - Microsoft has identified a new North Korean threat actor, now tracked as Moonstone Sleet, that uses both a combination of many tried-and-true techniques used by other North Korean threat actors and unique attack methodologies to target companies for ...
5 months ago Microsoft.com
How to Overcome the Most Common Challenges with Threat Intelligence - Today's typical approach to threat intelligence isn't putting organizations in a place to do that. Instead, many threat intelligence tools are delivering too much uncurated and irrelevant information that arrives too late to act upon. Organizations ...
10 months ago Cyberdefensemagazine.com
What Is Threat Modeling? - Threat modeling emerges as a pivotal process in this landscape, offering a structured approach to identify, assess, and address potential security threats. Threat Modeling Adoption and Implementation The successful adoption of threat modeling within ...
10 months ago Feeds.dzone.com
What Is Cyber Threat Hunting? - Cyber threat hunting involves proactively searching for threats on an organization's network that are unknown to traditional cybersecurity solutions. A recent report from Armis found that cyber attack attempts increased by 104% in 2023, underscoring ...
9 months ago Techrepublic.com
Top 7 Cyber Threat Hunting Tools for 2024 - Cyber threat hunting is a proactive security measure taken to detect and neutralize potential threats on a network before they cause significant damage. To seek out this type of threat, security professionals use cyber threat-hunting tools. With ...
9 months ago Techrepublic.com
New Tool Set Found Used Against Organizations in the Middle East, Africa and the US - Unit 42 researchers observed a series of apparently related attacks against organizations in the Middle East, Africa and the U.S. We will discuss a set of tools used in the course of the attacks that reveal clues about the threat actors' activity. We ...
11 months ago Unit42.paloaltonetworks.com
Companies Must Strengthen Cyber Defense in Face of Shifting Threat Actor Strategies - Critical for organizations to understand attackers' tactics, techniques, and procedures. The 2023 mid-year cyber threat report card portends an ominous outlook with staggering data including the fact that 332 million cryptojacking attacks were ...
10 months ago Cyberdefensemagazine.com
Windows Incident Response: Human Behavior In Digital Forensics, pt III - Digital forensics can provide us insight into a threat actor's sophistication and situational awareness, which can, in turn, help us understand their intent. Observing the threat actor's actions helps us understand not just their intent, but what ...
10 months ago Windowsir.blogspot.com
Threat actors actively exploit D-Link DIR-859 router flaw - MUST READ. Threat actors actively exploit D-Link DIR-859 router flaw CVE-2024-0769. Expert released PoC exploit code for Veeam Backup Enterprise Manager flaw CVE-2024-29849. CISA adds D-Link DIR router flaws to its Known Exploited Vulnerabilities ...
4 months ago Securityaffairs.com
Threat actors actively exploit D-Link DIR-859 router flaw - MUST READ. Threat actors actively exploit D-Link DIR-859 router flaw CVE-2024-0769. Expert released PoC exploit code for Veeam Backup Enterprise Manager flaw CVE-2024-29849. CISA adds D-Link DIR router flaws to its Known Exploited Vulnerabilities ...
4 months ago Securityaffairs.com
From DarkGate to AsyncRAT: Malware Detected and Shared As Unit 42 Timely Threat Intelligence - This article summarizes the malware families seen by Unit 42 and shared with the broader threat hunting community through our social channels. We also included a number of posts about the cybercrime group TA577 - who have distributed multiple malware ...
10 months ago Unit42.paloaltonetworks.com
How to Use Threat Intelligence Feeds for SOC/DFIR Teams - Threat intelligence feeds provide real-time updates on indicators of compromise, such as malicious IPs and URLs. Security systems can then ingest these IOCs to identify and block potential threats, which essentially grants organizations immunity to ...
6 months ago Cybersecuritynews.com
CERT-UA warns of malware campaign conducted by threat actor UAC-0006 - Threat actors may have exploited a zero-day in older iPhones, Apple warns. Microsoft fixed two zero-day bugs exploited in malware attacks. Threat actors actively exploit JetBrains TeamCity flaws to deliver malware. Recent DarkGate campaign exploited ...
5 months ago Securityaffairs.com
IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities - SUMMARY. The Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency, National Security Agency, Environmental Protection Agency, and the Israel National Cyber Directorate-hereafter referred to as "The authoring agencies"-are ...
11 months ago Cisa.gov

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)