Continuing our initiative of sharing VirusTotal’s visibility to help researchers, security practitioners and the general public better understand the nature of malicious attacks, we are proud to announce our “Deception at scale: How malware abuses trust” report.
This time, we focused on different techniques used by malware to bypass defenses and make social engineering attacks more effective.
We encourage you to read the full report, but below you can find some of the main findings:
- Ten percent of the top 1,000 Alexa domains have distributed suspicious samples.
- 0.1 percent of legitimate hosts for popular apps have distributed malware.
- 87% of the more than one million signed malicious samples uploaded to VirusTotal since January 2021 have a valid signature.
- In a growing social engineering trend, 4,000 samples either executed or were packed with legitimate apps installers.
- There has been a steady increase in the number of malware visually mimicking legitimate applications, with Skype, Adobe Acrobat, and VLC comprising the top three.
- 98% of samples, including legitimate installers in their PE resources, were malicious.
You can download the full report here.
To help stop cyberattacks that rely on the malware that VirusTotal can track, we provide below the technical details that support our conclusions presented in the report.
To help stop cyberattacks that rely on the malware that VirusTotal can track, we provide below the technical details that support our conclusions presented in the report.
Abusing legitimate domains to distribute malware
One of the most effective social engineering techniques consists of hiding malware by packaging it into installation packages with legitimate software. This becomes a supply chain attack when attackers get access to the official distribution server, source code, or certificates.
We checked files submitted to VirusTotal and distributed from well-known legitimate domains. Below you can find an example how to obtain this information using VirusTotal Intelligence:
entity:file itw:global-download.domainofyourchoice.com type:zip fs:2020-01-01+
From the almost 80,000 unique files found, 78 of them were detected by more than 5% of antiviruses as potentially malicious. Here we list the top 5 most detected files:
Execution Parents
Execution Parent is a VirusTotal’s in-house relationship, linking a file to its “parent” file (that was created during sandbox execution). This type of relationship can be visualized in the Relations tab, the image below shows the list of execution parents for a legitimate Telegram installer:
In this example, almost a half of all the Execution Parents for a legitimate installer seem malicious. We used this approach to find suspicious execution parents of legitimate installers. Below you can find top 5 of most detected execution parents with known distribution URLs:
In order to monitor such activity, the following query provides legitimate Telegram installers having known execution parents.
entity:file itw:updates.tdesktop.com have:execution_parents
We might use this list of files to check if any of their execution parents look suspicious. This can be easily automated using VirusTotal’s API, you can find an example in Appendix I at the end of this post.
Compressed Parents
This is a similar approach to the previous one, with the difference that legitimate installers will be found bundled inside compressed files (ZIP, RAR, but also other installer executables like NSIS, MSI, etc). Compressed Parents are also found in the Relations tab.
We found around 24% of Compressed Parents are detected as malicious by several antiviruses. Here are some examples of most detected Compressed Parents, with their known distribution URLs:
The ProtonVPN sample from the above list is an interesting example. This iZIP archive contains three files: two executables and one text file.
The first executable has a high detection rate and it appears to be a Jigsaw ransomware sample. The second executable is the official ProtonVPN installer, as seen in the “ITW Urls” section in the Relations tab:
The last file is a text document with instructions for potential victims:
Malware visually disguised as legitimate software
VirusTotal can be an effective tool to search for visual similarities among files and websites, which is great for detecting malware stealing icons from legitimate apps.
We can follow the same way to reveal files abusing Telegram’s icon:
main_icon_dhash:f09ea26161a2ccf0 p:2+
Typically, we’d want to first search for a legit Telegram installer and click on its icon when listed in VirusTotal intelligence to obtain the value of the main_icon_dhash. We can add additional file-specific search modifiers to the previous query, like “have:itw” to find how it is being distributed.
We can use the same technique for finding all the URLs that use a given favicon (again Telegram). The following query does this, skipping a few parent domains we know are legitimate:
entity:url main_icon_dhash:e89e436964638ee8 AND NOT ( parent_domain:”tdesktop.com” OR parent_domain:”telegram.org” OR parent_domain:”telegram.me” OR parent_domain:”t.me” )
The fuzzy_domain keyword is another very useful search modifier. Based on Levenshtein Distance, it is perfect to find typosquatting attacks by listing all the misspelled domain names:
entity:domain fuzzy_domain:telegram.org AND NOT ( parent_domain:”tdesktop.com” OR parent_domain:”telegram.org” OR parent_domain:”telegram.me” OR parent_domain:”t.me” )
There are many additional modifiers we can leverage. You can find extended documentation here for domains, IP addresses, and URLs.
Exploiting valid certificates
Malware signed with a valid certificate might trick the user (and security software) to believe they are legit applications. The following query reveals more than one million suspicious files signed with valid certificates since 2021:
p:5+ fs:2021-01-01+ sigcheck:”valid” not (signature:invalid or signature:”not have a valid signature” or tag:invalid-signature or tag:revoked-cert)
We can also filter by a specific Certificate Authorities. The following query finds suspicious samples signed by Microsoft Root CA (“Microsoft Root Certificate Authority”) and detected by at least five antiviruses:
fs:2021-01-01+ signature:CDD4EEAE6000AC7F40C3802C171E30148030C072 p:5+ sigcheck:”valid” not (signature:invalid or signature:”not have a valid signature” or tag:invalid-signature or tag:revoked-cert)
Conclusions
Our research helps us understand the dimension of the techniques discussed – some of which are evidently growing in popularity. At the same time, we found some samples which seemed interesting enough to take a second look.
It is equally important to know what techniques malware adopts to increase its effectiveness as it is to be able to do something about it. The analysis and description of the deception techniques described in the report, along with the implementation ideas shared in this post, will help to actively monitor and understand the evolution of future campaigns.
At VirusTotal, we will keep sharing both our visibility and best practices to protect against new attacks and to keep our world a little bit safer. As always, we are happy to hear from you.
Happy hunting!
Appendix I
Example on how to use VirusTotal’s API to find suspicious execution parents of software distributed through a legitimate domain:
import requests
import json
import urllib
headers = {
“Accept”: “application/json”,
“x-apikey”: ” # VT API key
}
def get_execution_parent(file_hash):
“””Returns file parents with more than 5 detections in VT.
Args:
file_hash: str, file to check.
“””
url = f’https://www.virustotal.com/api/v3/files/{file_hash}/execution_parents’
while url:
response = requests.get(url, headers=headers)
response.raise_for_status()
data = response.json()
for item in data[‘data’]:
try:
positives = item[‘attributes’][‘last_analysis_stats’][‘malicious’]
if int(positives) > 5:
print(f'{item[“attributes”][“sha256”]} – {positives}’)
Except KeyError:
continue
if ‘links’ in data and ‘next’ in data[‘links’]:
url = data[‘links’][‘next’]
else:
url = None
def get_files_with_execution_parent(target_domain):
“””files found itw in a given domain having execution parent.
Args:
target_domain: str, domain to check
“””
url = ‘https://www.virustotal.com/api/v3/intelligence/search’
while url:
response = requests.get(url, headers=headers, params={‘query’: f’entity: file have: execution_parents itw: {target_domain}’})
response.raise_for_status()
data = response.json()
for item in data[‘data’]:
get_execution_parent(item[‘attributes’][‘sha256’])
if ‘links’ in data and ‘next’ in data[‘links’]:
url = data[‘links’][‘next’]
else:
url = None
target_domain = ‘target.legit-domain.com’
print(f’Checking suspicious execution parents for files downloaded from:{target_domain}’)
print(f’ [sha256] – [AV positives]’)
get_files_with_execution_parent(target_domain)
Source: https://blog.virustotal.com/2022/08/deception-at-scale.html