
📚 VirusTotal += Mandiant Permhash: Unearthing adversary infrastructure and toolkits by leveraging permissions similarity


💡 Newskategorie: Malware / Trojaner / Viren
🔗 Quelle: blog.virustotal.com

Last Monday our colleagues over at Mandiant rolled out Permhash. In their own words, Permhash is an extensible framework to hash the declared permissions applied to Chromium-based browser extensions and APKs allowing for clustering, hunting, and pivoting similar to import hashing and rich header hashing. We are excited to announce that we have been working closely with Jared Wilson on the Mandiant side to support Permhash similarity pivoting in VirusTotal.

VirusTotal already supports multiple similarity pivots: vhash (VirusTotal's home-grown static feature hash), behash (the same idea applied to dynamic analysis), ssdeep, imphash, TLSH, telfhash, main icon dhash, and others. We have blogged extensively in the past about how similarity can be used to expand context and map out threat campaigns, and we even hosted a joint webinar with Trend Micro and Trinity Cyber on this very topic. Let's see how Permhash builds on VirusTotal's threat hunting Swiss Army knife and adds yet another orthogonal vehicle for tracking threat actors and their toolkits, going beyond IoCs and focusing instead on repeatable toolkit patterns.

In their article, Mandiant write about UNC3559 and CHROMELOADER. UNC3559 is a financially motivated threat cluster that has distributed the CHROMELOADER dropper since at least early 2022. CHROMELOADER is a dropper that subsequently downloads a malicious Chrome extension, which can display advertisements in the browser and capture browser search data. Mandiant share a particular CHROMELOADER manifest; its Permhash is enough to pivot to other files that declare the same permissions, and combining it with other search modifiers narrows the results to actual Chrome extensions (type:crx) rather than bare manifest files:

permhash:d4d1b61f726a5b50365c8c18b2c5ac7ab34b3844e0d50112f386dfd875b6afac type:crx

A single search takes us to 19 other potential variations from the same threat group, many of them with low detection coverage across the industry (this is where hunting starts to get proactive).
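
To make the pivot concrete, the following is an added example (not VirusTotal's or Mandiant's code) that computes a Permhash-style value over Chrome extension manifests and clusters them by it, so you can see why two extensions with different names, versions and scripts land in the same bucket. The canonicalisation is an assumption modelled on the description above (SHA-256 over the declared API permissions, host permissions and content-script match patterns, joined in declaration order); the manifests are constructed for the demo and are not real samples. Values produced here need not equal those of the published permhash tool, which is what the permhash: search modifier is keyed on, so use that tool when you need values that match VirusTotal.

```python
"""Permission-set hashing over Chrome extension manifests, illustrating the
Permhash pivot.  Added example code, not VirusTotal's or Mandiant's
implementation; the canonicalisation below is an assumption."""
import hashlib
import json
from collections import defaultdict
from typing import Optional


def declared_permissions(manifest: dict) -> list:
    """Collect what the extension asks the browser for.

    Manifest V2 puts API and host permissions in "permissions"; V3 moves host
    patterns to "host_permissions".  Content-script "matches" are the sites the
    extension injects code into, so they are part of the ask as well.
    """
    perms = []
    for key in ("permissions", "host_permissions", "optional_permissions"):
        for entry in manifest.get(key, []):
            # MV2 allows object entries such as {"usbDevices": [...]};
            # serialise them deterministically so they hash stably.
            perms.append(entry if isinstance(entry, str)
                         else json.dumps(entry, sort_keys=True))
    for script in manifest.get("content_scripts", []):
        perms.extend(script.get("matches", []))
    return perms


def permission_hash(manifest: dict) -> Optional[str]:
    """SHA-256 of the declared permission set (assumed canonicalisation:
    declaration order, no separator).  None when nothing is declared, so
    extensions that ask for nothing do not collapse into one bogus cluster."""
    perms = declared_permissions(manifest)
    if not perms:
        return None
    return hashlib.sha256("".join(perms).encode("utf-8")).hexdigest()


# Constructed manifests for the demo (not real samples).  "ad_v1" and "ad_v2"
# differ in name, version and code but ask for the same capabilities, which is
# exactly the signal the pivot keys on.
SAMPLES = {
    "ad_v1": {
        "manifest_version": 3, "name": "Video Helper", "version": "1.0",
        "permissions": ["tabs", "storage", "webRequest", "webNavigation"],
        "host_permissions": ["<all_urls>"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
    },
    "ad_v2": {
        "manifest_version": 3, "name": "Stream Booster", "version": "2.3",
        "permissions": ["tabs", "storage", "webRequest", "webNavigation"],
        "host_permissions": ["<all_urls>"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["core.js"]}],
    },
    "reordered": {  # same capabilities, different declaration order
        "manifest_version": 3, "name": "Video Helper", "version": "1.1",
        "permissions": ["storage", "tabs", "webRequest", "webNavigation"],
        "host_permissions": ["<all_urls>"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
    },
    "notes": {
        "manifest_version": 3, "name": "Quick Notes", "version": "0.9",
        "permissions": ["storage"],
    },
    "theme": {"manifest_version": 3, "name": "Dark Theme", "version": "1.0"},
}


def cluster_by_permission_hash(manifests: dict) -> dict:
    """Group sample names by permission hash: the pivot run in reverse."""
    clusters = defaultdict(list)
    for name, manifest in manifests.items():
        h = permission_hash(manifest)
        if h is not None:
            clusters[h].append(name)
    return dict(clusters)


def main() -> None:
    for h, names in cluster_by_permission_hash(SAMPLES).items():
        print(f"{h[:16]}...  {', '.join(names)}")


if __name__ == "__main__":
    main()
```

The "reordered" manifest shows the caveat that comes with any concatenation-based hash: the same capability set declared in a different order yields a different value. Sorting the entries before hashing would merge those two, but it would also diverge from whatever canonicalisation the tool you pivot on uses, so match the tool rather than improving on it locally.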

Now we can dig further into these to understand the group's infrastructure and modus operandi. For instance, VirusTotal Commonalities surfaces the patterns that repeat across all variations, distribution infrastructure included.

That is how, among other ranked aggregations, we are able to identify the in-the-wild distribution URLs, all of which were fully undetected at the time of writing.

The use of the .xyz TLD and the archive.zip file name stands out as a repeatable pattern that may be combined with others to climb the pyramid of pain and hunt for the group based on behavioral patterns and TTPs rather than hashes. At the same time, Commonalities tell us more about the distribution vectors and the kill chain.

Indeed, the execution parents are the files that, when detonated in our sandboxes, drop the Chrome extensions under study. That is how we learn that the first-stage malware consists of both DMG files (6 files) and PowerShell scripts/commands (3 files).

By the way, VirusTotal Code Insight comes in very handy for understanding the 3 PowerShell scripts that drop CHROMELOADER.

By iteratively computing the commonalities of the first-stage malware we can identify other repeatable patterns with which to detect these campaigns, and even understand when and where this group has been active, based on crowdsourced telemetry gathered from VirusTotal's open community.

It appears to have been a relatively targeted campaign, mostly aimed at US organizations and active during July 2022.

This is by no means an exhaustive investigation, but rather a quick post showcasing how Permhash similarity works together with other VirusTotal features to mature a hunting program. EDR tools and other security technologies may not yet generate Permhash fingerprints for threat hunting, but VirusTotal's pivots and analytical capabilities let us translate a Permhash into actionable intelligence: hashes, yes, but also related network indicators and repeatable patterns that are logged in the security telemetry already being ingested by SIEMs, XDRs, TDRs and similar platforms.
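
As an added example of turning one of those repeatable patterns into something that runs over ordinary telemetry, the following code (not from the VirusTotal post) flags the distribution pattern called out earlier, an archive.zip download from a host under the .xyz TLD, in web-proxy logs. The log lines are constructed here in Squid's native access.log layout and the hosts in them are placeholders, not observed infrastructure; adapt parse_squid_line() to whatever your proxy or SIEM actually emits. Comparing the file name case-insensitively is a widening chosen here, not something the post states.

```python
"""Hunting for the .xyz + archive.zip distribution pattern in proxy logs.
Added example, not code from the VirusTotal post; sample lines and hosts are
constructed placeholders."""
from urllib.parse import urlsplit

# The two features the post highlights.  Either one alone is noisy (plenty of
# benign archive.zip downloads exist); it is the combination that is rare.
RULE = {"tld": "xyz", "filename": "archive.zip"}

# Constructed sample telemetry in Squid native format: epoch, elapsed ms,
# client, result, bytes, method, URL, user, hierarchy, content type.
SAMPLE_LOG = """\
1657281234.123    210 10.1.4.22 TCP_MISS/200 534211 GET http://dl-placeholder.xyz/archive.zip - HIER_DIRECT/203.0.113.10 application/zip
1657281240.456     12 10.1.4.23 TCP_MISS/200   1823 GET https://updates.example.com/archive.zip - HIER_DIRECT/203.0.113.11 application/zip
1657281251.789    198 10.1.4.22 TCP_MISS/200   9912 GET http://cdn-placeholder.xyz/index.html - HIER_DIRECT/203.0.113.12 text/html
1657281260.001    301 10.1.4.30 TCP_MISS/200 612004 GET http://sub.drop-placeholder.xyz/dl/ARCHIVE.ZIP?id=7 - HIER_DIRECT/203.0.113.13 application/zip
1657281262.500     40 10.1.4.31 TCP_MISS/404     90 GET http://203.0.113.99/archive.zip - HIER_DIRECT/203.0.113.99 text/html
"""


def parse_squid_line(line: str):
    """Minimal parser for Squid native format; None for lines too short."""
    parts = line.split()
    if len(parts) < 10:
        return None
    return {
        "ts": float(parts[0]),
        "client": parts[2],
        "result": parts[3],
        "method": parts[5],
        "url": parts[6],
    }


def url_matches(url: str, tld: str = RULE["tld"],
                filename: str = RULE["filename"]) -> bool:
    """True when the host is under the given TLD and the last path segment is
    the file name.  Hostnames are case-insensitive by definition; the file
    name is compared case-insensitively as an assumption made here.  The query
    string is ignored and IP-literal hosts never match a TLD."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if "." not in host or host.rsplit(".", 1)[1] != tld.lower():
        return False
    return parts.path.rsplit("/", 1)[-1].lower() == filename.lower()


def hunt(log_text: str) -> list:
    """Return the parsed records whose URL fits the rule, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec and url_matches(rec["url"]):
            hits.append(rec)
    return hits


def indicators(hits: list) -> dict:
    """Unique hosts and clients from the hits: the hosts go back into
    VirusTotal as pivots, the clients are the machines to look at."""
    return {
        "hosts": sorted({urlsplit(h["url"]).hostname for h in hits}),
        "clients": sorted({h["client"] for h in hits}),
    }


def main() -> None:
    hits = hunt(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']:.0f} {h['client']} {h['result']} {h['url']}")
    print(indicators(hits))


if __name__ == "__main__":
    main()
```

Treat a hit as a lead rather than a verdict: the rule deliberately ignores response codes, so a 404 against a .xyz host still surfaces (a failed download is still a client that reached out), and the hosts it returns are exactly the values to feed back into VirusTotal for the next round of pivoting.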

Moreover, now that we have a group of variants rather than a single instance, we can study those files, or use tools like VTDIFF to build a YARA rule, and use it to hunt within our environment or to track the relevant adversaries going forward (Livehunt) and take proactive action as they evolve.

Oh, and one more thing: stay tuned, because we will soon provide consolidated similarity searching across all similarity pivots, taking prevalence and overlaps into account to identify the best matches without having to search each similarity vector (vhash, ssdeep, permhash, imphash, etc.) separately.

Happy hunting!
