If you work in the cyber security industry, the chances are very high that you use VirusTotal. It is a great source to use: you can enrich information, dig up information and a lot more. There is just one thing at VirusTotal that got my attention, and it made me think of the social media network Facebook.
It is the freaking like or dislike button.
Now, what I am going to say has not been tested yet, but I do have a feeling that the community part of VirusTotal is an added value; it provides additional information. But in this age of fake news, fake information and deception, it made me think of the following scenario.
VirusTotal as a certainty check
I mentioned it earlier above: a lot of people in the industry use VirusTotal as a source of information. Some of these people have their souls in security; they understand what they are doing and where to look. But there are also a lot of 'sheep' (sorry). These people do not perform their own research (first mistake), and because of their lack of knowledge they believe what is said on the web. These are the same people that download and install ransomware removal tools from fake malware removal sites.
The community on VirusTotal can provide valuable information, but what would happen if a threat actor were to consider VirusTotal in its attack plan?
The scenario: Fake comments on the VirusTotal community
Now just sit back, relax, and imagine with me. There is a threat actor that is going to attack company XYZ. This attack is going to be an advanced persistent threat: the attacker will follow the cyber kill chain, and it will use legitimate environments for its C&C and droppers. This threat actor has taken the unique hashes of its malware/attack files, and it is going to monitor VirusTotal for those hashes. If a hash pops up on VirusTotal, the threat actor will initiate a bot (the VirusTotal API can be found here), or it will just hire people to post fake information about the indicator of compromise:
- This hash has been downloaded from a legitimate environment, and I have performed my own research; you can find the findings at website IMHACKINGY.ooo (this TLD exists).
- False positive – ignore it
- I'm from company BBX and we apologize for the false positive; this screensaver has been updated and you can download the new version at IMBBX.io
- Website XYZ has done research on this here, you should read it (exploit kit site)
This makes it possible that the researcher looking into the report might:
- Click on the first website and get fake information and instructions about the attack
- See it as a false positive and ignore it
- Download a new version of the malware (or simply inform the threat actor that deeper research is being performed)
- Infect another device via an exploit kit infected environment
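As an added example (not part of the original post), here is a small triage helper an analyst could run over the community comments on a hash before acting on any of them. It ignores the account's trusted flag on purpose, for the reason given in the next section, and instead flags what makes a comment risky to act on: links to domains outside an allowlist, bare false-positive claims, and requests to download something. The comments are constructed samples modelled on the fake ones listed above; the domain names are the ones the post uses as illustrations.

```python
import re
from urllib.parse import urlparse

# Constructed sample comments (hypothetical, not real VirusTotal data),
# shaped like the fake community posts described in the scenario above.
SAMPLE_COMMENTS = [
    {"author": "researcher_a", "trusted": False,
     "text": "Pulled from a legitimate environment, my findings are at https://imhackingy.ooo/report"},
    {"author": "vendor_b", "trusted": True,
     "text": "We apologize for the false positive, the updated screensaver is at https://imbbx.io/download"},
    {"author": "analyst_c", "trusted": True,
     "text": "False positive - ignore it"},
    {"author": "analyst_d", "trusted": False,
     "text": "Drops a second stage from %TEMP% and beacons over HTTPS; see the sandbox report."},
]

URL_RE = re.compile(r"https?://[^\s)]+")
FP_RE = re.compile(r"false\s+positive|ignore\s+it|not\s+malicious", re.I)
DOWNLOAD_RE = re.compile(r"download|updated\s+version|new\s+version", re.I)


def triage_comment(comment, known_vendor_domains=frozenset()):
    """Return the reasons a comment should be treated as untrusted input.

    An empty list means nothing in the text itself is suspicious; it does not
    mean the comment is true. The 'trusted' flag is deliberately not consulted,
    since trusted accounts can be set up by anyone.
    """
    reasons = []
    text = comment["text"]
    urls = URL_RE.findall(text)
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if host not in known_vendor_domains:
            reasons.append(f"links off-site to {host}")
    if FP_RE.search(text):
        reasons.append("claims false positive")
    if urls and DOWNLOAD_RE.search(text):
        reasons.append("asks the reader to download something")
    return reasons


def triage_all(comments, known_vendor_domains=frozenset()):
    """Map each comment author to the triage reasons for that comment."""
    return {c["author"]: triage_comment(c, known_vendor_domains) for c in comments}
```

Any comment with a non-empty reason list is one the analyst should verify through their own research rather than follow; the allowlist is the only way a link gets through, and it should hold domains the analyst has confirmed belong to the vendor.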
VirusTotal did think about it, sort of
There is something VirusTotal has done: it gives profiles with a trusted account a higher weight in likes and dislikes. But hey, this is public information, and a threat actor can easily set up multiple trusted accounts at VirusTotal. It is very easy to get trusted.
It is not only VirusTotal
If you think about it, it actually amazes me that not one threat actor has set up a fake/real removal guide for when its malware has been detected. Such a fake/real removal guide could allow re-entry into the network (not certain, but it does give information).
What do you think?