Analyze VirusTotal Metadata to profile hackers

An independent researcher has analyzed for years the metadata on submissions to VirusTotal service identifying patterns related to many bad actors.

VirusTotal is the Google owned company which offers free checking of URLs and files for viruses and other malicious code, its systems use up to 54 different antivirus software to scan files and URLs provided by the userscheck. Cyber criminals are aware of the existence of the VirusTotal services and are starting to use them to test their malicious codes, the independent security research Brandon Dixon has noticed that many threat actors ordinary used VirusTotal with this purpose. Authors of malware are using VirusTotal to improve evasion techniques before spread the code in the wild.

Brandon Dixon has discovered that many categories of bad actors are using the service, including high-profile APT, to make their code transparent to security solutions and using the VirusTotal service like a sort debugging environment.

One of the most prolific groups monitored by Dixon belongs to the popular collective Comment Crew team, revealed by Mandiant for the first time in his report on APT1 collective and its link with Chinese PLA.

“There’s certainly irony”  “I wouldn’t have expected a nation state to use a public system to do their testing.” Dixon said.

Dixon tracked submissions to VirusTotal for years identifying many hacking teams and distinct bad actors, including at least two entities linked to state-sponsored teams. In some cases, the expert noticed that bad actors have submitted again an old malware to evaluate its detection rate.

Dixon has designed an algorithm to analyze metadata associated with the submissions to VirusTotal service, the data collected allowed the researcher to spot patterns and clusters of files submitted by two well-known APT  believed to be based in China and in Iran.

“Over weeks and months, Dixon watched as the attackers tweaked and developed their code and the number of scanners detecting it dropped. He could even in some cases predict when they might launch their attack and identify when some of the victims were hit—code that he saw submitted by some of the attackers for testing later showed up at VirusTotal again when a victim spotted it on a machine and submitted it for detection. ” reports a blog post published by Wired.

Another popular threat actor monitored by the research is the group known as NetTraveler which was responsible of numerous cyber espionage campaigns on a large scale. NetTraveler was spotted by KasperskyLab team targeting over 350 high profile victims from 40 countries, the experts believe the team is operating from China and hacked government entities, diplomatic and military organizations for a decade.

The analysis conducted by Dixon on has an immense value, from the observation of VirusTotal submission over the time it is possible to understand how hackers work, which improvement they have made for their code and which is their cyber capabilities. These information allows analysts to track a profile of the threat actors which could help to solve problem of attribution in case of attack, improve the detection capabilities and prediction of further offensives.

“The data provides a rare and fascinating look at the inner workings of the hacker teams and the learning curve they followed as they perfected their attacks. During the three months he observed the Comment Crew gang, for example, they altered every line of code in their malware’s installation routine and added and deleted different functions. But in making some of the changes to the code, the hackers screwed up and disabled their Trojan at one point. They also introduced bugs and sabotaged other parts of their attack. All the while, Dixon watched as they experimented to get it right.” states the Wired Post.

Now that the analysis has been revealed it is interesting to see if bad actors will continue to use the services offered by VirusTotal to check malicious code.

Pierluigi Paganini

(Security Affairs – VirusTotal, malware)