TLDR:
- VirusTotal presented new methods to track threat actors focusing on images and artifacts in the initial stages of the kill chain.
- These methods involve examining embedded files in Microsoft Office documents, PDF files, and email files to enhance threat hunting and detection.
In a recent presentation at the FIRST CTI in Berlin and Botconf in Nice, VirusTotal introduced innovative approaches to track adversary activity by analyzing images and artifacts used at the beginning of the kill chain. Traditionally, threat hunting has focused on later stages of the kill chain, but VirusTotal’s new method shifts the focus to the early stages to improve detection and threat hunting.
VirusTotal’s new approach involves inspecting suspicious Microsoft Office documents, PDF files, and emails. By leveraging colors commonly used in threat intelligence platforms, analysts can quickly identify potential threats. The company has identified three types of embedded files within Office documents that can be valuable for threat hunting: images, [Content_Types].xml, and styles.xml.
The presentation also highlighted how threat actors like APT28, SideWinder, and Gamaredon reuse images and embedded files in their operations. VirusTotal demonstrated the use of AI, specifically the VirusTotal API and Gemini, to identify suspicious documents by processing embedded images.
Unlike Office documents, PDF files do not contain embedded XML files or images, but Adobe Acrobat Reader generates a thumbnail of the first page in BMP format. VirusTotal demonstrated how this thumbnail could be used for pivoting. Additionally, email files often include company logos to deceive victims, and VirusTotal showcased how they leveraged these images to track threat actors.
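As an added example (not code from VirusTotal or from the presentation), the following Python script implements the pivoting idea described above for two of the file types the page names: it pulls the embedded artifacts from an OOXML document (images under a media/ folder, [Content_Types].xml and styles.xml) and the image attachments from an .eml file, hashes each with SHA-256 and reports hashes that occur in more than one sample. The sample documents, the e-mail and the logo bytes are constructed inline; the function names and the zip member paths beyond the three the page names are assumptions.

```python
"""Added example: hash early-kill-chain artifacts from OOXML documents and
.eml files so they can be used as pivots when hunting for reused lures.
Not VirusTotal's code; the sample inputs below are constructed for the demo."""
import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def ooxml_artifacts(data: bytes) -> dict:
    """Return {zip member: sha256} for the pivot-worthy parts of an OOXML
    package: [Content_Types].xml, every styles.xml and everything under a
    media/ folder (the embedded images)."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            base = name.rsplit("/", 1)[-1]
            if name == "[Content_Types].xml" or base == "styles.xml" or "/media/" in name:
                found[name] = _sha256(pkg.read(name))
    return found


def eml_image_artifacts(data: bytes) -> dict:
    """Return {attachment name: sha256} for every image/* MIME part of an
    .eml file, which is where lure logos usually live."""
    msg = email.message_from_bytes(data, policy=policy.default)
    found = {}
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            name = part.get_filename() or part.get("Content-ID", "inline-image")
            found[name] = _sha256(part.get_payload(decode=True))
    return found


def shared_artifacts(samples: dict) -> dict:
    """Given {sample name: {artifact: sha256}}, return {sha256: set of samples}
    for hashes seen in two or more samples: the reuse a pivot relies on."""
    seen = {}
    for sample, artifacts in samples.items():
        for digest in artifacts.values():
            seen.setdefault(digest, set()).add(sample)
    return {d: s for d, s in seen.items() if len(s) > 1}


# --- constructed sample inputs (not real malware) ---------------------------
LOGO = b"\x89PNG\r\n\x1a\n" + b"constructed-logo-bytes"  # PNG signature + filler


def build_sample_docx(body_text: str, logo: bytes) -> bytes:
    """Minimal hand-built OOXML package (constructed, not a Word export)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml",
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     '<Default Extension="xml" ContentType="application/xml"/>'
                     '<Default Extension="png" ContentType="image/png"/></Types>')
        pkg.writestr("word/document.xml",
                     f"<w:document><w:body><w:p>{body_text}</w:p></w:body></w:document>")
        pkg.writestr("word/styles.xml", '<w:styles><w:style w:styleId="Normal"/></w:styles>')
        pkg.writestr("word/media/image1.png", logo)
    return buf.getvalue()


def build_sample_eml(sender: str, logo: bytes) -> bytes:
    """Constructed phishing-style e-mail carrying the same logo as an attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please find the invoice attached.")
    msg.add_attachment(logo, maintype="image", subtype="png", filename="logo.png")
    return msg.as_bytes()


if __name__ == "__main__":
    corpus = {
        "doc-a": ooxml_artifacts(build_sample_docx("Invoice 1", LOGO)),
        "doc-b": ooxml_artifacts(build_sample_docx("Invoice 2", LOGO)),
        "mail": eml_image_artifacts(build_sample_eml("billing@example.invalid", LOGO)),
    }
    for digest, where in shared_artifacts(corpus).items():
        print(digest[:16], sorted(where))
```

Running the script lists the logo hash as shared by both documents and the e-mail, but it also lists [Content_Types].xml and styles.xml, because the two constructed documents are identical apart from their body text. That is the check to keep in mind when pivoting for real: a part that every document produced by one Office build contains is a weak pivot, so look at how prevalent a hash is across your corpus before treating it as actor-specific, while a logo or a styles.xml reused across a cluster of otherwise different lures is exactly the kind of artifact the presentation describes.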
VirusTotal’s new ideas for tracking threat actors offer a valuable addition to traditional hunting techniques. By incorporating AI and focusing on embedded files and images, analysts can improve their ability to monitor and identify potential threats.