Dissecting a cryptomining attack

Learn how malware analysts use VirusTotal Graph, VirusTotal Intelligence and VirusTotal Malware Hunting together to shed light on malware investigations. This video showcases how the different VirusTotal tools are combined to fully characterise a cryptomining attack. As the value of cryptocurrencies has risen, illicit cryptocurrency mining has become mainstream. These attacks can render an organization's servers useless, since the attacker ends up monopolising every CPU cycle for the mining activity.


Connect the dots with Graph

VirusTotal receives a large number of files and URLs every day, and each of them is analysed by antivirus solutions, sandboxes and other tools to extract rich information. These data points are critical for our ecosystem: they connect the dots and shed light on the links between entities. While performing threat investigations it is common to pivot over many different indicators (files, URLs, domains and IP addresses) to get the full picture, which usually means looking at multiple reports at the same time. We know this gets complicated once you have many open tabs, so we developed VirusTotal Graph.


A Google-like search engine for malware

VirusTotal Intelligence is like a blend of Google and Facebook, but for malware research. It’s like Google in that you can search for malware samples using any number of parameters and quickly find a result. It’s like Facebook in that it then shows you a detailed profile of that sample: how it works, what it does, the crumbs it leaves behind, and so on. Its capabilities include, but are not limited to, malware threat hunting, clustering analysis, and relationship and behaviour visualisation. This short video focuses specifically on how you can use more than 40 search modifiers to pinpoint malware matching your criteria.


Find the needle in the haystack

One of the engineers on the VirusTotal team created a language many analysts are probably familiar with: YARA. For those who don’t know it, YARA is a language and library that lets you write your own malware signatures (rules) and then scan files to see whether they match whatever rule you have written. VirusTotal Intelligence’s malware hunting capability lets you upload YARA rules and have every new file VirusTotal receives tested against them. When you receive new indicators of compromise for a malware family, malware hunting is the first place you should go. You want to be alerted when new files match any of your rules, so that you stay on the cutting edge of how malware is evolving and are best positioned to make sure your network and systems are ready for it.
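The rule-and-scan workflow described above, as an added example that is not VirusTotal's or YARA's own code: a small Python matcher for a YARA subset (text strings with the ascii, wide and nocase modifiers, hex strings with ?? wildcards, and conditions built from $identifiers, "N of them" and and/or/not), applied to every file in an incoming feed the way a hunting ruleset is applied to new submissions. The two rules target strings typical of the miner configurations behind the cryptomining attack in the intro. The rule names, the sample files, the pool hostname pool.example.invalid and the feed itself are all constructed for this example; real YARA has far more (regular expressions, external variables, modules), so use yara-python against real samples.

```python
"""Toy YARA-style matcher (constructed example, not YARA or VirusTotal code). Subset: text strings
with ascii/wide/nocase, hex strings with ?? wildcards, conditions from $ids, 'N of them', and/or/not."""
import re

_RULE = re.compile(r'rule\s+(\w+)\s*(?::\s*([^{]*?))?\s*\{(.*?)\n\}', re.S)
_SECTION = re.compile(r'^\s*(meta|strings|condition)\s*:\s*$', re.M)
_STRING = re.compile(r'^\s*\$(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|\{([^}]*)\})\s*(.*?)\s*$')
_BOOL_OK = re.compile(r'^[\s()]*(?:(?:True|False|and|or|not)[\s()]*)+$')

def _text_patterns(literal, mods):
    """Text string -> byte regexes: ascii form, wide (UTF-16LE) form, or both; nocase -> re.I."""
    raw = literal.encode('latin-1').decode('unicode_escape').encode('latin-1')  # resolves \" \\ \xNN
    forms = [raw] if ('wide' not in mods or 'ascii' in mods) else []
    if 'wide' in mods:
        forms.append(raw.decode('latin-1').encode('utf-16-le'))
    return [re.compile(re.escape(f), re.I if 'nocase' in mods else 0) for f in forms]

def _hex_pattern(body):
    """Hex string such as { 7F 45 4C 46 ?? 01 } -> byte regex, with ?? matching any single byte."""
    parts = [b'.' if tok == '??' else re.escape(bytes([int(tok, 16)])) for tok in body.split()]
    return [re.compile(b''.join(parts), re.S)]

def parse_rules(text):
    """Rule text -> list of (name, tags, {identifier: [regex, ...]}, condition)."""
    rules = []
    for name, tags, body in _RULE.findall(text):
        pieces = _SECTION.split(body)            # ['', 'meta', ..., 'strings', ..., 'condition', ...]
        sections = dict(zip(pieces[1::2], pieces[2::2]))
        strings = {}
        for line in sections.get('strings', '').splitlines():
            m = _STRING.match(line)
            if m:
                ident, literal, hexbody, mods = m.groups()
                strings[ident] = (_hex_pattern(hexbody) if hexbody is not None
                                  else _text_patterns(literal, set(mods.split())))
        rules.append((name, tags.split(), strings, ' '.join(sections.get('condition', '').split())))
    return rules

def _evaluate(condition, matched, all_ids):
    """Evaluate 'N of them' terms and $identifiers joined by and/or/not against the matched set."""
    def of_them(m):
        word = m.group(1)
        n = 1 if word == 'any' else len(all_ids) if word == 'all' else int(word)
        return str(len(matched) >= n)
    expr = re.sub(r'\b(any|all|\d+)\s+of\s+them\b', of_them, condition)
    expr = re.sub(r'\$(\w+)', lambda m: str(m.group(1) in matched), expr)
    if not _BOOL_OK.match(expr):             # only True/False/and/or/not/parentheses may reach eval
        raise ValueError('unsupported condition: ' + condition)
    return eval(expr, {'__builtins__': {}}, {})

def scan(rules, data):
    """Return {rule_name: sorted matched identifiers} for every rule whose condition holds on data."""
    hits = {}
    for name, _tags, strings, condition in rules:
        matched = {ident for ident, pats in strings.items() if any(p.search(data) for p in pats)}
        if _evaluate(condition, matched, set(strings)):
            hits[name] = sorted(matched)
    return hits

def hunt(rules, feed):
    """Test every (filename, bytes) in an incoming feed against the rule set; return notifications."""
    return [(filename, rule_name, ids)
            for filename, data in feed
            for rule_name, ids in scan(rules, data).items()]

# Constructed rules: a tight one for miner configurations and a loose one for any stratum pool URL.
RULES = r'''
rule CryptoMiner_StratumConfig : miner
{
    meta:
        description = "Constructed example: strings commonly seen in miner configurations"
    strings:
        $stratum = "stratum+tcp://" ascii wide
        $xmrig   = "xmrig" nocase
        $donate  = "donate-level"
        $elf     = { 7F 45 4C 46 ?? 01 }
    condition:
        $stratum and 2 of them
}

rule Stratum_Pool_URL : miner
{
    strings:
        $s = "stratum+tcp://" ascii wide
    condition:
        $s
}
'''

# Constructed "new submissions": a miner binary, a UTF-16 script holding only a pool URL, a benign document.
FEED = [
    ('miner.elf', b'\x7fELF\x02\x01\x01' + b'\x00' * 9
     + b'-o stratum+tcp://pool.example.invalid:3333 -u wallet XMRIG --donate-level=1'),
    ('dropper.js', 'var u = "stratum+tcp://pool.example.invalid:4444";'.encode('utf-16-le')),
    ('report.txt', b'Quarterly infrastructure report: CPU utilisation normal.'),
]

def hunt_results():
    """Run the constructed feed through the constructed rules; one tuple per (file, rule) hit."""
    return hunt(parse_rules(RULES), FEED)

if __name__ == '__main__':
    for filename, rule_name, ids in hunt_results():
        print(f'{filename}: matched {rule_name} via {", ".join("$" + i for i in ids)}')
```

The miner binary fires both rules, the UTF-16 script only the loose one (its pool URL is found via the wide form, but no second string backs it up), and the benign document neither; that difference in tightness is what decides how noisy a hunting rule is once it runs against everything the service receives.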