A small hint for people who occasionally upload suspicious files to VirusTotal to have them checked for malware: VirusTotal has been extended with the BitDam sandbox.
The VirusTotal website lets you upload samples of suspicious files in which malware is suspected. The files are then checked by a large number of antivirus engines, which is a fine thing. I just came across this extension via the following tweet.
VirusTotal expands with BitDam sandbox/scanner https://t.co/LV2QmVfFHS pic.twitter.com/WaOABKx40y
— Catalin Cimpanu (@campuscodi) January 29, 2020
This is something of a turbo for suspicious-file analysis, because BitDam executes the sample in a sandbox and watches it for malicious activity instead of only matching signatures. The VirusTotal blog describes the engine as follows:
BitDam Advanced Threat Protection (ATP) is a cloud-based engine that proactively detects threats, pre-delivery, preventing hardware and logical exploits, ransomware, spear-phishing and zero-day attacks contained in files and URLs. BitDam's patented attack-agnostic technology shows remarkably higher protection rates compared to engines that are based on knowledge of previous threats. It learns the normal code-level executions of business applications such as MS-Word and Acrobat Reader, creating a whitelist knowledge-base. Based on this knowledge, the detection engine determines whether a given file or weblink is malicious or not, regardless of the specific malware it may contain.
The blog post walks through an example: an uploaded Excel XLS workbook that contains a macro together with a hidden worksheet. The macro reads specific cells of the hidden sheet to retrieve its payload, then launches a PowerShell script with a hidden command-line window. The PowerShell script in turn starts a .NET-related process to compile the payload.
(VirusTotal with BitDam ATP, Source: VirusTotal)
BitDam does not merely scan the file (see image above); it also generates execution reports that show what the uploaded file actually does when it runs. The verdict is based on that observed behaviour rather than on a signature match, which is why BitDam flags this file as malware.
(VirusTotal BitDam malware detection, Source: VirusTotal)
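To make the "behaviour-based decision" concrete, here is an added example (my own code, not BitDam's or VirusTotal's) that triages a process-creation trace the way a sandbox report of the Excel sample above could be read: an Office application spawning a script host, the script host started with a hidden window or an encoded command, and a .NET compiler appearing further down the same chain. The event fields are modelled on Sysmon Event ID 1 (an assumption), the process-name lists are illustrative, and the trace itself is constructed to mirror the chain the blog post describes.

```python
"""Behaviour-based triage of a process-creation trace (added example).

Events are shaped like Sysmon Event ID 1 records (assumption): pid, parent pid,
image path and command line. The trace below is constructed, not captured.
"""
import base64
import re
from dataclasses import dataclass

# Illustrative process-name sets used by the rules (assumed lists).
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DOTNET_COMPILERS = {"csc.exe", "vbc.exe", "msbuild.exe"}

# PowerShell switches that hide the console window or pass a base64 script.
HIDDEN_WINDOW = re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I)
ENCODED_CMD = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon-like field names, assumption)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def basename(path: str) -> str:
    """Lower-cased file name of an image path, tolerating both slash styles."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestors(event: ProcEvent, by_pid: dict):
    """Yield parent, grandparent, ... until the chain runs out (loop-safe)."""
    seen = set()
    cur = by_pid.get(event.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        yield cur
        cur = by_pid.get(cur.ppid)


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand script (base64 of UTF-16LE), or None."""
    m = ENCODED_CMD.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(events):
    """Apply the behaviour rules; return (verdict, list of human-readable findings)."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        chain = [basename(a.image) for a in ancestors(e, by_pid)]  # parent first
        parent = chain[0] if chain else None

        # Rule 1: an Office application spawning a script host.
        if name in SCRIPT_HOSTS and parent in OFFICE_APPS:
            findings.append(f"{parent} spawned {name} (pid {e.pid})")
        # Rule 2: the script host hides its window or runs an encoded script.
        if name in SCRIPT_HOSTS and HIDDEN_WINDOW.search(e.cmdline):
            findings.append(f"{name} (pid {e.pid}) launched with a hidden window")
        decoded = decode_encoded_command(e.cmdline) if name in SCRIPT_HOSTS else None
        if decoded is not None:
            findings.append(f"{name} (pid {e.pid}) ran an encoded command: {decoded!r}")
        # Rule 3: a .NET compiler under a script host that itself descends from Office.
        if name in DOTNET_COMPILERS and parent in SCRIPT_HOSTS and any(a in OFFICE_APPS for a in chain):
            findings.append(f"{name} (pid {e.pid}) compiled code under {' -> '.join(reversed(chain))}")

    # A lone Office -> cmd.exe is only suspicious; two or more behaviours tip it to malicious.
    verdict = "malicious" if len(findings) >= 2 else "suspicious" if findings else "clean"
    return verdict, findings


# Constructed trace mirroring the chain in the blog post; the encoded command is
# "whoami" in UTF-16LE, a harmless stand-in for the real stager.
SAMPLE_TRACE = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r'"EXCEL.EXE" "C:\Users\user\Downloads\invoice.xls"'),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoP -W Hidden -Enc dwBoAG8AYQBtAGkA"),
    ProcEvent(400, 300, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r"csc.exe /noconfig /fullpaths @C:\Users\user\AppData\Local\Temp\stage.cmdline"),
    ProcEvent(500, 100, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    verdict, found = triage(SAMPLE_TRACE)
    print(verdict)
    for line in found:
        print(" -", line)
```

Running it prints `malicious` with four findings: Excel spawning PowerShell, the hidden window, the decoded `whoami` command, and csc.exe compiling under the explorer.exe -> excel.exe -> powershell.exe chain. The walk up the parent chain (rule 3) is what makes the compiler step attributable to the document at all; a rule that only looked at the immediate parent would see nothing unusual about PowerShell invoking csc.exe.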
Exciting story, I think. You can read more details in the VirusTotal blog post. Also take a look at the BitDam blog post Sandboxes Are Not Foolproof. And please note: before you upload sensitive files, read VirusTotal's terms of service, since submitted samples are shared with its antivirus partners. A common practice is to look up the file's hash first; the hash reveals nothing about the content, and an upload is only needed if nobody has submitted that file before.