IT

Things Make VirusTotal More Reliable: Last One is the key to Effective Malware Analysis

August 14, 2024 One Comment Bharath Thiravium
  • Emerging Formats: New and unconventional file types increasingly used to deliver malware payloads while evading traditional detection engines.
  • Email Attachments: Malicious files disguised as legitimate documents, spreadsheets, or archives delivered through phishing and spear-phishing campaigns.
  • ISO Files: Disk image files exploited to bypass Mark-of-the-Web security warnings and deliver malware directly to victim machines.
  • ZeroFox & VirusTotal Collaborates in the Thread Detection Mission
    • Advanced Menace Recognition
    • Amplified Viewability
    • Impact on Society
    • Applications in Real Life
    • Views from Industry
VirusTotal malware analysis cybersecurity

VirusTotal's latest Malware Trends Report provides a comprehensive analysis of the evolving threat landscape, highlighting the techniques and file formats that cybercriminals are increasingly exploiting to deliver malicious payloads. The report draws on data from millions of file submissions and URL scans processed by VirusTotal's multi-engine scanning platform, offering unique insights into the tactics, techniques, and procedures (TTPs) used by threat actors worldwide.

The findings reveal a clear shift in attacker behaviour — moving away from traditional executable files toward less scrutinised formats that are more likely to bypass endpoint security solutions. Understanding these trends is essential for security teams, malware analysts, and IT professionals who need to stay ahead of the threat curve and protect their organisations from increasingly sophisticated attacks.

Emerging Formats:

Emerging malware file formats threat analysis

The VirusTotal report identifies a significant increase in the use of non-traditional file formats for malware delivery. Attackers are constantly experimenting with new container and archive formats that are not yet well-supported by all antivirus engines, giving them a window of opportunity to deliver payloads before detection signatures are updated.

Among the emerging formats identified in the report are OneNote files (.one), which saw a dramatic spike in malicious use following Microsoft's decision to block macros in Office documents by default. Attackers quickly pivoted to embedding malicious scripts and executables within OneNote files, exploiting users' familiarity with the format and their tendency to trust files that appear to come from colleagues or business partners.

Other emerging formats include compiled HTML help files (.chm), Windows shortcut files (.lnk), and various archive formats such as .7z, .rar, and .zip with password protection. Password-protected archives are particularly effective at evading automated scanning because the contents cannot be inspected without the password, which is typically provided separately in the phishing email.

Email Attachments:

Malicious email attachments cybersecurity threat

Email remains the most common initial access vector for malware delivery, and the VirusTotal report confirms that malicious email attachments continue to be a primary tool in the attacker's arsenal. Despite decades of security awareness training, users continue to open suspicious attachments, making email-based attacks consistently effective.

The report highlights a notable evolution in the types of attachments being used. While macro-enabled Office documents (.docm, .xlsm) were the dominant format for years, Microsoft's macro-blocking policy has forced attackers to adapt. The result is a diversification of attachment types, with threat actors now using a wider variety of formats to achieve the same goal of executing malicious code on the victim's machine.

HTML smuggling — a technique where malicious payloads are encoded within HTML files and decoded by the browser when the attachment is opened — has also seen significant growth. This technique is particularly effective because the malicious payload is never written to disk in its final form until the HTML file is opened, making it difficult for email security gateways to detect.

ISO Files:

ISO files have emerged as one of the most significant trends in malware delivery identified in the VirusTotal report. An ISO file is a disk image that, when mounted on a Windows system, appears as a virtual drive. Crucially, files extracted from or executed within a mounted ISO image do not carry the Mark-of-the-Web (MOTW) attribute that Windows applies to files downloaded from the internet.

The MOTW attribute is what triggers Windows SmartScreen and other security warnings when users attempt to open downloaded files. By delivering malware inside an ISO container, attackers can bypass these warnings entirely, significantly increasing the likelihood that the malicious payload will be executed without any security prompt alerting the user.

The VirusTotal data shows a sustained increase in ISO-based malware delivery, with threat actors using ISO files to deliver a wide range of payloads including remote access trojans (RATs), information stealers, and ransomware droppers. The technique has been adopted by both sophisticated nation-state actors and commodity malware operators, indicating its broad effectiveness across different threat categories.

ZeroFox logo

ZeroFox & VirusTotal Collaborates in the Thread Detection Mission

In a significant development for the cybersecurity community, ZeroFox and VirusTotal have announced a strategic collaboration aimed at enhancing threat detection capabilities across both platforms. This partnership combines ZeroFox's expertise in external threat intelligence — particularly in monitoring the open, deep, and dark web for emerging threats — with VirusTotal's unparalleled multi-engine malware scanning and file analysis capabilities.

The collaboration enables a bidirectional flow of threat intelligence that benefits both platforms and their respective user communities. ZeroFox's threat intelligence feeds are integrated into VirusTotal's analysis pipeline, enriching file and URL scan results with contextual information about threat actors, campaigns, and indicators of compromise (IOCs) that would not otherwise be available from file scanning alone.

For security analysts and incident responders, this integration means that a single VirusTotal query can now surface not just antivirus detection results but also rich contextual intelligence about the threat actor behind a piece of malware, the campaign it is associated with, and the broader infrastructure being used to deliver and control it. This dramatically reduces the time required to move from initial detection to a full understanding of the threat.

Advanced Menace Recognition

The ZeroFox and VirusTotal collaboration introduces advanced menace recognition capabilities that go beyond traditional signature-based detection. By combining behavioural analysis, machine learning models, and external threat intelligence, the integrated platform can identify threats that would evade any single detection method.

ZeroFox's AI-powered threat detection models are trained on vast datasets of malicious content collected from across the internet, enabling them to recognise patterns and indicators of malicious intent even in previously unseen files and URLs. When these models are applied to the file submissions processed by VirusTotal, the result is a significant improvement in detection rates for zero-day threats and novel malware variants.

The advanced menace recognition system also incorporates threat actor profiling, linking malware samples to known threat groups based on code similarities, infrastructure overlaps, and tactical patterns. This attribution capability is invaluable for organisations that need to understand not just what attacked them, but who and why — information that is essential for making informed decisions about response and remediation.

Amplified Viewability

One of the most significant benefits of the ZeroFox and VirusTotal collaboration is the amplified viewability it provides into the threat landscape. VirusTotal processes millions of file submissions and URL scans every day, creating an unparalleled window into the malware ecosystem. ZeroFox's external threat intelligence adds a crucial additional dimension — visibility into the channels and communities where threats are planned, developed, and distributed before they reach their targets.

This amplified viewability enables earlier detection of emerging threats. By monitoring dark web forums, criminal marketplaces, and social media platforms for discussions of new attack techniques and malware tools, ZeroFox can provide advance warning of threats that are being prepared but have not yet been deployed. When this intelligence is integrated with VirusTotal's scanning infrastructure, security teams can begin preparing defences before the first attack occurs.

The combined platform also provides improved visibility into the full lifecycle of a malware campaign — from initial development and testing through deployment, command-and-control communication, and eventual takedown. This end-to-end visibility is essential for understanding the true scope and impact of a threat and for developing effective countermeasures.

Impact on Society

The societal impact of effective malware detection and threat intelligence cannot be overstated. Malware attacks cause enormous harm to individuals, businesses, governments, and critical infrastructure. Ransomware attacks have shut down hospitals, disrupted supply chains, and compromised the personal data of millions of people. Information-stealing malware has enabled financial fraud, identity theft, and corporate espionage on a massive scale.

By making VirusTotal more reliable and expanding its threat detection capabilities through the ZeroFox collaboration, the cybersecurity community gains a more powerful tool for protecting society from these harms. Faster and more accurate detection means that malware campaigns can be disrupted earlier, reducing the number of victims and the overall damage caused.

The democratisation of threat intelligence — making high-quality security data available to organisations of all sizes through platforms like VirusTotal — is particularly important for smaller organisations that lack the resources to maintain dedicated threat intelligence teams. By providing access to the same quality of intelligence that large enterprises rely on, these platforms help level the playing field and improve the overall security posture of the digital ecosystem.

Applications in Real Life

The practical applications of the enhanced VirusTotal platform extend across a wide range of real-world security use cases. Security operations centre (SOC) analysts use VirusTotal as a first-line triage tool, quickly determining whether a suspicious file or URL is known malicious before investing time in deeper analysis. The integration of ZeroFox intelligence enriches these triage results with contextual information that helps analysts prioritise their response efforts.

Incident responders use VirusTotal to investigate the scope of a compromise, identifying all the malicious files and infrastructure associated with an attack. The enhanced platform's ability to link samples to known threat actors and campaigns significantly accelerates this process, enabling faster containment and remediation.

  • Threat hunting: Security teams use VirusTotal's retrohunt and livehunt features to search for malware samples matching specific patterns, proactively identifying threats before they are reported by victims.
  • Malware research: Security researchers use VirusTotal to study malware families, track the evolution of threat actor TTPs, and develop new detection signatures and countermeasures.
  • Vulnerability management: Organisations use VirusTotal to check whether exploits for specific vulnerabilities are being actively used in the wild, helping them prioritise patching efforts.
  • Supply chain security: Software vendors and their customers use VirusTotal to verify the integrity of software packages and updates, detecting supply chain compromises before they cause harm.

Views from Industry

The cybersecurity industry has responded positively to the ZeroFox and VirusTotal collaboration, recognising it as a significant step forward in the collective effort to combat cybercrime. Industry analysts and security practitioners have highlighted several aspects of the partnership that they believe will have the greatest impact on the field.

Security analysts emphasise the value of the contextual intelligence that the collaboration brings to VirusTotal's results. The ability to move from a file hash to a full threat actor profile in a single query represents a significant productivity improvement for analysts who previously had to consult multiple separate intelligence sources to build the same picture.

Chief Information Security Officers (CISOs) at organisations that rely on VirusTotal for threat intelligence have noted that the enhanced platform helps them make better-informed decisions about security investments and incident response priorities. By providing a clearer picture of the threat landscape and the specific risks facing their organisations, the platform enables more strategic and effective security management.

Malware researchers have highlighted the improved attribution capabilities as particularly valuable. Being able to link new malware samples to known threat groups based on code similarities and infrastructure overlaps accelerates the research process and helps the community build a more complete understanding of the threat actor ecosystem.

For Linux & Cloud blogs follow: Techlinux

Share This Post

Bharath Thiravium

Bharath Thiravium is a cybersecurity analyst and technical writer at AthenaS Business Solutions, specialising in malware analysis, threat intelligence, and helping organisations defend against evolving cyber threats.

One Response

AthenaS Reader
August 15, 2024

Excellent breakdown of the VirusTotal report findings! The section on ISO files bypassing Mark-of-the-Web was eye-opening. The ZeroFox collaboration sounds like a game-changer for threat intelligence.

Leave a Reply

Your email address will not be published. Required fields are marked *