Bad guys, both criminal and cyber-espionage actors, use Virustotal as a means to test their exploit code. Sounds silly, but it’s true: not true as in they used it a few years ago, but true as in they used it a couple of days ago. In fact, some actor likely tested their code the same day you got around to reading this post. When I mention this to most security researchers, their response is mostly disbelief, usually followed by questions like “can’t these guys run their own anti-virus testing?” or “oh, you mean just the script kiddies trying to hone their skills”. While I can’t say why these actors use Virustotal, I can say with 100% certainty that they do.
For the past couple of years, I have mined Virustotal data through various techniques to identify patterns in user behavior based on the files they upload. Instead of focusing on the file, I wanted to focus on the unique hash that identifies the person uploading the file. When I started this work, Virustotal did not yet have all the data it has now and, to the best of my knowledge, nobody had thought to find the bad guys through automated means and at scale. Today, I have more bad-guy activity than I can handle and think it’s finally time to let the rest of the community in on the Virustotal secret.
Wired has drafted an article summarizing a lot of the work I did over the years, and this blog post will provide guidance for those who want to unearth suspicious actors within Virustotal themselves. I wrote a short paper describing some of what I learned over the years about different accounts, and also included the algorithm code I use to score activity. To this day, the techniques and algorithm serve me well in finding new and interesting activity in countries not typically blogged about.
Aside from the paper and algorithm, I figured it would be worthwhile to give anyone interested in learning more a good case study. I have made a Google document available to the public depicting all the PlugX activity identified that appeared to be actor testing. To make file detections easy to distinguish, I have highlighted no detections in green, five or fewer detections in yellow and the rest in red. All activity is sorted by date, so it’s easy to see how actors “drive to zero” when doing their testing. This activity has been going on since April 2013 and in some cases, files (exact hashes) uploaded to Virustotal were later seen used inside files targeting those in Hong Kong.
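As an added illustration of the per-uploader view described above (this is example code written for this post’s editorial pass, not the author’s published algorithm or anything from the paper or the Google document), the script below takes a constructed set of submission records, groups them by a hypothetical uploader id standing in for the submitter hash, sorts each uploader’s timeline by date, applies the green/yellow/red detection buckets, and scores how strongly the timeline shows a “drive to zero”. The scoring heuristic, field names and sample values are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed sample records (not real Virustotal data). Each record carries a
# hypothetical per-uploader id (standing in for the submitter hash the post
# describes), the upload date and the number of engines that flagged the file.
SAMPLE_SUBMISSIONS = [
    {"submitter": "src-aaaa", "sha256": "sample-1", "date": date(2013, 4, 2), "detections": 21},
    {"submitter": "src-aaaa", "sha256": "sample-2", "date": date(2013, 4, 2), "detections": 9},
    {"submitter": "src-aaaa", "sha256": "sample-3", "date": date(2013, 4, 3), "detections": 4},
    {"submitter": "src-aaaa", "sha256": "sample-4", "date": date(2013, 4, 3), "detections": 0},
    {"submitter": "src-bbbb", "sha256": "sample-5", "date": date(2013, 4, 5), "detections": 30},
    {"submitter": "src-bbbb", "sha256": "sample-6", "date": date(2013, 4, 9), "detections": 28},
    {"submitter": "src-bbbb", "sha256": "sample-7", "date": date(2013, 4, 12), "detections": 31},
    {"submitter": "src-cccc", "sha256": "sample-8", "date": date(2013, 4, 1), "detections": 0},
]


def colour(detections):
    """Traffic-light bucket used in the post: 0 -> green, 1..5 -> yellow, more -> red."""
    if detections == 0:
        return "green"
    if detections <= 5:
        return "yellow"
    return "red"


def group_by_submitter(submissions):
    """Group records by uploader id, each group sorted by upload date (the stable
    sort keeps same-day submissions in the order they were recorded)."""
    groups = defaultdict(list)
    for rec in submissions:
        groups[rec["submitter"]].append(rec)
    for recs in groups.values():
        recs.sort(key=lambda r: r["date"])
    return dict(groups)


def drive_to_zero_score(records, min_uploads=3):
    """Illustrative heuristic (an assumption for this example, not the author's
    algorithm): a score in [0, 1] for how strongly a date-sorted timeline shows
    a 'drive to zero'. Three equally weighted signals: the fraction of
    consecutive uploads that lowered the detection count, whether the last
    upload reached zero, and how much of the starting count was shed overall."""
    if len(records) < min_uploads:
        return 0.0
    counts = [r["detections"] for r in records]
    steps = list(zip(counts, counts[1:]))
    monotone = sum(1 for a, b in steps if b < a) / len(steps)
    ends_clean = 1.0 if counts[-1] == 0 else 0.0
    shed = max(0.0, (counts[0] - counts[-1]) / counts[0]) if counts[0] else 0.0
    return round((monotone + ends_clean + shed) / 3, 2)


def report(submissions):
    """Per-uploader timeline of (date, detections, colour) plus its score."""
    out = {}
    for submitter, recs in group_by_submitter(submissions).items():
        out[submitter] = {
            "score": drive_to_zero_score(recs),
            "timeline": [(r["date"].isoformat(), r["detections"], colour(r["detections"]))
                         for r in recs],
        }
    return out


def flag_testers(submissions, threshold=0.75):
    """Uploader ids whose timeline scores at or above the threshold, highest first."""
    rep = report(submissions)
    hits = [(s, v["score"]) for s, v in rep.items() if v["score"] >= threshold]
    return [s for s, _ in sorted(hits, key=lambda x: -x[1])]


if __name__ == "__main__":
    for submitter, info in report(SAMPLE_SUBMISSIONS).items():
        print(submitter, info["score"])
        for day, n, c in info["timeline"]:
            print("   ", day, n, c)
    print("flagged:", flag_testers(SAMPLE_SUBMISSIONS))
```

In the constructed data, `src-aaaa` walks 21 → 9 → 4 → 0 over two days and scores 1.0, `src-bbbb` bounces around in the red and scores low, and `src-cccc` has too few uploads to judge. The threshold and minimum-upload count are the knobs an analyst would tune against their own data; a single clean upload is not evidence of anything, which is why the example refuses to score short timelines.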