In the world of malware analysis, there is sometimes confusion between the terms “artifacts” and “indicators of compromise (IOCs).” This is understandable because many malware analysis engines don’t distinguish between the two.
First, let’s define the terms. When a malware sandbox dynamically analyzes a threat, it collects pieces of forensic data observed during runtime. This collected data is referred to as “analysis artifacts” and typically includes files, URLs, IPs, processes, and registry entries which were used, created, or modified as part of the malware execution.
An Indicator of Compromise (IOC), on the other hand, is a piece of forensic data directly related to a given threat that can be used to identify the presence of that threat on a system or a network. An IOC can be a single artifact or a combination of several artifacts.
The problem for malware analysts is how to find these meaningful IOCs, small in number, among an enormous pile of artifacts. This search carries some risks, foremost a “fear of false positives”: misclassifying an artifact as an IOC can lead to false alerts and potentially a direct negative impact on the production network.
Further, incorrectly identified IOCs have limited value in threat intelligence due to insufficient context. There is also difficulty integrating analysis across systems in heterogeneous environments due to a proliferation of proprietary formats. These issues are why security teams still use mostly manual, time-consuming methods to extract IOCs that are reliable and actionable.
But the task of manually sorting through artifacts to find relevant IOCs is now much easier with the release of VMRay Analyzer 3.3. VMRay’s automated analysis filters IOCs and artifacts, freeing up DFIR teams to spend less time parsing through artifacts and more time responding to incidents.
In this latest release, the key innovation is the use of the VMRay Threat Identifier (VTI) system to flag artifacts that are associated with unusual behavior. Under these rules, when a single artifact is an IOC by itself, the analyzer marks it as malicious. When an artifact is weaker on its own but becomes meaningful in combination with other artifacts, VMRay still marks them as IOCs, but with an unknown or suspicious severity.
This means that IOCs are now defined as a subset of artifacts, by adding to each artifact an “IOC” flag. To make this even more powerful, VTIs are now also used to better determine the maliciousness of an IOC. This new capability – automated scoring and flagging of IOCs – lets security teams easily extract actionable threat intelligence from dynamic malware analysis. Accurate IOC identification is necessary to perform an effective incident response to malware such as spyware, remote access trojans (RATs), and bots.
Below is an analysis of a Word document that used macros to download a RAT known as Remcos. A RAT is a type of malware that allows outsiders to monitor and control your computer or network. RATs, like most types of malware, often piggyback on legitimate-looking files such as documents in an email or components of a large software package. This type of malware can be difficult to detect once installed because it generally doesn’t slow down the computer, and the malware operator can often fly below the computer operator’s radar. Sometimes users are infected by a RAT for years without noticing anything wrong.
Figure 1: IOC tab that shows the created mutex with the name “Remcos-WLC63H”
Looking at the IOC tab in the VMRay analysis of the code sample, the user can see there were 130 artifacts in all, of which 12 were IOCs. One of the IOCs, highlighted in the screenshot below, was a mutex. This is helpful because some malware families use recurring naming patterns, which helps both to identify the family and to detect an infected system. The mutex name below is prefixed with “Remcos”, a well-known RAT.
Another aid to identifying the code sample is in the IP section of the IOC tab, where users can see that the code sample downloads and executes Remcos using PowerShell. The payload is hosted on grupo-omega[.]com[.]ar, an artifact with a suspicious verdict.
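The two flagging rules described above (a single artifact that is an IOC by itself gets a malicious severity; weaker artifacts that only become meaningful in combination get a suspicious severity) and the mutex naming-pattern check are illustrated below as an added example. This is not VMRay’s code or its VTI rule set; it is a small, self-contained Python model of the same idea. The family pattern `^Remcos-[A-Z0-9]{6}$` is an assumption derived only from the single mutex name shown on this page, the combination rule (PowerShell process referencing a URL from which a file on disk originated) is a hypothetical rule written for this example, and every artifact in the sample list is constructed, with `payload-host.invalid` standing in as a placeholder for the real host.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Severity ordering so that a combination rule never downgrades a
# verdict already set by a stronger single-artifact rule.
RANK = {"none": 0, "unknown": 1, "suspicious": 2, "malicious": 3}


@dataclass
class Artifact:
    kind: str                     # "file", "url", "ip", "process", "mutex", "registry"
    value: str                    # path, URL, address, command line, mutex name, key
    origin_url: Optional[str] = None  # for files: the URL they were downloaded from
    ioc: bool = False             # the "IOC" flag the article describes
    severity: str = "none"
    reasons: List[str] = field(default_factory=list)

    def mark(self, severity: str, reason: str) -> None:
        """Flag this artifact as an IOC, keeping the strongest severity seen."""
        self.ioc = True
        if RANK[severity] > RANK[self.severity]:
            self.severity = severity
        self.reasons.append(reason)


# Assumed family naming pattern, generalised from the one mutex name on the page.
FAMILY_MUTEX_PATTERNS: Dict[str, re.Pattern] = {
    "Remcos": re.compile(r"^Remcos-[A-Z0-9]{6}$"),
}


def flag_iocs(artifacts: List[Artifact]) -> List[Artifact]:
    """Return the subset of artifacts that the rules flag as IOCs (mutates in place)."""
    # Rule 1: a single artifact that is an IOC on its own -> malicious.
    for a in artifacts:
        if a.kind != "mutex":
            continue
        for family, pattern in FAMILY_MUTEX_PATTERNS.items():
            if pattern.match(a.value):
                a.mark("malicious", f"mutex name matches {family} naming pattern")

    # Rule 2 (hypothetical combination rule): a PowerShell process whose command
    # line references a URL, where that same URL is the origin of a file on disk.
    # None of the three artifacts is damning alone, so together they get "suspicious".
    urls = {a.value: a for a in artifacts if a.kind == "url"}
    downloaded = [a for a in artifacts if a.kind == "file" and a.origin_url]
    for proc in (a for a in artifacts if a.kind == "process"):
        if "powershell" not in proc.value.lower():
            continue
        for url, url_artifact in urls.items():
            if url not in proc.value:
                continue
            dropped = [f for f in downloaded if f.origin_url == url]
            if not dropped:
                continue
            reason = "PowerShell referenced a URL from which a file was written to disk"
            proc.mark("suspicious", reason)
            url_artifact.mark("suspicious", reason)
            for f in dropped:
                f.mark("suspicious", reason)

    return [a for a in artifacts if a.ioc]


def summarize(artifacts: List[Artifact]) -> Dict[str, int]:
    """Counts an analyst would want on the IOC tab: total artifacts vs. flagged IOCs."""
    iocs = flag_iocs(artifacts)
    return {
        "artifacts": len(artifacts),
        "iocs": len(iocs),
        "malicious": sum(1 for a in iocs if a.severity == "malicious"),
        "suspicious": sum(1 for a in iocs if a.severity == "suspicious"),
    }


def build_sample() -> List[Artifact]:
    """Constructed artifact list (not real sandbox output); the host is a placeholder."""
    url = "hxxp://payload-host.invalid/PO.exe"
    return [
        Artifact("mutex", "Remcos-WLC63H"),
        Artifact("process", f'powershell.exe -Command "[constructed: fetch {url} then start it]"'),
        Artifact("url", url),
        Artifact("file", r"C:\Users\Public\PO.exe", origin_url=url),
        # Benign noise that a sandbox also records but that no rule flags.
        Artifact("file", r"C:\Windows\System32\kernel32.dll"),
        Artifact("registry", r"HKCU\Software\Microsoft\Office\16.0\Word\Resiliency"),
        Artifact("ip", "192.0.2.10"),
    ]


if __name__ == "__main__":
    sample = build_sample()
    print(summarize(sample))
    for a in sample:
        if a.ioc:
            print(f"{a.kind:8} {a.severity:10} {a.value} <- {'; '.join(a.reasons)}")
```

Running the block flags four of the seven constructed artifacts: the mutex alone reaches a malicious verdict, while the process, URL and dropped file are only flagged because they corroborate each other. The three benign entries stay ordinary artifacts, which is the filtering effect the article describes.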
Figure 2: IOC tab shows the connected IP to the corresponding domain grupo-omega[.]com[.]ar which hosts the payload.
In the File section of the IOC tab, users can see the three files flagged as IOCs with a malicious verdict. The panel at the bottom of the screenshot below shows meta-information about the highlighted “PO.exe” file (the download shown in Figure 2 above):
Figure 3: IOC tab shows the downloaded payload file “PO.exe” with additional information including its hash values and the resource URL.
And the screenshot below shows the related VTIs (malicious behavior) of the PO.exe file:
Figure 4: IOC tab that shows the related VTIs that triggered on the payload file “PO.exe”.
As the analysis above shows, VMRay’s IOC filtering allows users not only to identify a code sample as malware but also to pinpoint the specific actions it performs and the files it modifies. Armed with this information, security teams are well equipped to mount a swift and effective response.