Threat Hunting using YETI and Elastic Stack
During our continuous threat intelligence research efforts we came across a very handy open-source platform called YETI – Your Everyday Threat Intelligence.
According to YETI’s documentation:
“YETI is a platform meant to organize observables, indicators of compromise, Tactics, Techniques and Procedures (TTPs), and knowledge on threats in a single, unified repository. YETI was born out of frustration of having to answer the following question:
‘where have I seen this artifact before?’
Another reason why YETI was born is to provide an alternative for Googling shady domains to tie them to a malware family”.
The developers did a great job incorporating multiple feeds into a single view with search capabilities and an awesome relationship graph:
In this blog post we show how to leverage Elastic Stack in conjunction with YETI’s capabilities to conduct active threat hunting and find 0-detection malware quickly.
Elastic Stack Integration
Although working with the platform’s web interface is really nice, we also wanted to be able to work with the data in a different way so we could gain our own insights.
Elastic Stack provides scalability, fast data ingestion, and the ability to build correlations and visualization graphs quickly to help draw conclusions. That is why we decided to migrate YETI's data into Elastic Stack using a simple integration script we wrote. The script is available on the BreakingMalware GitHub and its flow is illustrated in the following graph:
To index YETI's data into Elasticsearch the following code can be used (note that excluded_feeds must be a tuple: ("AsproxTracker") without the trailing comma is just a string, and a substring check against it would silently match the wrong feeds):
from yeti_to_elasticsearch import YetiFeedSender
# remaining keyword arguments (YETI and Elasticsearch endpoints) are elided here; see the YetiToElastic README
sender = YetiFeedSender("yeti-feeds", excluded_feeds=("AsproxTracker",))
Having the data indexed in Elastic Stack enables leveraging YETI for active threat hunting.
In the following sections we will show how YETI can be used to find 0-detection malware samples, investigation leads and interesting insights.
Threat Hunting Visualization
Gozi (a.k.a. Ursnif) is one of the most popular banking/information-stealing malware families today, actively developed and deployed for the 12 years since it first appeared. A Gozi infection usually starts with a phishing email carrying a malicious attachment or link. The malware continues to evolve, adding varied anti-debugging tricks and execution techniques such as steganography, obfuscated code, the use of LOLBins, and so on.
Since this malware is so popular and updated so often, we would like to track it using Kibana (the UI component of the Elastic Stack) to shed light on how many Gozi-related variants are indexed every day.
We can notice a big spike on the 26th of March, 2019. Cross-referencing with Google Trends, we can verify there was a surge of interest in Gozi on this date.
This interest emerged after Cybaze-Yoroi ZLab uncovered a new Ursnif malware campaign targeting Italy, leveraging different techniques including the “AtomBombing” code injection technique discovered by our research team.
Finding Unknown Threats
One of the feeds collected by YETI is the Hybrid Analysis Public Feed. Hybrid Analysis is a public sandbox service used to analyze the execution of suspicious files. Using this feed we generated the following pie chart, showing the Hybrid Analysis threat level against the VirusTotal detection ratio:
Drilling down with these conditions:
- Threat Level == Malicious.
- VirusTotal Score
Will result in the following:
It can be a great start for finding unknown threats and APTs. For instance, it took us roughly 30 minutes to get these no detection / low detection / not uploaded findings (at the time of writing):
ESP HACK APEX.js
After a short investigation of CS01.vbs we managed to find the following H-Worm samples by looking for occurrences of the string “CREATEOBJECT("DYNAMICWRAPPERX")” on Pastebin:
And by looking at similar samples in Hybrid Analysis:
- afccf369ac6148dc8511e5a82c11c9064dc33fb9fb3008aec8289b1027731915 (3/54)
- 05bd21ca68530c08d85077013a08a912f0a2eda9e97af2b30b2fd275a3b6079a (7/59)
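The drill-down above (Hybrid Analysis verdict of Malicious, combined with a VirusTotal score that is zero, low, or absent because the file was never uploaded) is easy to reproduce outside Kibana once the feed is indexed. The following is an added example, not code from the original post or from the YetiToElastic project: the sample documents are constructed, and the field names (threat_level, vt_score, vt_positives, first_seen) are assumptions about how the sender indexes a Hybrid Analysis observable. It parses the "hits/engines" score string the feed reports, buckets each sample into the same no detection / low detection / not uploaded categories used above, and also emits the equivalent Elasticsearch bool query for use in Kibana Dev Tools.

```python
"""Hybrid Analysis drill-down over YETI observables indexed in Elasticsearch.

Added example, not code from the original post or the YetiToElastic project.
Field names and the sample documents below are assumptions.
"""
import re
from collections import Counter

# Constructed sample documents, in the shape we assume the sender indexes a
# Hybrid Analysis observable. vt_score is the raw "positives/engines" string
# reported by the feed; None means the file was never uploaded to VirusTotal.
SAMPLE_DOCS = [
    {"sha256": "a" * 64, "threat_level": "malicious", "vt_score": "0/57"},
    {"sha256": "b" * 64, "threat_level": "malicious", "vt_score": None},
    {"sha256": "c" * 64, "threat_level": "malicious", "vt_score": "3/54"},
    {"sha256": "d" * 64, "threat_level": "malicious", "vt_score": "41/60"},
    {"sha256": "e" * 64, "threat_level": "suspicious", "vt_score": "0/58"},
    {"sha256": "f" * 64, "threat_level": "no specific threat", "vt_score": "2/59"},
]

VT_SCORE_RE = re.compile(r"^\s*(\d+)\s*/\s*(\d+)\s*$")


def parse_vt_score(score):
    """'3/54' -> (3, 54). None, malformed strings and '0/0' -> None."""
    if not score:
        return None
    m = VT_SCORE_RE.match(score)
    if not m:
        return None
    hits, total = int(m.group(1)), int(m.group(2))
    return (hits, total) if total > 0 else None  # no engines ran: treat as unknown


def detection_bucket(score, low_max=5):
    """Classify a VT score into the categories used in the drill-down."""
    parsed = parse_vt_score(score)
    if parsed is None:
        return "not uploaded"
    hits, _total = parsed
    if hits == 0:
        return "no detection"
    if hits <= low_max:
        return "low detection"
    return "detected"


def threat_vs_detection(docs, low_max=5):
    """The counts behind the pie chart: (threat_level, bucket) -> number of samples."""
    return Counter(
        (d["threat_level"], detection_bucket(d.get("vt_score"), low_max)) for d in docs
    )


def drill_down(docs, low_max=5):
    """Samples the sandbox calls malicious that VT barely knows: the hunting leads.

    Returns (sha256, bucket) pairs sorted by hash.
    """
    leads = []
    for d in docs:
        if d["threat_level"] != "malicious":
            continue
        bucket = detection_bucket(d.get("vt_score"), low_max)
        if bucket != "detected":
            leads.append((d["sha256"], bucket))
    return sorted(leads)


def drill_down_query(low_max=5):
    """Equivalent Elasticsearch query DSL for Kibana Dev Tools.

    Assumes the ingestion step stores the parsed positives count as an integer
    field vt_positives (absent when the sample was never uploaded) and the
    sandbox verdict as the keyword field threat_level.
    """
    return {
        "query": {
            "bool": {
                "filter": [{"term": {"threat_level": "malicious"}}],
                "should": [
                    {"range": {"vt_positives": {"lte": low_max}}},
                    {"bool": {"must_not": {"exists": {"field": "vt_positives"}}}},
                ],
                "minimum_should_match": 1,
            }
        },
        "sort": [{"first_seen": "desc"}],
    }


if __name__ == "__main__":
    for sha, bucket in drill_down(SAMPLE_DOCS):
        print(f"{sha[:12]}...  {bucket}")
```

The bucket boundaries are a judgement call: low_max=5 treats anything with five or fewer engine hits as worth a look, which is where the 3/54 and 7/59 H-Worm samples above would sit. The must_not/exists clause matters in the query: a range filter alone silently drops the "not uploaded" samples, which are often the most interesting ones.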
Threat Hosting Domains
YETI includes various feeds that publish domains related to suspicious or malicious executions. Using YETI's indexed data it is easy to get the top 10 domains related to malware downloads:
It’s also possible to check which one of the domains is still active:
These queries can help focus on malicious domains during investigations and track active campaigns using the “online” status.
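The two queries described above, a top-N of domains across the download-related feeds followed by a filter on YETI's "online" status, can be expressed as one terms aggregation with a filter sub-aggregation. The following is an added example, not code from the original post or from the YetiToElastic project: the documents are constructed, the feed names are illustrative, and the field names (value, type, source, status) are assumptions about how a YETI observable lands in the index. It normalizes domains before counting (case and trailing dot, which otherwise split one domain into several buckets), computes the top-N and the online subset locally, and emits the equivalent Elasticsearch aggregation.

```python
"""Top malware-download domains from indexed YETI observables, plus the online filter.

Added example, not code from the original post or the YetiToElastic project.
Field names, feed names and the sample documents are assumptions.
"""
from collections import Counter

# Constructed sample: one document per feed entry, as we assume the sender
# indexes a YETI observable: the value, its type, the reporting feed and the
# status YETI keeps on it after its own liveness checks.
SAMPLE_DOCS = [
    {"value": "cdn-update.example", "type": "Hostname", "source": "UrlHaus", "status": "online"},
    {"value": "cdn-update.example", "type": "Hostname", "source": "MalwareDomainList", "status": "online"},
    {"value": "CDN-Update.example.", "type": "Hostname", "source": "ZeusTracker", "status": "offline"},
    {"value": "files.dropper.example", "type": "Hostname", "source": "UrlHaus", "status": "offline"},
    {"value": "files.dropper.example", "type": "Hostname", "source": "ZeusTracker", "status": "offline"},
    {"value": "login-verify.example", "type": "Hostname", "source": "UrlHaus", "status": "online"},
    {"value": "203.0.113.10", "type": "Ip", "source": "UrlHaus", "status": "online"},
]


def normalize(domain):
    """Fold case and strip the trailing dot so one domain is one bucket."""
    return domain.strip().lower().rstrip(".")


def top_domains(docs, n=10, feeds=None):
    """Count feed entries per domain, optionally restricted to a set of feeds.

    Returns most-common (domain, count) pairs, ties in first-seen order.
    """
    counts = Counter(
        normalize(d["value"])
        for d in docs
        if d.get("type") == "Hostname" and (feeds is None or d.get("source") in feeds)
    )
    return counts.most_common(n)


def still_active(docs, domains):
    """Subset of the given domains that at least one feed entry marks online."""
    online = {normalize(d["value"]) for d in docs if d.get("status") == "online"}
    return [dom for dom in domains if dom in online]


def defang(domain):
    """Defang for reports so a pasted domain is not clickable."""
    return domain.replace(".", "[.]")


def top_domains_query(n=10):
    """Equivalent Elasticsearch aggregation for Kibana Dev Tools.

    Assumes value and status are mapped with .keyword sub-fields, as the
    default dynamic mapping does for strings.
    """
    return {
        "size": 0,
        "query": {"term": {"type.keyword": "Hostname"}},
        "aggs": {
            "top_domains": {
                "terms": {"field": "value.keyword", "size": n},
                "aggs": {"online": {"filter": {"term": {"status.keyword": "online"}}}},
            }
        },
    }


if __name__ == "__main__":
    top = top_domains(SAMPLE_DOCS)
    active = set(still_active(SAMPLE_DOCS, [dom for dom, _ in top]))
    for dom, count in top:
        flag = "ONLINE" if dom in active else "offline"
        print(f"{count:3d}  {flag:7s}  {defang(dom)}")
```

Normalization is the part Kibana will not do for you: a terms aggregation on value.keyword treats "cdn-update.example" and "CDN-Update.example." as different buckets, so either normalize at ingestion time in the sender or accept that the top-10 can be split across spellings. In the DSL version each top bucket carries an online doc_count, which is the same "still active" check computed here by still_active.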
YETI is a great example of an open-source project that can simplify and enhance the work of researchers and threat hunters.
Combining YETI and a big data platform such as Elastic Stack can be leveraged for powerful insights and findings. There are plenty of interesting use cases that can be further examined using the data provided, and more threat campaigns and malicious techniques to discover.
We discussed our work with YETI’s community developers and they see it as a great future addition to their growing platform. We loved collaborating with the YETI project and will be happy to contribute to more open-source platforms.
- YETI - https://yeti-platform.github.io/
- YetiToElastic - https://github.com/BreakingMalwareResearch/YetiToElastic