Threat Hunting using YETI and Elastic Stack

Combining YETI, an open-source threat intelligence project, with Elastic Stack is a great way to simplify and enhance the work performed by researchers and threat hunters.


During our continuous threat intelligence research efforts we came across a very handy open-source platform called YETI – Your Everyday Threat Intelligence.


According to YETI’s documentation:


“YETI is a platform meant to organize observables, indicators of compromise, Tactics, Techniques and Procedures (TTPs), and knowledge on threats in a single, unified repository. YETI was born out of frustration of having to answer the following question: ‘where have I seen this artifact before?’

Another reason why YETI was born is to provide an alternative for Googling shady domains to tie them to a malware family.”

The developers did a great job incorporating multiple feeds into a single view with search capabilities and an awesome relationship graph:


Figure 1: Browse a live feed of observables https://yeti-platform.github.io


Figure 2: Enrich investigation with relationship graphs https://yeti-platform.github.io

In this blog post we show how to leverage Elastic Stack in conjunction with YETI’s capabilities to conduct active threat hunting and find 0-detection malware quickly.


Elastic Stack Integration

Although working with the platform’s web interface is really nice, we also wanted to be able to work with the data in a different way so we could gain our own insights.


Elastic Stack provides scalability, fast ingestion of data, and the ability to create quick correlations and visualization graphs that help draw conclusions. That’s why we decided to migrate YETI’s data into Elastic Stack using a simple integration script we wrote. The script is available on the BreakingMalware GitHub and its flow is illustrated in the following graph:

[Figure: Elastic Stack integration flow]


To index YETI’s data into Elasticsearch the following code can be used:


from yeti_to_elasticsearch import YetiFeedSender

# Feeds listed in excluded_feeds are skipped. Note the trailing comma:
# ("AsproxTracker",) is a one-element tuple, whereas ("AsproxTracker")
# is just a string. Replace the <...> placeholders with your own values.
sender = YetiFeedSender("yeti-feeds", excluded_feeds=("AsproxTracker",),
                        elastic_hostname="<elasticsearch hostname>",
                        elastic_port=<elasticsearch port>)
sender.extract_and_send()
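To make the flow behind the script concrete, here is an added example (not code from the post or from the BreakingMalware script) that takes observables as YETI exports them, drops those known only from excluded feeds, and builds the NDJSON body that Elasticsearch’s _bulk endpoint accepts. The observable field names (value, type, tags, sources, created) and the sample records are assumptions constructed for the example; the document id is derived from type and value so that re-running the export overwrites existing documents instead of duplicating them.

```python
import hashlib
import json

# Constructed sample resembling a YETI observable export. Field names
# (value, type, tags, sources, created) are assumptions for this example.
SAMPLE_OBSERVABLES = [
    {"value": "evil.example", "type": "Hostname", "tags": ["gozi"],
     "sources": ["MalwareDomainList"], "created": "2019-03-26T10:00:00"},
    {"value": "198.51.100.7", "type": "Ip", "tags": ["asprox"],
     "sources": ["AsproxTracker"], "created": "2019-03-26T11:00:00"},
    {"value": "4ff921531d9cb5c21b3ee081a5fd1c52d12690332dd1ea1608230b8de918ac09",
     "type": "Hash", "tags": ["vjw0rm"],
     "sources": ["HybridAnalysisPublicFeed"], "created": "2019-03-25T09:30:00"},
]


def select_observables(observables, excluded_feeds=()):
    """Drop observables that are known only from excluded feeds.

    A lone string such as "AsproxTracker" is wrapped in a tuple first, so it
    is not iterated character by character.
    """
    if isinstance(excluded_feeds, str):
        excluded_feeds = (excluded_feeds,)
    excluded = set(excluded_feeds)
    kept = []
    for obs in observables:
        # Keep the observable if at least one non-excluded feed reported it.
        if set(obs.get("sources", [])) - excluded:
            kept.append(obs)
    return kept


def document_id(obs):
    """Deterministic _id from type and value: re-indexing the same feed then
    overwrites the existing document instead of creating a duplicate."""
    key = f"{obs['type'].lower()}:{obs['value'].lower()}".encode()
    return hashlib.sha256(key).hexdigest()


def to_document(obs):
    """Shape one observable into the document stored in Elasticsearch."""
    return {
        "@timestamp": obs["created"],
        "observable": obs["value"],
        "observable_type": obs["type"],
        "tags": sorted(obs.get("tags", [])),
        "feeds": sorted(obs.get("sources", [])),
    }


def build_bulk_body(observables, index, excluded_feeds=()):
    """Return the NDJSON body for the _bulk endpoint: one action line
    followed by one source line per observable, newline-terminated."""
    lines = []
    for obs in select_observables(observables, excluded_feeds):
        action = {"index": {"_index": index, "_id": document_id(obs)}}
        lines.append(json.dumps(action))
        lines.append(json.dumps(to_document(obs)))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_bulk_body(SAMPLE_OBSERVABLES, "yeti-feeds",
                          excluded_feeds=("AsproxTracker",)))
```

The returned body can be POSTed to `/_bulk` with the `application/x-ndjson` content type; the trailing newline is required by that endpoint.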

Having the data indexed in Elastic Stack enables leveraging YETI for active threat hunting.


In the following sections we will show how YETI can be used to find 0-detection malware samples, investigation leads and interesting insights.


Threat Hunting Visualization

Campaign Tracking

Gozi (a.k.a. Ursnif) is one of the most popular financial and information-stealing malware families today, actively developed and deployed for the 12 years since it first appeared. A Gozi infection usually starts with phishing emails containing malicious attachments or links. The malware continues to evolve, deploying a variety of anti-debugging tricks and execution techniques such as steganography, obfuscated code and the use of LOLBins.


Since this malware is so popular and updated repeatedly, we would like to track it using Kibana (the UI component of the Elastic Stack) to shed light on how many Gozi-related variants are being indexed every day.



Figure 3: Gozi spike on the 26th of March 2019

We can notice a big spike on the 26th of March, 2019. Cross-referencing with Google Trends, we can verify that there was a big interest in Gozi on this date.
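As an added example (not code from the post or from the BreakingMalware script), the following Python builds the Elasticsearch aggregation behind a per-day chart like Figure 3 and flags any day whose count stands far above the rest of the window, which is the check a hunter would otherwise do by eye. The field names (@timestamp, tags), the tag values gozi and ursnif, and the bucket counts are assumptions; the buckets are constructed to resemble the 26 March spike and are not real feed data.

```python
from statistics import mean, pstdev

GOZI_TAGS = ("gozi", "ursnif")  # assumed tag values; YETI tags vary by feed


def daily_count_query(tags, start, end):
    """Elasticsearch query DSL (7.2+ syntax) counting observables that carry
    any of `tags`, bucketed per calendar day. Field names are assumptions."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"terms": {"tags": list(tags)}},
            {"range": {"@timestamp": {"gte": start, "lte": end}}},
        ]}},
        "aggs": {"per_day": {"date_histogram": {
            "field": "@timestamp", "calendar_interval": "1d"}}},
    }


# Constructed buckets shaped like Elasticsearch's date_histogram output,
# mimicking the spike on 26 March 2019. Not real feed data.
SAMPLE_BUCKETS = [
    {"key_as_string": "2019-03-20", "doc_count": 14},
    {"key_as_string": "2019-03-21", "doc_count": 11},
    {"key_as_string": "2019-03-22", "doc_count": 13},
    {"key_as_string": "2019-03-23", "doc_count": 9},
    {"key_as_string": "2019-03-24", "doc_count": 12},
    {"key_as_string": "2019-03-25", "doc_count": 15},
    {"key_as_string": "2019-03-26", "doc_count": 61},
    {"key_as_string": "2019-03-27", "doc_count": 18},
    {"key_as_string": "2019-03-28", "doc_count": 13},
]


def find_spikes(buckets, z=2.0, min_days=5):
    """Return the days whose count exceeds mean + z * stdev of the *other*
    days. Leaving the candidate day out of its own baseline stops a single
    huge day from inflating the threshold it is measured against."""
    counts = [(b["key_as_string"], b["doc_count"]) for b in buckets]
    if len(counts) < min_days:
        return []  # too little history for a meaningful baseline
    spikes = []
    for i, (day, count) in enumerate(counts):
        others = [c for j, (_, c) in enumerate(counts) if j != i]
        threshold = mean(others) + z * pstdev(others)
        if count > threshold:
            spikes.append(day)
    return spikes


if __name__ == "__main__":
    print(daily_count_query(GOZI_TAGS, "2019-03-20", "2019-03-28"))
    print(find_spikes(SAMPLE_BUCKETS))  # ['2019-03-26']
```

In practice the buckets come from `response["aggregations"]["per_day"]["buckets"]`; the leave-one-out baseline matters because with only a week or two of history a single campaign day can dominate a naive mean.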




Figure 4: Gozi interest in Google Trends in March 2019

This interest emerged after Cybaze-Yoroi ZLab uncovered a new Ursnif malware campaign targeting Italy, leveraging different techniques including the “AtomBombing” code injection technique discovered by our research team.


Finding Unknown Threats

One of the feeds collected by YETI is the Hybrid Analysis Public Feed. Hybrid Analysis is a public sandbox service used to analyze the execution of suspicious files. Using this feed we generated the following pie chart, showing the ratio of Hybrid Analysis threat level to VirusTotal detections:



Figure 5: Hybrid Analysis threat level to VirusTotal detection ratio

Drilling down with these conditions:

  • Threat Level == Malicious
  • VirusTotal Score <= 5

will result in the following:

Figure 6: Hashes classified as malicious by Hybrid Analysis with low detections on VirusTotal

This can be a great starting point for finding unknown threats and APTs. For instance, it took us roughly 30 minutes to get these no detection / low detection / not uploaded findings (at the time of writing):

File Name         Hash                                                              Malware Type  VT Score
Av.js             4ff921531d9cb5c21b3ee081a5fd1c52d12690332dd1ea1608230b8de918ac09  vjW0rm        -
ESP HACK APEX.js  b2dc457d16afa43c943b31021052b939d58aedfcdf2fad8e25e5b96edc71d180  vjW0rm        5/56
CS01.vbs          61c96cdb88877b3c737a1022bb6355e8489d2cc2019ecbcc15be978186552174  H-Worm        5/53
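The drill-down above is easy to get wrong when the VirusTotal score is stored as the feed delivers it, a string like “5/56” or a dash for samples that were never uploaded. The following added example (not code from the post or from the BreakingMalware script) parses that string defensively, applies the two conditions, ranks never-uploaded samples first, and shows the equivalent Elasticsearch filter. Field names (file_name, threat_level, vt_score, sha256, vt_positives) are assumptions; the first three records reuse the hashes from the table, the other two are constructed control cases.

```python
import re

# Constructed records resembling indexed Hybrid Analysis feed entries.
# Field names are assumptions; the first three rows reuse hashes from the
# post's table, the last two are invented control cases.
SAMPLE_FEED = [
    {"file_name": "Av.js", "threat_level": "malicious", "vt_score": "-",
     "sha256": "4ff921531d9cb5c21b3ee081a5fd1c52d12690332dd1ea1608230b8de918ac09"},
    {"file_name": "ESP HACK APEX.js", "threat_level": "malicious", "vt_score": "5/56",
     "sha256": "b2dc457d16afa43c943b31021052b939d58aedfcdf2fad8e25e5b96edc71d180"},
    {"file_name": "CS01.vbs", "threat_level": "malicious", "vt_score": "5/53",
     "sha256": "61c96cdb88877b3c737a1022bb6355e8489d2cc2019ecbcc15be978186552174"},
    {"file_name": "invoice.doc", "threat_level": "malicious", "vt_score": "41/60",
     "sha256": "CONSTRUCTED-HASH-1"},
    {"file_name": "setup.exe", "threat_level": "suspicious", "vt_score": "2/70",
     "sha256": "CONSTRUCTED-HASH-2"},
]

_SCORE_RE = re.compile(r"^\s*(\d+)\s*/\s*(\d+)\s*$")


def parse_vt_score(raw):
    """Turn a 'positives/total' string into (positives, total).

    Returns None for samples never uploaded to VirusTotal ('-', empty, None)
    and raises ValueError on anything else, so malformed feed data is never
    silently treated as zero detections."""
    if raw is None or str(raw).strip() in ("", "-", "n/a", "N/A"):
        return None
    m = _SCORE_RE.match(str(raw))
    if not m:
        raise ValueError(f"unrecognised VirusTotal score: {raw!r}")
    positives, total = int(m.group(1)), int(m.group(2))
    if total == 0 or positives > total:
        raise ValueError(f"inconsistent VirusTotal score: {raw!r}")
    return positives, total


def is_low_detection(record, max_positives=5):
    """Malicious per Hybrid Analysis and at most `max_positives` VirusTotal
    detections, or not on VirusTotal at all (the most interesting case)."""
    if record.get("threat_level", "").lower() != "malicious":
        return False
    score = parse_vt_score(record.get("vt_score"))
    return score is None or score[0] <= max_positives


def hunt(records, max_positives=5):
    """Rank candidates: never-uploaded first, then by fewest detections."""
    hits = [r for r in records if is_low_detection(r, max_positives)]

    def order(r):
        score = parse_vt_score(r.get("vt_score"))
        if score is None:
            return (0, 0, r["file_name"])
        return (1, score[0], r["file_name"])

    return sorted(hits, key=order)


def hunt_query(max_positives=5):
    """Equivalent Elasticsearch filter, assuming the positives count was
    indexed as an integer field `vt_positives` at ingestion time; a raw
    '5/56' string cannot be range-filtered."""
    return {"query": {"bool": {
        "filter": [{"term": {"threat_level": "malicious"}}],
        "should": [
            {"bool": {"must_not": {"exists": {"field": "vt_positives"}}}},
            {"range": {"vt_positives": {"lte": max_positives}}},
        ],
        "minimum_should_match": 1,
    }}}


if __name__ == "__main__":
    for r in hunt(SAMPLE_FEED):
        print(r["file_name"], r["vt_score"], r["sha256"])
```

The design point is in `hunt_query`: split the score into integer fields when indexing, otherwise the "VirusTotal Score <= 5" condition has to be done client-side as `hunt` does here.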

After a short investigation of CS01.vbs we managed to find the following H-Worm samples by looking for occurrences of the string “CREATEOBJECT("DYNAMICWRAPPERX")” on Pastebin:



And by looking at similar samples in Hybrid Analysis:


Threat Hosting Domains

YETI includes various feeds that publish domains related to suspicious/malicious executions. Using YETI’s indexed data it is possible to easily get the top 10 domains related to malware downloads:

Figure 7: Top 10 malware domains related to malware downloads

It’s also possible to check which of the domains are still active:

Figure 8: Top 10 domains related to malware download with active status

These queries can help focus on malicious domains during investigations and track active campaigns using the “online” status.
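As an added example (not code from the post or from the BreakingMalware script), the following Python produces the two views from Figures 7 and 8 over indexed observables: a ranking of the most frequently reported malware-download domains, optionally restricted to those whose latest status is “online”, plus the matching Elasticsearch terms aggregation. The field names (@timestamp, observable, observable_type, tags, status), the tag value malware-download and the sample documents are assumptions; the domains are RFC 2606 example names, not real infrastructure.

```python
from collections import Counter

# Constructed documents shaped like the indexed YETI observables. Field names
# are assumptions; the domains are example names, not real infrastructure.
SAMPLE_DOCS = [
    {"@timestamp": "2019-03-24T08:00:00", "observable": "dl-a.example", "observable_type": "Hostname", "tags": ["malware-download"], "status": "online"},
    {"@timestamp": "2019-03-25T09:00:00", "observable": "dl-a.example", "observable_type": "Hostname", "tags": ["malware-download"], "status": "offline"},
    {"@timestamp": "2019-03-26T10:00:00", "observable": "dl-a.example", "observable_type": "Hostname", "tags": ["malware-download"], "status": "online"},
    {"@timestamp": "2019-03-24T11:00:00", "observable": "dl-b.example", "observable_type": "Hostname", "tags": ["malware-download"], "status": "online"},
    {"@timestamp": "2019-03-26T12:00:00", "observable": "dl-b.example", "observable_type": "Hostname", "tags": ["malware-download"], "status": "offline"},
    {"@timestamp": "2019-03-25T13:00:00", "observable": "dl-c.example", "observable_type": "Hostname", "tags": ["malware-download"], "status": "online"},
    {"@timestamp": "2019-03-26T14:00:00", "observable": "dl-c.example", "observable_type": "Hostname", "tags": ["malware-download"], "status": "online"},
    {"@timestamp": "2019-03-26T15:00:00", "observable": "dl-d.example", "observable_type": "Hostname", "tags": ["malware-download"], "status": "online"},
    {"@timestamp": "2019-03-26T16:00:00", "observable": "mail.example", "observable_type": "Hostname", "tags": ["phishing"], "status": "online"},
]


def rank_malware_domains(docs, n=10, tag="malware-download", online_only=False):
    """Return up to n (domain, report_count, latest_status) tuples, most
    reported first. The status of a domain is taken from its most recently
    indexed document, since feeds re-check availability over time."""
    counts = Counter()
    latest_status = {}
    # Oldest first, so later documents overwrite the status of earlier ones.
    for doc in sorted(docs, key=lambda d: d["@timestamp"]):
        if doc.get("observable_type") != "Hostname" or tag not in doc.get("tags", []):
            continue
        domain = doc["observable"]
        counts[domain] += 1
        latest_status[domain] = doc.get("status", "unknown")
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    rows = [(d, c, latest_status[d]) for d, c in ranked]
    if online_only:
        rows = [r for r in rows if r[2] == "online"]
    return rows[:n]


def top_domains_query(n=10, tag="malware-download", online_only=False):
    """Equivalent Elasticsearch request: filter to hostnames carrying the
    tag (and, optionally, status online), then a terms aggregation on the
    observable keyword field sized to n."""
    filters = [
        {"term": {"observable_type": "Hostname"}},
        {"term": {"tags": tag}},
    ]
    if online_only:
        filters.append({"term": {"status": "online"}})
    return {
        "size": 0,
        "query": {"bool": {"filter": filters}},
        "aggs": {"top_domains": {"terms": {"field": "observable", "size": n}}},
    }


if __name__ == "__main__":
    for row in rank_malware_domains(SAMPLE_DOCS):
        print(row)
    print(rank_malware_domains(SAMPLE_DOCS, online_only=True))
```

Note that `online_only` filters on the latest status rather than on any historic one, which is what makes the result usable for tracking campaigns that are still live.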


Summary

YETI is a great example of an open-source project that can simplify and enhance the work performed by researchers and threat hunters.


Combining YETI with a big data platform such as Elastic Stack yields powerful insights and findings. There are plenty of interesting use cases that can be further examined using the data provided, and more threat campaigns and malicious techniques to discover.


We discussed our work with YETI’s community developers and they see it as a great future addition to their growing platform. We loved collaborating with the YETI project and will be happy to contribute to more open-source platforms.


IOCs


vjW0rm

H-Worm