Source URL: https://cloud.google.com/blog/topics/threat-intelligence/backscatter-automated-configuration-extraction/
Source: Cloud Blog
Title: Backscatter: Automated Configuration Extraction
Feedly Summary: Written by: Josh Triplett
Executive Summary
Backscatter is a tool developed by the Mandiant FLARE team that aims to automatically extract malware configurations. It relies on static signatures and emulation to extract this information without dynamic execution, bypassing anti-analysis logic present in many modern families. This complements dynamic analysis, providing faster threat identification and high-confidence malware family attribution. Google SecOps reverse engineers ensure precise indicators of compromise (IOC) extraction, empowering security teams with actionable threat intelligence to proactively neutralize attacks.
Overview
The ability to quickly detect and respond to threats has a significant impact on potential outcomes. Indicators of compromise (IOCs) serve as crucial breadcrumbs, allowing cybersecurity teams to identify and mitigate potential attacks while expanding their search for related activity. Backscatter extends VirusTotal's existing suite of tools for analyzing and understanding malware and its IOCs, and by extension the Google Threat Intelligence platform built on it.
VirusTotal has traditionally relied on dynamic analysis methods, like sandboxes, to observe malware behavior and capture IOCs. However, these methods can be time-consuming and may not yield actionable data if the malware employs anti-analysis techniques, such as detecting the sandbox and refusing to run or changing its behavior. Backscatter, a service developed by the Mandiant FLARE team, complements these methods by offering a static analysis capability that examines malware directly without executing it, leading to faster and more efficient IOC collection and high-confidence malware family identification. Additionally, Backscatter is capable of analyzing sandbox artifacts, including memory dumps, which improves support for packed and obfuscated malware that does execute successfully in dynamic environments: by the time the dump is taken, the packer has already unpacked the payload and its configuration in memory.
Within the Google Threat Intelligence platform, Backscatter shines by identifying configuration data, embedded IOCs, and other malicious artifacts hidden within malware uploaded by users. It can pinpoint command-and-control (C2 or C&C) servers, dropped files, and other signs of malware presence, rapidly generating actionable threat intelligence. All of the extracted IOCs and configuration attributes become immediately pivotable in the Google Threat Intelligence platform, allowing users to identify additional malware related to that threat actor or activity.
Complementing Dynamic Analysis
Backscatter enables security teams to quickly understand and defend against attacks. By leveraging Backscatter’s extracted IOCs in conjunction with static, dynamic, and reputational data, analysts gain a more comprehensive view of potential threats, enabling them to block malicious communication, detect and remove dropped files, and ultimately neutralize attacks.
Backscatter’s static analysis approach, available in Google Threat Intelligence, provides a valuable addition to the platform’s existing dynamic analysis capabilities. This combination offers a more comprehensive threat intelligence strategy, allowing users to leverage the strengths of both approaches for a more robust security posture.
Backscatter in GTI and VirusTotal
Backscatter is available to Google SecOps customers, including VirusTotal Enterprise and Google Threat Intelligence, the platform that supersedes it. While detecting a file as malicious can be useful, more clarity about the specific threat provides defenders with actionable intelligence. By attributing a sample to a malware family with higher confidence, its capabilities and behaviors can be approximated from previous reporting without requiring manual analysis.
Figure 1: Google Threat Intelligence identifies that a service has extracted DONUT and ASYNCRAT malware configurations from the file
Embedded data such as C2 servers, campaign identifiers, file paths, and registry keys can provide analysts with additional contextual information around a specific event. Google Threat Intelligence helps link that event to related activity by providing pivots to related IOCs, reports, and threat actor profiles. This additional context allows defenders to search their environment and expand remediation efforts.
Figure 2: Google Threat Intelligence displays that Backscatter was able to extract the DONUT payload
Figure 3: Google Threat Intelligence displays that Backscatter was able to extract the DONUT payload’s ASYNCRAT configuration
By taking a static approach to extracting data from malware, Backscatter is able to handle files targeting different environments, operating systems, and execution mechanisms. In the previous example, the DONUT malware sample is x86 shellcode: a raw, position-independent code blob with no executable container, so a sandbox could not launch it directly, yet the static scan still recovered the embedded ASYNCRAT configuration.
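The Overview and the example above describe the pattern without showing it: a byte signature locates an embedded configuration, the configuration is decoded without executing the sample, and the same scan can run over a raw shellcode blob or a memory dump. The following is an added example written for this page, not code from the post or from Backscatter itself. It implements that pattern in Python for a hypothetical toy malware family whose config layout (a `CFG1` marker, a one-byte XOR key, a length, and a TLV body) is constructed for the example; the field names, the sample values, and both input blobs are assumptions, not real artifacts.

```python
"""Toy static configuration extractor (added example; not Backscatter code).

Hypothetical config layout, constructed for this example only:
    b"CFG1" | key:u8 | body_len:u16le | body
where body is XOR-encoded with `key` and, once decoded, is a run of
TLV records: tag:u8 | len:u8 | value. Tags are listed in FIELD_NAMES.
"""
import json
import struct

MAGIC = b"CFG1"           # byte signature that locates the config (assumed)
HDR_LEN = len(MAGIC) + 3  # magic + key + u16 body length
FIELD_NAMES = {1: "c2_host", 2: "c2_port", 3: "campaign_id",
               4: "drop_path", 5: "registry_key"}


def build_sample(key, fields):
    """Encode a config the way the toy family's builder would.
    Only used here to construct sample input."""
    body = b""
    for tag, value in fields.items():
        raw = struct.pack("<H", value) if tag == 2 else value.encode()
        body += bytes([tag, len(raw)]) + raw
    enc = bytes(b ^ key for b in body)
    return MAGIC + bytes([key]) + struct.pack("<H", len(enc)) + enc


def decode_config(blob, offset):
    """Decode the config at blob[offset]. Returns a dict, or None when the
    bytes after the signature do not parse (truncated or false-positive hit)."""
    if blob[offset:offset + len(MAGIC)] != MAGIC or len(blob) < offset + HDR_LEN:
        return None
    key = blob[offset + len(MAGIC)]
    (body_len,) = struct.unpack_from("<H", blob, offset + len(MAGIC) + 1)
    enc = blob[offset + HDR_LEN:offset + HDR_LEN + body_len]
    if len(enc) != body_len:
        return None  # signature matched but the body is cut off
    body = bytes(b ^ key for b in enc)
    cfg, i = {}, 0
    while i + 2 <= len(body):
        tag, ln = body[i], body[i + 1]
        raw = body[i + 2:i + 2 + ln]
        if tag not in FIELD_NAMES or len(raw) != ln or (tag == 2 and ln != 2):
            return None  # malformed record: reject the whole hit
        cfg[FIELD_NAMES[tag]] = (struct.unpack("<H", raw)[0] if tag == 2
                                 else raw.decode("latin-1"))
        i += 2 + ln
    return cfg or None


def extract(blob):
    """Static scan: try every signature hit, keep the ones that decode.
    Each result records its offset so an analyst can pivot back to it."""
    results, pos = [], blob.find(MAGIC)
    while pos != -1:
        cfg = decode_config(blob, pos)
        if cfg is not None:
            results.append({"offset": pos, **cfg})
        pos = blob.find(MAGIC, pos + 1)
    return results


# Constructed inputs (not real samples). CONFIG uses placeholder values.
CONFIG = build_sample(0x5A, {
    1: "c2.example.invalid",
    2: 4443,
    3: "campaign-demo",
    4: r"%APPDATA%\svc.exe",
    5: r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
})
# Position-independent stub (call $+5; pop ebx) followed by the config: a raw
# shellcode blob a file sandbox could not launch, yet the scan needs no execution.
SHELLCODE_SAMPLE = b"\xe8\x00\x00\x00\x00\x5b" + CONFIG
# A "memory dump": the same config sitting amid other bytes, plus a trailing
# signature hit whose body is truncated and must be rejected, not reported.
MEMORY_DUMP = b"\x00" * 64 + b"\x90" * 32 + CONFIG + MAGIC + b"\xff\x10\x00" + b"\x01" * 3

if __name__ == "__main__":
    for name, blob in (("shellcode", SHELLCODE_SAMPLE), ("memdump", MEMORY_DUMP)):
        print(name, json.dumps(extract(blob), indent=2))
```

Two design points carry over to real extractors: every signature hit is validated by fully parsing the body, so a stray marker in a dump yields no IOC rather than a garbage one, and results keep their offset, because an analyst who pivots on an extracted C2 usually wants to get back to the bytes it came from.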
Backscatter in the Field
Mandiant Managed Defense leverages Backscatter to deliver faster and more accurate identification and analysis of rapidly emerging malware families. This enables them to more quickly scope threat activity and more rapidly provide customers with pertinent contextual information. From distribution campaigns providing initial access, to ransomware operations, to targeted attacks by state-sponsored actors, Backscatter aims to provide actionable threat intelligence to enable security teams and protect customers.
Figure 4: Google Threat Intelligence displays a phishing campaign involving UNC2500 using the BLACKWIDOW and DARKGATE backdoors
One example threat group is UNC2500, which primarily distributes malware via email attachments and links to compromised websites. Many of the malware families used by this group, such as QAKBOT and DARKGATE, are supported by Backscatter, allowing Managed Defense customers to proactively block IOCs extracted by Backscatter.
Figure 5: UNC2500 provides initial access to UNC4393 to deploy BASTA ransomware
Looking Ahead
Backscatter stands as a testament to Google SecOps’ commitment to providing cutting-edge tools for combating cyber threats. By offering a fast and efficient way to extract IOCs through static analysis, Backscatter empowers security teams to stay one step ahead of attackers. Incorporating Backscatter into their workflow, Google Threat Intelligence customers can strengthen their cybersecurity defenses and safeguard their valuable assets.
AI Summary and Description: Yes
**Summary:** The text discusses Backscatter, a tool from the Mandiant FLARE team that enhances malware configuration extraction through static analysis. By providing faster threat identification without dynamic execution, Backscatter complements existing analysis methods and empowers security teams with actionable intelligence, thus improving overall cybersecurity efficacy.
**Detailed Description:**
The text provides an in-depth look into the functioning and significance of Backscatter, particularly in the realm of enhanced cybersecurity through advanced threat detection capabilities. Here are the major points highlighted:
– **Tool Development and Purpose:**
  – Backscatter is a tool designed by the Mandiant FLARE team to automatically extract malware configurations.
  – It employs static signatures and emulation to collect data without executing the malware, effectively bypassing certain anti-analysis measures.
– **Enhanced Threat Detection:**
  – The integration of Backscatter allows security teams to quickly identify and mitigate potential attacks using the extracted Indicators of Compromise (IOCs).
  – This tool complements the existing dynamic analysis capabilities provided by VirusTotal and the Google Threat Intelligence platform.
– **Operational Benefits:**
  – Backscatter complements traditional dynamic analysis methods (such as sandboxes), which may be hindered by malware exhibiting anti-analysis behavior, by offering a faster static analysis mechanism.
  – It also analyzes sandbox artifacts, including memory dumps, to better handle packed and obfuscated malware.
– **Functionality Within Google Threat Intelligence:**
  – Backscatter improves the functionality of the Google Threat Intelligence platform by pinpointing command-and-control servers, dropped files, and other malware indicators directly from uploaded samples.
  – Extracted IOCs and configuration attributes become immediately pivotable, supporting comprehensive threat analysis and contextual understanding.
– **Support for Security Teams:**
  – Security analysts can leverage a combination of static, dynamic, and reputational data alongside Backscatter's analysis for a more rounded view of potential threats.
  – This holistic view allows for effective blocking of malicious activities and proactive threat neutralization.
– **Practical Application:**
  – Mandiant Managed Defense utilizes Backscatter for quick identification and analysis of emerging malware families, enabling swift threat scoping and contextual reporting.
  – Specifically referenced threat groups (e.g., UNC2500) and their malware families (QAKBOT, DARKGATE) demonstrate Backscatter's direct application in real-world scenarios.
– **Future of Cybersecurity Tools:**
  – Backscatter exemplifies ongoing efforts by Google SecOps to advance cybersecurity tools, allowing security teams to remain ahead of evolving threats by integrating static analysis capabilities into their operations.
This text provides actionable insights for cybersecurity professionals, underscoring the value of advanced static analysis tools in improving incident detection and response times, ultimately leading to stronger defense measures in the face of continuous cyber threats.