US Cyber Command starts uploading foreign APT malware to VirusTotal

USCYBERCOM said it plans to regularly upload "unclassified malware samples" to VirusTotal.
Written by Catalin Cimpanu, Contributor

On Monday, the Cyber National Mission Force (CNMF), a subordinate unit of US Cyber Command (USCYBERCOM), set in motion a new initiative through which the DOD would share malware samples it discovered on its networks with the broader cybersecurity community.

The CNMF kicked off this new project by creating an account on VirusTotal, an online file scanning service that also doubles as an online malware repository, and by uploading two malware samples.

In addition, USCYBERCOM also created a new Twitter account where it would tweet a link to all new VirusTotal malware uploads.

USCYBERCOM's decision was met with universal praise by leading voices from the cybersecurity private sector.

"This is a great initiative and we believe that if more governments would do the same, the world would be safer. We salute their initiative and are of course paying close attention to what they upload," said Costin Raiu, Director of Global Research & Analysis Team at Kaspersky Lab.

"We believe that having more files in VirusTotal increases the value to the entire community," said Mike Wiacek, CSO and co-founder of Chronicle, Alphabet's cyber-security division and the company behind VirusTotal.

"In fact, the first submission, for LoJack malware, included files that weren't previously in VirusTotal," Wiacek told ZDNet today via email.

That new file was rpcnetp.dll, which together with the second sample, rpcnetp.exe, has been used to infect victims with the Computrace/LoJack/LoJax malware.

Raiu told ZDNet that Kaspersky has been tracking this malware for years. It came back to life this year in new campaigns detected by Netscout and ESET.

LoJax is currently the first documented case of a UEFI rootkit used in the wild, and the malware has been tied to APT28, a codename for a nation-state cyber-espionage group that several Western countries have associated with Russia's military intelligence agency, the GRU.

USCYBERCOM's decision to make these two particular malware samples its first two uploads didn't go unnoticed by the infosec community. Some sharp-eyed pundits immediately categorized it as a new name-and-shame effort on the part of Western governments, which have been very active this year in exposing and indicting Chinese, Russian, Iranian, and North Korean hackers.

"It remains to be seen exactly how this new initiative will unfold," John Hultquist, director of intelligence analysis at FireEye, told ZDNet in an email today.

"But what is striking about this initiative is it lacks many of the contextual elements of the name and shame strategy. Whereas that strategy involves a tremendous amount of context which has to be scrutinized throughout the government, this initiative could be less encumbered by those considerations," Hultquist said.

"There will undoubtedly still be a strategy behind these disclosures, since disclosures always have consequences for intelligence operations, but their simplicity may allow for simpler, faster action, something the government has historically struggled with."

On the other hand, there are those security researchers who purposely stay away from politically-charged attributions when dealing with APT malware.

For example, in an interview with ZDNet, Alexis Dorais-Joncas, Security Intelligence Team Lead at ESET, was far more interested in how USCYBERCOM's VirusTotal uploads might influence an APT group's upcoming operations than in the political fallout that follows.

"As far as exposing hacking toolsets, it does not necessarily automatically render the tools totally useless, but it is likely to at least cause the attacker to adapt," Dorais-Joncas told us. "For example, ESET has been exposing [APT28]'s toolset evolution for years, and yet the group is still using a lot of the same tools, albeit with additional improvements added over time."

"I would say exposing full [tactics, techniques, and procedures] on top of actual samples would be more harmful to attackers, as they would need to change their entire attack workflow (think spreading and infection mechanisms, persistence, communication protocols, etc)," Dorais-Joncas said. "It does not look like USCYBERCOM is providing such context together with the samples they are sharing, so that might limit the upside of their initiative."

"Only time will tell if samples shared by USCYBERCOM will turn up to be interesting for researchers or not - it really depends on what they choose to share," the ESET researcher added. "I'm inclined to give them the benefit of the doubt for now."

But the infosec community also had another gripe with USCYBERCOM's new sharing practice, and that's with what the DOD considers "unclassified malware samples."

Both ESET's Dorais-Joncas and FireEye's Hultquist shared the same opinion on this topic: even if the agency uses the term "unclassified malware samples," this doesn't necessarily mean we'll get run-of-the-mill malware such as adware and basic downloaders.

"This effort may very well expose us to new threats, which require serious analysis," Hultquist said.

"I would also not presume that unclassified malware will automatically already be known to researchers," Dorais-Joncas added.

"In general, I would say more sample sharing can only lead to equal or better protection because any new sample security vendors can obtain helps them improve their detection databases and thus better protect their respective customers."

As for Wiacek, the Chronicle CSO would more than love to see other intelligence and law enforcement agencies follow in the DOD's footsteps.

"We invite other U.S. and international agencies to participate in a similar manner," Wiacek said. "We are happy to see new members in the VirusTotal community."
