Let's say your company received a suspicious file.
You need to analyze the file on VT but you don't want the attacker to know that you submitted a hash of its malicious file.
If the hash has never been analyzed on VT, it's easy for the attacker to figure out if you did it as VT lets you know the last time that the file was analyzed.
Is there a way to "obfuscate" the file signature so that you can submit it and get a good result but the attacker will ignore that you checked its file?
@francoisihry The VirusTotal analyzer has two flavors. VirusTotal_GetReport will simply query VT for the latest available report associated with a file. To do this, it does not send the file but its hash. If the file has never been analyzed, it will return 0 results. The attacker, unless they take over VT infrastructure or yours, will never know that you have asked for the report.
As you know the analyzers are also TLP-aware. As such, you can prevent your analysts from submitting files through VirusTotal_Scan, the other flavor which indeed submits the whole file instead of its hash.
If you really need to analyze the file on VirusTotal instead of asking if it has been seen, then you have to take a risk-guided decision based on what needs to be done in your investigation vs. what the attacker can know about your progress.
To the best of my knowledge, there is no simple way of 'obfuscating' a file to fool an attacker without fooling the AV engines on VT at the same time. Please note that some attackers might have a VTI subscription and as such may spot you anyway thanks to their YARA rules.
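
The hash-only lookup and the TLP gate described in the reply above, as an added example that is not part of the original thread or of the analyzer's own code. It uses VirusTotal's public v3 file-report endpoint; the function names and the TLP thresholds (reports up to AMBER, uploads up to GREEN) are assumptions chosen for illustration.

```python
import hashlib
import json
import urllib.error
import urllib.request

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"  # report lookup by hash, no upload
TLP = {"WHITE": 0, "GREEN": 1, "AMBER": 2, "RED": 3}
# Assumed local policy: report lookups allowed up to AMBER, file uploads only up to GREEN.
MAX_TLP = {"get_report": TLP["AMBER"], "scan": TLP["GREEN"]}


def allowed(action, tlp):
    """True if the case TLP permits this analyzer flavor under the assumed policy."""
    return TLP[tlp] <= MAX_TLP[action]


def build_lookup(data, api_key):
    """Build the GET request; only the SHA-256 digest leaves the host, never the bytes."""
    digest = hashlib.sha256(data).hexdigest()
    return urllib.request.Request(
        VT_FILE_URL.format(digest), headers={"x-apikey": api_key}, method="GET")


def interpret(status, body):
    """Map a v3 response to a verdict; 404 means VT holds no report for this hash."""
    if status == 404:
        return {"known": False}
    stats = json.loads(body)["data"]["attributes"]["last_analysis_stats"]
    return {"known": True, "malicious": stats.get("malicious", 0)}


def lookup(data, tlp, api_key):
    """Hash-only lookup, refused when the TLP forbids it. Performs network I/O."""
    if not allowed("get_report", tlp):
        raise PermissionError("TLP %s forbids querying VirusTotal" % tlp)
    try:
        with urllib.request.urlopen(build_lookup(data, api_key), timeout=30) as resp:
            return interpret(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        if err.code == 404:  # never seen: nothing was submitted, nothing is recorded as a scan
            return interpret(404, b"")
        raise


SAMPLE = b"constructed sample bytes, not a real file"
```

A `{"known": False}` result is the point at which the risk-guided decision from the reply applies: uploading the file is a separate action with its own, stricter TLP ceiling.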