Monday, February 17, 2025

Backscatter: Automated Extraction of Configurations

Overview

The speed at which threats are identified and addressed has a significant impact on outcomes. Indicators of compromise (IOCs) are the essential breadcrumbs that let security teams spot and stop possible attacks while broadening their search for associated activity. Backscatter significantly improves VirusTotal's existing toolkit for analysing and understanding malware IOCs, and therefore the Google Threat Intelligence platform as a whole.

VirusTotal has long used sandboxes and other dynamic analysis techniques to observe malware behaviour and record IOCs. These approaches, however, can be laborious and may not produce useful information if the malware uses anti-analysis measures. The Mandiant FLARE team's Backscatter service complements existing techniques with a static analysis capability that inspects malware directly without running it, resulting in high-confidence malware family identification and quicker, more effective IOC collection. To improve support for packed and obfuscated malware that does run successfully in dynamic environments, Backscatter can now also analyse sandbox artefacts, such as memory dumps.

Within the Google Threat Intelligence platform, Backscatter excels at locating configuration information, embedded IOCs, and other malicious artefacts concealed in user-uploaded malware. It quickly produces actionable threat intelligence by identifying dropped files, command-and-control (C2 or C&C) servers, and other indications of malware presence. The Google Threat Intelligence platform immediately makes all of the captured IOCs and configuration information available as pivots, enabling users to find further malware associated with that threat actor or behaviour.

Enhancing Dynamic Analysis

Security personnel can swiftly understand and counter attacks with Backscatter. By combining Backscatter's extracted IOCs with static, dynamic, and reputational data to build a more complete picture of possible threats, analysts can identify and remove dropped files, block malicious communication, and neutralise attacks.

The static analysis method, accessible through Google Threat Intelligence, is a useful supplement to the dynamic analysis features the platform already offers. This combination provides a more thorough threat intelligence strategy, letting users take advantage of both methodologies for a stronger security posture.

Backscatter in GTI and VirusTotal

Backscatter is available to Google SecOps customers, including users of VirusTotal Enterprise and its long-term successor, the Google Threat Intelligence platform. Although identifying a file as malicious can be helpful, defenders gain actionable knowledge when the threat is more clearly defined. A higher-confidence attribution to a malware family lets capabilities and behaviours be estimated from prior reports without the need for manual investigation.

Google Threat Intelligence identifies that a service has extracted DONUT and ASYNCRAT malware configurations from the file
Image credit to Google Cloud

Embedded data such as C2 servers, campaign identifiers, file locations, and registry keys can give analysts more background on a particular event. By offering pivots to related IOCs, reports, and threat actor profiles, Google Threat Intelligence helps connect that incident to related activity. This extra context lets defenders search their environments and broaden clean-up efforts.
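The paragraph above lists the kinds of embedded data an extractor surfaces (C2 servers, campaign identifiers, file paths, registry keys) and the defender's follow-on step of blocking and hunting on them. The script below is an added example, not Backscatter's or Google Threat Intelligence's code, of the normalisation a defender does before those indicators are usable: it splits C2 entries into IPs and domains, validates ports, deduplicates case-insensitive Windows paths and registry keys, and produces a blocklist plus a defanged report. The input record, the family name EXAMPLE_RAT and every indicator value in it are constructed for illustration and do not reproduce Backscatter's real output format.

```python
"""Normalise an extracted malware configuration into blockable and huntable indicators.

Added example: SAMPLE_CONFIG is a CONSTRUCTED record shaped like the data the
text describes; it is not Backscatter's or GTI's actual output format.
"""
import ipaddress
import re
from collections import defaultdict

SAMPLE_CONFIG = {
    "family": "EXAMPLE_RAT",        # hypothetical family name
    "campaign_id": "campaign-xyz",  # constructed campaign identifier
    # Constructed C2 list; note the duplicate entry and mixed IP/domain forms.
    "c2": ["203.0.113.10:4782", "c2.example.invalid:443", "203.0.113.10:4782"],
    "file_paths": [r"C:\Users\Public\svchost.exe", r"%APPDATA%\updater\run.exe"],
    "registry_keys": [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"],
}

# host[:port] where host contains no ':' '/' or whitespace (URLs are rejected on purpose)
HOST_RE = re.compile(r"^(?P<host>[^:/\s]+)(?::(?P<port>\d{1,5}))?$")


def classify_c2(entry):
    """Split 'host[:port]' into (kind, host, port); kind is 'ip' or 'domain'."""
    m = HOST_RE.match(entry.strip())
    if not m:
        raise ValueError(f"unparseable C2 entry: {entry!r}")
    host, port = m.group("host"), m.group("port")
    port = int(port) if port else None
    if port is not None and not 0 < port < 65536:
        raise ValueError(f"port out of range in C2 entry: {entry!r}")
    try:
        ipaddress.ip_address(host)  # raises ValueError if not an IPv4/IPv6 literal
        kind = "ip"
    except ValueError:
        kind = "domain"
    return kind, host.lower(), port


def defang(host):
    """Render a host so it cannot be clicked or resolved in a report (203[.]0[.]113[.]10)."""
    return host.replace(".", "[.]")


def to_indicators(config):
    """Deduplicate and normalise a config into sorted per-type indicator lists."""
    out = defaultdict(set)
    for entry in config.get("c2", []):
        kind, host, port = classify_c2(entry)
        out[kind].add(host)
        if port is not None:
            out["socket"].add(f"{host}:{port}")
    # Windows paths and registry keys are case-insensitive, so normalise for dedup.
    for path in config.get("file_paths", []):
        out["file_path"].add(path.lower())
    for key in config.get("registry_keys", []):
        out["registry_key"].add(key.lower())
    return {kind: sorted(values) for kind, values in out.items()}


def blocklist_lines(indicators):
    """One IP or domain per line, in the shape most network blocklists accept."""
    return indicators.get("ip", []) + indicators.get("domain", [])


def defanged_report(config, indicators):
    """Human-readable summary with network indicators defanged for safe sharing."""
    lines = [f"family={config.get('family', '?')} campaign={config.get('campaign_id', '?')}"]
    for kind in ("ip", "domain", "socket"):
        for value in indicators.get(kind, []):
            lines.append(f"{kind}: {defang(value)}")
    for kind in ("file_path", "registry_key"):
        for value in indicators.get(kind, []):
            lines.append(f"{kind}: {value}")
    return "\n".join(lines)


if __name__ == "__main__":
    ind = to_indicators(SAMPLE_CONFIG)
    print(defanged_report(SAMPLE_CONFIG, ind))
    print("blocklist:", blocklist_lines(ind))
```

The deliberate rejection of URL-shaped C2 entries is the kind of check worth keeping: an extractor can emit `http://host/path` for some families, and silently truncating or accepting it would put a malformed entry on a blocklist. Treat the raised `ValueError` as a signal to look at that family's output format rather than to drop the indicator.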

Google Threat Intelligence displays that Backscatter was able to extract the DONUT payload
Image credit to Google Cloud
Google Threat Intelligence displays that Backscatter was able to extract the DONUT payload's ASYNCRAT configuration
Image credit to Google Cloud

Because Backscatter extracts data from malware statically, it can handle files that target many environments, operating systems, and execution methods. The DONUT malware sample in the preceding example, for instance, is x86 shellcode, so a sandbox was unable to run it directly.

Backscatter in the Field

Mandiant Managed Defense uses Backscatter to identify and analyse rapidly evolving malware families more quickly and accurately. As a result, they can scope threat activity and give clients relevant contextual information sooner. Backscatter aims to provide actionable threat intelligence that supports security teams and protects customers against threats ranging from ransomware operations and distribution campaigns that provide initial access, to targeted attacks by state-sponsored actors.

UNC2500 is one such threat group, which mostly uses links to infected websites and email attachments to spread malware. Because Backscatter supports several of the malware families employed by this group, including QAKBOT and DARKGATE, Managed Defense clients can proactively block the IOCs that Backscatter extracts.

Looking Ahead

Backscatter is evidence of Google SecOps' commitment to offering state-of-the-art resources for countering cyber threats. By providing a quick and effective method for extracting IOCs through static analysis, Backscatter helps security teams stay ahead of attackers. Google Threat Intelligence customers can improve their defences and protect their critical assets by integrating Backscatter into their workflow.

Thota Nithya
Thota Nithya has been writing Cloud Computing articles for govindhtech since April 2023. She is a science graduate and an enthusiast of cloud computing.