20 June 23, 09:15
Last Monday our colleagues over at Mandiant rolled out Permhash. In their own words, Permhash is an extensible framework to hash the declared permissions applied to Chromium-based browser extensions and APKs allowing for clustering, hunting, and pivoting similar to import hashing and rich header hashing. We are excited to announce that we have been working closely with Jared Wilson on the Mandiant side to support Permhash similarity pivoting in VirusTotal.
VirusTotal already supports multiple similarity pivots: vhash (VirusTotal’s home-grown static feature hash), behash (same concept but for dynamic analyses), ssdeep, imphash, TLSH, telfhash, main icon dhash, etc. We have blogged extensively in the past about how similarity can be used to expand context and map out threat campaigns; we even hosted a joint webinar with Trend Micro and Trinity Cyber on this very topic. But let’s see how Permhash builds upon VirusTotal’s threat hunting Swiss army knife and provides yet another orthogonal vehicle to track threat actors and their toolkits, going beyond IoCs and rather focusing on repeatable toolkit patterns.
In their article, Mandiant writes about UNC3559 and CHROMELOADER. UNC3559 is a financially motivated threat cluster that has distributed the CHROMELOADER dropper since at least early 2022. CHROMELOADER is a dropper that subsequently downloads a malicious Chrome extension, which can display advertisements in the browser and capture browser search data. Mandiant shares a particular CHROMELOADER manifest; you can use that initial input to pivot to other similar files via Permhash, and you can combine it with other search modifiers to narrow down results to actual Chrome Extensions as opposed to manifests:
permhash:d4d1b61f726a5b50365c8c18b2c5ac7ab34b3844e0d50112f386dfd875b6afac type:crx
With a single click we get to 19 other potential variations by the same threat group, many of them with low detection coverage by the industry (we are starting to get proactive):
Now we can dig further into these to understand the group’s infrastructure and modus operandi. For instance, we can leverage VirusTotal Commonalities to identify patterns that repeat themselves across all variations, as well as distribution infrastructure:
...
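The clustering idea behind Permhash, as an added illustration that is not part of the quoted post and not Mandiant's permhash library: a hash taken over the permissions an extension manifest declares stays the same when the branding, version and code change but the requested capabilities do not. The manifests are constructed, and the canonicalisation (sorted, de-duplicated permission strings) is a simplification, so the resulting values will not match real permhash: values on VirusTotal.

```python
import hashlib
import json

# Constructed sample manifests, not real CHROMELOADER artifacts.
MANIFEST_A = json.dumps({
    "name": "Video Helper",
    "version": "1.0.3",
    "permissions": ["tabs", "storage", "webRequest", "<all_urls>"],
    "optional_permissions": ["history"],
})
MANIFEST_B = json.dumps({
    "name": "Search Booster",  # rebranded, same declared capabilities
    "version": "2.7.1",
    "permissions": ["webRequest", "tabs", "<all_urls>", "storage"],
    "optional_permissions": ["history"],
})
MANIFEST_C = json.dumps({
    "name": "Video Helper",
    "version": "1.0.4",
    "permissions": ["storage"],  # permission set trimmed: hash changes
})


def declared_permissions(manifest_json: str) -> list[str]:
    """Collect the permission entries a Chromium extension manifest declares.

    Reads "permissions" and "optional_permissions". Entries are usually
    strings, but some (e.g. usbDevices) are objects, so those are serialised
    with sorted keys to keep the representation stable.
    """
    manifest = json.loads(manifest_json)
    perms = []
    for key in ("permissions", "optional_permissions"):
        for entry in manifest.get(key, []):
            perms.append(entry if isinstance(entry, str)
                         else json.dumps(entry, sort_keys=True))
    return perms


def permission_hash(manifest_json: str) -> str:
    """SHA-256 over the de-duplicated, sorted permission set.

    Simplified stand-in for Permhash (assumption: order-independent so that
    reordering the list does not split a cluster); not Mandiant's exact scheme.
    """
    canonical = "\n".join(sorted(set(declared_permissions(manifest_json))))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def vt_pivot_query(manifest_json: str, file_type: str = "crx") -> str:
    """Build a VirusTotal pivot in the shape the post shows (permhash + type)."""
    return f"permhash:{permission_hash(manifest_json)} type:{file_type}"
```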