Home » Database

AVID-2023-V003

Description

VirusTotal Poisoning

Details

McAfee Advanced Threat Research noticed an increase in reports of a certain ransomware family that was out of the ordinary. Case investigation revealed that many samples of that particular ransomware family were submitted through a popular virus-sharing platform within a short amount of time. Further investigation revealed that based on string similarity the samples were all equivalent, and based on code similarity they were between 98 and 74 percent similar. Interestingly enough, the compile time was the same for all the samples. After more digging, researchers discovered that someone used ‘metame’ a metamorphic code manipulating tool to manipulate the original file towards mutant variants. The variants would not always be executable, but are still classified as the same ransomware family.

References

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0601: Ingest Poisoning
  • Lifecycle stages: L03: Data Preparation

Affected or Relevant Artifacts

  • Developer:
  • Deployer: VirusTotal
  • Artifact Details:
    TypeName
    SystemVirusTotal

Other information

  • Vulnerability Class: ATLAS Case Study
  • Credits: McAfee Advanced Threat Research
  • Date Published: 2023-03-31
  • Date Last Modified: 2023-03-31
  • Version: 0.2
  • AVID Entry