Automation of binary analysis: From open source collection to threat intelligence

Abstract

Many open sources of binaries, including malware, have emerged in the landscape in recent years. Their quality compares very favourably with commercial sources, as emphasised by Thibaud Binetruy (Twitter influencer under a pseudonym, Société Générale CERT, 2020): “Integrating operational threat intel in your defense mechanisms doesn’t mean buying Threat Intel. You can start by using the [mass] of open source indicators available for free.” Some are provided by official sources (Abuse.ch, with data supplied by the Swiss national CERT, among others), while others are made available in more obscure ways, sometimes anonymously (VirusShare, VX-Underground, etc.). Our examination of these sources underlines the wide disparity in quality and quantity between them. We have had to take this diversity into account in our research, designing a dedicated platform that enables us to supply information to our binary analysis products and to conduct daily analyses of correlations between and within malware families on a large scale. This work can then be applied to concrete cases such as Babuk, Ryuk and Conti. We have been able to highlight links for these families by immediately identifying correlations, with additional manual analysis then confirming the genealogy of the samples precisely.