Cyber Threat Intelligence: Malware Bazaar on the Frontlines of Threat Intelligence
Posted by Cartographer, 12-30-2024, 08:31 PM

Welcome back, aspiring cyberwarriors!

In the complex realm of cybersecurity, professionals face a continuously evolving landscape of digital threats. To address this challenge, MalwareBazaar was introduced as a collaborative defense platform, revolutionizing the way cybersecurity experts analyze and combat malicious software.

Conceived by abuse.ch, a distinguished Swiss cybersecurity research organization, MalwareBazaar collects known malware samples, enriches them with additional intelligence and provides them back to the community, for free. The platform was born from a critical observation: traditional methods of malware detection and analysis were fragmented, slow, and woefully inadequate against the cyber threats of the modern era.

At its core, MalwareBazaar is more than a database: it is a living ecosystem of threat intelligence. The platform creates a unified environment where security researchers, organizations, and experts can rapidly exchange crucial information about emerging cyber threats.

The Collaborative Defense Mechanism

What truly sets MalwareBazaar apart is its commitment to collaborative defense. The platform transcends traditional organizational and geographical boundaries. A malware sample discovered in one corner of the world can be rapidly analyzed, classified, and shared with security professionals globally, creating a dynamic, real-time threat intelligence network.

This approach democratizes cybersecurity intelligence. Smaller organizations, which might lack extensive resources, gain access to the same high-quality threat information as large enterprises.

Getting Started With MalwareBazaar

To begin using MalwareBazaar, simply visit https://bazaar.abuse.ch/. You can search for and download samples without the need for registration.

By navigating to the "MalwareBazaar database" page, you can search for malware samples using various criteria, including hash values (MD5, SHA256, SHA1), imphash, TLSH hash, ClamAV signature, tags, or malware family.

The search syntax for Malware Bazaar follows this format: keyword:search_term. Below is a list of accepted keywords with example search terms:

  • md5: md5:1b109efade90ace7d953507adb1f1563
  • sha256: sha256:11b16ba733f2f4f10ac58021eecaf5668551a73e2a1acfae99745c50bfccbb44
  • signature: signature:CobaltStrike
  • tag: tag:TA505
  • file_type: file_type:rtf
  • user: user:malware_traffic
  • clamav: clamav:SecuriteInfo.com.Artemis1FBB04F6EAF7.17086.UNOFFICIAL
  • yara: yara:win_asyncrat_j1
  • serial_number: serial_number:51CD5393514F7ACE2B407C3DBFB09D8D
  • issuer_cn: issuer_cn:Sectigo RSA Code Signing CA
  • imphash: imphash:756fdea446bc618b4804509775306c0d
  • tlsh: tlsh:8DD484F440EF10A2F25F852936ADBE9401B2B1C7DBDA5E08137DE5311BBDA633A0564D
  • telfhash: telfhash:52d0a7c198b4972c99e60578ed5c5bb29106216620070b20cf10a5d4d83b440f40db59
  • gimphash: gimphash:b43f35a8610180bcb184238555a0858a6c160a2d872566e7e9633221308b34fd
  • dhash_icon: dhash_icon:f8dcbeffbffecee8

For instance, let's try to find samples of Conti ransomware. Conti is malware developed by the Russia-based hacking group "Wizard Spider" in December 2019. Since its creation, it has evolved into a full-fledged ransomware-as-a-service (RaaS) operation, used by various threat actor groups to carry out ransomware attacks.

To find these samples, you can search using keywords related to Conti, such as:

  • signature: signature:Conti
  • tag: tag:Conti
  • file_type: file_type:exe (or other file types)

By clicking on the hash, we can access additional information such as the first time the sample was observed, vendor detection details, and more. From there, you can also download the sample for further analysis. I think it goes without saying that attackers can download these samples and use them as well.
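As an added example (not code from this post or from abuse.ch), here is a small Python validator for the keyword:search_term syntax listed above, applied to the Conti queries: it rejects unknown keywords, strips the whitespace that copy-paste or extraction often injects into long hashes, and checks each hash keyword's length before the string goes into the search box. The keyword list and hash lengths come from the post; treating serial_number and the certificate fields as free text, and allowing an optional "T1" TLSH version prefix, are my assumptions.

```python
import re

# Keywords accepted by the MalwareBazaar search box (from the list above),
# mapped to the shape a valid term must have. None means free text.
# Hex lengths: md5/imphash 32, sha256/gimphash 64, tlsh/telfhash 70, dhash_icon 16.
KEYWORD_PATTERNS = {
    "md5": r"[0-9a-f]{32}",
    "sha256": r"[0-9a-f]{64}",
    "imphash": r"[0-9a-f]{32}",
    "tlsh": r"(t1)?[0-9a-f]{70}",      # optional TLSH version prefix (assumption)
    "telfhash": r"[0-9a-f]{70}",
    "gimphash": r"[0-9a-f]{64}",
    "dhash_icon": r"[0-9a-f]{16}",
    "signature": None, "tag": None, "file_type": None, "user": None,
    "clamav": None, "yara": None, "serial_number": None, "issuer_cn": None,
}

def normalize_term(keyword, term):
    """Hashes: drop embedded whitespace and lowercase; free text: just trim."""
    if KEYWORD_PATTERNS.get(keyword) is not None:
        return re.sub(r"\s+", "", term).lower()
    return term.strip()

def parse_query(query):
    """Split 'keyword:search_term', validate both halves, return (keyword, term).

    Raises ValueError so a malformed query is caught before it is submitted."""
    if ":" not in query:
        raise ValueError("query must look like keyword:search_term")
    keyword, term = query.split(":", 1)
    keyword = keyword.strip().lower()
    if keyword not in KEYWORD_PATTERNS:
        raise ValueError(f"unknown keyword {keyword!r}")
    term = normalize_term(keyword, term)
    if not term:
        raise ValueError("empty search term")
    pattern = KEYWORD_PATTERNS[keyword]
    if pattern is not None and not re.fullmatch(pattern, term):
        raise ValueError(f"{keyword} term has the wrong length or non-hex characters")
    return keyword, term

def check_queries(queries):
    """Return {query: normalized 'keyword:term'} for valid entries, or the error text."""
    result = {}
    for q in queries:
        try:
            keyword, term = parse_query(q)
            result[q] = f"{keyword}:{term}"
        except ValueError as exc:
            result[q] = f"INVALID: {exc}"
    return result

if __name__ == "__main__":
    # The three Conti queries from the text, plus one deliberately broken hash.
    for q, outcome in check_queries(["signature:Conti", "tag:Conti", "file_type:exe",
                                     "md5:1b109efade90ace7d953507adb1f156"]).items():
        print(f"{q!r:45} -> {outcome}")
```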

Why MalwareBazaar?

Many IT-security researchers heavily rely on publicly available information (OSINT) to hunt down new cyber threats, and OSINT is an invaluable resource for gathering threat intelligence. However, researchers often face a simple yet significant problem: malware samples referenced in blog posts, whitepapers, or mentioned on social media platforms like Twitter are typically not easily accessible. To obtain the malware samples needed for analysis, researchers are required to register on multiple online anti-virus scanning engines, sandboxes, or malware databases. The situation is even more challenging as some of these platforms impose download restrictions (limiting the number of samples that can be downloaded per day), while others are only accessible to paying users. This becomes a major obstacle in daily work.

This was the driving force behind the creation of MalwareBazaar: a platform that enables IT-security researchers to easily share malware samples with the community, without encountering download restrictions or having to pay expensive subscription fees.

What's The Difference Between MalwareBazaar And VirusTotal?

VirusTotal is a fantastic resource for threat intelligence and malware hunting. Unlike MalwareBazaar, VirusTotal operates as a multi-anti-virus scanner, allowing you to assess whether a specific file is malicious or benign.

However, there are a few limitations with VirusTotal:

  • While you can upload as many files as you'd like to VirusTotal, downloading malware samples is restricted to paying users only.
  • As of March 2020, only about one-third of all uploaded files are detected by at least one AV engine (according to VirusTotal statistics). This means that two-thirds of the uploaded samples are considered benign.

On the other hand, MalwareBazaar takes a different approach:

  • MalwareBazaar focuses solely on tracking malware samples: no adware (PUA/PUP) or benign files.
  • Unlike VirusTotal, MalwareBazaar is not a multi-anti-virus scanning engine.
  • You can upload and download as many malware samples as you want, without any restrictions.
  • It's completely free!

Summary:

In an era of increasingly complex digital risks, MalwareBazaar stands as a powerful example of collective intelligence. It transforms the fragmented cybersecurity landscape into a cohesive, dynamic ecosystem where knowledge is shared and threats are rapidly identified.