Monday, October 30, 2023


October 30th, 2023 - Holistic searching, VirusTotal connectors, GenAI chat bot, file similarity summaries and more

What’s new?


  • MITRE ATT&CK TTPs in threat {collection, actor} knowledge cards and open in MITRE ATT&CK Navigator. VirusTotal does not only aggregate detection engines but also dynamic analysis sandboxes. Mandiant CAPA and some of the sandboxes that we aggregate map out execution observations into MITRE ATT&CK tactics and techniques and Malware Behavior Catalog behaviors - see example report. When building threat {collection, actor} cards, VirusTotal aggregates all the mapped TTPs for all the IoCs linked to a given campaign/toolkit/actor and displays them in the TTP tab of the pertinent knowledge card. We’ve now included shortcuts to open these TTP mappings in MITRE ATT&CK Navigator.

  • New and enhanced relations in VirusTotal’s underlying threat graph. VirusTotal provides superior context about IoCs. Some of that context is based on relationships with other IoCs and adversary entities, for example: contacted domains, download URLs, resolved IP addresses, compressed bundle parents, execution first stages, etc. We’ve enhanced VirusTotal’s core threat graph as follows:
      • Added redirects to relationship. VirusTotal has been displaying target redirection URLs in the Details tab of URL reports for some time now, but this data point has never been added as a full-blown relationship displayed in the Relations tab and explorable via VT Graph. We have now rolled out the “redirects to” relationship.
      • Enhanced embedded URLs relationship with memory pattern URLs. VirusTotal extracts URL patterns from the raw binary body of files and builds the embedded URLs relationship with them. This data point is very interesting but also very easy to evade via obfuscation, packing and some other common anti-analysis techniques. To overcome this, as we execute uploaded files in multiple sandboxes, we are now extracting URL patterns from memory and also feeding the embedded URLs relationship with them.

  • VirusTotal Connectors. We’ve taken a significant step toward realizing the unified threat contextualization platform with VirusTotal Connectors. All your threat intel from third parties can now be seamlessly merged with VirusTotal's context. When faced with an unfamiliar file, hash, domain, IP address, or URL, having a singular view of threat intelligence not only expedites investigations but also helps eliminate detection blind spots. Learn more.

  • File similarity summary view. The concept of similarity is pretty straightforward: are two files similar? There are many ways to figure it out. That's why different similarity algorithms exist. Now, why is this useful? Attackers need tools for their attacks, basically malware. Malware in the end is a piece of software, built from frameworks, code and libraries, and takes some time and expertise to create. The result is that two different malware files built by the same developer using the same pieces or builders will look alike. Tracking similar files often allows you to track actors or campaigns and study them proactively to build effective measures against such threats. VirusTotal has supported a number of file similarity searches for a while now (vhash, behash, imphash, ssdeep, TLSH, icon dhash, etc.). Earlier this year we rolled out some functionality to search across all different similarity approaches available for a file, the “Best candidates in a single search” trigger. Similarity search result listings now display a “Similarity details” toggle to better understand the common data points across matching files.

  • Documentation chat assistant, a.k.a. VirusTotal bot. At VirusTotal we are committed to democratizing detection engineering and threat hunting. We acknowledge that VirusTotal Enterprise is a sophisticated tool and that not all organizations exhibit the same maturity when it comes to threat intelligence. We are now leveraging generative AI to accelerate our users’ maturity journey. Every single site within VirusTotal displays a small round floating message bubble in the bottom right hand corner. When clicking on it a chat dialog opens up. You can now ask questions (e.g. Can I match file metadata using YARA rules?) related to our documentation and it will summarize docs articles and point you in the right direction.

  • Service accounts API documentation. Late last year we rolled out service accounts in order to interact programmatically with VirusTotal leveraging API keys that are not tied to individual users. We have now documented API endpoints related to VirusTotal API service accounts.

What has changed?

  • McAfee-Gateway renamed to Skyhigh. Following McAfee Enterprise’s service renaming, the detection engine formerly known as McAfee-Gateway in VirusTotal has been renamed to “Skyhigh”.

Monday, October 2, 2023


October 2nd, 2023 - Strings searching, VMRAY screenshots and Private Scanning deletions

What's new?


  • VMRAY screenshots. VirusTotal not only analyzes files, domains, IP addresses and URLs with multiple antivirus vendors and blocklists, we also run a myriad of home-grown, open source and 3rd-party tools on these artifacts, including dynamic analysis sandboxes. Every executable (and other file formats) uploaded to VirusTotal gets detonated in both VirusTotal-developed and 3rd-party partner dynamic analysis environments to produce behavioral information such as domains contacted, payload download URLs, files created, registry keys set, etc. One of the 3rd-party sandbox vendors participating in this community effort is VMRay. VMRay has extended the data shared with VirusTotal to include screenshots produced during detonation, see example.

  • Delete private files and analyses, via API or UI. VirusTotal Private Scanning allows its users to “see files through VirusTotal’s eyes” without making those files or their reports downloadable/visible to any 3rd-party beyond their own organizations, i.e. in a non-shareable fashion. All standard VirusTotal analysis components are included (reputation, static, dynamic - sandboxes, code, similarity analysis) except for multi-antivirus scanning. Private scans have a default 24h TTL both for uploaded files and their corresponding reports. Users also have the option to extend this TTL. We’ve now added additional API and UI actions allowing users to delete both files and their corresponding reports before the TTL is met.

Monday, September 25, 2023


September 24th, 2023 - Technology integrations hub and assisted YARA rules with the IoC structure explorer

What's new?

  • VirusTotal to third-party technology integrations explorer. VirusTotal is the richest and most actionable crowdsourced threat intelligence suite. More than 3.6M users a month and tens of thousands of organizations world-wide rely on its threat reputation and context to be safer. Its popularity is such that most 3rd-party security technologies have built off-the-shelf turnkey integrations with our API, powering use cases such as automatic alert triage, event enrichment, false positive discarding, 2nd opinion detection and other threat detections and response flows. We recently started to document some of those home-grown and community/vendor-developed third-party integrations in our API reference. In order to make those integrations even more discoverable, we have rolled out an integrations explorer, including search, technology categories and more. It is by no means exhaustive, if you are missing an integration, please let us know.


Monday, September 11, 2023


September 11th, 2023 - Follow threat actors and collections via email, personal YARA matches on file reports, on-demand file scanning of downloaded URL content and more

What's new?

  • Personal YARA rule matches now showing up on file/hash reports following the crowdsourced YARA rule matches style. VT Hunting Livehunt allows VT Enterprise users to write YARA rules that are matched against the incoming live stream of files uploaded to VirusTotal. It has become a de-facto standard to monitor threat campaigns and malware toolkits, as well as to track threat actors going forward. Up until now, Livehunt YARA rule matches were only displayed in your IoC Stream. As of now, whenever you randomly search in VirusTotal or perform IoC lookups outside of VT Hunting, if the pertinent IoC happens to match one of your YARA rules, it will be called out as a red tag on IoC reports and the pertinent match will be detailed in the “Detection” tab, with pivot controls to jump into other similar files matching the same rule.

  • On-demand file scanning of downloaded URL content whenever the corresponding file has not yet been seen by VirusTotal. VirusTotal is world-renowned for file/hash reputation and context, however, these days the domain/IP/URL technical/tactical intelligence dataset is equally comprehensive, if not more. Indeed, VirusTotal allows you to submit URLs and get them checked against 85+ security vendors/blocklists. The analyzer does not stop at providing verdicts and reputation for URLs. One of the analysis components actually pulls the content hosted at the pertinent URL and, if deemed interesting, it will scan it with the antivirus/EDR/nextgen file scanners, building the corresponding parent-child relationship and producing contextual notions such as in-the-wild download URLs for files in the corpus. What do we mean by interesting content? It would be certain file types such as executables, documents, compressed bundles, etc. Specifically, we will not massively ingest random HTML content so as to prevent noise in our feeds. This said, we are now displaying the content pulled from all URLs - interesting or not - under the “Content” tab of URLs and we are allowing users to trigger manual file scans of such content within the “Details” and “Relations” tabs whenever such content was not automatically scanned by the platform.

  • VT Enterprise group user auto-add notifications. VirusTotal has been continually maturing on the enterprise readiness front, following our work on SSO/SAML or service accounts, we continue to improve security and enterprise controls. VirusTotal group administrators can define certain email patterns in their group profile settings so that whenever corporate users sign up to VirusTotal, they get automatically added to their enterprise groups. As of now, administrators can also set up their accounts to automatically notify them via email whenever new users get added to their groups via the email auto-add patterns.

  • Follow threat actors and collections via email. VirusTotal’s Threat Landscape module incorporates {attribution, threat actor profiling, campaign & toolkit knowledge cards} into our top VirusTotal packages. Users can subscribe or follow specific threat actors / campaigns / toolkits / incidents. When following a given threat entity, users get notified about any new IoC related to it via their personal IoC Stream. It is a vehicle to create tailored dissections of VirusTotal’s live dataset when focusing on relevant threats. As of now, users can also receive those notifications via email.


Monday, September 4, 2023


September 4th, 2023 - Download strings, malware config extraction in Private Scanning, new search modifiers and more

What's new?

  • Download file content strings. Other than a Threat Intelligence suite allowing its users to research world-wide emerging threat patterns, VT ENTERPRISE is also an automated malware analysis solution performing {reputational, static, dynamic, code, similarity} analysis of suspicious files. One of the static analysis components that run on files is strings extraction, it runs on absolutely all uploaded files and VT ENTERPRISE users can both download files and see the strings for files uploaded by themselves or any other VirusTotal Community user. As of now, users are not only able to see file strings within their browsers, they can also download full strings dumps for offline searching and analysis. Strings downloading is available in the content tab of file reports.

  • Malware config extraction in Private Scanning. VirusTotal Private Scanning allows its users to “see files through VirusTotal’s eyes” without making those files or their reports downloadable/visible to any 3rd-party beyond their own organizations, i.e. in a non-shareable fashion. All standard VirusTotal analysis components are included (reputation, static, dynamic - sandboxes, code, similarity analysis) except for multi-antivirus scanning. We have extended Private Scanning with Mandiant Backscatter. Backscatter understands common malware families and extracts configuration files, see example. Backscatter will identify malware families, C2s, decoys, dropzones, etc. Note that the entire malware configuration output is pivotable (click on any of its fields) and a new search modifier (malware_config:) powers the search, example - malware_config:amadey.

  • Default private scanning settings. VirusTotal Private Scanning allows its users to specify custom file/report retention periods (1 day by default) and file storage regions (US vs EU) to comply with applicable regulations. Having to select non-default retention periods and regions on every upload can be a tedious task, VirusTotal group administrators can now provide default values for these selections in the settings tab of their group profile.


  • New VT Intelligence search modifiers - ssl_not_before and ssl_not_after. VT INTELLIGENCE is often described as the Google for malware. It allows users to search for IoCs and access superior context to understand threats. It also allows users to perform reverse searches, i.e. to find files, URLs, domains and IPs matching certain criteria. We have added support for the following new modifiers, they allow users to monitor any newly issued HTTPS certificates as part of potential phishing campaigns:

Monday, August 21, 2023

August 21st, 2023 - VT Private Scanning regionalization, subscription invoices directly in your inbox and more

  • Subscription invoices directly in your inbox. VirusTotal is continually maturing on the platform maturity front, following our work on SSO/SAML and service accounts, we continue to improve beyond security controls and into other enterprise readiness areas. If you are paying VirusTotal Enterprise via credit card, you can now provide a list of email addresses in your VirusTotal Group settings page and the corresponding invoices will be emailed to those accounts in addition to being displayed in the “Invoices” tab of your VirusTotal Group profile.

  • Personal YARA rule matches now showing up on file reports as tags. VT Hunting Livehunt allows VT Enterprise users to write YARA rules that are matched against the incoming live stream of files uploaded to VirusTotal. It has become a de-facto standard to monitor threat campaigns and malware toolkits, as well as to track threat actors going forward. Up until now, Livehunt YARA rule matches were only displayed in your IoC Stream. As of now, whenever you randomly search in VirusTotal or perform IoC lookups outside of VT Hunting, if the pertinent IoC happens to match one of your YARA rules, it will be called out as a red tag on IoC reports.

  • File storage regionalization for VT Private Scanning. VirusTotal Private Scanning allows its users to “see files through VirusTotal’s eyes” without making those files or their reports downloadable/visible to any 3rd-party beyond their own organizations, i.e. in a non-shareable fashion. All standard VirusTotal analysis components are included (reputation, static, dynamic - sandboxes, code, similarity analysis) except for multi-antivirus scanning. We have extended VT Private Scanning to support file storage regionalization, users can now choose between the US and the EU.

  • VT Private Scanning “Inconclusive” verdict has been renamed to “Undetected”. VT Private Scanning does not leverage the multi-antivirus setup, but does emit opinionated verdicts about the maliciousness of files based on a multi-layered approach including sandbox detonation observations, YARA rule matches, static analysis and other advanced analysis components. We have renamed the “Inconclusive” verdict to “Undetected” as it was generating some confusion. This verdict indicates that there are no clear signs of maliciousness.


Monday, August 7, 2023


August 7th, 2023 - Livehunt one-click wizards on IoC reports, Crowdsourced AI + NICS Lab and enterprise readiness++

What's new?


  • Crowdsourced AI += NICS Lab. We’ve extended our Crowdsourced AI initiative with a generative AI model from a research group of the Computer Science Department at the University of Malaga. The new model processes PowerShell files, not only strengthening our collective understanding of the code and its behavior, but also providing verdicts on the potential threat level of each file - categorizing them as malicious, suspicious, or benign. See example.

  • Keeping state around expansions and contractions of Behaviour sections. VirusTotal does not only run multiple antivirus/EDR solutions on files, it also brings together multiple sandbox dynamic analysis setups. These days we aggregate over 15 sandboxes covering 4 major operating systems (Windows, Linux, Android, OS X) and producing insights such as created/deleted files, registry keys set, contacted domains, synchronization mechanisms, etc. The output of these sandboxes is displayed in the Behavior tab of file reports. The information displayed in this tab is extremely exhaustive, we acknowledge that some users may only be interested in certain sections such as network communications. In order to improve relevance and discoverability, we are now storing state around section header contractions and expansions. This provides a personalized experience whereby upon loading new file reports users see the information that they deem important first. 

  • Flags for users with active 2FA authentication and corresponding search filters. VirusTotal has been continually maturing on the enterprise readiness front, following our work on SSO/SAML or service accounts, we continue to improve security controls. Group administrators now see a “2FA” badge next to users with active two-factor authentication in group user listings. Similarly, administrators can also filter those listings to focus on users that have or do not have active 2FA.


Monday, July 31, 2023


July 31st, 2023 - Malware trends report and adversary intelligence improvements

What's new?


  • Adversary Intelligence knowledge card summaries. VirusTotal’s Threat Landscape module incorporates {attribution, threat actor profiling, campaign & toolkit knowledge cards} into our top VirusTotal packages, allowing users to climb the pyramid of pain, moving from IoC matching into more of operational/strategic intelligence through TTPs, behavioral patterns and adversary profiling. We’ve improved {campaign/malware toolkit, threat actor, reference} cards with an initial summary tab concisely recording notions such as group aliases, motivations, targeted industries, targeted regions, suspected sponsors, related collections, relevant reporting, exploited vulnerabilities, etc. See example.

  • New filters across adversary intelligence knowledge cards. We’ve further improved the aforementioned knowledge cards and adversary intelligence listings by consolidating filtering capabilities with a new and more intuitive drop-down paradigm.

  • Improved labelling of regions, industries, etc. in references and their corresponding automated IoC collections. We are continuously improving the breadth and depth of our adversary intelligence knowledge cards. Along with the aforementioned summaries, you may have noticed a significantly higher number of reference cards with attribution, victimology and other threat activity profiling labels (see example reference card). In turn, these labels are also being applied to the automatic IoC collections being created for all ingested threat articles. See example of automatic IoC collection tied to a given reference. We continue to iterate on the completeness of the dataset from a threat actor profiling perspective and soon you will see greater coverage of threat groups. 

  • New properties in commonality calculations. When performing VT INTELLIGENCE reverse searches, or when looking at collections of IoCs, Retrohunts or other IoC listings, users can quickly understand what the IoCs have in common in terms of technical static and dynamic features through the “commonalities” functionality. We have added portable executable section properties to commonality calculations.

Monday, July 24, 2023


July 24th, 2023 - Crowdsourced AI, new VT INTELLIGENCE search modifiers, following IoCs, Livehunt for network indicators and more

What’s new?

  • Crowdsourced AI. Mirroring our efforts to improve the industry’s threat visibility via crowdsourcing of antivirus/nextgen/EDR verdicts, dynamic analysis sandbox analyses, crowdsourced {YARA, SIGMA, IDS} rule detections, etc. we are now also bringing together cutting edge AI/ML models from the security community to detect, explain and contextualize threats. Hispasec has been the very first partner joining this effort, their LLM technology produces verdicts and malware analyst copilot explanations around malicious documents, including dissection and code analysis of macros.

  • New findings about interesting IoCs via out-of-the-box Livehunt rule templates. VirusTotal {domain, IP address, URL, file} analysis reports now include a new entry in the top header action menu labeled “Follow”. By actioning it you can now create out-of-the-box YARA rules to get notifications on new URLs distributing a given malware sample, new files being downloaded from known malicious infrastructure, new IP address resolutions for a known malicious domain, new subdomains for a given domain, etc. This should ease the task of tracking threat campaigns and democratizes the use of YARA within VirusTotal, beyond advanced binary pattern matching.

  • Healthcare industry investigation. We have performed an investigation into the healthcare industry's threat landscape for 2023H1. Most Health Industry targets were victims of ransomware attempts conducted by generic cybercrime gangs. There are few exceptions where Health institutions were targeted as part of cyberespionage actor operations, Yoro Trooper being a notable exception. Check our findings summary.

What’s been fixed?

  • When a Retrohunt job is created using the YARA rule editor, the VirusTotal web UI shows a toast with the message “Retrohunt launched! Go”. When the “Go” link is clicked, a new tab with the list of Retrohunt jobs is opened. The new job was shown with the status “0% Starting” indefinitely because its progress was not tracked in the background unless the user reloaded the tab. We have now fixed this to asynchronously retrieve the progress status.

Wednesday, July 19, 2023


July 17th, 2023 - Recap on latest rollouts, from generative AI to integration in 3rd-party technologies

We are picking up our weekly release notes once again. This very first 2023 edition is a recap of noteworthy rollouts from the last months.

What’s new?

  • New security vendor partnerships. VirusTotal is all about aggregating orthogonal threat detection and contextualization technologies in an effort to increase threat visibility and democratize knowledge about threats. We’ve been busy integrating new complementary vendors, including: ArcSight / Micro Focus (IP/domain/URLs), SOCRadar (IP/domain/URLs), DuskRise Cluster25 (IP/domain/URLs), PrecisionSec (IP/domain/URLs), Docguard (CDR/sandboxing), Deep Instinct (files), BKav PRO (files), Google (files), AI Spera / Criminal IP (IP/domain), Crowdsec (IP/domain/URL), AlphaSOC (IP/domain/URLs).

  • Session expiration age and other enterprise readiness security controls. VirusTotal has been continually maturing on the enterprise readiness front, following our work on SSO/SAML or service accounts, we’ve been implementing advanced security controls such as:
        • Custom session age - as an admin, check your group settings page.
        • Custom inactivity timeouts - as an admin, check your group settings page.
        • Latest account connections, to spot anomalous activity - only visible to each user, in their settings page.

  • Easier group and user management. Managing users within a VT group could be an arduous task for some group admins. To ease this task, we have incorporated the possibility to filter users by type (member or admin), username, name or email. Admins can also download a list of all VT users in the group in CSV or JSON format.

  • New properties in commonality calculations. When performing the aforementioned VT INTELLIGENCE reverse searches, or when looking at collections of IoCs, Retrohunts or other IoC listings, users can quickly understand what the IoCs have in common in terms of technical static and dynamic features through the “commonalities” functionality. We are now aggregating and ranking new notions such as malware family names, C2s, etc.

  • Extending VT ENTERPRISE with adversary intelligence. Since our last release notes we have rolled out adversary intelligence (attribution, threat actor profiling, campaign & toolkit knowledge cards) into our top VirusTotal packages, this new functionality is shipped under the Threat Landscape module and it allows users to climb the pyramid of pain, moving from IoC matching into more of operational/strategic intelligence through TTPs, behavioral patterns and adversary profiling. Learn more.

  • IoC Stream as a vehicle to generate tailored relevant threat feeds. Building on the aforementioned new Threat Landscape module, we have rolled out the ability to subscribe or follow specific threat actors/campaigns/toolkits/incidents. When following a given threat entity, you get notified about any new IoC related to it. For instance, you would receive live notifications whenever a threat actor you are interested in starts to make use of a new command-and-control domain. These notifications now enter each user’s personal IoC stream, which is the pipe where all VT ENTERPRISE tailored IoC notifications are being centralized. Indeed, Livehunt YARA rule matches now also populate personal IoC streams. This creates an easy vehicle to generate custom feeds based on threats that matter to your organization, providing a centralized hub to receive all your notifications.

  • Improved malware configuration extraction. VirusTotal does not only analyze files, domains, IP addresses and URLs with multiple antivirus vendors and blocklists, we also run a myriad of home-grown, open source and 3rd-party tools on these artifacts. One of the dynamic analysis sandboxes in which we detonate uploaded files, Zenbox, has been automatically decoding/decrypting configuration files for known malware families for a while now (see “Malware configuration” section in the file analysis Details tab). We have extended this setup and added Mandiant’s Backscatter as yet one more system understanding common malware families and extracting configuration files, see example. Backscatter will identify malware families, C2s, decoys, dropzones, etc. The entire malware configuration output is pivotable (click on any of its fields) and a new search modifier (malware_config:) powers the search, example - malware_config:amadey. This effort will also soon be leveraged to tag network indicators with the corresponding family and infrastructure categorization.

for any technique in vt.behaviour.mitre_attack_techniques : (
    technique.id == "t1012"
)

Last, but not least, we’ve included a shortcut on dynamic analysis reports to open these TTP mappings in MITRE ATT&CK Navigator or to download them as a JSON and import them in similar tools. The shortcut is available in the “Download artifacts” dropdown and on the right of the MITRE ATT&CK section header.

  • HTTP response content preview for URL analyses. VirusTotal is not only about file scanning, it also contextualizes URLs, domains and IPs. Actually, these days VirusTotal’s most prevalent use case is around enriching network indicators. We are now mimicking some of the VT ENTERPRISE capabilities available for file reports and including HTTP response content previews in URL analyses, example. Most importantly, these responses are pivotable, meaning that users can click on any substring contained within the response and pivot to other files in VirusTotal’s threat corpus that contain the very same pattern, leveraging VTGREP. This is useful in tracking malware toolkits, campaigns and compromises at scale.

  • New IP address tags: proxy, vpn and tor. Examples: entity:ip tag:proxy / entity:ip tag:vpn / entity:ip tag:tor. VirusTotal tags IoCs with relevant labels such as file types, packers, significant dynamic behaviors, etc. We are actually working towards an official tags taxonomy that can immediately contextualize IoCs in ways that may be easily consumed by both humans and machines. As part of such effort we have started to tag IP addresses with the proxy (residential proxies), vpn and tor (tor exit nodes) labels. These tags are dynamic and regularly updated. By enriching their security telemetry with VirusTotal lookups, these tags can help security teams in identifying attacker connections to their infrastructure. Indeed, certain threat groups often use residential proxies, VPNs or TOR nodes to connect to their victim’s infrastructure.

  • New YARA rule editor. VT Hunting Livehunt allows VT Enterprise users to write YARA rules that are matched against the incoming live stream of files uploaded to VirusTotal. It has become a de-facto standard to monitor threat campaigns and malware toolkits, as well as to track threat actors going forward. Similarly, VT Hunting allows you to run these rules back in time against the historical corpus through a component called Retrohunt. Retrohunt allows you to map out threat campaigns, to find the first instance of an attack or to unearth unknown malware. To ease livehunting and retrohunting, we have rolled out a new YARA rule editor that incorporates rule templates, autocompletion, testing and validation.

  • Crowdsourced YARA hub. Expanding on the above, YARA rules are an essential tool for detecting and classifying malware, and they are one of VirusTotal’s cornerstones. Other than using your own rules for Livehunts and Retrohunts, in VirusTotal we import a number of selected crowdsourced rules provided by contributors to help identify and classify samples (example report). However, finding, tracking and managing VirusTotal’s crowdsourced YARA rules can be challenging, especially as the number of rules and contributors grows. To address this, we’ve introduced VirusTotal’s Crowdsourced YARA Hub, allowing users to easily search and filter existing rules, track new ones and one-click export any of them to Livehunt and Retrohunt. This is also a vehicle to stay on top of new threats being investigated by the industry. Go to Crowdsourced YARA Hub.
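
The telemetry enrichment described in the "New IP address tags" item above, as an added example that is not VirusTotal's own code: it flags successful logins whose source IP carries the proxy, vpn or tor tag and raises priority when the same IP failed a login earlier. The log lines, the IP addresses (documentation ranges) and the lookup table are constructed, and the `data.attributes.tags` shape of a cached lookup is an assumption about how tags are stored locally.

```python
import json
import re
from collections import defaultdict

# The three IP address tags named in the release note.
ANONYMIZER_TAGS = {"proxy", "vpn", "tor"}

# Constructed sample: sshd-style auth log lines using documentation IP ranges.
SAMPLE_LOG = """\
Oct 30 09:14:02 bastion sshd[2211]: Accepted password for alice from 198.51.100.23 port 50122 ssh2
Oct 30 09:15:40 bastion sshd[2240]: Failed password for root from 203.0.113.77 port 41001 ssh2
Oct 30 09:16:05 bastion sshd[2251]: Accepted publickey for bob from 192.0.2.10 port 50200 ssh2
Oct 30 09:17:31 bastion sshd[2290]: Accepted password for carol from 203.0.113.77 port 41877 ssh2
Oct 30 09:18:12 bastion sshd[2301]: Accepted password for dave from 198.51.100.99 port 39112 ssh2
"""

# Constructed stand-in for cached IP lookups, keyed by address.
# Assumption: each cached report keeps its tags under data.attributes.tags.
SAMPLE_LOOKUPS = json.loads("""
{
  "198.51.100.23": {"data": {"attributes": {"tags": ["vpn"]}}},
  "203.0.113.77":  {"data": {"attributes": {"tags": ["tor", "proxy"]}}},
  "192.0.2.10":    {"data": {"attributes": {"tags": []}}}
}
""")

LOGIN_RE = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) (\S+) for (?:invalid user )?(\S+) "
    r"from (\S+) port \d+"
)


def tags_for(ip, lookups):
    """Return the set of tags cached for ip, or None when no lookup exists."""
    report = lookups.get(ip)
    if report is None:
        return None
    attributes = report.get("data", {}).get("attributes", {})
    return set(attributes.get("tags") or [])


def flag_logins(log_text, lookups):
    """Return (findings, unknown_ips) for the given auth log text.

    A finding is a successful login from an IP tagged proxy, vpn or tor.
    unknown_ips lists source addresses with no cached lookup, so missing
    enrichment is visible instead of silently treated as clean.
    """
    failures = defaultdict(int)  # failed attempts seen so far, per source IP
    findings, unknown = [], set()
    for line in log_text.splitlines():
        match = LOGIN_RE.search(line)
        if not match:
            continue
        outcome, method, user, ip = match.groups()
        if outcome == "Failed":
            failures[ip] += 1
        tags = tags_for(ip, lookups)
        if tags is None:
            unknown.add(ip)
            continue
        hits = sorted(tags & ANONYMIZER_TAGS)
        if outcome == "Accepted" and hits:
            prior = failures[ip]
            findings.append({
                "user": user,
                "ip": ip,
                "method": method,
                "tags": hits,
                "prior_failures": prior,
                # Tor exit nodes or earlier failures from the same IP go first.
                "priority": "high" if "tor" in hits or prior else "review",
            })
    return findings, sorted(unknown)


if __name__ == "__main__":
    flagged, missing = flag_logins(SAMPLE_LOG, SAMPLE_LOOKUPS)
    for finding in flagged:
        print(finding)
    print("no lookup cached for:", missing)
```

Because the tags are dynamic and regularly updated, cached lookups should be refreshed before old tags are trusted.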