Monday, February 14, 2022


February 14th, 2022 - MISP + VirusTotal, Livehunt improvements and notifications on missing hashes

What's new? 

  • MISP and VT Collections integration. VT Collections allow users to easily share with each other listings of threat campaign, threat actor or malware toolkit IoCs. MISP users can now create a VT Collection from a MISP event with a single click. Similarly, VirusTotal users can now export VT Collections as STIX to import them into their security stack, including their own MISP instance.
  • Ruleset owner in Livehunt. VT Hunting Livehunt allows VT Enterprise users to write YARA rules that are matched against the incoming live stream of files uploaded to VirusTotal. It has become a de-facto standard to monitor threat campaigns and malware toolkits, as well as to track threat actors going forward. In VT Hunting, YARA rules can be shared with other users, which effectively allows them to share feeds of IoC matches. Livehunt ruleset listing summaries now display the owner of the ruleset whenever that owner is not you, which lets you identify at a glance the rulesets that have been shared with you.
  • Notifications on missing hashes. VirusTotal allows you to search for file analysis reports using the file's MD5, SHA1 or SHA256 hash. When searching for a file that is not yet in the corpus you can now easily create a YARA rule to get automatically notified if VirusTotal ever receives it. A single click of a button is all that is needed.
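The one-click button generates a Livehunt rule for you; the following is an added example, not VirusTotal's own code, of how to produce the equivalent rule yourself for a whole batch of hashes your search did not find. It assumes the YARA `hash` module (`hash.md5`, `hash.sha1`, `hash.sha256` over `(0, filesize)`), and the sample digests are constructed placeholders, not real indicators.

```python
import re

# Constructed placeholder digests (not real indicators): one MD5, one SHA1, one SHA256.
MISSING_HASHES = [
    "0123456789abcdef0123456789abcdef",
    "0123456789abcdef0123456789abcdef01234567",
    "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
]

# Digest length in hex characters -> YARA hash-module function name.
HASH_FUNCS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def classify_hash(value: str) -> str:
    """Return 'md5', 'sha1' or 'sha256' for a hex digest, or raise ValueError."""
    value = value.strip()
    if not HEX_RE.match(value) or len(value) not in HASH_FUNCS:
        raise ValueError(f"not an MD5/SHA1/SHA256 hex digest: {value!r}")
    return HASH_FUNCS[len(value)]


def build_livehunt_rule(hashes, rule_name="missing_hash_watch") -> str:
    """Emit a YARA rule that fires when any of the given hashes is uploaded.

    Each hash becomes one `hash.<algo>(0, filesize) == "..."` term; the terms
    are OR-ed so a single rule (and a single Livehunt notification stream)
    covers the whole batch. Duplicates are dropped and digests lowercased,
    since the hash module returns lowercase hex.
    """
    if not IDENT_RE.match(rule_name):
        raise ValueError(f"invalid YARA rule identifier: {rule_name!r}")
    seen = set()
    terms = []
    for h in hashes:
        algo = classify_hash(h)
        h = h.strip().lower()
        if h in seen:
            continue
        seen.add(h)
        terms.append(f'hash.{algo}(0, filesize) == "{h}"')
    if not terms:
        raise ValueError("no hashes given")
    condition = " or\n        ".join(terms)
    return (
        'import "hash"\n\n'
        f"rule {rule_name}\n"
        "{\n"
        "    meta:\n"
        '        description = "Notify when a file we searched for but did not find is uploaded"\n'
        "    condition:\n"
        f"        {condition}\n"
        "}\n"
    )


if __name__ == "__main__":
    print(build_livehunt_rule(MISSING_HASHES))
```

Hashing the whole file on every incoming sample is cheap compared to the rest of a Livehunt match, but keep these rules separate from your content-based rules so that a noisy hash watch does not eat into the daily notification limit of a ruleset you care about.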


Monday, February 7, 2022


February 7th, 2022 - SSO support for Microsoft

What's new? 

  • SSO authentication support for Microsoft. Last November we announced SSO support in VirusTotal. We have now extended the original set of supported identity providers (Google, Twitter and GitHub) with Microsoft. Microsoft customers can now sign in or sign up to VirusTotal with a single click. As a reminder, the SSO feature works with pre-existing VirusTotal Community accounts; in other words, if you already had an account tied to your Microsoft-powered identity you may still use SSO as a more convenient and secure way to log in to VirusTotal.

What's fixed?

  • Creation date pivots. VT INTELLIGENCE allows users to pivot on any file, domain, IP address or URL analysis attribute, meaning that they can search over VirusTotal's historical corpus for other IoCs that share the same property. One of the analysis attributes available for pivoting is the file "creation date". This property means different things for different file types: for a Portable Executable file it is the PE compilation timestamp, for a PDF it is the generation date metadata field, and the same applies to Office documents. It is a field that can be tampered with, but very often certain malware builder kits will not change it, so it may be used for clustering purposes. Similarly, it can be used to try to understand attack timelines. There was a bug whereby the single-click pivot for the field in file reports was adding a trailing "UTC" to the search string, which is neither supported nor needed; this has now been fixed. You can click on the "Creation Time" property of this file in order to test it.
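To make the PE case concrete, here is an added example (not VirusTotal's code) that reads the compilation timestamp straight out of a PE header and renders it as a creation-date pivot string. The PE layout (e_lfanew at 0x3C, the `PE\0\0` signature, then the COFF header whose third field is `TimeDateStamp`, seconds since the Unix epoch in UTC) is standard; the query syntax `creation_date:"YYYY-MM-DD HH:MM:SS"` without a `UTC` suffix is an assumption based on the fix described above, and the PE bytes are a constructed stub, not a real binary.

```python
import struct
from datetime import datetime, timezone


def build_fake_pe(timestamp: int) -> bytes:
    """Constructed, non-executable stub with just enough header for the parser."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE signature at 0x40
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp of a PE image (raw epoch seconds)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # 4-byte signature + 20-byte COFF header must fit inside the buffer
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # TimeDateStamp sits 4 bytes into the COFF header (after Machine and NumberOfSections)
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return ts


def timestamp_is_plausible(ts: int, now: int) -> bool:
    """Cheap tamper check: zeroed or future timestamps are not build times.

    Note that Microsoft's reproducible builds deliberately store a hash-like
    value here, so an implausible value alone is not evidence of malice.
    """
    return 0 < ts <= now


def creation_date_query(ts: int) -> str:
    """Render the pivot string the file report uses (assumed syntax, no 'UTC')."""
    dt = datetime.fromtimestamp(ts, tz=timezone.utc)
    return f'creation_date:"{dt.strftime("%Y-%m-%d %H:%M:%S")}"'


if __name__ == "__main__":
    sample = build_fake_pe(1644195723)          # 2022-02-07 01:02:03 UTC
    ts = pe_timestamp(sample)
    print(ts, timestamp_is_plausible(ts, 1644195723 + 3600), creation_date_query(ts))
```

The pivot is only as good as the field: cluster on it together with other attributes (imphash, rich header, section names) rather than on its own, and treat a timestamp that fails the plausibility check as "builder did something" rather than as a date.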



Tuesday, February 1, 2022


January 31st, 2022 - Enterprise controls, URL tags and new detection and contextualization sources

What's new? 

  • Extended editor controls for Livehunt rules. VT Hunting Livehunt allows VT Enterprise users to write YARA rules that are matched against the incoming live stream of files uploaded to VirusTotal. It has become a de-facto standard to monitor threat campaigns and malware toolkits, as well as to track threat actors going forward. In VT Hunting, YARA rules can be shared with other users, which effectively allows them to share feeds of IoC matches. We have improved the editor controls for rule sets; editors now have powers similar to those of rule set owners:
    • Add/remove other editors.
    • Enable/change the rule set notification email.
    • Modify the rule set daily notification limit. 
    • Modify the rule set name.
  • Pending VT Enterprise group invitations. VT Enterprise access is group-based. Organizations license the service and access it through a VT Enterprise group, which can hold as many corporate users as they want. Group administrators can invite users from their organization in their VT Enterprise group profile page. Invited users do not need a pre-existing VirusTotal account: if they do not have one they receive an email to join VirusTotal, and once they have joined they are automatically added to the pertinent corporate group. This process used to lack feedback. Pending invitations are now listed in the group profile users tab and can be revoked if they become stale.
  • New URL scanning partners. VirusTotal not only analyzes and contextualizes files, but also domains, IP addresses and URLs. We have added 3 new partners providing verdicts on whether a given URL is malicious or not: ViriBack C2, Chong Lua Dao and Acronis.
  • New URL corpus search tags. VT INTELLIGENCE allows users to search through VirusTotal's historical corpus of files, URLs, domains and IPs. Users can perform reverse searches, i.e. identify IoCs that exhibit certain properties, network communications, contents, submission metadata, etc. For convenience, some of those properties are condensed into tags. The tags ontology for URLs has been extended and now supports two new tags:
    • multiple-redirects: when visiting the pertinent URL there is a redirect chain with multiple hops.
    • ns-port: non-standard port. The web server for this URL is listening on a non-standard port (i.e. not 80/443).
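If you want to apply the same two labels to URLs in your own pipeline (for example to pre-filter what you submit, or to reproduce a `tag:` search locally), the following added example implements the tag semantics as described above. It is illustrative code, not VirusTotal's tagger: it assumes "multiple hops" means two or more redirect responses, that `ns-port` is judged on the submitted URL, and that an explicit port equal to the scheme default (`https://host:443/`) counts as standard. The redirect chains are constructed sample data.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
STANDARD_PORTS = {80, 443}          # "non-standard" per the changelog: anything else

# Constructed sample chains: first element is the submitted URL, last is the landing page.
SAMPLE_CHAINS = {
    "short-link": [
        "http://short.example/abc",
        "https://tracker.example/r?id=1",
        "https://landing.example/login.html",
    ],
    "direct-odd-port": [
        "http://203.0.113.10:8080/panel/gate.php",
    ],
    "one-hop": [
        "http://a.example/",
        "https://a.example/",
    ],
}


def effective_port(url: str):
    """Port the web server listens on, or None if it cannot be determined."""
    parts = urlsplit(url)
    try:
        port = parts.port            # None when absent; ValueError on junk like ':abc'
    except ValueError:
        return None
    if port is None:
        port = DEFAULT_PORTS.get(parts.scheme.lower())
    return port


def is_nonstandard_port(url: str) -> bool:
    port = effective_port(url)
    return port is not None and port not in STANDARD_PORTS


def url_tags(chain) -> set:
    """Return the subset of {'multiple-redirects', 'ns-port'} that applies."""
    if not chain:
        raise ValueError("empty redirect chain")
    tags = set()
    hops = len(chain) - 1            # one redirect response per hop
    if hops >= 2:
        tags.add("multiple-redirects")
    if is_nonstandard_port(chain[0]):
        tags.add("ns-port")
    return tags


if __name__ == "__main__":
    for name, chain in SAMPLE_CHAINS.items():
        print(name, sorted(url_tags(chain)))
```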

What's improved?

  • New crowdsourced YARA rule sources for detection and contextualization. At VirusTotal we build towards something that we call "multi-angular detection". One of our goals is to aggregate as many orthogonal detection engines/mechanisms as possible so as to implement a multi-layered defense-in-depth approach at the IoC detection level. If a malware sample is undetected by the antivirus industry, it might still be flagged by our crowdsourced intrusion detection system rules, Sigma rules, etc. VirusTotal file reports also get enriched with detections coming from YARA rules crowdsourced from the security community. We have added 4 new sources; they not only provide extended detection capabilities but also very handy context whenever antivirus generic detections, heuristics or machine learning kick in.

What has changed?

  • FireEye file scanning engine renamed to Trellix. Following the merger of security firms McAfee Enterprise and FireEye, the FireEye engine has been renamed to Trellix, which is the name given to the new company. You might want to update any VT INTELLIGENCE queries that leveraged the "fireeye" search modifier or VT API scripts that accessed the corresponding detection structure key.