Tuesday, February 1, 2022


January 31st, 2022 - Enterprise controls, URL tags and new detection and contextualization sources

What's new? 

  • Extended editor controls for Livehunt rules. VT Hunting Livehunt allows VT Enterprise users to write YARA rules that are matched against the incoming live stream of files uploaded to VirusTotal. It has become a de-facto standard for monitoring threat campaigns and malware toolkits, and for tracking threat actors going forward. In VT Hunting, YARA rules can be shared with other users, which effectively lets rule authors share feeds of IoC matches. We have improved the editor controls for rule sets; editors now hold powers similar to those of rule set owners:
    • Add/remove other editors.
    • Enable/change the rule set notification email.
    • Modify the rule set daily notification limit. 
    • Modify the rule set name.
  • Pending VT Enterprise group invitations. VT Enterprise access is group-based: organizations license the service and access it through a VT Enterprise group, which can hold as many corporate users as they want. Group administrators can invite users from their organization from the VT Enterprise group profile page. Invited users do not need a pre-existing VirusTotal account; those without one receive an email inviting them to join VirusTotal, and once they do they are automatically added to the pertinent corporate group. This process used to lack feedback. Pending invitations are now listed in the users tab of the group profile and can be revoked if they become stale.
  • New URL scanning partners. VirusTotal not only analyzes and contextualizes files, but also domains, IP addresses and URLs. We have added 3 new partners that provide verdicts on whether a given URL is malicious or not: ViriBack C2, Chong Lua Dao and Acronis.
  • New URL corpus search tags. VT INTELLIGENCE allows users to search through VirusTotal's historical corpus of files, URLs, domains and IPs. Users can perform reverse searches, i.e. identify IoCs that exhibit certain properties, network communications, contents, submission metadata, etc. For convenience, some of those properties are condensed into tags. The tag ontology for URLs has been extended and now supports two new tags:
    • multiple-redirects: when visiting the pertinent URL there is a redirect chain with multiple hops.
    • ns-port: non-standard port. The web server for this URL is listening on a non-standard port (i.e. not 80/443).
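To make the semantics of the two new tags concrete, here is an added example (not VirusTotal's code) that approximates them offline on constructed redirect chains. It assumes that ns-port is judged on the submitted URL (the first hop of the chain), and it treats an explicitly written standard port (https://host:443/) as standard, since the description says "not 80/443" rather than "port written out":

```python
from typing import List, Optional, Set
from urllib.parse import urlsplit

# Added example, not VirusTotal's code: an offline approximation of the two
# new URL tags described above, applied to constructed redirect chains.
# Assumption: 'ns-port' is judged on the submitted URL (the first hop).

DEFAULT_PORTS = {"http": 80, "https": 443}
STANDARD_PORTS = {80, 443}


def effective_port(url: str) -> Optional[int]:
    """Port a client would actually connect to for this URL.

    An explicit ':8080' wins; otherwise the scheme default applies.
    Returns None when the scheme has no known default (e.g. ftp://).
    """
    parts = urlsplit(url)
    if parts.port is not None:          # explicit port in the authority
        return parts.port
    return DEFAULT_PORTS.get(parts.scheme.lower())


def ns_port(url: str) -> bool:
    """'ns-port': the server listens on something other than 80/443.

    'https://host:443/' is NOT tagged: the port is written out,
    but it is still the standard one.
    """
    port = effective_port(url)
    return port is not None and port not in STANDARD_PORTS


def multiple_redirects(chain: List[str]) -> bool:
    """'multiple-redirects': more than one redirect hop before landing.

    `chain` is the ordered list of URLs visited, starting with the
    submitted URL and ending at the final landing page, so a chain of
    N URLs contains N - 1 hops.
    """
    return len(chain) - 1 > 1


def url_tags(chain: List[str]) -> Set[str]:
    """Tags a scan would carry, given the redirect chain it produced."""
    tags = set()
    if multiple_redirects(chain):
        tags.add("multiple-redirects")
    if ns_port(chain[0]):
        tags.add("ns-port")
    return tags


# Constructed sample scans (not real VirusTotal data).
SAMPLE_SCANS = {
    "direct": ["https://example.test/login"],
    "one-hop": ["http://example.test/", "https://example.test/"],
    "chained": ["http://short.example.test/x",
                "http://t.example.test/y",
                "https://landing.example.test/z"],
    "odd-port": ["http://203.0.113.10:8080/panel"],
    "explicit-standard": ["https://example.test:443/"],
}

if __name__ == "__main__":
    for name, chain in SAMPLE_SCANS.items():
        print(f"{name:18} -> {sorted(url_tags(chain))}")
```

Note that a single redirect (e.g. the usual http to https upgrade) does not qualify as multiple-redirects; the tag is meant to single out longer chains of the kind used by traffic distribution systems.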

What's improved?

  • New crowdsourced YARA rule sources for detection and contextualization. At VirusTotal we build towards something we call "multi-angular detection". One of our goals is to aggregate as many orthogonal detection engines and mechanisms as possible, implementing a multi-layered, defense-in-depth approach at the IoC detection level. If a malware sample is undetected by the antivirus industry, it might still be flagged by our crowdsourced intrusion detection system rules, SIGMA rules, etc. VirusTotal file reports are also enriched with detections coming from YARA rules crowdsourced from the security community. We have added 4 new sources; they not only extend detection coverage but also provide very handy context whenever antivirus generic detections, heuristics or machine learning kick in.

What has changed?

  • FireEye file scanning engine renamed to Trellix. Following the merger of security firms McAfee Enterprise and FireEye, the FireEye engine has been renamed to Trellix, which is the name given to the new company. You might want to update any VT INTELLIGENCE queries that leveraged the "fireeye" search modifier or VT API scripts that accessed the corresponding detection structure key.
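An engine rename like this one breaks scripts that index the per-engine results of a VT API v3 file object by a hard-coded key. Here is an added example (not VirusTotal's code) of a lookup that follows known aliases, so the same script works on reports cached before and after the rename. The v3 layout used (attributes.last_analysis_results keyed by engine name, each entry carrying category, engine_name and result) is the public API shape; the exact key VirusTotal uses for the renamed engine, and both sample reports, are assumptions constructed for illustration:

```python
import json
from typing import Optional

# Added example, not VirusTotal's code. Resolves one engine's verdict in a
# VT API v3 file object while tolerating a rename such as FireEye -> Trellix.
# The key used for the renamed engine and the sample reports are assumptions.

ENGINE_ALIASES = {
    # current name -> names the same engine appeared under in older reports
    "Trellix": ("FireEye",),
}


def engine_result(report: dict, engine: str) -> Optional[dict]:
    """Return the result block for `engine`, following known aliases.

    Matching is case-insensitive because engine keys are not guaranteed
    to keep their capitalisation across renames.
    """
    results = report["data"]["attributes"].get("last_analysis_results", {})
    by_lower = {name.lower(): block for name, block in results.items()}
    for candidate in (engine, *ENGINE_ALIASES.get(engine, ())):
        block = by_lower.get(candidate.lower())
        if block is not None:
            return block
    return None


def flagged_by(report: dict, engine: str) -> bool:
    """True when the engine (under any of its names) called the file bad."""
    block = engine_result(report, engine)
    return block is not None and block.get("category") in ("malicious", "suspicious")


# Constructed sample reports, trimmed to the fields used here.
OLD_REPORT = json.loads("""
{"data": {"type": "file", "id": "sample-sha256-placeholder",
  "attributes": {"last_analysis_results": {
    "FireEye": {"category": "malicious", "engine_name": "FireEye",
                "result": "Generic.mg.constructed"},
    "Acronis": {"category": "undetected", "engine_name": "Acronis",
                "result": null}}}}}
""")

NEW_REPORT = json.loads("""
{"data": {"type": "file", "id": "sample-sha256-placeholder",
  "attributes": {"last_analysis_results": {
    "Trellix": {"category": "malicious", "engine_name": "Trellix",
                "result": "Generic.mg.constructed"},
    "Acronis": {"category": "undetected", "engine_name": "Acronis",
                "result": null}}}}}
""")

if __name__ == "__main__":
    for label, rep in (("old", OLD_REPORT), ("new", NEW_REPORT)):
        hit = engine_result(rep, "Trellix")
        print(label, "report: key found as", hit and hit["engine_name"],
              "| flagged:", flagged_by(rep, "Trellix"))
```

Keep the alias table small and explicit: resolving by the new name first and falling back to the old one means a report that somehow carried both keys would prefer the current engine name.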