Tuesday, March 8, 2022


March 7th, 2022 - YARA dotnet module in VT Hunting, new VT Intelligence search tags and SAML preview

What's new? 

  • YARA dotnet module available for Livehunt and Retrohunt. VT Hunting Livehunt allows VT Enterprise users to write YARA rules that are matched against the live stream of files uploaded to VirusTotal. It has become a de facto standard for monitoring threat campaigns and malware toolkits, and for tracking threat actors going forward. Similarly, VT Hunting allows you to run these rules back in time against the historical corpus through a component called Retrohunt, which lets you map out threat campaigns, find the first instance of an attack or unearth previously unknown malware. VT Hunting already supports the pe, elf, math, magic, hash and cuckoo YARA modules. We are now rolling out support for the dotnet module, both in Livehunt and Retrohunt. The dotnet module parses the CLR metadata of .NET assemblies (module name, metadata streams, assembly references, embedded resources, GUIDs, and so on), so you can write finer-grained rules that match on attributes of the .NET file format instead of on raw byte patterns alone. 

  • New "spreader" tag for files in VT INTELLIGENCE. VT Intelligence is often described as the Google for malware. It allows users to search for IoCs and access rich context to understand threats. It also allows users to perform reverse searches, i.e. to find files, URLs, domains and IPs matching certain criteria. For example, users can search for documents that launch PowerShell when opened, for files containing certain binary/text patterns, for domains registered by the same registrant, for URLs containing a given CnC panel path pattern, etc. IoCs are also tagged with informative labels such as the CVE numbers of the vulnerabilities they exploit, file types, etc. We have added a new tag, spreader, for malware families that are polymorphic in nature: once executed, a sample may produce new instances of the same variant. You can try it with the following search: tag:spreader.
  • New "first_submitter" VT INTELLIGENCE search modifier. As described above, VT Intelligence allows you to perform reverse searches over VirusTotal's IoC corpus. Those reverse searches can match behavioural/execution, static, binary, metadata, relationship and other properties. The criteria can even act on upload/submission information. For example, users were already able to use the submitter modifier to search for files uploaded from a given country or through a given interface (api, web, email). When a file has been submitted several times, submitter matches if any of the submissions came from that country/interface. The new first_submitter modifier narrows the search to the country/interface of the very first submission only, for example: first_submitter:ES AND first_submitter:web.
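As an added illustration of the dotnet module announced above (example rules written for this page, not rules published by VirusTotal), the two Livehunt-style rules below match on parsed CLR metadata rather than on byte patterns. Every concrete value in them is a placeholder: the assembly name "ExampleLoader", the all-zero module GUID and the reflection strings are assumptions chosen for the example, not real indicators, and should be replaced and tuned before use.

```yara
import "dotnet"

// Rule 1: a metadata-driven heuristic. It fires on .NET assemblies that carry
// at least one embedded resource and reference reflection APIs, a common shape
// for loaders that unpack a second-stage assembly from a resource.
rule dotnet_resource_loader_example
{
    meta:
        description = "Added example (not VirusTotal's): .NET assembly with an embedded resource that references reflection-based loading"
        note = "Strings and thresholds are illustrative assumptions; tune before deploying to Livehunt"
    strings:
        $reflection = "System.Reflection" ascii wide
        $invoke     = "Invoke" ascii wide
    condition:
        // number_of_streams is only populated when the CLR metadata parsed,
        // so this check doubles as an "is this a .NET file" test
        dotnet.number_of_streams > 0 and
        dotnet.number_of_resources > 0 and
        all of them and
        // the assembly must reference at least one core runtime library
        for any i in (0 .. dotnet.number_of_assembly_refs - 1) : (
            dotnet.assembly_refs[i].name == "mscorlib" or
            dotnet.assembly_refs[i].name == "System.Runtime"
        )
}

// Rule 2: tracking a specific toolkit by its build metadata. Assembly name,
// module name and module GUIDs survive recompilation far better than the
// byte patterns of any single build, which is what makes them useful in
// Retrohunt for finding earlier variants.
rule dotnet_toolkit_tracking_example
{
    meta:
        description = "Added example (not VirusTotal's): pin a .NET toolkit by assembly name, module name or module GUID"
        note = "The name and the all-zero GUID below are placeholders, not real IoCs"
    condition:
        dotnet.number_of_streams > 0 and
        (
            dotnet.assembly.name == "ExampleLoader" or
            dotnet.module_name == "ExampleLoader.dll" or
            for any i in (0 .. dotnet.number_of_guids - 1) : (
                dotnet.guids[i] == "00000000-0000-0000-0000-000000000000"
            )
        )
}
```

Both rules start with dotnet.number_of_streams > 0 so that they never evaluate the remaining metadata conditions on non-.NET files; when you test them locally, run them with a YARA build that was compiled with the dotnet module enabled, otherwise the import line itself fails.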

What's in preview?

  • SAML Authentication. Following our recent work on the SSO front, we are starting to test SAML in order to support federated login from a wider range of identity providers. Among others, this allows organizations to use popular services such as Okta to sign in to VirusTotal. If you are a VT ENTERPRISE customer and you want to strengthen your team's account security by testing our preview SAML functionality, please don't hesitate to contact us.