July 24th, 2023 - Crowdsourced AI, new VT INTELLIGENCE search modifiers, following IoCs, Livehunt for network indicators and more

What’s new?

• Crowdsourced AI. Mirroring our efforts to improve the industry’s threat visibility via crowdsourcing of antivirus/nextgen/EDR verdicts, dynamic analysis sandbox analyses, crowdsourced {YARA, SIGMA, IDS} rule detections, etc. we are now also bringing together cutting edge AI/ML models from the security community to detect, explain and contextualize threats. Hispasec has been the very first partner joining this effort, their LLM technology produces verdicts and malware analyst copilot explanations around malicious documents, including dissection and code analysis of macros.

• New VT INTELLIGENCE search modifiers. VT INTELLIGENCE is often described as the Google for malware. It allows users to search for IoCs and access superior context to understand threats. It also allows users to perform reverse searches, i.e. to find files, URLs, domains and IPs matching certain criteria. We have added support for the following new modifiers:
• crowdsourced_ai_verdict. Example: crowdsourced_ai_verdict:malicious. List all IoCs flagged as malicious by at least one crowdsourced AI solution.
• crowdsourced_ai_positives. Example: crowdsourced_ai_positives:1+. List all IoCs flagged as malicious by a given number of crowdsourced AI solutions.
• crowdsourced_ai_analysis. Example: crowdsourced_ai_analysis:"discord bot". Searches inside the human readable output of all crowdsourced AI solutions.
• {crowdsourced_ai_engine_name}_ai_verdict. Example: hispasec_ai_verdict:malicious. List all IoCs flagged as malicious by a given crowdsourced AI solution.
• {crowdsourced_ai_engine_name}_ai_analysis. Example: hispasec_ai_analysis:downloads. Searches inside the human readable output of a given crowdsourced AI solution.
• goresym. Example: goresym:”-s -w”. Searches within the output of the Goresym file analysis tool.

• New findings about interesting IoCs via out-of-the-box Livehunt rule templates. VirusTotal {domain, IP address, URL, file} analysis reports now include a new entry in the top header action menu labeled “Follow”. By actioning it you can now create out-of-the-box YARA rules to get notifications on new URLs distributing a given malware sample, new files being downloaded from known malicious infrastructure, new IP address resolutions for a known malicious domain, new subdomains for a given domain, etc. This should ease the task of tracking threat campaigns and democratizes the use of YARA within VirusTotal, beyond advanced binary pattern matching.

• VT HUNTING Livehunt for network indicators. Read launch announcement blog post. VT Hunting Livehunt allows VT Enterprise users to write YARA rules that are matched against the incoming live stream of files uploaded to VirusTotal. It has become a de-facto standard to monitor threat campaigns and malware toolkits, as well as to track threat actors going forward. Livehunt YARA matching in VirusTotal is far richer than standalone, as we allow users to match not only the binary contents of files but also static/dynamic/code analysis properties and other metadata via the “vt” YARA module. We are now extending Livehunt’s matching capabilities to cover domains, IP addresses and URLs. This allows analysts to discover new artifacts and infrastructure tied to a known campaign, unearth new infrastructure being leveraged by popular malware toolkits, perform attack surface management, identify phishing campaigns against their organizations, etc. This is a non-exhaustive list of examples to get you started, we’ve also kicked off a public Github repo to crowdsource rules from the community, Mandiant has been the first contributor, thank you!

• Healthcare industry investigation. We have performed an investigation into the healthcare industry's threat landscape for 2023H1. Most Health Industry targets were victims of ransomware attempts conducted by generic cybercrime gangs. There are few exceptions where Health institutions were targeted as part of cyberespionage actor operations, Yoro Trooper being a notable exception. Check our findings summary.

What’s been fixed?

• When a Retrohunt job is created using the YARA rule editor, the VirusTotal web UI shows a toast with the message “Retrohunt launched! Go”. When the “Go” link is clicked, a new tab with the list of Retrohunt jobs is opened. The new job was shown with the status “0% Starting” indefinitely because its progress was not tracked in the background unless the user reloaded the tab. We have now fixed this to asynchronously retrieve the progress status.