Monday, September 25, 2023

, ,

September 24th, 2023 - Technology integrations hub and assisted YARA rules with the IoC structure explorer

What's new?

  • VirusTotal to third-party technology integrations explorer. VirusTotal is the richest and most actionable crowdsourced threat intelligence suite. More than 3.6M users a month and tens of thousands of organizations world-wide rely on its threat reputation and context to be safer. Its popularity is such that most 3rd-party security technologies have built off-the-shelf turnkey integrations with our API, powering use cases such as automatic alert triage, event enrichment, false positive discarding, 2nd opinion detection and other threat detections and response flows. We recently started to document some of those home-grown and community/vendor-developed third-party integrations in our API reference. In order to make those integrations even more discoverable, we have rolled out an integrations explorer, including search, technology categories and more. It is by no means exhaustive, if you are missing an integration, please let us know.

Monday, September 11, 2023

, , , , , ,

September 11th, 2023 - Follow threat actors and collections via email, personal YARA matches on file reports, on-demand file scanning of downloaded URL content and more

What's new?

  • Personal YARA rule matches now showing up on file/hash reports following the crowdsourced YARA rule matches style. VT Hunting Livehunt allows VT Enterprise users to write YARA rules that are matched against the incoming live stream of files uploaded to VirusTotal. It has become a de-facto standard to monitor threat campaigns and malware toolkits, as well as to track threat actors going forward. Up until now, Livehunt YARA rule matches were only displayed in your IoC Stream. As of now, whenever you randomly search in VirusTotal or perform IoC lookups outside of VT Hunting, if the pertinent IoC happens to match one of your YARA rules, it will be called out as a red tag on IoC reports and the pertinent match will be detailed in the “Detection” tab, with pivot controls to jump into other similar files matching the same rule.

  • On-demand file scanning of downloaded URL content whenever the corresponding file has not yet been seen by VirusTotal. VirusTotal is world renown for file/hash reputation and context, however, these days the domain/IP/URL technical/tactical intelligence dataset is equally comprehensive, if not more. Indeed, VirusTotal allows you to submit URLs and get them checked against 85+ security vendors/blocklists. The analyzer does not stop at providing verdicts and reputation for URLs. One of the analysis components actually pulls the content hosted at the pertinent URL and, if deemed interesting, it will scan it with the antivirus/EDR/nextgen file scanners, building the corresponding parent-child relationship and producing contextual notions such as in-the-wild download URLs for files in the corpus. What do we mean by interesting content? It would be certain file types such as executables, documents, compressed bundles, etc. Specifically, we will not massively ingest random HTML content so as to prevent noise in our feeds. This said, we are now displaying the content pulled from all URLs - interesting or not - under the “Content” tab of URLs and we are allowing users to trigger manual file scans of such content within the “Details” and “Relations” tabs whenever such content was not automatically scanned by the platform.

  • VT Enterprise group user auto-add notifications. VirusTotal has been continually maturing on the enterprise readiness front, following our work on SSO/SAML or service accounts, we continue to improve security and enterprise controls. VirusTotal group administrators can define certain email patterns in their group profile settings so that whenever corporate users sign up to VirusTotal, they get automatically added to their enterprise groups. As of now, administrators can also set up their accounts to automatically notify them via email whenever new users get added to their groups via the email auto-add patterns.

  • Follow threat actors and collections via email. VirusTotal’s Threat Landscape module incorporates {attribution, threat actor profiling, campaign & toolkit knowledge cards} into our top VirusTotal packages. Users can subscribe or follow specific threat actors / campaigns / toolkits / incidents. When following a given threat entity, users get notified about any new IoC related to it via their personal IoC Stream. It is a vehicle to create tailored dissections of VirusTotal’s live dataset when focusing on relevant threats. As of now, users can also receive those notifications via email.

Monday, September 4, 2023

, , , ,

September 4th, 2023 - Download strings, malware config extraction in Private Scanning, new search modifiers and more

What's new?

  • Download file content strings. Other than a Threat Intelligence suite allowing its users to research world-wide emerging threat patterns, VT ENTERPRISE is also an automated malware analysis solution performing {reputational, static, dynamic, code, similarity} analysis of suspicious files. One of the static analysis components that run on files is strings extraction, it runs on absolutely all uploaded files and VT ENTERPRISE users can both download files and see the strings for files uploaded by themselves or any other VirusTotal Community user. As of now, users are not only able to see file strings within their browsers, they can also download full strings dumps for offline searching and analysis. Strings downloading is available in the content tab of file reports.

  • Malware config extraction in Private Scanning. VirusTotal Private Scanning allows its users to “see files through VirusTotal’s eyes” without making those files or their reports downloadable/visible to any 3rd-party beyond their own organizations, i.e. in a non-shareable fashion. All standard VirusTotal analysis components are included (reputation, static, dynamic - sandboxes, code, similarity analysis) except for multi-antivirus scanning. We have extended Private Scanning with Mandiant Backscatter. Backscatter understands common malware families and extracts configuration files, see example. Backscatter will identify malware families, C2s, decoys, dropzones, etc. Note that the entire malware configuration output is pivotable (click on any of its fields) and a new search modifier (malware_config:) powers the search, example - malware_config:amadey.

  • Default private scanning settings. VirusTotal Private Scanning allows its users to specify custom file/report retention periods (1 day by default) and file storage regions (US vs EU) to comply with applicable regulations. Having to select non-default retention periods and regions on every upload can be a tedious task, VirusTotal group administrators can now provide default values for these selections in the settings tab of their group profile.

  • New search VT Intelligence search modifiers - ssl_not_before and ssl_not_after. VT INTELLIGENCE is often described as the Google for malware. It allows users to search for IoCs and access superior context to understand threats. It also allows users to perform reverse searches, i.e. to find files, URLs, domains and IPs matching certain criteria. We have added support for the following new modifiers, they allow users to monitor any newly issued HTTPS certificates as part of potential phishing campaigns: