Monday, September 11, 2023


September 11th, 2023 - Follow threat actors and collections via email, personal YARA matches on file reports, on-demand file scanning of downloaded URL content and more

What's new?

  • Personal YARA rule matches now show up on file/hash reports, in the same style as crowdsourced YARA rule matches. VT Hunting Livehunt allows VT Enterprise users to write YARA rules that are matched against the incoming live stream of files uploaded to VirusTotal. It has become a de facto standard for monitoring threat campaigns and malware toolkits, as well as for tracking threat actors going forward. Up until now, Livehunt YARA rule matches were only displayed in your IoC Stream. As of now, whenever you search in VirusTotal or perform IoC lookups outside of VT Hunting, if the pertinent IoC happens to match one of your YARA rules, it will be called out as a red tag on the IoC report and the match will be detailed in the “Detection” tab, with pivot controls to jump to other files matching the same rule.

  • On-demand file scanning of downloaded URL content whenever the corresponding file has not yet been seen by VirusTotal. VirusTotal is world-renowned for file/hash reputation and context; however, these days the domain/IP/URL technical/tactical intelligence dataset is equally comprehensive, if not more so. Indeed, VirusTotal allows you to submit URLs and get them checked against 85+ security vendors/blocklists. The analyzer does not stop at providing verdicts and reputation for URLs. One of the analysis components actually pulls the content hosted at the pertinent URL and, if deemed interesting, scans it with the antivirus/EDR/next-gen file scanners, building the corresponding parent-child relationship and producing contextual notions such as in-the-wild download URLs for files in the corpus. What do we mean by interesting content? Certain file types such as executables, documents, compressed bundles, etc. Specifically, we do not massively ingest random HTML content, so as to prevent noise in our feeds. This said, we are now displaying the content pulled from all URLs, interesting or not, under the “Content” tab of URL reports, and we are allowing users to trigger manual file scans of such content from the “Details” and “Relations” tabs whenever it was not automatically scanned by the platform.

  • VT Enterprise group user auto-add notifications. VirusTotal has been continually maturing on the enterprise readiness front: following our work on SSO/SAML and service accounts, we continue to improve security and enterprise controls. VirusTotal group administrators can define certain email patterns in their group profile settings so that whenever corporate users sign up to VirusTotal, they are automatically added to their enterprise group. As of now, administrators can also configure their accounts to notify them via email whenever new users are added to their groups through the email auto-add patterns.

  • Follow threat actors and collections via email. VirusTotal’s Threat Landscape module incorporates attribution, threat actor profiling, and campaign and toolkit knowledge cards into our top VirusTotal packages. Users can subscribe to, or follow, specific threat actors, campaigns, toolkits, and incidents. When following a given threat entity, users get notified about any new IoC related to it via their personal IoC Stream. It is a vehicle for creating tailored dissections of VirusTotal’s live dataset when focusing on relevant threats. As of now, users can also receive those notifications via email.