What's new?
- YARA dotnet module available for Livehunt and Retrohunt. VT Hunting Livehunt allows VT Enterprise users to write YARA rules that are matched against the incoming live stream of files uploaded to VirusTotal. It has become a de-facto standard to monitor threat campaigns and malware toolkits, as well as to track threat actors going forward. Similarly, VT Hunting allows you to run these rules back in time against the historical corpus through a component called Retrohunt. Retrohunt allows you to map out threat campaigns, to find the first instance of an attack or to unearth unknown malware. VT Hunting Livehunt already supports the pe, elf, math, magic, hash, and cuckoo YARA modules. We are rolling out support for the dotnet module, both in Livehunt and Retrohunt. The dotnet module allows you to create more fine-grained rules for .NET files by using attributes and features of the .NET file format.

- New "spreader" tag for files in VT Intelligence. VT Intelligence is often described as the Google for malware. It allows users to search for IoCs and access superior context to understand threats. It also allows users to perform reverse searches, i.e. to find files, URLs, domains and IPs matching certain criteria. For example, users can search for documents that launch PowerShell when opened, for files containing certain binary/text patterns, for domains registered by the same registrant, for URLs containing a given CnC panel path pattern, etc. IoCs are also tagged with informative labels such as the CVE numbers of the vulnerabilities they exploit, file types, etc. We have added a new tag (spreader) that describes malware families which are polymorphic in nature and which, once executed, may produce new instances of the same variant. You can test it with the following search: tag:spreader.
- New "first_submitter" VT Intelligence search modifier. As described above, VT Intelligence allows you to perform reverse searches over VirusTotal's IoC corpus. Those reverse searches can match {behavioural/execution, static, binary, metadata, relationship, etc.} properties. The criteria can even act on upload/submission information. For example, users were already able to leverage the submitter modifier to search for files uploaded from a given country or through a given interface (api, web, email). In the event of multiple submissions, this modifier acted on any of the submission countries/interfaces. We have added a new modifier to narrow down searches based on the first submitter country/interface, for example: first_submitter:ES AND first_submitter:web.
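To illustrate the dotnet module item above, here is an added example rule (not a rule published by VirusTotal) that matches on .NET metadata instead of raw byte patterns. The rule name, assembly name, GUID and resource name are constructed placeholders; the dotnet fields used are those documented for the YARA dotnet module.

```yara
import "dotnet"

rule Added_Example_DotNet_Metadata
{
    meta:
        description = "Added example: match a .NET assembly by its metadata"
        note = "Assembly name, GUID and resource name are constructed placeholders"

    condition:
        // Only consider files that start with an MZ header
        uint16(0) == 0x5A4D and

        // Assembly identity taken from the .NET Assembly metadata table
        dotnet.assembly.name == "ExampleLoader" and
        dotnet.assembly.version.major == 1 and

        (
            // Typelib GUID embedded by the build (placeholder value)
            dotnet.typelib == "00000000-0000-0000-0000-000000000000" or

            // Any embedded managed resource with a specific name
            for any i in (0 .. dotnet.number_of_resources - 1) :
                ( dotnet.resources[i].name == "ExampleLoader.Properties.Resources.resources" ) or

            // Any reference to an external module, such as a native DLL used via P/Invoke
            for any i in (0 .. dotnet.number_of_modulerefs - 1) :
                ( dotnet.modulerefs[i] == "kernel32.dll" )
        )
}
```

Because the condition keys on assembly identity, typelib GUID, resource names and module references, it keeps matching when the surrounding code bytes change between builds.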
What's in preview?
- SAML Authentication. Following our recent work on the SSO front, we are starting to test SAML to support federated login from a wider range of identity providers. Among others, this allows organizations to use popular services such as Okta to sign in to VirusTotal. If you are a VT Enterprise customer and you want to upgrade your team's account security by testing our preview SAML functionality, please don't hesitate to contact us.
What's new?
- MISP and VT Collections integration. VT Collections allows users to easily share with each other listings of threat campaign, threat actor or malware toolkit IoCs. MISP users can now create a VT Collection based on a MISP event with a single click. Similarly, VirusTotal users can now export VT Collections as STIX to import them into their security stack, including their own MISP instance.
- Ruleset owner in Livehunt. VT Hunting Livehunt allows VT Enterprise users to write YARA rules that are matched against the incoming live stream of files uploaded to VirusTotal. It has become a de-facto standard to monitor threat campaigns and malware toolkits, as well as to track threat actors going forward. In VT Hunting, YARA rules can be shared with other users, which effectively allows them to share feeds of IoC matches. Livehunt ruleset listing summaries now display the owner of the ruleset whenever that owner is not you; this allows you to identify at a glance rulesets shared with you.

- Notifications on missing hashes. VirusTotal allows you to search for file analysis reports using the file's MD5, SHA1 or SHA256 hash. When searching for a file that is not yet in the corpus you can now easily create a YARA rule to get automatically notified if VirusTotal ever receives it. A single click of a button is all that is needed.