Please note that this blog post is part of our #VTMondays series; check out our collection of past publications here.
VT Intelligence can be a powerful tool for monitoring malware trends, enhancing your detection capabilities and enabling proactive defense against evolving threats. To use it effectively, analysts refine their searches with threat indicators relevant to their business, their technologies and the malware trends of the moment, and then use the results to identify and hunt emerging malicious samples and to investigate new trends and capabilities.
To begin with a simple query, we search for files ("entity:file") first seen during the last week ("fs:7d+"), labelled as a keylogger by AV engines ("engines:keylogger") and with at least 5 positives ("p:5+"). Modifiers placed next to each other are ANDed, so the query only returns samples matching all four conditions.
In our second query we search for fresh ("fs:7d+") Windows, Linux or macOS files ("type:peexe or type:elf or type:macho"). Wrap these alternatives in parentheses when combining them with other modifiers so that the OR is scoped to the file types. To focus on popular or emerging malware we add the submissions modifier with a relatively high threshold ("submissions:10+"); these thresholds are illustrative and can be adjusted to the investigation.
Finally, we look for ZIP files ("type:zip") that potentially contain ransomware. To discriminate on the verdicts of AV engines we use the "engines" keyword ("engines:ransom or engines:ransomware"), including both "ransom" and "ransomware" because engines name their detections differently. An alternative way of finding ransomware is through dedicated crowdsourced YARA rules ("crowdsourced_yara_rule:ransomware"), which does not depend on any vendor's naming.
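As an added example (not VirusTotal's own code), the following Python module composes the three searches above as query strings, submits them to the VT API v3 intelligence search endpoint and follows the result cursor through every page. It assumes GET /api/v3/intelligence/search with `query`, `limit` and `cursor` parameters, an `x-apikey` header and a `{"data": [...], "meta": {"cursor": ...}}` response; the attribute names read in `summarize` follow the v3 file object, and `SAMPLE_PAGES` is a constructed two-page response so the module runs offline. Any API key, hashes and counts below are placeholders.

```python
"""Compose the VT Intelligence queries from this post and page through results.

Added example, not VirusTotal's code. Assumes the v3 endpoint described in the
lead-in; SAMPLE_PAGES is constructed test data, not real VT output.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, Optional, Sequence

VT_SEARCH = "https://www.virustotal.com/api/v3/intelligence/search"


def _or_group(modifier: str, values: Sequence[str]) -> str:
    """'(type:peexe or type:elf)' for several values, 'type:zip' for one."""
    clauses = [f"{modifier}:{v}" for v in values]
    return clauses[0] if len(clauses) == 1 else "(" + " or ".join(clauses) + ")"


def build_query(first_seen_days: int = 7, file_types: Sequence[str] = (),
                engines: Sequence[str] = (), positives_min: Optional[int] = None,
                submissions_min: Optional[int] = None,
                yara_rule: Optional[str] = None) -> str:
    """Join modifiers: alternatives are ORed in parentheses, dimensions ANDed
    by juxtaposition (VT's default); '+' after a number means 'at least'."""
    terms = ["entity:file", f"fs:{first_seen_days}d+"]
    if file_types:
        terms.append(_or_group("type", file_types))
    if engines:
        terms.append(_or_group("engines", engines))
    if positives_min is not None:
        terms.append(f"p:{positives_min}+")
    if submissions_min is not None:
        terms.append(f"submissions:{submissions_min}+")
    if yara_rule:
        terms.append(f"crowdsourced_yara_rule:{yara_rule}")
    return " ".join(terms)


# The three searches from the post, plus the YARA-based alternative.
QUERIES = {
    "fresh_keyloggers": build_query(engines=["keylogger"], positives_min=5),
    "fresh_popular_binaries": build_query(file_types=["peexe", "elf", "macho"],
                                          submissions_min=10),
    "zips_ransom_verdict": build_query(file_types=["zip"],
                                       engines=["ransom", "ransomware"]),
    "zips_ransom_yara": build_query(file_types=["zip"], yara_rule="ransomware"),
}


def _http_get(url: str, api_key: str) -> dict:
    req = urllib.request.Request(url, headers={"x-apikey": api_key,
                                               "accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def search(query: str, api_key: str = "", limit: int = 20,
           fetch: Optional[Callable[[str], dict]] = None) -> Iterator[dict]:
    """Yield every object for `query`, following meta.cursor until it is absent.
    `fetch` maps a URL to decoded JSON; inject one to run against canned pages."""
    if fetch is None:
        fetch = lambda url: _http_get(url, api_key)
    cursor = None
    while True:
        params: Dict[str, object] = {"query": query, "limit": limit}
        if cursor:
            params["cursor"] = cursor
        page = fetch(VT_SEARCH + "?" + urllib.parse.urlencode(params))
        yield from page.get("data", [])
        cursor = page.get("meta", {}).get("cursor")
        if not cursor:  # last page: no cursor is returned
            return


def summarize(obj: dict) -> dict:
    """The fields an analyst triages first from a v3 file object."""
    attrs = obj.get("attributes", {})
    stats = attrs.get("last_analysis_stats", {})
    return {"sha256": attrs.get("sha256", obj.get("id")),
            "type": attrs.get("type_description"),
            "positives": stats.get("malicious", 0),
            "submissions": attrs.get("times_submitted"),
            "first_seen": attrs.get("first_submission_date")}


def _file_obj(sha: str, desc: str, positives: int, submitted: int) -> dict:
    return {"type": "file", "id": sha, "attributes": {
        "sha256": sha, "type_description": desc, "times_submitted": submitted,
        "first_submission_date": 1700000000,
        "last_analysis_stats": {"malicious": positives, "undetected": 60}}}


# Constructed two-page response keyed by cursor (fake hashes, not VT data).
SAMPLE_PAGES = {
    None: {"data": [_file_obj("a" * 64, "Win32 EXE", 7, 12)], "meta": {"cursor": "c1"}},
    "c1": {"data": [_file_obj("b" * 64, "ELF", 9, 31)], "meta": {}},
}


def fake_fetch(url: str) -> dict:
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return SAMPLE_PAGES[qs.get("cursor", [None])[0]]


def demo() -> list:
    """Run the keylogger query against the canned pages and summarize the hits."""
    return [summarize(o) for o in search(QUERIES["fresh_keyloggers"], fetch=fake_fetch)]


if __name__ == "__main__":
    for q in QUERIES.values():
        print(q)
    for hit in demo():
        print(hit)
```

To run it against VirusTotal, drop the `fetch` argument and pass a real key (`search(QUERIES["fresh_keyloggers"], api_key=...)`); the cursor loop keeps pulling pages until VT stops returning one, so put an upper bound on hits you are willing to page through when a broad query is used.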
You can learn more about file search modifiers in the documentation.
As always, we would like to hear from you.
Happy hunting!