CrowdStrike is pleased to announce the upcoming release of a new tool aimed at assisting researchers in the collection and processing of new malware. The CrowdStrike Feed Management System (CrowdFMS) is a Python framework that automates the interaction with VirusTotal’s Private API.
One of the powerful features of VirusTotal’s Private API is its YARA integration, which sends you a notification when an uploaded file matches one of your YARA rules. For those unfamiliar with YARA, it is a tool used by malware researchers to help classify malware into families based on patterns and unique strings. This collection vector is one of the ways in which security researchers are able to identify new malware Command-and-Control (C2) servers, new campaigns, and even new types of malware.
CrowdFMS is designed to run as a background service or in a screen session. While running, it automatically fetches newly identified files from VirusTotal and stores them locally, along with other metadata about each file.
At CrowdStrike, we are developing new decoders every day for extracting information from malware samples to provide fast and accurate analysis. To best leverage this technology, CrowdFMS can be configured to execute commands automatically when a notification matches a given rule name. For example, if you have a decoder for the malware commonly used by VICEROY TIGER, you can configure CrowdFMS to run that decoder any time a new sample for that rule is received.
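As an added illustration (not CrowdFMS’s own code), the following Python sketch shows the loop the post describes: take a YARA-match notification, store the sample locally under its hash together with its metadata, and run the command configured for that rule name. The notification field names, the decoder path and the `fetch_content` callback are assumptions; the notification records are constructed, not real VirusTotal output.

```python
import hashlib
import json
import subprocess
from pathlib import Path

# Constructed notification records; field names are assumptions, not the
# real VirusTotal Private API schema.
NOTIFICATIONS = [
    {"subject": "VICEROY_TIGER_loader", "ruleset_name": "crowdstrike",
     "first_seen": "2014-04-01 10:00:00", "positives": 12},
    {"subject": "generic_packer", "ruleset_name": "crowdstrike",
     "first_seen": "2014-04-01 10:05:00", "positives": 3},
]

# YARA rule name -> argv template; the decoder path is hypothetical.
RULE_COMMANDS = {
    "VICEROY_TIGER_loader": ["python3", "decoders/viceroy_tiger.py", "{sample}"],
}

def store_sample(store_dir, notification, content):
    """Store the sample under its (locally recomputed) SHA-256 plus a metadata JSON."""
    sha256 = hashlib.sha256(content).hexdigest()
    store = Path(store_dir)
    store.mkdir(parents=True, exist_ok=True)
    sample_path = store / sha256
    sample_path.write_bytes(content)
    meta = dict(notification, sha256=sha256, size=len(content))
    (store / (sha256 + ".json")).write_text(json.dumps(meta, indent=2))
    return sample_path

def build_command(rule_name, sample_path, commands=RULE_COMMANDS):
    """Return the argv for a matched rule, or None when no command is configured.
    Substituting into an argv list (no shell) keeps feed-supplied names inert."""
    template = commands.get(rule_name)
    if template is None:
        return None
    return [part.replace("{sample}", str(sample_path)) for part in template]

def process_feed(notifications, fetch_content, store_dir, runner=subprocess.run):
    """Store every notified sample, run configured decoders, return (rule, argv) pairs run."""
    dispatched = []
    for note in notifications:
        content = fetch_content(note)  # bytes of the sample from the API
        path = store_sample(store_dir, note, content)
        argv = build_command(note["subject"], path)
        if argv:
            runner(argv, check=False, timeout=300)  # never shell=True
            dispatched.append((note["subject"], argv))
    return dispatched
```

Samples for rules without a configured command are still stored with their metadata; only the dispatch step is skipped.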
CrowdFMS is now available on CrowdStrike’s public GitHub. If you have any questions or want to learn more about CrowdStrike’s adversary intelligence subscription, please contact: firstname.lastname@example.org.