Malware & Tools

Google Threat Intelligence lets you explore highly contextualized details about Malware families and the Tools used to leverage them.

The Malware & Tools List will show items sorted by Relevance, you can filter them utilizing the Filters pane on the left column.

Filter Malware & Tools

In the Filters pane, select the desired filters based on the following options to view only the Malware or Tools you seek to explore.

• Last Modification date: Date when the malware/toolkit was last updated with new associations, TTPs, IoC submissions, etc.
• Object Types: Choose between listing Malware or Software Toolkits.
• Origin: Select between items that were investigated and curated by Google Threat Intelligence analysts or by our partners.
• Source Regions: Known/Suspected country or region of origin.
• Targeted Regions: Known/Suspected country or region that was attacked with this malware/tool.
• Targeted Industries: Known/Suspected industry that has been affected by this malware/tool.

Follow Malware or Tools

In the Malware & Tools list, select one or multiple cards and click Follow button, for any Malware or Tool to monitor changes to selected entities over time, including new variations, associations, or reporting.

To add a Malware or Tool to a Threat Profile, open the card details and use the Follow button inside, it will give you the option to choose which profile to add it to.

View Malware Details

Click on the name of any Malware or Tool card for a view of the Malware profile and its details, navigate its tabs for specific data:

• Details: This tab displays the same comprehensive summary of the Malware or Tool profile as seen in the quick view. It also includes an Overview block with information such as Role, Operating systems affected, Aliases, lists the industries and regions known to be targeted, capabilities,detection names, dates on malware's activity and relevant tags. A list of news analysis reports related to the Malware is also displayed. The following blocks have summarized information on Associations, Reporting, News & Analysis, and Telemetry.

• Associations: This tab provides a list of the various associations with this Malware family. It includes other associated Malware, Toolkits, Threat Actors and Vulnerabilities. Various filter options let you customize your view.
  

• IOCs: This tab includes a table with all known Indicators attributed to this Malware family, such as specific IP addresses, urls, domains, and hashes.
  

• Rules: This tab shows detection rules for this Malware or Toolkits IoCs, there are Yara, Sigma and IDS rules, and they can be crowdsourced or curated. These rules can be downloaded for use in threat hunt efforts or other workflows involving third-party security tools outside the Google Threat Intelligence platform.

• TTPs: This tab shows the Tactics, Techniques, and Procedures (TTPs) observed to be associated with delivering, deploying, or executing the selected Malware. All TTPs associated with the Malware can be downloaded by clicking Download TTPs from the Actions drop-down.

Actions available for TTPs:

• Hovering over the ID of a Technique or Tactic provides a brief description of it and a link to open details in MITRE site.

• Clicking on the name of a Technique or Tactic will redirect you to a Intelligene search filtering for that specific Technique (example: attack_technique:T1129)

• Clicking on the matches tag on the bottom right corner of a Technique will redirect you to the list of the current Malware's IOCs that match this Technique

• Reporting: This tab displays the latest reports generated by Google Threat Intelligence and crowdsourced articles talking about the Malware or Toolkit you are looking at. The items can be filtered by Modification date, Origin, Report Type, Source region, Targeted Region and Targeted Industry utilizing the Filters pane.

• Community: This tab features a dedicated space for community discussion, it is a section that contains comments posted by the community making observations on the Malware or Toolkit.