USCYBERCOM: Uploading Malware to VirusTotal

U.S. Cyber Command Tweets

This last Monday, 11/04, the cyber security community saw an interesting move from the Cyber National Mission Force (CNMF), a unit of U.S. Cyber Command (USCYBERCOM). The CNMF began sharing malware samples it had discovered by uploading them to VirusTotal, the well-known online scanning service and malware repository used extensively by the community.

Alongside the uploads, a Twitter account was created for the sole purpose of tweeting the VirusTotal links where the shared samples can be found.

This decision was praised by the security community, as Costin Raiu, director of Global Research & Analysis Team at Kaspersky Lab said: “This is a great initiative and we believe that if more governments would do the same, the world would be safer. We salute their initiative and are of course paying close attention to what they upload.” 

The first samples shared on VirusTotal belong to the LoJack/LoJax malware family. In May, several LoJack agents were found connecting to servers believed to be controlled by the Russia-linked Fancy Bear APT group, a highly capable and dangerous actor behind several attacks. These samples appear to be connected to the LoJax UEFI rootkit that ESET malware researchers disclosed in September.

Security professionals believe that posting a malware sample to VirusTotal can shorten the response time to emerging threats. When one of the engines on the platform fails to detect a sample that is already known to be malicious, VirusTotal can notify that scanner's maintainers. Their security engineers can then analyze the sample and, if necessary, update their detections to prevent future outbreaks.
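The detection-gap check described above can also be run from the analyst's side: look a shared hash up on VirusTotal and see which engines still miss it. The script below is an added example for this article, not code from USCYBERCOM, the CNMF or VirusTotal. It hashes a constructed byte string, builds (but does not send) the VirusTotal v3 file-lookup request, and then triages a constructed report whose layout follows the documented v3 file object (`data.attributes.last_analysis_results`); the vendor names, verdict strings and API key in it are placeholders.

```python
"""Triage a VirusTotal v3 file report to find the engines that miss a
known-malicious sample.  Added example for this article; not code from
USCYBERCOM, CNMF or VirusTotal.  The report is constructed inline so the
script runs offline; only its shape follows the v3 "file object"."""
import hashlib

VT_FILES_ENDPOINT = "https://www.virustotal.com/api/v3/files/"

# Constructed stand-in for a sample's bytes (not a real LoJax binary).
SAMPLE_BYTES = b"constructed placeholder sample, not real malware"

# Per-engine categories VirusTotal uses in last_analysis_results that
# mean "this engine did not flag the file".
MISS_CATEGORIES = {"undetected", "type-unsupported", "timeout", "failure"}


def sample_sha256(data: bytes) -> str:
    """SHA-256 is the identifier VirusTotal uses for a file object."""
    return hashlib.sha256(data).hexdigest()


def build_lookup(sha256: str, api_key: str) -> tuple:
    """Return (url, headers) for GET /api/v3/files/{hash}.
    The request is not sent here; a caller would hand these to
    requests.get(url, headers=headers)."""
    return VT_FILES_ENDPOINT + sha256, {"x-apikey": api_key}


def detection_gap(report: dict) -> dict:
    """Summarise which engines flagged the sample and which missed it.

    'report' is the parsed JSON body of the v3 file lookup.  Engines in
    the 'missed' list are the ones whose maintainers VirusTotal would
    notify about a known sample their scanner failed to catch."""
    results = report["data"]["attributes"]["last_analysis_results"]
    detected, missed = [], []
    for engine, verdict in sorted(results.items()):
        if verdict["category"] in ("malicious", "suspicious"):
            detected.append((engine, verdict["result"]))
        elif verdict["category"] in MISS_CATEGORIES:
            missed.append((engine, verdict["category"]))
    return {
        "detected": detected,
        "missed": missed,
        "ratio": f"{len(detected)}/{len(results)}",
    }


# Constructed report: three engines flag the sample, two return no
# verdict and one timed out.  Vendor and signature names are made up.
CONSTRUCTED_REPORT = {
    "data": {
        "type": "file",
        "id": sample_sha256(SAMPLE_BYTES),
        "attributes": {
            "last_analysis_results": {
                "VendorA": {"category": "malicious", "result": "Trojan.Generic.Example"},
                "VendorB": {"category": "malicious", "result": "Rootkit.UEFI.Example"},
                "VendorC": {"category": "suspicious", "result": "Heuristic.Example"},
                "VendorD": {"category": "undetected", "result": None},
                "VendorE": {"category": "undetected", "result": None},
                "VendorF": {"category": "timeout", "result": None},
            }
        },
    }
}

if __name__ == "__main__":
    digest = sample_sha256(SAMPLE_BYTES)
    url, headers = build_lookup(digest, "YOUR_API_KEY")  # placeholder key
    print("lookup:", url)
    gap = detection_gap(CONSTRUCTED_REPORT)
    print("detection ratio:", gap["ratio"])
    for engine, category in gap["missed"]:
        print(f"  {engine} missed the sample ({category})")
```

Suspicious verdicts are counted as detections here; a stricter triage would count only "malicious", which is a one-line change in `detection_gap`.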