Everything to Know about the Intel 471 Malware Intelligence Feed

Intel471 logo

With the recent launch of our Cyber Intelligence Marketplace, we’re excited to kick off our blog series highlighting each of our partners. In this blog, we would like to introduce you to our new partner Intel 471. The Intel 471 Malware Intelligence Feed is now available on our Cyber Intelligence Marketplace. Here some things we knew you would want to know about Intel 471…

Who is Intel 471? Tell Us About Yourself.

Intel 471 provides in-depth coverage and tracking of sophisticated, financially motivated cybercriminals, and other threats from across the globe. These are the threat actors that target organizations across many sectors, along with those organizations’ customers, employees and suppliers.

Intel 471’s Malware Intelligence capability leverages our unparalleled access to top-tier cybercriminals, forums and marketplaces in the cyber underground to obtain early access to cybercrime malware, such as trojans and stealers. This early access enables Intel 471’s analysis and reverse-engineering of the malware to create actionable signatures, malware intelligence reports and criminal infrastructure monitoring. Security teams are equipped with early and near real-time visibility into the latest criminal malware campaigns, along with the latest malware advertised and released by cybercriminals in the underground. These capabilities provide proactive and timely insight to enable detection and mitigation of these threats.

How does Intel 471 Collect Malware Intelligence?

Intel 471 has unique combined insight into what adversaries are discussing, planning, buying/selling, planning and how they are operating (TTPs), along with the technical tooling/malware they are developing, buying/selling and using to launch attacks or support their illicit activities.

Our patent-pending Malware Intelligence offering sets us apart from many others in this field: tracking and monitoring framework that does programmatic malware emulation at scale. Current coverage (70+ families) is focused on top banking trojan, loader, infostealer, ransomware, spam and those used in targeted attacks. This provides ongoing coverage (24/7) of malware activity between the C2 infrastructure and bot emulators providing near real-time insights into adversary activity. This includes c2 updates, new modules and functionality being delivered, secondary payloads, inject triggers, file triggers, deep technical reporting, yara and network signatures and much more. samples into the system for analysis and emulation-based coverage of those campaigns and C2s. Data is delivered within minutes of the adversary executing an action via the C2 infrastructure.The historical dataset provides years of data that allows for historical context and breakdown broadly (C2s and general targeting) to a very granular level (specific botnet ids, affiliate ids, etc). The data is backed by a rich data model that includes mapping to MITRE ATT@CK and Intel 471’s General Intelligence Requirements Framework. It also includes the ability to submit malware samples for processing, analysis and submission into the malware emulation and tracking system for ongoing coverage.

What makes Intel 471’s Threat Intelligence Unique?

The approach was designed to be fully automated and autonomous, meaning it runs at scale, 24×7 without any human intervention. This means it is always watching and analyzing new events and collecting data and we can scale this to any number of malware families or C2 servers.

The team behind Malware Intelligence is made up of highly experienced veterans in the malware analysis field and the large amounts of accurate, complete and up-to-date data being collected by the emulation framework yields many interesting items of unique intelligence and raw material for cutting edge research and insights.

What types of threats will Intel 471 protect customers from?

Cybercriminals are continuously launching new attacks against organizations across the globe. Too often countering the threat of malware is reactive and limited to single point-in-time analysis. These analyses can become irrelevant as the adversary adapts and recalibrates to circumvent protection measures and avoid detection. Internal visibility is no longer enough to stay a step ahead of the adversary. Continuous monitoring and coverage of the adversary, their turf and their tools are a necessity. Without this external visibility, organizations are ill-equipped to deploy a proactive and intelligence led cyber security strategy.

What’s one interesting attack / threat trend you are seeing?

While there is a constant focus on ransomware for good reason, we must not forget that the traditional account takeover is still of interest with up-and-coming threat actors and veteran threat groups. Some examples are listed below:

a) Trickbot is still investing time and development cycles in improving their VNC module and modifying their web injects module.

b) Threat actors were recently seen selling web injects for Android devices, supporting a multitude of banks

c) In Latin America, especially Brazil, banking trojan gangs continue to be very active. On July 14th, 2021, Guardia Civil in Spain arrested people that were laundering money from Brazilian victims

In conclusion; Account Takeover is still a persisting threat actor focus and is continuously improved. While there should certainly still be a focus on ransomware, there are some more historically traditional attacks that continue to persist and should not be forgotten.

Hope you enjoyed learning more about Intel 471! And in case you didn’t get to see it live, you can watch a recording of our joint webinar to hear Threater CRO Todd Weller and Intel 471 Director Lilian Dolgolenko walk through our partnership.

Want to learn more about Threater’s Cyber Intelligence Marketplace? You can read our blog, watch our webinar, or read our FAQ to get all the details. And stay tuned to dig in & learn about another partner next week…