Overview
How quickly a threat can be identified and addressed has a significant effect on the outcome of an incident. Indicators of compromise (IOCs) are the essential breadcrumbs that let security teams spot and stop potential attacks and widen their search for related activity. Backscatter significantly extends VirusTotal’s existing toolkit for analysing and understanding malware IOCs, and with it the Google Threat Intelligence platform.
VirusTotal has long used sandboxes and other dynamic analysis techniques to observe malware behaviour and record IOCs. These approaches, however, can be slow and may yield nothing useful when the malware employs anti-analysis measures. Backscatter, a service from the Mandiant FLARE team, complements them with a static analysis capability that inspects malware directly without executing it, giving high-confidence malware family identification and faster, more efficient IOC collection. To improve support for packed and obfuscated malware that does run successfully in a dynamic environment, Backscatter can now also analyse sandbox artefacts such as memory dumps.
Within the Google Threat Intelligence platform, Backscatter excels at locating configuration data, embedded IOCs and other malicious artefacts concealed in user-uploaded malware. It quickly produces actionable threat intelligence by identifying dropped files, command-and-control (C2 or C&C) servers and other indications of malware presence. The platform makes every extracted IOC and configuration value immediately pivotable, so users can find further malware associated with the same threat actor or behaviour.
Enhancing Dynamic Analysis
Backscatter helps security teams quickly understand and counter attacks. By combining the IOCs Backscatter extracts with static, dynamic and reputational data, analysts gain a more complete picture of a potential threat and can locate and remove dropped files, block malicious communication and neutralise the attack.
The static analysis capability, available through Google Threat Intelligence, is a useful complement to the dynamic analysis features the platform already offers. The combination gives users the advantages of both methodologies, a more thorough threat intelligence strategy and a stronger security posture.
Backscatter in GTI and VirusTotal
Backscatter is available to Google SecOps customers through VirusTotal Enterprise and its long-term successor, the Google Threat Intelligence platform. Labelling a file as malicious is helpful, but defenders gain actionable knowledge when the threat is characterised more precisely. A higher-confidence attribution to a malware family lets capabilities and behaviours be inferred from prior reporting without manual investigation.
Embedded data such as C2 servers, campaign identifiers, file locations and registry keys gives analysts more background on a particular event. By offering pivots to related IOCs, reports and threat actor profiles, Google Threat Intelligence helps connect that event to related activity. This extra context lets defenders search their environments and broaden clean-up efforts.
Because Backscatter extracts data from malware statically, it can handle files that target many environments, operating systems and execution methods. The DOUGHNUT malware sample in the preceding example, for instance, is x86 shellcode, which a sandbox could not run directly.
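To make concrete what static extraction of embedded IOCs involves, here is an added example written for this article; it is not Backscatter's or Google's code and makes no claim about how Backscatter works internally. It scans a constructed byte blob (standing in for an unpacked sample; all strings in it are invented and use reserved documentation names) for the artefact types the text names, namely C2 URLs and IPs, file locations and registry keys, and then brute-forces single-byte XOR keys to recover a string the sample hides from plain string dumps. Nothing is executed, which is the point: the same pass works on shellcode or memory dumps that a sandbox cannot run.

```python
import re
from typing import Dict, Set


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (used to build the sample and to decode it)."""
    return bytes(b ^ key for b in data)


XOR_KEY = 0x5A  # constructed: key used to hide one of the sample's C2 strings

# Constructed stand-in for an unpacked malware body. Not a real sample: the header
# bytes, indicators and XOR-hidden string were all written for this example.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"http://c2.example.invalid/gate.php\x00"
    + b"198.51.100.7:8080\x00"
    + b"C:\\Users\\Public\\update.exe\x00"
    + b"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + xor_bytes(b"https://backup.example.invalid:8443/\x00", XOR_KEY)
    + b"\x00" * 8
)

# Byte-level patterns for the embedded artefact types discussed above. They run on
# raw bytes so no decoding step is needed before matching.
PATTERNS = {
    "urls": re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d{1,5})?(?:/[\x21-\x7e]*)?"),
    "ipv4": re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "paths": re.compile(rb"[A-Za-z]:\\(?:[A-Za-z0-9_ .\-]+\\)*[A-Za-z0-9_ .\-]+"),
    "registry_keys": re.compile(rb"HK(?:LM|CU|CR|U|CC)\\[A-Za-z0-9_ .\\\-]+"),
}

# Patterns long and specific enough to trust on XOR-decoded candidates; short
# patterns such as drive paths produce noise when 255 decodings are tried.
STRONG = ("urls", "registry_keys")


def extract_iocs(blob: bytes) -> Dict[str, Set[str]]:
    """Return the indicator strings present verbatim in a byte blob, grouped by type."""
    return {
        name: {m.decode("ascii", "replace") for m in pat.findall(blob)}
        for name, pat in PATTERNS.items()
    }


def find_single_byte_xor_iocs(blob: bytes) -> Dict[int, Dict[str, Set[str]]]:
    """Try every single-byte XOR key and report the keys whose decoding reveals a
    strongly anchored indicator. Key 0 is the plaintext, already covered by
    extract_iocs, so it is skipped."""
    hits: Dict[int, Dict[str, Set[str]]] = {}
    for key in range(1, 256):
        found = {
            name: iocs
            for name, iocs in extract_iocs(xor_bytes(blob, key)).items()
            if name in STRONG and iocs
        }
        if found:
            hits[key] = found
    return hits


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_BLOB).items():
        print(f"{kind:14s} {sorted(values)}")
    for key, found in find_single_byte_xor_iocs(SAMPLE_BLOB).items():
        print(f"xor key 0x{key:02X} {found}")
```

Running the script lists the four plaintext indicators and then reports the second C2 URL under key 0x5A. In practice the extracted values feed exactly the pivots and blocklists described in the text, which is why static extraction is valuable even for samples that never execute in a sandbox.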
Backscatter in the Field
Mandiant Managed Defence uses Backscatter to identify and analyse rapidly evolving malware families faster and more accurately, which lets it scope threat activity and give clients relevant context sooner. Backscatter aims to provide actionable threat intelligence that supports security teams and protects customers against everything from ransomware operations to distribution campaigns that provide initial access for targeted attacks by state-sponsored actors.
One such threat group is UNC2500, which spreads malware mainly through email attachments and links to compromised websites. Because Backscatter supports several of the malware families this group uses, including QAKBOT and DARKGATE, Managed Defence clients can proactively block the IOCs Backscatter extracts.
Looking Ahead
Backscatter reflects Google SecOps’ commitment to providing state-of-the-art resources against cyberthreats. By offering a fast and effective way to extract IOCs through static analysis, it helps security teams stay ahead of attackers. Google Threat Intelligence customers can strengthen their defences and protect their valuable assets by integrating Backscatter into their workflow.