Information about references
Special privileges required
References are only available to users with the Threat Landscape module.
A reference represents an analysed URL with extracted IoCs, sometimes it is related to a collection, or a set of IOCs.
Object Attributtes
author: <string> author of the reference.autogenerated_summary:<string> Autogenerated summary of the reference by ML.collections_count:<int> Number of collections associated with the reference.creation_date: <integer> creation date of the reference (UTC timestamp).description:<int> Description of the reference.domain_count:<int> Number of domains extracted from the reference.files_count:<int> Number of files extracted from the reference.iocs_count:<int> Number of IoCs extracted from the reference.ip_addresses_count:<int> Number of ip_addresses extracted from the reference.last_modification_date: <integer> date when the reference was last updated (UTC timestamp).recent_activity_relative_change:<float> Ratio of change between the last two "recent activity" periods. Note: "recent activity" periods are comprised of 14 days.recent_activity_summary:<list<int>> List of integers with the aggregated activity of the IoCs of the collection for the last 14 days. Note: the aggregated activity consider #lookups plus #submissions.source_region: <string> Suspected source region of the activity described in the Reference. ISO 3166 Alpha2 - code.sponsor_region: <string> Suspected region sponsoring activity described in the Reference. ISO 3166 Alpha2 - code.tags:<list<string>> List of tags extracted from the Reference. Note: it also includes CVEs.targeted_industries: <list of strings> collection's targeted industries.targeted_regions: <list of strings> collection's targeted regions. ISO 3166 Alpha2 - code.threat_actors_count:<int> Number of threat_actors associated to the IoCs extracted from the reference.threat_categories:<list<string>> List of threat categories derived from the IoCs of the Reference.title: <string> title of the reference.url: <string> URL of the reference.urls_count:<int> Number of urls extracted from the reference.
{
"data": {
"attributes": {
"author": <string>,
"autogenerated_summary": <string>,
"collections_count": <int>,
"creation_date": <int>,
"description": <string>,
"domains_count": <int>,
"extracted_entities": <json>
"files_count": <int>,
"iocs_count": <int>,
"ip_addresses_count": <int>,
"last_modification_date": <int>,
"recent_activity_relative_change": <float>,
"recent_activity_summary": <list<int>>,
"source_region":<string>,
"sponsor_region":<string>,
"tags": <list<string>>,
"targeted_industries": [<string>],
"targeted_regions": [<string>],
"threat_actors_count": <int>,
"threat_categories": <list<string>>,
"title": <string>,
"url": <string>,
"urls_count": <int>,
},
"type": "reference",
"id": <string>,
"links": {
"self": "https://www.virustotal.com/api/v3/references/<id>"
}
}
}
{
"data": {
"attributes": {
"autogenerated_summary": "ESET researchers have discovered a Linux backdoor that is likely linked to the Lazarus Group, a North Korean state-sponsored threat actor. The malware, dubbed SimplexTea, was found in a supply chain attack targeting 3CX VoIP software.\n\nSimplexTea is a modular backdoor that can be used to steal data, download and execute additional payloads, and establish persistence on the victim's system. It is similar to the SIMPLESEA macOS malware that was used in the 3CX attack, and it also uses the same C&C infrastructure.\n\nThe discovery of SimplexTea provides further evidence that Lazarus is using Linux malware in its attacks. This is a worrying development, as it suggests that the group is expanding its capabilities and becoming more sophisticated.\n\nESET researchers have released a YARA rule that can be used to detect SimplexTea. Organizations that use 3CX VoIP software should take steps to protect themselves from this threat.",
"threat_categories": [
"trojan",
"pua"
],
"recent_activity_relative_change": -0.06403162055335965,
"tags": [],
"ip_addresses_count": 4,
"domains_count": 6,
"url": "https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/",
"creation_date": 1681948800,
"iocs_count": 24,
"score": 1.0,
"urls_count": 1,
"recent_activity_summary": [
131,
78,
137,
89,
77,
28,
28,
194,
49,
35,
421,
840,
256,
5
],
"collections_count": 1,
"last_modification_date": 1682299863,
"title": "Linux malware strengthens links between Lazarus and the 3CX supply‑chain attack",
"threat_actors_count": 0,
"files_count": 12,
"targeted_industries": ["Finance"],
"targeted_regions": ["US"],
"source_region":"US",
"sponsor_region":"US",
},
"type": "reference",
"id": "89d249dbe7e35d856e285752de8e016486c587f9e7fb4f51cd752c630bfac1de",
"links": {
"self": "https://www.virustotal.com/api/v3/references/89d249dbe7e35d856e285752de8e016486c587f9e7fb4f51cd752c630bfac1de"
}
}
}
Relationships
In addition to the previously described attributes, reference objects contain relationships with other objects in our dataset that can be retrieved as explained in the Relationships section.
The following table shows a summary of available relationships.
| Relationship | Return object type |
|---|---|
| collections | List of Collections |
| domains | List of Domains |
| files | List of Files |
| ip_addresses | List of IP addresses |
| threat_actors | List of Threat Actors |
| urls | List of URLs |
| submitter | Submitter of the references Submitter |