VMRay Blog

Earlier this year, in one of our blog posts we covered GuLoader, a downloader outfitted with advanced anti-analysis techniques that has delivered FormBook, NanoCore, LokiBot, and Remcos among others. Recently, we’ve observed GuLoader delivering AZORult. Active for many years, AZORult is an information stealer that has seen many iterations and
10/21/2020: The classification of the malware in this Threat Spotlight has been corrected from “Ave_Maria” to “Warzone RAT”. The source of the distinctive “Ave_Maria” substring can be attributed to the open-source TinyNuke malware, which was reused in some Warzone RAT samples. In TinyNuke the string “AVE_MARIA” is transmitted in the
When users submit a file or URL to VMRay for analysis, they are usually most interested in answering the question “Is this malware? Yes or no.” Prior to our most recent 4.0 release, this question was answered in the VMRay Platform with a severity score (or VTI Score, explained here).
Expanded Alliance Extends Distribution Agreement with Ingram Micro for Fast-Growing Provider of Malware Analysis and Detection Solutions Boston, MA – March 3, 2021 – VMRay, a provider of automated malware analysis and detection solutions, today announced it has expanded its strategic alliance with Ingram Micro Inc., the world’s largest distributor
Kernel-mode malware is among the most difficult to detect and remove. In this post—condensed from a SANS webcast featuring SANS analyst Jake Williams and VMRay Sr. Threat Researcher Tamas Boczan—we present an introduction to kernel-mode rootkits, explaining why attackers use them, how they bypass mitigations built into Windows and break
A Fresh Look at an Old Problem Formbook is a well-known malware family of data stealers and form grabbers. Sold as “malware-as-a-service” on hacking forums since early 2016, anyone so inclined can purchase a subscription and use the Formbook tool. It is usually distributed using malspam containing malicious attachments and
The Re-Emergence of Qbot After more than a decade in operation, the Qbot Trojan is back in the news. A modified version of the malware which now extracts email threads from Outlook to use in phishing attacks was used in a prominent campaign that ran from March to the end

Bochum, Germany – Sept 15, 2020 – VMRay, a provider of automated malware analysis and detection solutions, today announced that it has signed a strategic partnership with Sababa Security, a cybersecurity vendor based in Milan, Italy. The new agreement will enable Sababa Security to integrate VMRay’s solutions into its security

Bochum, Germany – Sept 9, 2020 – VMRay, a provider of automated malware analysis and detection solutions, today announced that it has signed a strategic reseller partnership with Deepcase, a provider of threat hunting, Digital Forensics and Incident Response (DFIR), and other threat intelligence services headquartered in Ankara, Turkey. The
With the September release of VMRay Platform v4.0.0, we’re pleased to introduce significant improvements to all three of our products ‑ Analyzer, Detector, and Email Threat Defender (ETD), particularly in matters related to handling malicious links. These enhancements include: The launch of a powerful and unique new method of dynamic
Leading Malware Analysis Solution Available Via Anomali ThreatStream Opens the Door for Security Teams to Unlock Unprecedented Threat Intelligence and Visibility Boston, MA – September 2, 2020 – VMRay, a provider of automated malware analysis and detection solutions, today announced a free-of-charge offering to all Anomali ThreatStream customers. The offering
Targeted ransomware is a common occurrence nowadays. Recently Garmin confirmed to have been the target of a ransomware attack on July 23, 2020, which led to the interruption of many of their online services. According to Bleeping Computer, the ransomware has been confirmed to be WastedLocker. The article goes on
Leading Malware Analysis & Detection Provider Signs Agreement with India’s Fastest Growing Value-Added Distributor Bochum, Germany – Aug 26 2020 – VMRay, a provider of automated malware analysis and detection solutions, today announced that it has signed a strategic distribution partnership with RAH Infotech, one of India’s fastest-growing value-added distributors
If you are of a certain age, you might remember Mad Magazine’s satirical Spy v. Spy comic strip in which two agents – one dressed completely in white and the other in black – would try and outwit and annihilate each other on a weekly basis. Malware authors and the
In this Malware Analysis Spotlight, the VMRay Labs Team will examine MassLogger, a Spyware/Stealer that was first publicly observed in-the-wild at the end of April. During our analysis, we monitored a significant amount of behavioral matches for techniques that MassLogger uses to discover the host machine and to steal sensitive
After a long time of being inactive, the infamous malware delivery framework Emotet is back – the three Emotet botnets started pushing malicious spam on Friday, July 17. In this Malware Analysis Spotlight, we will take a look at one of the Microsoft Word documents used in the campaign (Figure
This blog post was originally posted on Dark Reading. To truly understand cybersecurity trends, we must look beyond the headlines and ask more of the data. What you learn might surprise you. For the past 13 years, Verizon’s “Data Breach Investigations Report” (DBIR) has been the industry’s definitive resource for
Editor’s Note: This blog post was updated on August 10, 2020. Over the last couple of months, we observed a new downloader called GuLoader (also known as CloudEyE) that has been actively distributed in 2020. In contrast to prototypical downloaders, GuLoader is known to use popular cloud services such as
A Primer on Spyware-as-a-Service The rise in spyware-as-a-service allows cyber-criminals to choose a specialty, whether improving spyware, infecting users, or maximizing the profit derived from stolen information. The business model for spyware-as-a-service starts with an individual or team developing the initial spyware and standing up any necessary infrastructure that
In the world of malware analysis, there is sometimes confusion between the terms “artifacts” and “indicators of compromise (IOCs).” This is understandable because many malware analysis engines don’t distinguish between the two. First, let’s define the terms. When a malware sandbox dynamically analyzes a threat, it collects pieces of forensic
In this Malware Analysis Spotlight, the VMRay Labs Team looks at the behavior of a phishing site distributed through an SMS message. Based on the content of the SMS message, this does not seem to be part of a targeted attack but rather part of a massive phishing campaign that aims
Living off the Land Binaries – aka LOLBins – represent one of the more creative and insidious malware threats today. Attackers use LOLBins to evade detection by manipulating legitimate systems and processes for malicious purposes. In this post—condensed from a SANS webcast featuring SANS Analyst Jake Williams and VMRay Sr.
In April 2020, the systems of Portuguese multinational energy giant Energias de Portugal (EDP) were encrypted by RagnarLocker Ransomware. The operators of RagnarLocker demanded a ransom of 1580 Bitcoin ($10.9M). Based on the ransom notes left on EDP’s systems (Figure 1) which directly mentioned the company, it’s clear that it
In our previous blog post, we showed how hypervisor-based API monitoring can achieve accurate logging of API calls at high performance, resulting in a more detailed view of the malware’s internal behavior. In this blog post we show three practical examples of how this more detailed view can be used

Below is a short video highlighting the importance of investing in cyber security at a time when more employees are working from home. By protecting company infrastructures from attacks that exploit their vulnerabilities, cyber security has become a key component in preventing malicious attacks from succeeding.

In this Malware Analysis Spotlight, the VMRay Labs Team examines the behavior of Rhino Ransomware (first identified in April 2020). This sample was found by Twitter user @GrujaRS on May 4th. View the VMRay Analyzer Report As a first step, before it encrypts user files, the ransomware disables various services: wscsvc
Healthcare facilities around the world are under overwhelming pressure right now as the COVID-19 pandemic is straining every facet of their organizations. Adding to this challenge is the fact that criminal organizations are showing no signs of letting up. INTERPOL warned that cybercriminals are increasingly attempting to ‘lockout hospitals out
Leading Malware Detection Provider Signs First European Distributor Agreement to Expand Global Footprint and Support Double-Digit Sales Growth Bochum, Germany – May 6, 2020 – VMRay, a provider of automated malware analysis and detection solutions, today announced that it has signed a strategic distribution partnership with ectacom GmbH, a leading
It’s true all over the world – large enterprise organizations want flexibility and choice in where their data is stored. This is especially true in regulated industries such as health care, finance, and government that are bound by regulation and compliance to have control over where their data resides. For
With the April rollout of VMRay Platform Version 3.3, we’re introducing major enhancements to our advanced threat detection and analysis solutions: A new naming convention – VMRay Platform – articulates the unified nature of our solutions, core technology, and individual products: VMRay Analyzer, VMRay Detector, and VMRay Email Threat Defender.
In designing systems, engineers often must navigate between two extremes. Resources are finite and compromises must be made between making something operate slowly and thoroughly or fast and recklessly. But what if a system could be both fast and accurate? Because of VMRay’s entirely hypervisor-based technology, it has the ability
Noted Industry Veterans from Kaspersky and Symantec Join Fast Growing Malware Analysis Provider to Support Market Expansion Bochum, Germany and Boston, MA – April 16, 2020 – VMRay, a provider of automated malware analysis and detection solutions, today announced the addition of two cybersecurity veterans to its executive ranks with
This post was updated on October 9, 2020 Please note: VMRay has recently simplified malware identification within our Platform with the Verdict system (read more about it here). This new Verdict system reduces the number of possible malware grading identifiers from eight to four (“Malicious”, “Suspicious”, “Clean”, and “Not Available”)
This post was updated on April 3, 2020 to reflect Zoom’s response. It seems like overnight half the world switched to working from home and depending on Zoom for daily human interaction. Our own team is no exception, so it came as a surprise that the widely-used application installs itself
The global pandemic, and associated economic downturn, has created a new reality where our customers are now supporting a large remote work force, vastly increasing the available attack surface for threat actors. In addition, COVID-19 has opened up a whole new arena of themed scams and malware. In the face
As a senior executive for a malware analysis and detection provider, I get asked one particular question quite often: “can your solution protect against fileless malware?” It’s a confounding question in many respects and one that requires some amount of clarification as to what types of threats they consider to
Taxonomy is the science of naming, defining and classifying groups of biological organisms based on shared characteristics. Fundamentally it’s an organization scheme that has allowed scientists to study organisms without confusion or overlap since the Swedish naturalist Carl Linnaeus introduced his framework for a uniform naming system more than 300
In this short video, we will demonstrate how security teams can leverage the mapping of VMRay’s analysis results to the MITRE ATT&CK framework for more effective incident response. ATT&CK is the industry-standard framework and knowledge base of adversary tactics and techniques, threat groups, and related software and tools. The entire
VMRay Makes its Leading Malware Analysis & Detection Platform Available to VARs and MDRs to Meet Growing Market Demand for Effective Security Against Advanced Threats Bochum, Germany – Feb 18, 2020 – VMRay, a leading provider of automated malware analysis and detection solutions, today announced the launch of the VMRay
The past decade has been one of unprecedented transformation, innovation, and uncertainty in the enterprise cybersecurity market. Five years ago, the Russian hacking group known as Sandworm succeeded in shutting down three power plants in Ukraine for several hours and demonstrated how targeted attacks could potentially disrupt the lives of
“Our analysts are really good at making decisions if they have the data to make that decision.” – Tyler Fornes, Sr. Response & Detection Analyst at Expel In this Risky Business podcast, host Patrick Gray interviews one of VMRay’s most forward-looking customers: Tyler Fornes, Senior Detection and Response Analyst for
View the VMRay Analyzer Report for ZeroCleare “ZeroCleare” is a new strain of malware discovered by IBM X-Force Incident Response and Intelligence Services (IRIS) this past December. In the 28-page report, the IRIS Team revealed that ZeroCleare was used to execute an attack on Middle East organizations in the energy
With the recent release of VMRay Analyzer Version 3.2, we have repackaged and enhanced our already robust REST API. These enhancements add more automation and scalability to malware analysis, detection, and result-sharing across heterogeneous environments. VMRay’s portfolio of out-of-the-box integrations and connectors built with our REST API, enables partners to
In VMRay’s first major product release since completing our Series B funding, we’ve introduced significant enhancements to VMRay Analyzer Version 3.2, our flagship platform for automated malware analysis and detection. Among the key capabilities announced, Version 3.2 expands and automates email analysis while complementing email protections already in place in
“Context is everything” goes the age-old adage. Malware has evolved in a variety of ways over the past few years but threat actors have increasingly focused more of their development efforts on making their malware sensitive to context in order to better identify and evade sandbox and analysis environments. In
A year ago this fall, we introduced the VMRay Analyzer IDA plugin for IDA Pro disassembler and decompiler. With Version 1.0 of the plugin (nicknamed IDARay), malware analysts and DFIR teams could use the output of VMRay Analyzer to enrich IDA Pro static analysis with behavior-based data. The plugin sped
According to Forrester, there will be 2 million job vacancies in the cybersecurity sector by 2022. This reality is the impetus for greater efficiency and achieving a significant improvement in the “signal to noise” ratio that security teams are dealing with. Automating malware analysis and detection on a large scale
This week, VMRay CEO & Co-Founder, Carsten Willems was a guest on the latest episode of the Risky Business Podcast. Carsten spoke with host Patrick Gray about VMRay’s supporting role in Endgame and MRG Effitas’ Static Machine Learning Evasion Contest at DEF CON this year. The contest required participants to
On September 16, VMRay announced it has closed its Series B round of funding in the amount of $10 million (€9 million), led by Digital+ Partners, one of the leading technology growth equity firms in Europe. To mark this milestone, VMRay co-founder Dr. Carsten Willems sat down with Chad Loeven,
Digital+ Partners Leads New Funding Round in Growing Automated Malware Analysis & Detection Provider to Combat Latest Advanced Threats and Support Market Expansion Bochum, Germany – VMRay, a provider of automated malware analysis and detection solutions, today announced that it has closed its Series B round of funding in the
In July, VMRay released version 3.1 of VMRay Analyzer, our flagship platform for automated malware analysis and detection. Among several major enhancements, 3.1 mapped our existing VMRay Threat Indicators (VTIs) to MITRE ATT&CK, the industry-standard framework and knowledge base of adversary tactics and techniques, threat groups, and related software and
It was a busy week for the VMRay Team at this year’s Black Hat Conference. Our CEO and Co-Founder, Carsten Willems sat down for an interview with Paul Asadoorian, host of the Security Weekly podcast. Carsten expanded upon his March interview with Security Weekly where he talked about the core
In order for SOC Teams to be more effective, they need access to rich sources of threat intelligence in order to gain visibility and insight into potential threats. At VMRay, our goal is to make the sharing of threat data from each analysis easy. An update to our connector for
The content covered in this blog post is based on my Objective By the Sea talk “Hypervisor-Based Analysis of macOS Malware”. You can access the slides from my presentation here. A Growing Threat and a Dearth of Tools Compared to Windows, macOS accounts for only a small percentage of all malware,
With the latest release of our flagship platform for malware analysis, VMRay Analyzer 3.1, we are enhancing enterprise security in four broad areas: providing greater platform coverage, improved scalability, additional access security, and greater detection efficacy. In Version v3.1 we have: Mapped malicious behavior to the industry-standard MITRE ATT&CK framework,
Intelligent Monitoring captures everything that’s relevant and only what’s relevant, so your Security Team can focus on what’s most critical & essential. In explaining what had motivated his team to switch to VMRay Analyzer, a customer told us, “It’s not about getting our analysts started with malware analysis. It’s getting
In this era of Ransomware attacks and Zero Day attacks, it’s easy to forget about pervasive threats like Banking Trojans which have been around for some time. These same threats have evolved significantly over the past years, constantly presenting new challenges to security teams. In this post—condensed from a SANS

Ursnif is a group of malware families based on the same leaked source code. When fully executed, Ursnif has the capability to steal banking and online account credentials. In this blog post, we will analyze the payload of a Ursnif sample and demonstrate how a malware sandbox can expedite the

Indicators of compromise (IOCs) are essential pieces of information security teams use to improve detection and response times. With VMRay’s Intelligent Monitoring technology, IOCs extracted from an analysis are noise-free and provide relevant data for teams to import into their existing security tools. Our out-of-the-box integration with ThreatConnect allows you