Move Fast and Don’t Break Things (Part 2): Automated Malware De-obfuscation by Accurate API Monitoring

In our previous blog post, we showed how hypervisor-based API monitoring can achieve accurate logging of API calls at high performance, resulting in a more detailed view of the malware’s internal behavior. In this blog post we show three practical examples of how this more detailed view can be used in real-world malware analysis: getting […]

Move Fast and Don’t Break Things (Part 1): Accurate API Monitoring at High Performance

In designing systems, engineers often must navigate between two extremes. Resources are finite and compromises must be made between making something operate slowly and thoroughly or fast and recklessly. But what if a system could be both fast and accurate? Because of VMRay’s entirely hypervisor-based technology, it has the ability to be both. While traditional […]

Analyzing ZeroCleare’s Behavior Using a Malware Sandbox

View the VMRay Analyzer Report for ZeroCleare

“ZeroCleare” is a new strain of malware discovered by IBM X-Force Incident Response and Intelligence Services (IRIS) this past December. In the 28-page report, the IRIS Team revealed that ZeroCleare was used to execute an attack on Middle East organizations in the energy and industrial sectors. Based on […]

Analyzing Ursnif’s Behavior Using a Malware Sandbox

Ursnif is a group of malware families based on the same leaked source code. When fully executed, Ursnif has the capability to steal banking and online account credentials. In this blog post, we will analyze the payload of an Ursnif sample and demonstrate how a malware sandbox can expedite the investigation process. Access the VMRay […]

Introducing the IDA Plugin for VMRay Analyzer

In this blog post, we’ll walk through the first version of the VMRay Analyzer IDA Plugin, which uses the output of VMRay Analyzer to enrich IDA Pro static analysis with behavior-based data. The plugin adds comments to dynamically-resolved API calls within IDA to show the resolved function, its parameters, return value and timestamp. Logging API […]

Forgotten MS Office Features Used to Deliver Malware

According to Microsoft’s 2016 Threat Intelligence Report, 98% of Office-targeted threats use macros. So, shouldn’t we just focus our efforts on detecting threats that leverage macros? Of course not. Attackers will constantly innovate. Finding ways to bypass existing security solutions and making malware easy to execute are top of mind for an attacker. Exploits are […]

The Evolution of GandCrab Ransomware

[Editor’s Note: This post was updated on July 9th, 2018 with analysis of GandCrab v4] Like legitimate commercial software, commercial malware also needs a viable business model. For ransomware, the most popular business model is now Ransomware-as-a-Service (RaaS). RaaS focuses on selling ransomware as an easy-to-use service, opening up a broader market of non-technical attackers. […]