Enterprise Security Takes a Big Leap Forward with VMRay Analyzer 3.1

Jul 23rd 2019

With the latest release of our flagship platform for malware analysis, VMRay Analyzer 3.1, we are enhancing enterprise security in four broad areas: providing greater platform coverage, improved scalability, additional access security, and greater detection efficacy.

In Version v3.1 we have:

  • Mapped malicious behavior to the industry-standard MITRE ATT&CK framework, facilitating broad cross-platform interoperability and automation
  • Added macOS dynamic analysis verdicts and added new filetype support for macOS
  • Delivered unprecedented scalability with the VMRay Detector option to VMRay Analyzer
  • Introduced support for Two-Factor Authentication (2FA) for enhanced login security and regulatory compliance

 

Reinforcing VMRay’s Market Leadership

In this post, we briefly describe these significant new capabilities, which reinforce VMRay’s position as a market leader in enterprise automated malware analysis and detection. Built on a hypervisor-based monitoring approach, VMRay Analyzer delivers unparalleled detection efficacy with full visibility into malware behavior, combined with evasion resistance and noise-free analysis results.

 

 

The platform’s Now, Near, Deep architecture combines our dynamic analysis engine with the strengths of a built-in rapid reputation service and our own static analysis engine. The result: VMRay Analyzer empowers enterprise security teams to handle larger analysis volumes, speed up detection and improve the productivity and efficiency of security personnel and infrastructure.

 

MITRE ATT&CK Framework Mapping

The MITRE ATT&CK framework is a standardized set of malware tactics and techniques based on real-world data. With the mapping of our existing VMRay Threat Indicators (VTI) to this framework, enterprise security teams can now build a common knowledge base to drive Incident Response (IR) and threat hunting, using a consistent model across diverse products in the security ecosystem. The techniques and tactics span Windows and macOS platforms, both of which are supported by VMRay Analyzer.

Figure 1 below shows the detail-rich overview page of a VMRay Analysis Report on a piece of malware found running on a Windows x86-32 machine.  From top to bottom, the overview displays:

1) The malware analysis severity score (100/100) and classification (Spyware)

2) VMRay Threat Indicators, listed from most severe to less severe

3) Key screenshots captured during the analysis

4) A process flow graph showing monitored malware processes

5) An expanded view of the matrix of MITRE ATT&CK techniques. Techniques triggered by this particular sample are highlighted.

 

VMRay Analyzer 3.1 Report Overview

Figure 1: VMRay Analysis Report highlighting the MITRE ATT&CK Techniques triggered by a sample file

 

As Figure 2 shows below, a user can click on a highlighted attack technique in the analysis report (see the red box) to view added details about the technique and the VTI rules/Threat Indicators mapped to it.

 

MITRE ATT&CK Mapping - VMRay Analyzer

Figure 2: Details about a specific MITRE ATT&CK Technique triggered by a sample file

 

We extended our search interface so users can search for malware samples that trigger a specific ATT&CK technique. (See Figure 3.) This enables users to gain insights into the correlation between malware samples and to identify and flag the techniques that are encountered most frequently — thereby strengthening defensive responses.

 

Extended Search - MITRE ATT&CK

Figure 3: Extended Search for malicious executables that use Process Injection

 

macOS Analysis Verdict and Java Support

VMRay can both ‘Analyze’ and ‘Detect’ malware.  In VMRay Analyzer v3.0, we introduced the first half of that combination for macOS: comprehensive analysis of macOS executables and app bundles, enabling security teams to better secure heterogeneous IT operating environments. By adding severity scores for macOS malware and support for JAVA files we now also offer the high-volume ‘Detect” aspect, which goes hand-in-hand with automating protection and response.

VMRay’s expanded capabilities for macOS include:

  • Automated submission of macOS executables, app bundles and Java files for analysis via the UI or a REST API
  • Detailed function logs, with full visibility into the behavior of macOS malware
  • Detection of macOS-specific sandbox evasion techniques and persistence mechanisms
  • Detailed Network Analysis Information
  • Information about Created, Modified and Embedded Files
  • YARA Rule matching
  • Sample Severity Scores (from 0 to 100), based on a sample’s behavior

 

macOS Verdict - VMRay Analyzer

Figure 4: Analysis Results of a Java Archive on macOS; Severity: Malicious, Dynamic Analysis Score: 100/100

 

Working in Tandem with VMRay Detector for High-Precision Threat Detection at Scale

While VMRay Analyzer is designed for comprehensive, in-depth malware analysis and detection, VMRay Detector integrates with high-volume sources, such as web and email gateways to provide rapid, highly accurate malware detection for high-volume, automated use cases. Both VMRay Analyzer and Detector use our underlying ‘Now, Near, Deep’ architecture, shown below in Figure 5.

 

VMRay's Now, Near, Deep Architecture

Figure 5: VMRay’s Now, Near, Deep Architecture

 

Known malicious or suspect files are submitted to a multi-layered analysis process wherein they are scrutinized by a rapid reputation engine and our static analysis engine, which identifies active elements such as embedded macros and URLs.  In the final step, files that cannot be verified as benign are submitted to the malware sandbox for dynamic analysis of their behavior.

Some of the key differences between VMRay Analyzer and Detector are summarized in the table below.

With Version 3.1, security teams can now use VMRay Analyzer and Detector in tandem, with each product having its own separate quota. For any results provided by Detector, security team members have the option to unlock the corresponding in-depth analysis reports by tapping into the Analyzer license quota.

 

VMRay Detector Reports Locked

Figure 6: Detector provides high-level results. When needed, detailed analysis reports can be unlocked using the Analyzer license

 

Two-Factor Authentication (2FA)

Secure access is one of the biggest challenges facing enterprises today. By adding an additional security layer for access, 2FA significantly decreases the possibility of an end user’s account being compromised. In tandem with their account password, Version 3.1 users can enable 2FA and use a Time-based, One-Time Password (TOTP) token–generated from another device–to access their VMRay account. Popular 2FA apps such as Google Authentication or Duo can be used to scan and generate codes required for authentication. Very often, enterprises also require some form of 2FA to achieve regulatory compliance.  Our latest release ensures they can enforce 2FA across the organization.

 

Setting up 2FA in VMRay

Figure 7: Setting up 2FA for the VMRay platform

 

2FA Login Screen

Figure 8: Logging in after setting up 2FA

 

Additional Enhancements

With Version 3.1 we have continued to build on our enhanced
memory dumping process using smart triggers
and have made significant improvements related to process injection. Smart memory dumping provides smaller, more relevant memory dumps that can help, for example, in the analysis of a packed malware executable that unpacks itself at run time.

In addition, detection efficacy has been enhanced through a much broader application of YARA rules and an improved ability to analyze and unpack archive files. We have also made many User Experience improvements to make it easier to peruse and navigate through analysis reports and drill down into the low-level analysis details. There are also several new detections and anti-evasion behavioral rules baked into this release.