VMRay Platform v4.0.0: Link Detonation, Smart Caching, Enhanced IOC Extraction, and more

Sep 08th 2020

With the September release of VMRay Platform v4.0.0, we’re pleased to introduce significant improvements to all three of our products: Analyzer, Detector, and Email Threat Defender (ETD), particularly in matters related to handling malicious links. These enhancements include:

  • The launch of a powerful and unique new method of dynamic analysis of links at the time-of-delivery rather than time-of-click. This analysis includes link detonation of select links based on a set of heuristics for dynamic analysis in addition to VMRay’s existing attachment scanning. This powerful new capability has been added to all three of VMRay’s products but is used to the greatest effect in ETD.
  • Inbox Protection for Office 365: automatically move malicious emails to a quarantine folder
  • Introduction of smart caching to determine how to handle re-submissions to guarantee the best results.
  • An aggregated display of IOCs and enhanced IOC extraction
  • Introduction of a “Dark Mode” web interface

Further, VMRay Platform v4.0.0 offers several improvements to our products’ performance, platform management features, and UX. Several of these improvements are summarized below and the complete list will be available in the 4.0 release notes.

 

Time-of-Delivery Phishing Protection

One of the most interesting features in version 4.0.0 is related to the analysis of malicious links in emails, a major attack vector for malware authors because links are an easy and flexible way to deliver malicious content. A link can entice a user to click and download a malicious file, or send the user to a phony form page that resembles a popular page, such as PayPal, in order to fool them into submitting their personal information to a fraudulent site.

VMRay Platform v4.0.0 features automated link detonation in all three of our products – Analyzer, Detector, and Email Threat Defender (ETD). URLs contained in files, emails, and email attachments are now dynamically analyzed without any manual user interaction, allowing a fully-automated workflow to determine if the link is malicious.

Currently, many email security vendors rely on performing a reputation check on incoming emails and rewriting unknown URLs to point to a “safe link.” When users click on this modified safe link URL, they are redirected to a vendor Web proxy while the URL is scanned and shown a temporary message window informing them of the scan. For example, this is the message window shown to users of Office 365:

 

 

After scanning, if the connection is found to be malicious, the connection is blocked. While the time-of-click analysis method allows scanning the link only when the user accesses the web page, it also has several shortcomings, including:

  1. Links are not detonated if they are contained within file attachments, leaving users vulnerable to common phishing techniques.
  2. Links from “safe domains”, such as “Google.com”, are usually only subject to a reputation check and not detonated or analyzed, opening up the possibility of users being redirected to an alternate, malicious link after clicking.
  3. Reduced productivity as clicking on a “safe link” can result in a delay of several minutes while the URL is analyzed.
  4. Late detection, at time-of-click, reduces the ability to detect and possibly block similar attacks.
  5. A false sense of security can settle into place when the security program is actually easily bypassed by various methods.

VMRay’s unique advantage to address these shortcomings is detonating links in emails, as well as email attachments, at the time-of-delivery rather than time-of-click. When emails and documents are received, the VMRay Platform performs static and reputation analysis on all extracted links and, based on over 30 heuristics, determines if detonation is necessary. Links are detonated in this manner to avoid inadvertently triggering adverse side effects, such as unsubscribing a user from a mailing list.
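To make the side-effect concern concrete, here is an added example (not VMRay code, and not one of the platform's heuristics) of a delivery-time triage step that extracts links from a message and holds back those that look like one-click unsubscribe actions. The two skip rules, the keyword list and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Assumed rule: path keywords that suggest a one-click action with side effects.
SIDE_EFFECT_HINTS = ("unsubscribe", "optout", "opt-out")

# Constructed sample message (all hosts are placeholders).
SAMPLE_EMAIL = """\
From: news@example.com
To: user@example.org
Subject: Invoice update
List-Unsubscribe: <https://lists.example.com/u/abc123>, <mailto:leave@example.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Your invoice is ready: https://files.example.net/invoice/view?id=42
Manage preferences: https://lists.example.com/unsubscribe?u=abc123
Stop these mails: https://lists.example.com/u/abc123
"""

def extract_links(msg):
    """Collect unique http(s) URLs from every text part, in order of appearance."""
    links = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        raw = part.get_payload(decode=True) or b""
        text = raw.decode(part.get_content_charset() or "utf-8", "replace")
        for url in URL_RE.findall(text):
            url = url.rstrip(".,;)")
            if url not in links:
                links.append(url)
    return links

def triage(raw_email):
    """Map each link to 'detonate' or a skip reason (skipped links still get static checks)."""
    msg = message_from_string(raw_email)
    # URLs the sender itself declares as unsubscribe endpoints (RFC 2369 header).
    declared = set(URL_RE.findall(msg.get("List-Unsubscribe", "")))
    decisions = {}
    for url in extract_links(msg):
        if url in declared:
            decisions[url] = "skip: declared in List-Unsubscribe"
        elif any(h in urlsplit(url).path.lower() for h in SIDE_EFFECT_HINTS):
            decisions[url] = "skip: side-effect keyword in path"
        else:
            decisions[url] = "detonate"
    return decisions
```

Calling `triage(SAMPLE_EMAIL)` marks the invoice link for detonation and holds back both unsubscribe links, one because the header declares it and one because of its path.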

 

 

Enhanced Email Security With VMRay ETD

A new feature in this release is ETD. VMRay Platform v4.0.0 now has built-in integration with Office 365. Just a few clicks and it’s all set. With this seamless integration, when a link is determined to be malicious, the email is marked as such and filtered to the junk folder. This time-of-delivery analysis closes the gaps in existing email security solutions listed above.

With ETD, links that are contained in the attached documents are analyzed, even if the file is password-protected, as in the screenshot below: 

 

 

Analysis and Detection 

VMRay Platform v4.0.0 also features several enhancements to our analysis workflow. This latest release includes Smart Caching to more effectively handle re-submissions. With this new feature, customers can enable caching mode so when a file is re-submitted, heuristics are run to see if the file should be analyzed again to guarantee the best results. If enabled, users will receive the following message if the file has already been submitted:

 

 

Building on a feature in our previous release which distinguishes IOCs from artifacts, IOCs are now aggregated across the analysis reports of each sample and displayed on one page as shown in the screenshot below:

 

 

The VMRay Platform v4.0.0 also features enhanced IOC extraction, giving users the ability to extract network artifacts from the process command line and to extract artifacts from obfuscated macros.

In addition, the WHOIS service is now built-in as part of our reputation analysis for all customers, including on-premises.

 

 

UX / UI Enhancements

And here’s some welcome news for SOC teams working long hours. With 4.0, in addition to our standard interface, users can now opt instead to view the interface in “dark mode” to reduce eye strain and make it easier to stay focused on their work. “Dark mode” can be set by going to “Profile → Preferences” and is displayed as shown below:

 

 

The Platform WebUI has been refreshed with a new glossary, and our entire scoring system for submitted samples, as well as IOCs, has been simplified and improved. The system no longer uses a numerical score to determine potential harm and instead renders a direct “Verdict.” In this new system, samples, submissions, analyses, and IOCs are each determined to be “Malicious”, “Suspicious”, “Clean”, or “Not available.” The previous numerical system (VTI Score) has been removed from the UI and is only available in the API for backward compatibility.

 

 

Users can also now download analysis reports as PDFs and brand them with their company’s own logo as shown in the screenshot below:

 

 

In addition to these features and changes, we’ve introduced the following enhancements:

  • Dynamic analysis of Excel 4.0 macros
  • Support for Hancom Office, a productivity app popular in East Asia.
  • The addition of PE signature support, reducing the risk of triggering a false positive when analyzing applications and installers from trusted vendors.
  • Enabling the sharing of YARA rulesets among users, as well as managing YARA via API.
  • A simplified, restructured menu that allows managers to configure default settings for all users

We are excited about these new additions and others to VMRay Platform v4.0.0. VMRay customers can access a complete list of the new v4.0.0 features in the changelog within their VMRay account. Not a VMRay customer, and want to put our Platform to the test? Start your 30-day trial today.
