With the release of version 4.0 last year, the VMRay Platform took a huge leap forward and further solidified itself as the preeminent software for SOC and CERT teams that need automated analysis and detection of advanced threats. Version 4.1 further rounded out the offering with incremental yet significant enhancements, and this trend continues with version 4.2, which features a variety of new features and enhancements, the most important of which we highlight below. Our current customers can find the complete information in the Release Notes for v4.2 which is included with the release.
Encrypted C2 traffic can be an opportunity for attackers to circumvent malware detection and analysis. To address this, we have added automatic decryption of network traffic originated in the detonation environment so that the decrypted information is now presented in both the Web Interface (i.e., Analysis Reports, Network tab, IOCs tab) and the Summary JSON. Decryption is accomplished through a mixture of invisible monitoring of relevant API calls with dumping the memory of relevant processes at the right time.
Almost everyone has been duped by sophisticated social engineering at one point or another. It just looked so real – we mutter to ourselves as we disinfect our computers. Shown below is a typical example of a Word document that has been detonated using Dynamic Analysis. It looks so real it could have come from Bill Gates himself, and any user who is not alert might click on that infamous Enable editing button, and thereby open up a world of macro-malware problems:
The trick here is that the text you see is actually in a JPEG image file so it is undetectable by most analysis engines, but not the VMRay Platform. We have added Optical Character Recognition (OCR) as part of our standard Dynamic Analysis, which automatically extracts any suspicious text and shows it to you in the Files tab:
Even more important, a new VTI rule is triggered based on this OCR-extracted text because it is undoubtedly trying to trick the user into running a macro by clicking Enable content:
The score of 4/5 results in a Malicious verdict for this document.
Office documents can include macros that are written in VBA. The compiled version of the VBA code is known as p-code. Malicious actors can deliver malware in p-code that would be executed when a user opens an Office document with the macro, and they can remove the original VBA code or just modify it to appear clean – this is a technique known as VBA Stomping.
Typically, malware analysis engines only look at the VBA Code and not the p-code, however, the VMRay Platform now examines both the p-code and the VBA code to look for mismatches, and presents both in a new VBA Macros section under the Files tab:
When there is a mismatch, which typically indicates VBA Stomping, then you are alerted to this:
As an additional precaution, p-code that is delivered without VBA code is also decompiled so that the original VBA code can be analyzed. More crucially, when there is a p-code mismatch, the file containing the macro will always be detonated during Dynamic Analysis (even if you have Triage turned on), thereby ensuring comprehensive protection from VBA Stomping.
A VTI Rule is also triggered when there is a p-code mismatch and it displays on the Static Analysis Report. This rule is in the Obfuscation category and has a score of 4/5, which indicates a significant threat:
The ability to interact with the detonation of a URL during both Dynamic Analysis and Web Analysis has been a powerful feature of the VMRay Platform for several releases (it was previously known as Interactive Analysis). Live Interaction allows you to enter credentials on a website and see what impact this has during detonation. In previous releases, this feature was invoked on the Jobs page while an analysis was running so users may not have been aware that it was available.
To address this, we’ve moved the Live Interaction setting to the Submissions page, where there is now a checkbox before the Web Analysis and Dynamic Analysis checkboxes:
To further streamline the user experience, users are now constrained to choosing just one type of analysis to perform, because if they choose Live Interaction they should only perform one analysis at a time.
Account Managers on Cloud, and Administrators using the On-Premises version, will be particularly pleased about this enhancement. Role-based access control has been added so that the assignment and management of individual user permissions are now much easier. And six pre-delivered roles (shown below) ensure that you are completely covered, including three roles that are specific to Email Threat Defender (ETD).
For example, Administrators using the On-Premises version just need to assign the Administrator role to themselves so that they can oversee the operation of the Platform and assign roles to other users. If they also want to oversee ETD, they assign the ETD Administrator role to themselves:
If you prefer for a user not to see analyses, samples and other data from other users, you can segment them off with the Isolated User role. In ETD, if you prefer for a user not to see the content of emails due to privacy laws, you can assign them the ETD User role (whereas, the ETD Analyst role can see all content).
Together with our existing support for 2FA and SSO, along with sophisticated Password Policy definition (introduced in v4.1), we now have all the bases covered when it comes to user authentication and role-based permissions.
Reputation Analysis in the VMRay Platform is your first line of defense against malware. We recommend always turning it on because oftentimes a file or URL already has an established reputation and detonation using Dynamic or Web Analysis may not even be necessary. On the other hand, Account Managers and Administrators can turn Reputation off across the entire system, so users may not always be aware that this setting is turned off.
To alert users to this, and to emphasize that it is always the best practice to turn Reputation Analysis on, we’ve added a setting to the Dashboard showing the status of your Reputation setting. In this example, it is turned on by default by the Account Manager so Enabled by Default displays:
But if it is turned off by the Account Manager then the user is alerted to this:
If the Account Manager disables Reputation Analysis completely then this message displays:
The screenshots above are from the Cloud version, but this feature is also available in the On-Premises version. Clicking on the exclamation point displays a tooltip with more information for the user.
Although not so commonly used, Windows Installer Patch malware can be particularly damaging so support for analyzing these Installer Patch files (which have an extension of .msp) has been added to v4.2.
Of course, any Installer Patch file requires that you also have the corresponding Installer MSI file, and that you analyze both the MSI file and the MSP file simultaneously. To handle this in the VMRay Platform, you submit the Installer MSI at the same time as your MSP using the Prescript feature of Dynamic Analysis. First, drop your MSP sample onto the Submissions page and it is recognized automatically as a Windows Installer Patch:
Next, drop the corresponding MSI file into the Prescript box:
Shazam! Your Installer Patch MSP will now be analyzed along with the corresponding Installer MSI.
The VMRay Platform’s REST API has always included a variety of sample code to help you build your own integrations. But to jump start your efforts, we now provide an Integration Kit with pre-defined python code that is ready to use, and features the most commonly used functionality: including submitting samples, retrieving a wide variety of results (such as verdicts, classifications and threat names), as well as retrieving detailed results (such as VTIs and IOCs).
Support for Windows 10, version 1809, known as Redstone 5, has been added to both the Cloud and On-Premises versions. Support for macOS Mojave (v10.14) has been added to the Cloud version.
Software is easier to install with the popular package manager Chocolatey, so we have added Chocolately support for On-Premises customers to expedite the installation of software on VMs.
Our ETD product is all about protecting our customers from email-borne attacks. Sometimes these attacks do not take place right away. For example, targeted phishing campaigns have been known to detonate malicious payloads (delivered via URLs) at the start of the business day.
To address this, we have added two Retrospective features: a second Link Detonation as well as a second Reputation Analysis – both of which take place a short time after the initial detonation. For example, with Retrospective Link Detonation, you can specify the exact time of day to run the second detonation, as well as the Timezone and the Time Window (i.e., how many hours after the initial detonation):
In this example, the Time is set to 8:00 am which is the typical start of a working day and this helps to mitigate against URLs that detonate at the start of the working day. The Time Window is set to 12 hours prior, so any emails that have arrived since 8:00 pm of the previous night would be detonated. And of course, you can change all of these defaults to suit your specific environment.
So now, not only does ETD provide the first line of defense against email-borne attacks, but these Retrospective features provide a second line too!
Malware detection is at the very heart of the VMRay Platform, so to ensure that our On-Premises customers are always up to date with the very latest detection heuristics, trust store signatures, VTIs, Yara Rulesets and other detection functionality, a new Detection Updates feature has been added. You can define the update interval, but it defaults to every hour, so you get the latest and greatest features right after we release them. The new Detection Updates screen is shown below:
The VMRay Platform is incredibly feature-rich and powerful, but for On-Premises customers, this means that the installation process is fairly involved. So a brand new Installation Guide for On-Premises customers has been created with over 100 pages of hands-on and step-by-step information, clearly organized and ordered, with an accompanying checklist that helps you track your progress:
So this is just a taste of what is in store for our v4.2 users, and a small foretaste of the wealth of new functionality and enhancements we plan to deliver in 2021 with versions 4.3 and 4.4. VMRay started out with two founders in a small town not so long ago, but the rapid adoption and endorsement by SOC and CERT teams worldwide has led to rapid growth, and we will reach 200 employees this year and we are opening up offices all over the world. And yet, we’ve never lost that entrepreneurial spirit and we know that it is all about expanding and improving our features to serve our customers best – even during these difficult days of Covid-19. In that spirit, enjoy v4.2 and stay tuned for exciting information about new features and enhancements we are already working on for v4.3.