About a decade ago, in the good old “just SIEM it” days, the SOC was typically measured on quantity – the number of alerts validated, number of investigations escalated, number of infections mitigated, and so on. The challenges were how to make the SIEM work better – aggregation of events, dedup, correlation, alert prioritization, and for the most progressive security teams, even enrichment. How do you do handle all alerts fast and without delays? Security vendors were marketing “focus on what matters,” but what they really did was only get you to the doorsteps of the real hard stuff and leaving you with a bunch of packet captures. The recent technology advancements and discussion around what refers to as “Detection & Response” has disrupted this approach. The direction we’re seeing nowadays is to generate fewer alerts on the control side and instead focus on how to remediate existing infections as early as possible. But how do you stay up-to-date with the ever-evolving threat landscape when you are buried with operational struggle? Can you really raise your head above to see what is coming? Can you be fast enough when it comes?
From in-line protection against advanced phishing to mastering memory dumps of evasive malware, the VMRay Platform version 4.4.0 continues to address organizations’ critical bottlenecks when leveling up security against advanced threats. While the VMRay Platform expands to deliver a wider set of technologies to combat the toughest threats, our mission remains steadfast: We enable organizations to augment and automate security operations by providing the world’s best threat analysis and detection platform.
The ability to generate high-quality memory dumps when analyzing malware is a hard requirement for a threat analysis platform. In this never-ending battle, malware authors obfuscate, encrypt, and compress malicious payload to thwart detection and slow down a response on the other end. Using such techniques, advanced malware bypass static-based analysis approaches and in turn force SOC teams to spend a great deal of time identifying, classifying, and reverse-engineering these incoming threats.
To address these challenges, security teams are supplementing their malware protection architecture with dynamic analysis technologies. When detonating malware in a sandbox environment, the malware source code can be revealed in clear-text by dumping memory regions in run-time. If successfully done, this equips security analysts with every piece of information they need to respond to a threat and make sure the organization is better protected against similar threats in the future. The memory dump may allow an easy way to attribute the threat to its actor, classify the malware family and version, and generate better IOCs.
A couple of years back, with the release of VMRay Analyzer 3.0.0, we introduced Smart Memory Dumping. This capability allows us to generate high-quality memory dumps in an automated fashion. Meaning, our users can submit malware samples for analysis and immediately receive the relevant dumps without any manual intervention. Today, we are proud to introduce several major enhancements for this capability. Moreover (spoiler alert!), it’s time to say that this is just part one of our plan to fully automate the ability to extract malware configs from all common malware families. So stay tuned. For now, we are introducing improvements in three areas.
Oftentimes, the forensics data used to identify a malware sample, as well as its specific configuration, resides within the non-executable memory. Smart Memory Dumps now allows dumping such regions as soon as certain behaviors are identified. For example, apply more aggressive dumping for injected processes, or on the first attempt to create a network request. We will also use these dumps to improve threat detection and classification by matching them against YARA rules and the built-in AV.
When the first network behavior happened, we dumped the process memory. AV and YARA matched on the memory dump.
In this fast-paced landscape, detection rules cannot afford long delays. This is why we have introduced Detection Updates in the 4.2.0 release. This allows us to quickly and continuously release detection updates, distributing them for both VMRay Cloud and On-Premises deployments. With this release, updates to memory dump triggers are now included in our Detection Updates mechanism. VMRay Labs will introduce new triggers to ensure the most relevant dumps are created when new malware families are discovered.
A memory dump rule found strings in memory that frequently appear in Trickbot configurations. The memory dump contains the decrypted Trickbot configuration.
Malware that leverages the .NET framework (C#, Powershell, VB) often uses the System.Reflection.Assembly::Load method to load an assembly directly from memory without saving it to disk. To address this, the VMRay Dynamic Analysis now better monitors such behavior. When analyzing malware that is leveraging the .NET framework, Dynamic Analysis will detect calls to the Reflection API and trigger a memory dump.
Phishing pages often use branding images to impersonate a credential harvesting webpage to the targeted user. VMRay, along with other advanced threat detection solutions, are familiar with this approach and therefore introduce mechanisms to detect such impersonation attempts based on the image hash. A detection rule is set if the hash matches but the brand does not own the page. This works very reliably as a detection method as long as the phishing page uses the original logo images from the brand they intend to target. Luckily, this is often the case. But with email security, it’s not ideal to rely on luck in this cat-and-mouse game. Phishing pages have identified these “hash detection mechanisms,” and so they started applying minor modifications on the used image to thwart detection. This could be a single pixel, or rather some different compression, which is sufficient to alter the hash.
In the VMRay Platform 4.2.0 release, we have introduced Computer Vision, leveraging OCR (Optical Character Recognition) technology to extract text from images embedded in phishing documents. In this release, we have expanded the VMRay Computer Vision feature, so that brand images can be recognized not only by their exact hash but rather by any text they contain, such as the brand name. Powered by Computer Vision, the VMRay Dynamic Web Analysis will correctly identify such a page as a Microsoft phishing page, even though the original image has been manipulated.
As an example, even if a Microsoft credential phishing page uses a slightly modified Microsoft logo, the image will highly likely still contain the readable “Microsoft” brand name since that needs to be present to trick the user.
So far, our customers have been using the VMRay Email Threat Defender (ETD) “out-of-band” or via an API connection to Microsoft 365 (Exchange Online). While this simplifies the setup process, as it applies to either email copies or messages already in the recipient’s mailbox, some of our customers demand a tighter policy. The earlier approach leaves a user exposed, sometimes up to several minutes, while the analysis is in progress.
The VMRay ETD now supports a Prevent operation mode when deployed in a Microsoft Exchange Online environment (aka Microsoft 365). When this operation mode is selected, malicious emails are quarantined before they reach the user’s mailbox, thus, ensuring recipients are never exposed at any time. This new capability relies on Exchange Connectors to route incoming emails to VMRay ETD after they have been accepted, i.e., after the basic security checks have been applied by EOP (Exchange Online Protection). As soon as the analysis is complete, ETD returns each email to EOP using a connector and is either delivered to the user’s inbox or a quarantine mailbox.
As part of the ongoing signature and detection updates, new YARA rules and enhanced malware VTIs for high-profile malware families were added. Additionally, the precision of phishing VTIs has been improved. This includes:
Malware and phishing often try to detect sandboxes on the server-side. One of the most common techniques is refusing c2 callbacks if the network requests are coming from known Cloud provider services, such as AWS, Google Cloud or Azure. VMRay’s network infrastructure now includes servers that are located outside of known cloud and VPN provider IP ranges, bypassing the IP blocklists of malicious servers.
We have added Dynamic File Analysis support for macOS Catalina (version 10.15). The new version is only supported for Analyzer Cloud at the moment.
With VMRay Email Threat Defender for Azure Sentinel, you make the data provided by VMRay ETD available to Azure Sentinel in near real-time. It empowers SOCs to orchestrate response actions as soon as VMRay ETD detects malicious emails. This VMRay Connector is free of charge and can be deployed with just a few clicks from the Azure Marketplace. This is also a great opportunity to mention that we are now officially part of the Microsoft Intelligent Security Association (MISA).
We added a webhook notification feature to our VMRay REST API to streamline data processing. Until now, your scripts using the VMRay REST API had to periodically check whether a submission has been finished and thus, the results are ready for further processing. This polling approach generates unnecessary network traffic and wastes computing resources.
Our new API notification feature allows you to specify a callback at submission time, so you’ll be notified as soon as all the analyses related to your submission are completed. This notification is sent as a webhook containing the most relevant information, such as the Sample Verdict. Triggered by the callback, your script can continue further processing or query additional data from the VMRay REST API. Altogether this new feature saves time and resources when integrating the VMRay Platform with your tools and workflows.
These are exciting days at VMRay. We’ve expanded our product line with ETD and a wide variety of connectors to the most popular cybersecurity software. Regardless of your existing security ecosystem, you can now augment your EDR, SOAR, TIP and other technologies with our best-of-breed malware detection and analysis technology. Stay tuned for more!