VMRay Platform Version 3.3 Highlights

Apr 22nd 2020

With the April rollout of VMRay Platform Version 3.3, we’re introducing major enhancements to our advanced threat detection and analysis solutions:

  • A new naming convention – VMRay Platform – articulates the unified nature of our solutions, core technology, and individual products: VMRay Analyzer, VMRay Detector, and VMRay Email Threat Defender.
  • A new capability – automated scoring and flagging of IOCs – lets security teams easily extract actionable threat intelligence from dynamic malware analysis.
  • The launch of a US data center gives our customers, especially those in regulated industries, a choice of whether their data will reside in the US or the EU.

In addition, v3.3 offers enhanced phishing detection, several improvements to our analysis engine, and expanded enterprise features – all summarized below.

Who’s Zoomin’ who?

But first, let me start with a story that demonstrates VMRay’s relevance in today’s threat landscape. In March, Technical Lead Felix Seele was test-driving one of our new features — dynamic analysis of macOS PKG files — when he discovered a security issue in Zoom’s installation process.

In a tweet and subsequent blog post, Felix described how Zoom “installs itself on Macs by working around Apple’s regular security, demonstrating behavior commonly associated with malware.”  His post was re-tweeted 4,100 times, drew national media attention and prompted an acknowledgment from Zoom CEO Eric Yuan, who signed off saying: “Your point is well taken and we will continue to improve.”

Likewise, with VMRay Platform v3.3, we continue to improve in four broad areas:


Unlocking the True Potential of IOCs

Sandbox-generated IOCs are an underutilized source of threat intelligence, due to the difficulty of extracting actionable, trusted IOCs in an efficient way. Version 3.3 takes a big step toward unlocking this potential by solving three underlying challenges:

  • Misclassified IOCs that create a “fear of false positives”
  • Limited value of threat intelligence due to insufficient context
  • Difficulty integrating across systems in heterogenous environments due to a proliferation of proprietary formats.

Distinguishing artifacts from IOCs

With enhanced capabilities for distinguishing between artifacts and IOCs, Version 3.3 sets a new standard for IOC generation. An Indicator of Compromise (IOC) is a piece of forensics data derived from manual or automatic analysis, which is useful in characterizing the behavior of a given threat and can be used to identify that threat in other contexts.

IOCs are a subset of a larger universe: artifacts that encompass all forensics information related to the threat. This includes files, URLs, IPs, processes, registries and other data that’s observed during runtime in the sandbox or statically extracted from the analyzed file, such as links in an email sample.

Identifying high-quality IOCs among dozens or even many hundreds of sandbox-generated artifacts is a difficult, time-consuming task. Irrelevant artifacts in the results make it more likely some threats will slip through undetected. Misclassifying a trivial or benign artifact as an IOC can lead to many false alerts, causing legitimate applications and activity to be blocked. This latter scenario not only impacts productivity and incurs costs. For these reasons, many organizations still use largely manual methods to extract IOCs that are reliable and actionable.

Let’s look at how VMRay addresses this issue in Version 3.3

Scoring artifacts and flagging IOCs

The key innovation is the use of VMRay Threat Identifier (VTI) rules to flag and score artifacts and determines which qualify as IOCs. In the analysis report shown below, we see there are four categories of artifacts: files, URLs, IPs and processes. The VTIs associated with the highlighted process (gastart.exe) assign a score, causing it to be flagged as an IOC.  In addition to the AV result, we can see that a VTI rule for Anti-Analysis is triggered, providing more context to the already flagged IOC.


Scoring Indicators of Compromise

Figure 1: Of nearly 600 artifacts observed during analysis of one malware sample, filtering allows the display of just the 52 related IOCs.


Complementing VTI scoring, other new features in Version 3.3 include:

  • Easier export of IOCs: Adding CSV and STIX 2.0 data-exchange formats to existing JSON support, v3.3 offers multiple ways to export IOCs to other security systems.
  • Added context: Artifacts and IOCs are now enriched with more attributes including geographic location, user agent, related processes, classifications, threat names, and others.

A better user experience: An interactive IOCs tab provides detailed information on indicators, artifacts, and VTIs and allows team members to easily filter and export IOCs.


Exporting Indicators of Compromise

Figure 2: VMRay Threat Identifier (VTI) rules are used to score artifacts observed during dynamic analysis. We can see the context for each artifact. The IOCs can be easily exported all at once, by category, or individually.


Enhanced Detection of Phishing Attacks

Given that phishing attacks are an ongoing challenge for enterprises, we’ve enhanced detection in a number of ways.

Automated analysis of phishing URLs hosted on legitimate cloud applications

This feature helps detect attacks that are delivered using file-sharing web applications such as SharePoint, Dropbox, and Google Drive as well as other major cloud applications.

The Automatic User Interaction feature was enhanced to click on download links found in these applications. URLs that are hosting malicious content are submitted for analysis. This feature was added in response to the VMRay Labs Team observing in 2019 that threat actors were increasingly using SharePoint and similar tools for hosting malicious content.


Phishing URLs hosted on Legitimate Cloud Applications

Figure 3: Phishing attacks often use file-sharing applications like Microsoft SharePoint.


Phishing detection for HTML samples

The second enhancement helps detect phishing attacks delivered via HTML attachments, which on the victim’s device instead of the public internet, thereby avoiding URL reputation checks. VMRay’s web engine analyzes HTML files to detect credential-harvesting Web forms so they can be blocked. In addition, embedded objects in HTML files are now extracted and analyzed by the static engine.

Submission of Safe Link URLs and formatted URLs:

Version 3.3 introduces more flexibility in how URLs can be submitted for analysis. VMRay now normalizes submitted URLs to support two scenarios:

  • Submission of Safe Link URLs: When extracting URLs embedded in emails, many security tools rewrite the URL, replacing it with a safe version of the same link and alerting the recipient of the potential security risk. In some cases, the underlying malicious link isn’t analyzed unless and until the end-user clicks on the safe link. This creates the possibility a malicious link will go undetected, missing an opportunity to add it to threat intelligence. In addition, the time gap between the creation of the safe link and time-of-click can result in the end user’s system being inadvertently compromised. VMRay addresses both situations by temporarily disarming the safe link long enough to submit the original malicious URL for analysis and then rearming the safe link to maintain protection.


Figure 4: Emojis, which are characters in the UTF-8 alphabet, can be converted to an ASCII equivalent.


  • Submission of specially formatted URLs: The universe of characters a URL may contain is much vaster than the 256 characters extended ASCII can accommodate. So URLs containing non-ASCII characters must be converted to the equivalent ASCII format, as defined by UTF-8 encoding. Version 3.3, for the first time, normalizes several types of specially formatted URLs so they can be automatically submitted to VMRay for threat analysis and detection. These URL types include % encoded URLs, Emoji domains, Punycode-encode domains and Google referrers. The original formatted URL is kept in the analysis report as forensic evidence.


Analysis Engine Improvements

Version 3.3 also features several improvements to our analysis engine.

PKG file support for macOS

We continue to expand macOS support, complementing VMRay’s longstanding coverage of Microsoft environments. The new release supports the analysis of PKG files during setup and installation of Mac applications. As mentioned earlier, this feature was instrumental in one of our researchers discovering a deceptive aspect of Zoom installation.


PKG File Support

Figure 4: While test-driving PKG file support for macOS, VMRay’s Felix Seele discovered a deceptive aspect of Zoom’s installation process for Mac systems.


Detection and analysis of embedded Power Queries

Excel’s Power Query function lets users link spreadsheets with other data sources: external databases, text documents, web pages, etc. Threat actors are exploiting this feature to load malicious content into Excel and launch hard-to-detect attacks that often combine multiple attack surfaces. Power Query Artifacts are now extracted and analyzed by the relevant engines (reputation, static, dynamic), and are flagged as IOCs.

Support for OS reboot as part of a prescript

Prescripts are essential for tailoring the analysis environment, ensuring for example that the target machine is fully localized to reflect the production environment requiring protection. We have added support for performing OS reboot as part of a prescript, meaning the analysis will still run as intended following a reboot.


Enterprise-Ready Enhancements

US Data Center and Compliance Enhancements

With the April opening of a new data center, VMRay now offers customers a choice of where their data resides: in the US or the EU. This is especially significant for enterprises in regulated industries (health care, financial services, government) that are bound by regulation and compliance to have control over where their data is stored.

Both facilities are ISO27001 compliant, meet GDPR standards for data protection and privacy, and meet the Singapore Monetary Authority guidelines for cloud services for the financial sector. Customers choose their preferred data center location at the time their account is created.

Improved login capabilities

Version 3.3 features SAML support for single sign-on (SSO) and multi-factor authentication (MFA), making it easy to integrate our platform with your company’s chosen identity provider.