With the April rollout of VMRay Platform Version 3.3, we’re introducing major enhancements to our advanced threat detection and analysis solutions:
In addition, v3.3 offers enhanced phishing detection, several improvements to our analysis engine, and expanded enterprise features – all summarized below.
Who’s Zoomin’ who?
But first, let me start with a story that demonstrates VMRay’s relevance in today’s threat landscape. In March, Technical Lead Felix Seele was test-driving one of our new features — dynamic analysis of macOS PKG files — when he discovered a security issue in Zoom’s installation process.
In a tweet and subsequent blog post, Felix described how Zoom “installs itself on Macs by working around Apple’s regular security, demonstrating behavior commonly associated with malware.” His post was re-tweeted 4,100 times, drew national media attention and prompted an acknowledgment from Zoom CEO Eric Yuan, who signed off saying: “Your point is well taken and we will continue to improve.”
Likewise, with VMRay Platform v3.3, we continue to improve in four broad areas:
Sandbox-generated IOCs are an underutilized source of threat intelligence, due to the difficulty of extracting actionable, trusted IOCs in an efficient way. Version 3.3 takes a big step toward unlocking this potential by solving three underlying challenges:
Distinguishing artifacts from IOCs
With enhanced capabilities for distinguishing between artifacts and IOCs, Version 3.3 sets a new standard for IOC generation. An Indicator of Compromise (IOC) is a piece of forensic data, derived from manual or automatic analysis, that characterizes the behavior of a given threat and can be used to identify that threat in other contexts.
IOCs are a subset of a larger universe: artifacts, which encompass all forensic information related to the threat. This includes files, URLs, IPs, processes, registry keys and other data observed during runtime in the sandbox or statically extracted from the analyzed file, such as links in an email sample.
Identifying high-quality IOCs among dozens or even many hundreds of sandbox-generated artifacts is a difficult, time-consuming task. Irrelevant artifacts in the results make it more likely that some threats will slip through undetected. Misclassifying a trivial or benign artifact as an IOC can lead to many false alerts, causing legitimate applications and activity to be blocked. This latter scenario both impacts productivity and incurs costs. For these reasons, many organizations still use largely manual methods to extract IOCs that are reliable and actionable.
Let’s look at how VMRay addresses this issue in Version 3.3.
Scoring artifacts and flagging IOCs
The key innovation is the use of VMRay Threat Identifier (VTI) rules to flag and score artifacts and determine which qualify as IOCs. In the analysis report shown below, we see there are four categories of artifacts: files, URLs, IPs and processes. The VTIs associated with the highlighted process (gastart.exe) assign a score, causing it to be flagged as an IOC. In addition to the AV result, we can see that a VTI rule for Anti-Analysis is triggered, providing more context for the already flagged IOC.
Figure 1: Of nearly 600 artifacts observed during analysis of one malware sample, filtering allows the display of just the 52 related IOCs.
Complementing VTI scoring, other new features in Version 3.3 include:
A better user experience: An interactive IOCs tab provides detailed information on indicators, artifacts, and VTIs and allows team members to easily filter and export IOCs.
Figure 2: VMRay Threat Identifier (VTI) rules are used to score artifacts observed during dynamic analysis. We can see the context for each artifact. The IOCs can be easily exported all at once, by category, or individually.
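As an added illustration (not VMRay's code, and not its actual VTI rules), the scoring model described above can be sketched like this: constructed artifacts of the four categories are run through hypothetical rules, each match adds its score, and an artifact whose total reaches a threshold is flagged as an IOC and becomes exportable by category, as in the filtered view of Figure 1.

```python
from collections import defaultdict

# Constructed artifacts, modelled loosely on Figure 1 (values are made up, not from a real analysis).
ARTIFACTS = [
    {"category": "process", "value": "gastart.exe",
     "meta": {"apis": ["IsDebuggerPresent", "CreateFileW"], "av_detections": 12}},
    {"category": "process", "value": "explorer.exe",
     "meta": {"apis": ["CreateProcessW"], "av_detections": 0}},
    {"category": "file", "value": r"C:\Users\victim\AppData\Roaming\gastart.exe",
     "meta": {"magic": "MZ", "autostart": True}},
    {"category": "file", "value": r"C:\Windows\Temp\~log1.tmp",
     "meta": {"magic": "", "autostart": False}},
    {"category": "url", "value": "http://198.51.100.23/upd.bin",
     "meta": {"content_type": "application/x-msdownload"}},
    {"category": "url", "value": "http://crl.example.com/pki/root.crl",
     "meta": {"content_type": "application/pkix-crl"}},
    {"category": "ip", "value": "198.51.100.23", "meta": {"port": 8080}},
]

ANTI_ANALYSIS_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"}

# Hypothetical VTI-like rules: (name, score, artifact category, predicate over the artifact metadata).
RULES = [
    ("Anti-Analysis: debugger check", 3, "process",
     lambda m: bool(ANTI_ANALYSIS_APIS & set(m["apis"]))),
    ("AV match", 5, "process", lambda m: m["av_detections"] > 0),
    ("Dropped PE file", 3, "file", lambda m: m["magic"] == "MZ"),
    ("Autostart persistence", 2, "file", lambda m: m["autostart"]),
    ("Downloads executable", 4, "url", lambda m: m["content_type"] == "application/x-msdownload"),
    ("Non-standard port contact", 3, "ip", lambda m: m["port"] not in (80, 443)),
]
IOC_THRESHOLD = 3  # minimum accumulated score for an artifact to be flagged as an IOC

def score_artifacts(artifacts, rules=RULES, threshold=IOC_THRESHOLD):
    """Run every rule of the matching category over each artifact; sum the scores and flag IOCs."""
    scored = []
    for art in artifacts:
        hits = [(name, score) for name, score, cat, pred in rules
                if cat == art["category"] and pred(art["meta"])]
        total = sum(s for _, s in hits)
        scored.append({**art, "vti": [n for n, _ in hits], "score": total, "is_ioc": total >= threshold})
    return scored

def export_iocs(scored, category=None):
    """Group flagged IOC values by category (or only one category), as the IOCs tab exports them."""
    grouped = defaultdict(list)
    for art in scored:
        if art["is_ioc"] and category in (None, art["category"]):
            grouped[art["category"]].append(art["value"])
    return dict(grouped)
```

The benign entries (explorer.exe, the temp file, the CRL download) score zero and stay artifacts, which is the distinction the section draws.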
Given that phishing attacks are an ongoing challenge for enterprises, we’ve enhanced detection in a number of ways.
Automated analysis of phishing URLs hosted on legitimate cloud applications
This feature helps detect attacks that are delivered using file-sharing web applications such as SharePoint, Dropbox, and Google Drive as well as other major cloud applications.
The Automatic User Interaction feature was enhanced to click on download links found in these applications. URLs that are hosting malicious content are submitted for analysis. This feature was added in response to the VMRay Labs Team observing in 2019 that threat actors were increasingly using SharePoint and similar tools for hosting malicious content.
Figure 3: Phishing attacks often use file-sharing applications like Microsoft SharePoint.
Phishing detection for HTML samples
The second enhancement helps detect phishing attacks delivered via HTML attachments, which open locally on the victim’s device rather than being fetched from the public internet, thereby avoiding URL reputation checks. VMRay’s web engine analyzes HTML files to detect credential-harvesting Web forms so they can be blocked. In addition, embedded objects in HTML files are now extracted and analyzed by the static engine.
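An added example, not VMRay's web engine, of the check this section describes: parse the forms in an HTML attachment and flag those that collect a password and submit it to an absolute URL. The sample HTML and the 203.0.113.9 address are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML attachment (not a real sample): a fake sign-in page posting credentials to a remote host.
SAMPLE_HTML = """<html><body>
<form method="post" action="https://203.0.113.9/collect.php">
  <input type="email" name="user">
  <input type="password" name="pass">
  <input type="submit" value="Sign in">
</form>
</body></html>"""

class FormCollector(HTMLParser):
    """Collect every <form> with its action and method and the input types and names it contains."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(), "inputs": []}
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(((a.get("type") or "text").lower(), a.get("name") or ""))

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None

def find_credential_forms(html):
    """Return forms that collect a password, with the host they submit to.
    A local HTML attachment has no legitimate origin, so an absolute action URL is where credentials go."""
    parser = FormCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for form in parser.forms:
        types = {t for t, _ in form["inputs"]}
        if "password" not in types:
            continue
        host = urlsplit(form["action"]).hostname  # None for relative or javascript: actions
        findings.append({
            "action": form["action"], "method": form["method"], "target_host": host,
            "asks_for": sorted(types - {"submit", "hidden"}),
            "exfiltrates_externally": host is not None,
        })
    return findings
```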
Submission of Safe Link URLs and formatted URLs
Version 3.3 introduces more flexibility in how URLs can be submitted for analysis. VMRay now normalizes submitted URLs to support two scenarios:
Figure 4: Emojis, which are Unicode characters (typically UTF-8 encoded), can be converted to an ASCII equivalent.
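An added example, not VMRay's normalization code, of the two kinds of rewriting this section names: unwrapping a Safe Links URL (assuming Microsoft's wrapper format, where the original destination is carried in the `url` query parameter) and converting a non-ASCII hostname, such as an emoji domain, to its ASCII punycode equivalent. The wrapped URL below is constructed.

```python
from urllib.parse import parse_qs, urlsplit, urlunsplit

SAFELINKS_HOST = "safelinks.protection.outlook.com"  # Microsoft Safe Links rewrite domain (assumed format)

def unwrap_safelinks(url):
    """Return the destination carried in a Safe Links wrapper's `url` query parameter,
    or the URL unchanged if it is not a wrapper."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host == SAFELINKS_HOST or host.endswith("." + SAFELINKS_HOST):
        inner = parse_qs(parts.query).get("url")
        if inner:
            return inner[0]
    return url

def normalize_url(url):
    """Unwrap Safe Links, then rewrite a non-ASCII hostname (emoji or IDN) to its ASCII punycode form
    so that reputation lookups see the hostname a resolver would actually query."""
    url = unwrap_safelinks(url.strip())
    if "://" not in url:
        url = "http://" + url  # bare hostnames submitted without a scheme are treated as HTTP
    parts = urlsplit(url)
    host = parts.hostname or ""
    ascii_host = host.encode("idna").decode("ascii").lower()  # 'xn--' labels per IDNA rules
    netloc = ascii_host if parts.port is None else f"{ascii_host}:{parts.port}"  # userinfo is dropped
    return urlunsplit((parts.scheme.lower(), netloc, parts.path or "/", parts.query, parts.fragment))

# Constructed input (not from the page): a Safe Links wrapped URL whose destination is an emoji hostname.
WRAPPED = ("https://nam02.safelinks.protection.outlook.com/?url="
           "https%3A%2F%2F%F0%9F%8D%95.ws%2Flogin&data=02%7C01%7C&reserved=0")

if __name__ == "__main__":
    print(normalize_url(WRAPPED))  # https://xn--vi8h.ws/login
```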
Version 3.3 also features several improvements to our analysis engine.
PKG file support for macOS
We continue to expand macOS support, complementing VMRay’s longstanding coverage of Microsoft environments. The new release supports the analysis of PKG files during setup and installation of Mac applications. As mentioned earlier, this feature was instrumental in one of our researchers discovering a deceptive aspect of Zoom installation.
Figure 5: While test-driving PKG file support for macOS, VMRay’s Felix Seele discovered a deceptive aspect of Zoom’s installation process for Mac systems.
Detection and analysis of embedded Power Queries
Excel’s Power Query function lets users link spreadsheets with other data sources: external databases, text documents, web pages, etc. Threat actors are exploiting this feature to load malicious content into Excel and launch hard-to-detect attacks that often combine multiple attack surfaces. Power Query artifacts are now extracted and analyzed by the relevant engines (reputation, static, dynamic), and are flagged as IOCs.
Support for OS reboot as part of a prescript
Prescripts are essential for tailoring the analysis environment, ensuring for example that the target machine is fully localized to reflect the production environment requiring protection. We have added support for performing an OS reboot as part of a prescript, meaning the analysis will still run as intended following a reboot.
US Data Center and Compliance Enhancements
With the April opening of a new data center, VMRay now offers customers a choice of where their data resides: in the US or the EU. This is especially significant for enterprises in regulated industries (health care, financial services, government) that are bound by regulation and compliance to have control over where their data is stored.
Both facilities are ISO 27001 compliant, meet GDPR standards for data protection and privacy, and meet the Singapore Monetary Authority guidelines for cloud services for the financial sector. Customers choose their preferred data center location at the time their account is created.
Improved login capabilities
Version 3.3 features SAML support for single sign-on (SSO) and multi-factor authentication (MFA), making it easy to integrate our platform with your company’s chosen identity provider.