Introduction
Writing this introduction for the VMRay 2023.3.0 release has been a thrill, as it brings a significant game-changer to our products. The summer heat in our Bochum headquarters is at its best.
To relieve the scorch, we are shipping a long-awaited coolness – Static and Dynamic Analysis of Linux executables. Linux analysis will be available for Cloud and On-Prem customers using the DeepResponse and TotalInsight products. Let’s talk about it in more detail.
Linux ELF Files Support
Linux servers are widely used in the industry to deliver content, applications, and services to clients. Given their purpose, they are easily reachable from the outside and are, therefore, a common target for attackers. Lately, there has been a rising trend of threat actors targeting Linux servers or adding cross-platform support to existing malware families. In addition, modern programming languages make it easy to write cross-platform malware at a high level. Ransomware families such as BlackCat have switched to Rust, which allows threat actors to develop one ransomware that runs on all three major platforms without much effort. As the obstacles become fewer and fewer, we expect to see more malware targeting Linux in the future.
Moreover, in the past months, we received a lot of requests about Linux analysis availability from our customers, and one of the most targeted sample types is Linux ELF binaries.
With that in mind, we added support for Dynamic and Static Analysis of ELF executable files to our products and became a one-stop shop for analyzing & detecting threats targeting all relevant Operating Systems. Now, with the VMRay offering, you do not have to go to another sandbox solution or use ineffective products to address Linux threats.
Another essential point in the Linux realm is that the detection, prevention, and analysis capabilities of security products have lagged behind in this area, making Linux almost a blind spot for enterprises. With Linux frequently used as the basis for cloud services, virtual-machine hosts, and container-based infrastructure, attackers have increasingly targeted Linux environments with sophisticated exploits and malware.
The most common threats attackers bring to Linux include Ransomware, IoT malware used to run DDoS attacks, Backdoors/RATs, and Cryptominers such as Monero miners and XMRig.
Our goal in adding the ELF file type is to let you analyze malware targeting Linux-based enterprise server infrastructure on our platform. We also want to decrease MTTD (Mean Time to Detect) and MTTR (Mean Time to Respond) for Linux malware attacks for our customers. MTTD benefits from the capabilities of our Dynamic Analysis: even if the malware samples are fresh and no AV signatures are available for them yet, the behavior they show in the sandbox triggers our VTIs, so we still catch them before AVs can.
For MTTR, the dynamic monitoring gives us deep insight into what samples are doing, and we also generate high-quality IOCs. You can use the generated IOCs to proactively protect the environment by blacklisting them, or to hunt for potentially infected devices and lower the possible impact.
Having Linux ELF support in the VMRay products will also:
- reduce the time spent on manual intervention & investigation
- decrease time to incident resolution
- minimize time spent on triage & analysis
- provide accurate results (far beyond those obtained via freeware tools)
- stay ahead of the rising number of Linux threats
Are you interested in more technical details on the capabilities of Static & Dynamic Analysis of Linux ELF files? There you go!
With our Static Analysis of Linux ELF files, you will get:
- submission of ELF files
- file reputation scanning and anti-virus lookup
- static analysis of ELF files
- parsing the file
- extracting artifacts (such as strings)
- exposing the obtained information to trigger VMRay Threat Identifiers and YARA rules
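As an added illustration, not VMRay's code (the product's own parser and VTI engine are not shown on this page), here is a minimal version of the static pipeline the list above describes, in Python: parse the ELF64 header, extract printable strings, and feed them to a small substring rule set that stands in for YARA/VTI matching. The sample bytes, rule names and indicator strings are constructed for the example.

```python
import re
import struct

# Constructed sample: a minimal ELF64 little-endian header followed by a small
# blob that stands in for the rest of the file. It is not a real binary.
ELF_HEADER = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9   # e_ident: magic, ELF64, LE, version
              + struct.pack("<HHIQQQIHHHHHH",
                            2, 0x3E, 1, 0x401000,     # e_type=EXEC, e_machine=x86-64, e_version, e_entry
                            64, 0, 0, 64, 56, 1,      # e_phoff, e_shoff, e_flags, e_ehsize, e_phentsize, e_phnum
                            64, 0, 0))                # e_shentsize, e_shnum, e_shstrndx
SAMPLE_BODY = b"\x00/bin/sh\x00\x01\x02chmod +x /tmp/.x\x00\x03ab\x00http://example.invalid/c2\x00"
SAMPLE = ELF_HEADER + SAMPLE_BODY

ELF_TYPES = {1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}
MACHINES = {0x03: "x86", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}
# Constructed rules: a simplified stand-in for the YARA / VTI matching stage,
# mapping a rule name to the substrings that must all be present.
RULES = {"shell_spawn": ["/bin/sh"],
         "hidden_tmp_file": ["chmod +x", "/tmp/."],
         "http_beacon": ["http://"]}

def is_elf(data):
    """True if data carries the ELF magic and is at least one ELF64 header long."""
    return len(data) >= 64 and data[:4] == b"\x7fELF"

def parse_elf_header(data):
    """Parse e_ident plus the ELF64 header fields a triage report would show."""
    if not is_elf(data):
        raise ValueError("not an ELF file")
    if data[4] != 2:
        raise ValueError("only ELF64 is handled in this example")
    endian = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little-endian, 2 = big-endian
    f = struct.unpack(endian + "HHIQQQIHHHHHH", data[16:64])
    return {"class": "ELF64", "endian": "little" if endian == "<" else "big",
            "type": ELF_TYPES.get(f[0], hex(f[0])),
            "machine": MACHINES.get(f[1], hex(f[1])), "entry": f[3]}

def extract_strings(data, min_len=4):
    """Printable ASCII runs of at least min_len bytes, like the `strings` tool."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]

def match_rules(strings, rules=RULES):
    """Names of the rules whose substrings all occur in the extracted strings."""
    joined = "\n".join(strings)
    return sorted(name for name, needles in rules.items()
                  if all(n in joined for n in needles))
```

Running `match_rules(extract_strings(SAMPLE))` on the constructed sample fires all three rules; a real engine would also walk section and program headers, which this example deliberately skips.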
With our Dynamic Analysis of Linux ELF files, you will get:
- transition monitoring
- function call monitoring
- function call reporting (f-log)
- creation of Dynamic Analysis report for ELF samples
- detonating ELF files
- tracking and reporting file operations (such as file creation and modification)
- extracting files created and/or modified by monitored processes during and after analysis
- creating a PCAP file of all network traffic from/to the VM
- enabling YARA, AV, Reputation, and VMRay Threat Identifiers matches for Dynamic Analysis artifacts
- and many more!
DeepResponse and TotalInsight for On-Prem
In the previous release, we presented the new VMRay portfolio offering. In 2023.2.0, the DeepResponse and TotalInsight products were ready to be licensed for On-Prem customers. However, some changes still had to be implemented in our Platform.
In 2023.3.0, everything is adjusted and fully functional for On-Prem users. You can read more about On-Prem products and features in the On-Premises Onboarding Guide in our Knowledge Center.
Reactions to the Latest Trends in the Threat Landscape
As part of the ongoing signature and detection updates, we expanded the coverage of configuration extractions and the YARA rules for prevalent malware families. Further, we added several new VTIs to detect the disabling of Controlled Folder Access protection. Finally, we improved AutoUI simulation to support clicking large images camouflaged as OneDrive or Office files.
Additionally, we would like to announce a new series of Signature & Detection blog posts where we’ll share more of our research on the threat landscape. Check the latest one here.
Final Thoughts
Many organizations rely on malware detection concepts that worked well yesterday, hoping they will still work well today. This is rarely the case. Today’s advanced malware is more diverse, sophisticated, and targeted than ever. The threat landscape is constantly evolving, and so should the organization’s security concept.
Recent studies show that phishing attacks continue to be responsible for approximately 90% of data breaches. Advanced malware delivered by phishing emails has also become more seasoned and evasive, as it is engineered to avoid detection by perimeter email security and endpoint anti-malware solutions. That is why, in the upcoming releases, we want to refocus on improving our phishing efficacy and on the threat landscape theme.
We know there is no silver bullet against malware, but we can certainly forge a robust toolkit that shines bright against the threats!
To wrap up, we hope the Linux ELF filetype support will help you make the most of VMRay products and boost your productivity and efficacy. Enjoy the holiday season and follow our ongoing journey!