Introduction
As we wrapped up last year, we released a bonus update featuring the VMRay Platform architecture upgrade to Ubuntu 22.04 LTS and enhanced LNK file analysis. While not bursting with new additions, we believe these updates have made the Platform more stable and easier to maintain.
Now, for our first release of 2025, we’re kicking things off with 6 exciting new features and improvements that are sure to enhance your threat detection. Let’s dive into the details!
Introducing Searchable Threat Names
We’re excited to announce the launch of searchable Threat Names in the VMRay Platform, a feature designed to boost your threat intelligence capabilities and make your threat-hunting efforts more efficient!
What’s in it for security analysts (and not only them)?
Security Analysts work tirelessly to track, analyze, and respond to threats. In the past, when trying to find specific malware families or related threats in the VMRay Platform, analysts had to navigate through multiple pages, making comparisons and drawing conclusions much more time-consuming.
Now, with searchable Threat Names, you can easily:
Search and filter by Threat Names directly from the Advanced Search in the VMRay Console.
Find and compare samples associated with malware families in just a few clicks, saving time and boosting efficiency.
Search via the VMRay API, allowing you to integrate this feature into your custom workflows.
Search by Threat Name in the Advanced Search
Detect Clipboard Access
A few weeks ago, our VMRay Labs team uncovered an emerging technique that is gaining traction in malware distribution, including by DarkGate and Lumma. Rather than fully automating the infection process, attackers are now tricking users into performing the malicious actions themselves.
In this specific attack method, a user receives an email with an HTML attachment. When opened in a browser, the attachment displays a fake Microsoft Word-like document along with a pop-up message. The user is instructed to click a button to “fix an issue.” At first glance, this seems like a legitimate request. However, when the user clicks the button, two dangerous actions occur:
A malicious script (often a batch command) is automatically copied to the user’s clipboard.
Further instructions appear, directing the user to open the Windows Run dialog, paste the command into it, and press “Enter” to “fix the issue.”
This is a classic case of social engineering, where attackers deceive the user into performing the harmful action themselves. The real danger here is that the attack bypasses traditional security defenses because it relies on the user manually copying and pasting commands. Until now, VMRay’s Web Engine had been unable to detect attacks involving clipboard manipulation. This gap allowed attackers to bypass our defenses by tricking users into executing malicious commands directly from their clipboard.
Our solution – clipboard access detection
In this release, we are introducing the ability to detect clipboard write access (also known as PasteJacking and ClickFix). With this new update, the VMRay Platform can now identify when a web page tricks the user into copying malicious content to the clipboard and take immediate actions.
Here’s how it works:
VMRay Web Engine can now detect when the clipboard content is modified by a web page and then deliver the respective IOCs extracted from the clipboard data. This works regardless of whether you, as an analyst, drive the page yourself with Live Interaction or let our Adaptive Browsing Simulation click through it for you.
The clipboard content gets automatically resubmitted and analyzed if it is recognized to be a batch command.
The clipboard data is shown in the Files tab and remains accessible for manual review or resubmission by security teams, enabling deeper investigation.
Clipboard access detection in the Overview tab
Clipboard contents captured in the Files tab
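The triage step described above, as an added example rather than VMRay's own code: given the text a page wrote to the clipboard, recognize whether it is a command line, pull network IOCs out of it, and decide what gets resubmitted. The launcher set, the regular expressions and the artefact names are assumptions made for the example.

```python
"""Added example, not VMRay code: triage one clipboard write captured from a web
page (IOC extraction, batch-command recognition, resubmission decision).
Heuristics, patterns and artefact names are assumptions for illustration."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

URL_RE = re.compile(r"\bhttps?://[^\s\"'<>]+", re.I)
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
# Launchers a Run-dialog lure typically names first (assumed set).
LAUNCHERS = {"cmd", "cmd.exe", "powershell", "powershell.exe", "pwsh", "pwsh.exe", "mshta", "mshta.exe"}
# Shell syntax that marks text as a command even without an explicit launcher.
CHAIN_RE = re.compile(r"(&&|\|\||\s/c\s|\s-e(?:nc|ncodedcommand)?\s)", re.I)


@dataclass
class ClipboardFinding:
    text: str
    is_command: bool
    launcher: Optional[str]
    iocs: dict = field(default_factory=dict)
    resubmit_as: Optional[str] = None  # artefact name queued for follow-up analysis


def triage_clipboard_write(text: str) -> ClipboardFinding:
    """Classify clipboard text and extract URL / IPv4 IOCs from it."""
    stripped = text.strip()
    tokens = [t.strip("\"'").lower() for t in stripped.split()]
    launcher = next((t for t in tokens if t in LAUNCHERS), None)
    is_command = launcher is not None or bool(CHAIN_RE.search(stripped))
    iocs = {
        "urls": sorted(set(URL_RE.findall(stripped))),
        "ipv4": sorted(set(IPV4_RE.findall(stripped))),
    }
    resubmit_as = None
    if is_command:  # the text itself becomes a new sample, typed by its launcher
        ext = ".ps1" if launcher and launcher.startswith(("powershell", "pwsh")) else ".bat"
        resubmit_as = "clipboard_command" + ext
    return ClipboardFinding(stripped, is_command, launcher, iocs, resubmit_as)


def triage_all(writes: List[str]) -> List[ClipboardFinding]:
    """Every write is kept for review; triage simply runs over each of them."""
    return [triage_clipboard_write(w) for w in writes]


if __name__ == "__main__":
    # Constructed clipboard writes, not real lure content.
    for f in triage_all(['cmd /c "start http://example.invalid/fix && echo Fix applied"',
                         "Meeting notes: dial-in bridge 203.0.113.9, room 4",
                         "powershell -nop -c Get-Date"]):
        print(f.is_command, f.launcher, f.iocs, f.resubmit_as)
```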
Expanded LNK Analysis Support
conhost.exe: what’s in our latest update
conhost.exe is a legitimate Windows process. It stands for Console Host, and its role is to act as a bridge between the graphical interface of Windows and command-line programs like Command Prompt or PowerShell. Essentially, it helps to make sure that these command-line tools display properly and interact with you in a user-friendly way. Unfortunately, attackers have figured out how to abuse it. In recent updates to the VMRay Platform, we focused on detecting and stopping a growing threat where LNK files are used to trick users into running malicious commands via conhost.exe.
As mentioned before, an LNK file is a shortcut that, when clicked, points to a specific program or file. Normally, these are harmless. However, attackers can craft malicious LNK files that misuse conhost.exe as a proxy to secretly launch harmful commands. In some cases, the malicious LNK file will use conhost.exe to run cmd.exe (Command Prompt), but it could also target other programs like rundll32.exe or even PowerShell.
What makes this method dangerous is that conhost.exe is a legitimate part of Windows, meaning it’s often overlooked by security systems. Attackers can hide their malicious activity within a normal-looking process, making it harder for traditional security tools to spot the threat.
To combat this technique, the VMRay Platform now includes advanced support for detecting LNK files that use conhost.exe to launch other commands or scripts. This is a significant improvement in our ability to detect hidden threats in the wild.
LNK using conhost.exe file analysis in the VMRay Platform
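One way to flag the launch chain described above, as an added example that is not VMRay's code: take the LNK target and argument string as plain strings (as an LNK parser would yield them) and report when conhost.exe is used as a proxy for another program. The set of programs treated as high severity is an assumption, seeded from the ones named in the text.

```python
"""Added example, not VMRay code: flag an LNK whose launch chain uses conhost.exe
as a proxy for another program. Inputs are the LNK target path and its argument
string; the severity list is an assumption for illustration."""
import re
from dataclasses import dataclass
from typing import Optional

# Programs commonly proxied through conhost.exe (cmd, rundll32 and PowerShell
# from the text above; the rest are assumed additions).
HIGH_SEVERITY = {"cmd.exe", "rundll32.exe", "powershell.exe", "pwsh.exe",
                 "mshta.exe", "wscript.exe", "cscript.exe"}
TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # split arguments, keeping quoted groups intact


@dataclass
class LnkFinding:
    flagged: bool
    proxied_program: Optional[str] = None  # basename of what conhost.exe launches
    proxied_arguments: str = ""
    severity: str = "none"
    reason: str = ""


def _basename(token: str) -> str:
    return token.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_lnk_launch(target: str, arguments: str) -> LnkFinding:
    """Inspect target plus arguments as one launch chain and look for a conhost proxy."""
    tokens = [target] + TOKEN_RE.findall(arguments)
    names = [_basename(t) for t in tokens]
    if "conhost.exe" not in names:
        return LnkFinding(False, reason="conhost.exe not in launch chain")
    i = names.index("conhost.exe") + 1
    while i < len(tokens) and tokens[i].startswith("-"):  # skip conhost's own switches
        i += 1
    if i >= len(tokens):
        return LnkFinding(False, reason="conhost.exe without a proxied program")
    program = names[i]
    severity = "high" if program in HIGH_SEVERITY else "medium"
    return LnkFinding(True, program, " ".join(tokens[i + 1:]), severity,
                      f"conhost.exe proxies {program}")


if __name__ == "__main__":
    # Constructed LNK fields, not taken from a real sample.
    print(analyze_lnk_launch(r"C:\Windows\System32\conhost.exe", 'cmd.exe /c "echo constructed test"'))
    print(analyze_lnk_launch(r"C:\Windows\System32\notepad.exe", "notes.txt"))
```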
Geofence VPN – Now Even with Residential Traffic
So far, our Platform products have offered a Geofence VPN feature, allowing users to route traffic through specific countries when submitting malware samples. For instance, you could choose to have traffic originate from France, helping to counteract location-based evasion techniques used by advanced malware.
But we didn’t stop there. Previously, the Cloud default gateway didn’t support residential egress traffic, which some threat actors use to detect whether their malware is being analyzed in an enterprise environment. With our latest release, we’re happy to introduce a major upgrade that strengthens your ability to counter advanced evasion techniques.
What’s new?
We added residential egress traffic to our Cloud default gateway, making it even harder for malware to slip through the cracks.
Key highlights include:
Private rotating IPs – your VPN connections will now use private, rotating IP addresses for an added layer of stealth. This reduces the chances of your traffic getting flagged or blocked by malicious C2 (command-and-control) servers.
Improved malware analysis – the inclusion of residential egress traffic means malware samples are less likely to spot you coming. By mimicking typical residential IPs, we help ensure that malware behaves as it would in a real-world scenario, giving you more accurate insights during analysis.
Realistic residential traffic – we’re now simulating traffic as if it’s coming from an average home network. This means that malware targeting everyday users will be tricked into thinking it’s running on a normal, residential machine—making it far more likely to reveal its true colors.
This enhancement is available across all of our Cloud platform products, including our legacy Analyzer product. Stay ahead of the threats – without borders!
GeofenceVPN feature in the VMRay Platform
Microsoft Defender for Endpoint Connector
We are pleased to announce the release of a new connector for integration with the VMRay Platform! This connector automatically provides VMRay Verdicts and IoCs to Microsoft Defender. It is deployed and configured in Microsoft Azure rather than being built directly into the VMRay Platform.
Key improvements in this new version:
Azure Serverless deployment – eliminates the need for managing a Docker instance, simplifying deployment and reducing maintenance efforts.
Easier configuration – setting up and updating configurations is now more intuitive.
Key benefits:
SOC analysts can triage alerts quickly, as they receive VMRay Verdicts directly in the Microsoft Defender console (including Threat Names, Classifications, and VTIs) within minutes of an alert becoming available.
Incident responders can immediately access the analysis of samples detonated during an attack, allowing them to understand the attacker’s intent—even if the command and control (C&C) infrastructure was taken down.
Updating Microsoft Defender indicators with IoCs from active attacks enhances security and accelerates threat hunting.
Give it a try today! (Please note this is a beta version.) Visit the https://github.com/vmray/ms-defender-azure page for detailed integration and installation instructions.
A final touch that makes the difference!
Last year, we introduced QR code scanning for malware, designed to detect malicious URLs hidden in QR codes. This release brings an upgrade to this feature, making it even more powerful.
In this latest release, we enhanced our QR code scanning functionality to automatically extract URLs from QR codes embedded within Office documents. This upgrade ensures that even if a QR code is embedded in an image within a Microsoft Office document (such as Word or Excel), our system will still detect and extract the URL for further analysis. Now, you can submit the document directly to the Platform, and it will be analyzed automatically without the need to attach it to an email first.
With this new enhancement, your security teams can now directly scan Office documents containing QR codes, even if those codes are embedded within images, ensuring that nothing is missed.
Final Thoughts
As we reflect on this eventful year, we express our gratitude to our dedicated teams, clients, and valued partners. While the chapter of 2024 concludes, our New Year’s resolution—to anticipate the unforeseen and respond promptly—stands resolute. Looking ahead, we are excited to share our plans for four releases of the VMRay Platform in 2025. Stay tuned for further updates in the coming year!
Cheers to the achievements of the past and the anticipation of an even more remarkable future! Happy New Year!