Introduction
This year is slowly coming to its end. Leaves are falling from the trees, but our appetite for threat hunting is not! We're always on the lookout for dynamic behavior analysis, unusual or suspicious patterns in network traffic, file and memory analysis, new phishing trends, Threat Intelligence integration, and much more.
We also hope you are getting the most out of our Linux analysis capabilities. Analyzing Linux-based malware, vulnerabilities, and attack techniques is essential for securing a wide range of systems, from servers and containers to IoT devices and cloud environments.
In this release, we begin to focus on complex delivery chains by addressing the detection of malware delivered in big files. By big, we mean files of more than 200 MB, which have been evading detection by hiding inside large containers. Analyzing large malware files is time-consuming and complex for security researchers, which delays the development of effective countermeasures and leaves systems exposed for longer.
It’s not only about the big malware samples, though, so let’s delve into some more achievements of the 2023.4.0 release!
Big Samples, Big Problem? – Not anymore!
Malware authors often use large and complex samples to bury malicious code in noise. Recently, families such as Emotet and Qbot have tried to infiltrate users' systems by hiding in artificially enlarged files. Emotet, for example, switched its delivery method to macro-based Office documents with huge file sizes: the documents were padded to exceed the upload and analysis size limits of security tools, and once unpacked from their ZIP archives they reached several hundred MB. Previously, neither the archive nor the document itself could be analyzed because it exceeded our submission limits. We have therefore raised the sample upload limit, so files of several hundred MB can now be uploaded to the VMRay Platform and analyzed.
In the next releases, we'll also start research on extended support for ISO files, which are frequently delivered in large sizes. Malicious actors can use ISO images to conceal malware: the ISO file itself may appear benign, but it contains a payload that runs when the user mounts the image and opens its contents.
Remember that the size of a malware file is just one factor to consider when assessing the threat level. Effective cybersecurity relies on a combination of techniques, including signature-based detection, behavioral analysis, network monitoring, and user education, to protect against malware threats, regardless of their size.
Sharing Report Capabilities – Screenshots
In the 2023.2.0 release, we announced our New Product Portfolio, introducing DeepResponse, FinalVerdict, and TotalInsight. We hope you enjoy the features and variety of these products and that they fit the way you work.
We're excited to announce that FinalVerdict users now get one of the Report's capabilities: analysis screenshots. From now on, FinalVerdict users can retrieve and work with the screenshots associated with an analysis through the REST API, even if the analysis is locked in the Platform.
DeepResponse and TotalInsight users already benefit from screenshots as part of the Report. Still, it is worth not taking this feature for granted, so let's recap what screenshots add to the analysis of a sample.
When files or URLs are submitted and detonated, our platform takes screenshots of the GUI of the virtual environment and includes them in the Analysis Report. But how do the screenshots help in malware analysis and detection? Let’s learn it in a few points.
- Screenshots provide valuable visual records of malware’s user interface or any attempts to deceive the user through fake dialogs or windows.
- To capture screenshots during malware analysis, analysts typically use screen recording software or take manual screenshots at critical points in the analysis process. With VMRay’s automated malware analysis and virtual machines, we capture screenshots as part of our monitoring and analysis procedures.
- Screenshots can be used for training and documentation purposes, helping security professionals and incident responders understand the visual cues associated with different types of malware.
VMRay FinalVerdict provides timely insights into malware and phishing threats. With captured screenshots available for review, investigations of malicious or suspicious activity gain another source of evidence, and analysts can triage potential incidents even faster. Screenshots are also handy for catching visually apparent behaviors, such as fake error dialogs or credential prompts, that are not immediately obvious from other types of monitoring like network traffic analysis or file system monitoring.
Bringing More Security to API Keys
API keys are like passwords that grant access to your services, data, or resources. If they fall into the wrong hands, unauthorized individuals or applications can misuse your APIs, leading to data breaches, financial losses, or other security issues. Depending on your industry, you may have legal or regulatory obligations to protect sensitive data and access controls.
Considering these security aspects, we upgraded the user interface for API keys generated in the Platform. The key list now shows the Key-ID instead of the API secret in plain text. Note that once you leave the confirmation page after creating a new API key, the secret can no longer be retrieved, so store it in a secure place at that moment. Use a secrets management system such as AWS Secrets Manager or Google Cloud Secret Manager to store and manage API keys; these tools provide encryption, versioning, and access control. Treat the key like a password: keep it out of source code and logs, and revoke and regenerate it if it is ever exposed.
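The pattern behind "the key is shown once and only the Key-ID is listed afterwards" is that the server keeps a hash of the secret rather than the secret itself, so there is nothing to retrieve later. The following is an added, generic illustration of that pattern, not VMRay's implementation; the class, method and label names are this example's own.

```python
"""Generic API-key handling: show the secret once, keep only its hash.

Added example, not VMRay's implementation. The UI lists a Key-ID, the
secret is displayed only on the confirmation page, and afterwards it cannot
be recovered because the server stores a SHA-256 digest, not the secret.
"""
import hashlib
import hmac
import secrets


class ApiKeyStore:
    """Server-side store: key_id -> (sha256(secret), label)."""

    def __init__(self):
        self._records = {}

    def create(self, label):
        """Create a key; returns (key_id, full_key). full_key is shown exactly once."""
        key_id = secrets.token_hex(8)        # safe to display, log and use in listings
        secret = secrets.token_urlsafe(32)   # 256 bits of entropy, never stored
        # A plain SHA-256 is adequate here: the secret is random and long, so offline
        # guessing is infeasible and a slow password hash is unnecessary.
        digest = hashlib.sha256(secret.encode("utf-8")).digest()
        self._records[key_id] = (digest, label)
        return key_id, f"{key_id}.{secret}"

    def verify(self, presented_key):
        """Check a presented 'key_id.secret' string with a constant-time compare."""
        key_id, sep, secret = presented_key.partition(".")
        if not sep:
            return False
        digest = hashlib.sha256(secret.encode("utf-8")).digest()
        record = self._records.get(key_id)
        if record is None:
            # Compare against a dummy digest so timing does not reveal which IDs exist.
            hmac.compare_digest(digest, b"\x00" * 32)
            return False
        return hmac.compare_digest(digest, record[0])

    def list_keys(self):
        """What the key-management UI shows: IDs and labels, never secrets."""
        return [(key_id, label) for key_id, (_, label) in self._records.items()]

    def revoke(self, key_id):
        return self._records.pop(key_id, None) is not None


def demo():
    """Walk through create -> list -> verify -> revoke and return the observations."""
    store = ApiKeyStore()
    key_id, full_key = store.create("ci-pipeline")
    secret_part = full_key.split(".", 1)[1]
    return {
        "listed": store.list_keys(),
        "secret_in_listing": any(secret_part in label for _, label in store.list_keys()),
        "valid": store.verify(full_key),
        "wrong_secret": store.verify(f"{key_id}.not-the-secret"),
        "unknown_id": store.verify("deadbeefdeadbeef." + secret_part),
        "revoked": store.revoke(key_id),
        "valid_after_revoke": store.verify(full_key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The Key-ID is only an identifier for lookups and audit logs; the secret part is the credential. A client should load the full key from an environment variable or a secrets manager at runtime rather than embedding it in code.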
VMRay Platform Autumn Cleaning
It’s not only essential to bring new and exciting features but also to wipe the dust in our Platform to keep it in good shape. There are two noteworthy activities that we’ve just released:
Filenames Sanitization
Filenames and paths cannot contain certain characters because those characters have special meanings within the operating system or file system (on Windows, for example, the characters < > : " / \ | ? * and ASCII control characters). Previously, the Platform rejected files whose names contained such characters; submitting a Windows sample with a forbidden character in its filename resulted in a submission error.
To analyze files as realistically as possible, we improved the submission handling. When the VMRay Platform detects a filename containing forbidden characters during submission (for example, the filename of an email), it now sanitizes it automatically: the forbidden characters are replaced with a random string and the file is analyzed under the sanitized name.
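The sanitization step is small but has a few edge cases that are easy to miss: Windows also rejects reserved device names such as CON or LPT1 regardless of extension, silently strips trailing dots and spaces, and limits a path component to 255 characters. The following is an added example of such a sanitizer, not VMRay's code; the token length, the reserved-name suffix and the sample filename are this example's own choices.

```python
"""Sanitize filenames that Windows would reject, replacing each forbidden
character with a random token so the sample can still be dropped into a VM.

Added example, not VMRay's code. It illustrates the kind of sanitization the
release describes, with the reserved-name and length handling as extras.
"""
import random
import string

# Characters Windows refuses in a path component, plus ASCII control characters.
WINDOWS_FORBIDDEN = set('<>:"/\\|?*') | {chr(c) for c in range(32)}
# Device names reserved regardless of extension ("CON.txt" still resolves to CON).
RESERVED_NAMES = ({"CON", "PRN", "AUX", "NUL"}
                  | {f"COM{i}" for i in range(1, 10)}
                  | {f"LPT{i}" for i in range(1, 10)})
MAX_COMPONENT_LENGTH = 255
TOKEN_ALPHABET = string.ascii_lowercase + string.digits


def is_valid_windows_filename(name):
    """True if Windows would accept `name` as a single path component."""
    if not name or name != name.rstrip(" ."):
        return False
    if any(ch in WINDOWS_FORBIDDEN for ch in name):
        return False
    if name.split(".", 1)[0].upper() in RESERVED_NAMES:
        return False
    return len(name) <= MAX_COMPONENT_LENGTH


def sanitize_windows_filename(name, rng=None, token_length=6):
    """Return a Windows-safe filename, replacing every forbidden character with a random token.

    `rng` may be a seeded random.Random for reproducible output; the default is a CSPRNG.
    """
    rng = rng or random.SystemRandom()

    def token():
        return "".join(rng.choice(TOKEN_ALPHABET) for _ in range(token_length))

    cleaned = "".join(token() if ch in WINDOWS_FORBIDDEN else ch for ch in name)
    cleaned = cleaned.rstrip(" .")              # Windows would strip these anyway
    stem, dot, ext = cleaned.partition(".")
    if stem.upper() in RESERVED_NAMES:          # CON.txt -> CON_x7k2p9.txt
        stem = f"{stem}_{token()}"
    cleaned = stem + dot + ext
    if not cleaned:                             # name consisted only of bad characters
        cleaned = token()
    if len(cleaned) > MAX_COMPONENT_LENGTH:
        cleaned = cleaned[:MAX_COMPONENT_LENGTH].rstrip(" .")
    return cleaned


# Constructed sample: a typical email subject reused as an .eml filename.
SAMPLE_NAME = 'Re: Invoice <urgent> | payment?.eml'

if __name__ == "__main__":
    print(SAMPLE_NAME, "->", sanitize_windows_filename(SAMPLE_NAME))
```

Replacing each forbidden character with a separate token keeps the sanitized name unique per submission while preserving the parts of the original name (including the extension) that decide which application opens the file inside the analysis VM.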
Enhanced URL Submission
Long URLs can be used to obfuscate the true destination of a link. Phishing actors want to trick users into clicking malicious links that appear legitimate, and by making the URL long and complex they hope to confuse users and hide the fact that the link leads to a phishing site.
With this in mind, we've expanded our URL submission mechanism to accept links of up to several thousand characters.
Updates to VMRay Connectors
VMRay connectors refer to integrations or plugins that allow our platform to connect with and exchange information with other security tools or systems. To help ensure that the VMRay Platform products fit seamlessly into your security ecosystem, we have worked with various partners over many years to create connectors, which are pre-built integrations to other popular security products.
We are happy to announce the release of our connector for CrowdStrike Falcon XDR. With the new connector, Falcon users can enrich their CrowdStrike endpoint detections with VMRay's analysis results.
We also made several enhancements to the SentinelOne Singularity XDR connector. From now on:
- the connector supports 100+ sites
- a new download method is available
- you can choose which alert types (Malicious and/or Suspicious) are enriched
Stay tuned for more as the integrations will be expanding!
Trends in Malware Delivery Methods
Here is the latest extract from our malware delivery research.
PDF, ISO and LNK Files in Attacks
In recent times, we’ve witnessed a resurgence of traditional attack vectors, with PDF files, ISO images, and LNK files once again taking center stage in the malware landscape.
PDF files have been a trusted and widely used format for sharing documents. Cybercriminals have not overlooked this, and they have again turned their attention to PDF-based attacks because of the format's popularity: attackers can easily craft malicious PDFs that, at first glance, appear legitimate.
ISO images, commonly used for creating copies of optical discs, have unexpectedly returned to the malware landscape. Attackers hide malicious files within ISO images, which makes them harder for traditional security measures to inspect; Windows mounts an ISO natively on double-click, and files launched from the mounted image have historically not carried the Mark of the Web, so they escaped the warning prompts that a directly downloaded executable would trigger. ISO files are also distributed through malicious websites or compromised legitimate ones, posing a significant threat to unsuspecting users.
LNK files, or Windows shortcut files, have become another favored choice among threat actors. A shortcut's target and command-line arguments can launch any command, so LNK files abuse legitimate Windows features to execute arbitrary code or launch malicious scripts. They are often used as a delivery mechanism for malware, as users are more likely to trust a seemingly harmless shortcut.
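What a shortcut actually launches is stored in its StringData section (relative path, working directory, command-line arguments) as laid out in Microsoft's MS-SHLLINK specification, so a triager can pull it out without executing anything. The following is an added example of such a parser with a simple living-off-the-land-binary check, not VMRay's code; the sample shortcut is constructed inline for the demo and the LOLBIN list is this example's own.

```python
"""Parse the StringData of a Windows shortcut (.LNK, MS-SHLLINK) and flag
shortcuts that launch script hosts or other living-off-the-land binaries.

Added example, not VMRay's code. build_lnk() constructs a minimal sample
shortcut so the demo runs offline; the LOLBIN list is this example's own.
"""
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
SW_SHOWMINNOACTIVE = 7  # often chosen by attackers so the launched window stays out of sight

# StringData fields appear in exactly this order when their flag is set.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

LOLBINS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript",
           "rundll32", "regsvr32", "certutil", "bitsadmin", "msiexec", "curl")


def parse_lnk(data):
    """Return header flags, ShowCommand and the StringData fields as a dict."""
    if (len(data) < LNK_HEADER_SIZE or data[4:20] != LNK_CLSID
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    show_command = struct.unpack_from("<I", data, 0x3C)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:        # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                  # LinkInfoSize includes the size field itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    info = {"flags": flags, "show_command": show_command}
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        size = count * 2 if unicode else count
        raw = data[pos:pos + size]
        pos += size
        info[key] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
    return info


def triage_lnk(data):
    """Parse a shortcut and return (info, list of LOLBINs referenced by what it launches)."""
    info = parse_lnk(data)
    launch = " ".join(info.get(k, "") for k in ("relative_path", "arguments", "icon_location")).lower()
    return info, [b for b in LOLBINS if b in launch]


def build_lnk(relative_path, arguments="", working_dir=None, show_command=1):
    """Construct a minimal Unicode .LNK containing only a header and StringData."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    if working_dir is not None:
        flags |= HAS_WORKING_DIR
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<II", flags, 0x20)
    header += b"\x00" * 24                                              # three FILETIMEs
    header += struct.pack("<IIIHHII", 0, 0, show_command, 0, 0, 0, 0)   # FileSize, IconIndex, ShowCommand, HotKey, reserved
    assert len(header) == LNK_HEADER_SIZE

    def string_data(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    body = string_data(relative_path)
    if working_dir is not None:
        body += string_data(working_dir)
    body += string_data(arguments)
    return header + body


# Constructed sample: a "document" shortcut that really launches a hidden PowerShell.
SAMPLE_LNK = build_lnk(
    r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    '-nop -w hidden -c "Start-Process calc.exe"',
    working_dir=r"%USERPROFILE%",
    show_command=SW_SHOWMINNOACTIVE,
)

if __name__ == "__main__":
    info, hits = triage_lnk(SAMPLE_LNK)
    print(info, "LOLBIN hits:", hits)
```

Real-world shortcuts usually also carry a LinkTargetIDList and LinkInfo; the parser skips both by their declared sizes, so the StringData is found regardless. A ShowCommand of 7 (SW_SHOWMINNOACTIVE) on a shortcut that launches a script host is a second cheap signal worth surfacing next to the extracted command line.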
OneNote Getting off the Stage
OneNote is a digital notebook that can be divided into sections and pages, mirroring the physical notebooks we've all used at some point. In the first quarter of 2023, malicious OneNote documents were observed delivering Emotet, one of the most infamous loaders, acting as an entry point for further attacks.
Today, however, OneNote is no longer such a popular choice for threat actors, and we see a significant drop in attack attempts using this file type.
Final Thoughts
Although the days are getting shorter and fall is just around the corner, we're not falling into a nostalgic mood. In the upcoming releases, we plan to give attention to complex delivery chains, which are gaining more and more traction in the cybersecurity world. In the context of malware, complex delivery chains are sophisticated, multi-stage techniques that cybercriminals use to distribute and infect systems with malicious software. They are designed to evade detection, increase the chances of successful infection, and maximize the payload's impact.
Shifting attention from the gloomy vision of attackers crafting new and more evasive malware, we will also regularly update our external integrations, such as connectors, so they always support the latest features. Additionally, we have a nice surprise! Our quarterly release cycle will be extended to 5 releases in 2024, giving you another set of valuable updates in January next year. Enjoy this cozy season and follow our ongoing journey!