Introduction
Welcome in 2024! We open up this year with another release of the VMRay Platform, which we’ve been working on in the winter season of 2023. In this blog post, we have some exciting updates to share and a glimpse into the innovations and initiatives that we focused on in the past year.
Let’s dive into our latest achievements of the 2024.1.0 release:
- Support for the QR code phishing attacks
- Support for the analysis of ISO and UDF filetypes
- Web Analyses performance improvements
- Microsoft Defender for Endpoint
- Sharing Signature and Detection updates
To scan, or not to scan? – Quishing
In early November 2023, we responded to a new trend involving phishing links concealed within QR codes, prompting us to integrate QR code analysis into our Platform. We have experienced this new technique on our own backs, as well as many other companies and individuals under attack.
The malware authors started to insert these QR codes into emails, successfully evading security systems designed to detect suspicious links and reach unsuspecting targets. As QR codes need to be scanned first to reach the page, they require extensive user action to be exploited.
We are happy to announce that our Cloud users are already benefitting from the early-enabled QR code analysis feature, and we anticipate our On Premises customers will soon leverage this powerful tool as well. Every URL extracted from a QR code undergoes through our Smart Link Detonation feature. Given the potential attractiveness of QR code attacks for cybercriminals, it is necessary to scan and extract data, such as URLs, to allow Smart Link Detonation to make decisions about whether a URL should be submitted for further analysis.
As an example, you can make an email submission containing QR code images as attachments. After the analysis is performed, you will see the extracted URLs in the Console and in the generated reports.
New sample types support – ISO and UDF files
Email attachments continue to be a popular distribution channel for threat actors to spread malware, constantly adapting their tactics. In early 2023, the focal point was OneNote documents, but as of mid-2023, a shift occurred, with attackers switching towards ISO and UDF file formats for their malicious payloads. ISO and UDF files are generally perceived as having a lower risk profile. This is primarily because of their larger size, presenting a challenge for malware to go undetected. The common notion is that smaller executable files are more prone to malicious activities, fostering a sense of enhanced security with ISO files.
Threat actors have not missed this opportunity, as evidenced by their exploitation of a potential loophole in disk image files—specifically, heavily compressed attachments. Security solutions face difficulties detecting these compressed ISO and UDF files due to their size, with some antivirus programs opting for less thorough scans, especially when constrained by time. This has resulted in a dangerous combination of lower detection rates and the ease of launching without specialized software, fueling the surge in the use of ISO files in malicious attacks.
In response to this evolving threat, the VMRay Platform now allows users to submit ISO (ISO9660) and UDF Disk Images samples for both Static and Dynamic Analysis. Note that ISO and UDF submissions are supported exclusively on Windows 10 Virtual Machines.
Boosting the efficiency of Web Analyses
The Web Analysis feature is a key component of the VMRay Platform, designed to identify both common and sophisticated web-based attacks, including phishing and drive-by downloads. In this release, we have introduced support for multiple virtual CPUs (vCPUs), resulting in a substantial enhancement of the execution performance for Web Analyses.
By leveraging multiple vCPUs, the VM can efficiently manage concurrent tasks, particularly advantageous for workloads that can be divided into parallel threads. Each vCPU is capable of executing a separate thread, leading to accelerated overall processing and significant performance improvements.
Through optimization efforts, the analysis performance of Windows 10 VMs configured with multiple vCPUs is as fast as on single vCPU Windows 7 VMs. This enhancement additionally improves the maintenance operations conducted on the VMs in your installation – such as, for example – initializing a VM and installing a guest Operating System.
Sharing Signature & Detection Highlights
The work of our Labs Team plays a vital role in understanding and reacting to dynamically changing cybersecurity landscape. Thanks to their constant research of public, community-run, and internal malware tracking, we can promptly respond to the latest malware advancements, adjust our product and protect you against new threats.
As you may have noticed, over the past few months, we have been publishing the research of our Threat Analysts to keep you up-to-date on the latest advancements in Signature and Detection. We share this via a monthly release blog edition. Additionally, as our customer, you can access these changes via the Knowledge Center.
Check the latest entries on the VMRay blog by searching for “Signature and Detection Highlights.”
Microsoft Defender for Endpoint
We’re happy to announce a comeback of integration between MS Defender for Endpoint and VMRay, enhancing threat detection and response capabilities. This connector integration is designed for FinalVerdict and TotalInsight products as they both support inbound and outbound integrations.
MS Defender for Endpoint orchestrates the aggregation of alerts and associated evidence, facilitating the query or submission of these samples into the VMRay Platform. Post-submission, the connector extracts Indicators of Compromise (IOCs) from VMRay and incorporates them into Microsoft Defender for Endpoint. Users can configure the connector to perform tasks such as isolation, anti-virus scans, file quarantine, or initiate comprehensive collection investigation packages.
Stay tuned for integrations that will help power your Threat Intelligence Platform (TIP). Regardless of where the submissions to VMRay source from, TIPs will be able to ingest IOCs and reports, so that you have all of the valuable intelligence available from VMRay accessible to your CTI and SOC teams.
The journey of 2023 – A year of achievements!
As we bid farewell to 2023, it’s undeniable that this year has been quite a ride!
Among the notable milestones, we introduced Threat Feed and NewsBox on the VMRay Console Dashboard, accompanied by a series of user interface enhancements early last year. We then followed by introducing Email Sample Clusters in IR Mailbox submissions, which groups emails to different senders with common email bodies including URLs and attachments into one element. Our journey then continued with the unveiling of a New Product Portfolio—a comprehensive suite that provides an extensive range of threat analysis products.
Right after diversifying our portfolio, we successfully incorporated support for the analysis of OneNote and Linux ELF files. Tackling challenges head-on, we delved into the analysis of large malware samples, showcasing our dedication to addressing malware trying to evade analysis by hiding within artificially enlarged files. We then followed up with a fast reaction to Quishing campaigns, and even faster execution performance of Web Analyses thanks to the introduction of multiple vCPUs.
Our Labs team and Threat Researchers have also celebrated numerous successes. These achievements include expansion the scope of configuration extractions, implementing YARA rules to target prominent malware families, and enhancing multiple detection features based on the latest advancements in malware techniques. The addition of several dozen new VTIs (VMRay Threat Identifiers) additionally guarantees that our users are equipped with cutting-edge tools to effectively counter the constantly changing threat landscape.
As we reflect on this eventful year, we express our gratitude to our dedicated teams, clients, and valued partners. While the chapter of 2023 concludes, our New Year’s resolution—to anticipate the unforeseen and respond promptly—stands resolute. Looking ahead, we are excited to share our plans for five releases of the VMRay Platform in 2024. Stay tuned for further updates in the coming year!
Cheers to the achievements of the past and the anticipation of an even more remarkable future! Happy New Year!
