About a decade ago, in the good old “just SIEM it” days, the SOC was typically measured on quantity – the number of alerts validated, number of investigations escalated, number of infections mitigated, and so on. The challenges were how to make the SIEM work better – aggregation of events, dedup, correlation, alert prioritization, and for the most progressive security teams, even enrichment. How do you do handle all alerts fast and without delays? Security vendors were marketing “focus on what matters,” but what they really did was only get you to the doorsteps of the real hard stuff and leaving you with a bunch of packet captures. The recent technology advancements and discussion around what refers to as “Detection & Response” has disrupted this approach. The direction we’re seeing nowadays is to generate fewer alerts on the control side and instead focus on how to remediate existing infections as early as possible. But how do you stay up-to-date with the ever-evolving threat landscape when you are buried with operational struggle? Can you really raise your head above to see what is coming? Can you be fast enough when it comes?
From in-line protection against advanced phishing to mastering memory dumps of evasive malware, the VMRay Platform version 4.4.0 continues to address organizations’ critical bottlenecks when leveling up security against advanced threats. While the VMRay Platform expands to deliver a wider set of technologies to combat the toughest threats, our mission remains steadfast: We enable organizations to augment and automate security operations by providing the world’s best threat analysis and detection platform.
Mastering Memory Dumping Is What We Do for a Living
On the Journey to Fully Automated Dumps
To address these challenges, security teams are supplementing their malware protection architecture with dynamic analysis technologies. When detonating malware in a sandbox environment, the malware source code can be revealed in clear-text by dumping memory regions in run-time. If successfully done, this equips security analysts with every piece of information they need to respond to a threat and make sure the organization is better protected against similar threats in the future. The memory dump may allow an easy way to attribute the threat to its actor, classify the malware family and version, and generate better IOCs.
A couple of years back, with the release of VMRay Analyzer 3.0.0, we introduced Smart Memory Dumping. This capability allows us to generate high-quality memory dumps in an automated fashion. Meaning, our users can submit malware samples for analysis and immediately receive the relevant dumps without any manual intervention. Today, we are proud to introduce several major enhancements for this capability. Moreover (spoiler alert!), it’s time to say that this is just part one of our plan to fully automate the ability to extract malware configs from all common malware families. So stay tuned. For now, we are introducing improvements in three areas.
Dumping Non-executable Memory Regions
Oftentimes, the forensics data used to identify a malware sample, as well as its specific configuration, resides within the non-executable memory. Smart Memory Dumps now allows dumping such regions as soon as certain behaviors are identified. For example, apply more aggressive dumping for injected processes, or on the first attempt to create a network request. We will also use these dumps to improve threat detection and classification by matching them against YARA rules and the built-in AV.
Dump Triggers Are Now Part of the VMRay Detection Updates
In this fast-paced landscape, detection rules cannot afford long delays. This is why we have introduced Detection Updates in the 4.2.0 release. This allows us to quickly and continuously release detection updates, distributing them for both VMRay Cloud and On-Premises deployments. With this release, updates to memory dump triggers are now included in our Detection Updates mechanism. VMRay Labs will introduce new triggers to ensure the most relevant dumps are created when new malware families are discovered.
Memory Dumping of Reflectively Loaded Assemblies
Malware that leverages the .NET framework (C#, Powershell, VB) often uses the System.Reflection.Assembly::Load method to load an assembly directly from memory without saving it to disk. To address this, the VMRay Dynamic Analysis now better monitors such behavior. When analyzing malware that is leveraging the .NET framework, Dynamic Analysis will detect calls to the Reflection API and trigger a memory dump.
Maximizing the Power of Computer Vision for Phishing Detection
Phishing pages often use branding images to impersonate a credential harvesting webpage to the targeted user. VMRay, along with other advanced threat detection solutions, are familiar with this approach and therefore introduce mechanisms to detect such impersonation attempts based on the image hash. A detection rule is set if the hash matches but the brand does not own the page. This works very reliably as a detection method as long as the phishing page uses the original logo images from the brand they intend to target. Luckily, this is often the case. But with email security, it’s not ideal to rely on luck in this cat-and-mouse game. Phishing pages have identified these “hash detection mechanisms,” and so they started applying minor modifications on the used image to thwart detection. This could be a single pixel, or rather some different compression, which is sufficient to alter the hash.
In the VMRay Platform 4.2.0 release, we have introduced Computer Vision, leveraging OCR (Optical Character Recognition) technology to extract text from images embedded in phishing documents. In this release, we have expanded the VMRay Computer Vision feature, so that brand images can be recognized not only by their exact hash but rather by any text they contain, such as the brand name. Powered by Computer Vision, the VMRay Dynamic Web Analysis will correctly identify such a page as a Microsoft phishing page, even though the original image has been manipulated.
VMRay ETD Now Blocks Email Threats before They Reach the Inbox
So far, our customers have been using the VMRay Email Threat Defender (ETD) “out-of-band” or via an API connection to Microsoft 365 (Exchange Online). While this simplifies the setup process, as it applies to either email copies or messages already in the recipient’s mailbox, some of our customers demand a tighter policy. The earlier approach leaves a user exposed, sometimes up to several minutes, while the analysis is in progress.
The VMRay ETD now supports a Prevent operation mode when deployed in a Microsoft Exchange Online environment (aka Microsoft 365). When this operation mode is selected, malicious emails are quarantined before they reach the user’s mailbox, thus, ensuring recipients are never exposed at any time. This new capability relies on Exchange Connectors to route incoming emails to VMRay ETD after they have been accepted, i.e., after the basic security checks have been applied by EOP (Exchange Online Protection). As soon as the analysis is complete, ETD returns each email to EOP using a connector and is either delivered to the user’s inbox or a quarantine mailbox.
Hot Detection Updates!
As part of the ongoing signature and detection updates, new YARA rules and enhanced malware VTIs for high-profile malware families were added. Additionally, the precision of phishing VTIs has been improved. This includes:
Added YARA rules for several high-profile malware families and phishing kits
Expanded phishing VTIs while also significantly improving the precision of our existing detections
Improved robustness of our malware VTIs, most notably for our generic detection of ransomware
Refined our Smart Link Detonation heuristics even better to recognize domains that are likely to host phishing content
Improved Adaptive Browser Simulation on web pages to ensure full visibility for our phishing detections
Residential Network Nodes
Malware and phishing often try to detect sandboxes on the server-side. One of the most common techniques is refusing c2 callbacks if the network requests are coming from known Cloud provider services, such as AWS, Google Cloud or Azure. VMRay’s network infrastructure now includes servers that are located outside of known cloud and VPN provider IP ranges, bypassing the IP blocklists of malicious servers.
MacOS Catalina Support
We have added Dynamic File Analysis support for macOS Catalina (version 10.15). The new version is only supported for Analyzer Cloud at the moment.
ETD and Azure Sentinel Integration
With VMRay Email Threat Defender for Azure Sentinel, you make the data provided by VMRay ETD available to Azure Sentinel in near real-time. It empowers SOCs to orchestrate response actions as soon as VMRay ETD detects malicious emails. This VMRay Connector is free of charge and can be deployed with just a few clicks from the Azure Marketplace. This is also a great opportunity to mention that we are now officially part of the Microsoft Intelligent Security Association (MISA).
Build More Efficient Integrations with Webhooks
We added a webhook notification feature to our VMRay REST API to streamline data processing. Until now, your scripts using the VMRay REST API had to periodically check whether a submission has been finished and thus, the results are ready for further processing. This polling approach generates unnecessary network traffic and wastes computing resources.
Our new API notification feature allows you to specify a callback at submission time, so you’ll be notified as soon as all the analyses related to your submission are completed. This notification is sent as a webhook containing the most relevant information, such as the Sample Verdict. Triggered by the callback, your script can continue further processing or query additional data from the VMRay REST API. Altogether this new feature saves time and resources when integrating the VMRay Platform with your tools and workflows.
Final Thoughts
These are exciting days at VMRay. We’ve expanded our product line with ETD and a wide variety of connectors to the most popular cybersecurity software. Regardless of your existing security ecosystem, you can now augment your EDR, SOAR, TIP and other technologies with our best-of-breed malware detection and analysis technology. Stay tuned for more!
