Cyber is not always sexy and fun, so today, let’s take a look at a term that keeps a lot of security professionals up at night:
Malicious code developers, such as exploit authors, write malware, viruses, worms, trojans, backdoors, spyware, and other damaging code with the specific intent of hiding itself from anti-virus and other detection mechanisms. This is referred to as obfuscation.
Conversely, security researchers spend their time on the other end of the spectrum, writing signatures and other behavioral analytics programs to detect the code that malicious developers write. This is the de-obfuscation part of the equation.
This conundrum is considered an obfuscation-deobfuscation game because it is similar to game of cat and mouse. Developers are constantly adapting their code to hide itself while researchers are constantly playing catch up by writing anti-virus/anti-malware signatures to detect the obfuscated code. It is a never ending battle.
Examples of how malware may try to hide itself on an asset:
Advanced Persistent Threat (APT) via Encryption
Advanced persistent threats can be described as malware that lies dormant and hidden from ordinary detection tools and incident response measures. APT seeks to not only persist, but discover and proliferate, elevate privileges, and remain undetected for as long as possible (Rass, et al., 2017).
One way for the APT to remain undetected is by combining polymorphic actions with encryption. A polymorphic virus replicates itself and changes certain attributes every time it infects another program. One technique is encryption key changes, whereby each infected host has a unique encryption and decryption keys. This combination makes it almost impossible to keep updated signature matches in anti-virus software (Drew, et al., 2017).
Sometimes an APT can persist within an environment for days, months, or years without being detected because it only sends encrypted data to its command and control structure when a certain criteria are met. Most APTs are delivered by social engineering campaigns, such as spear-phishing against certain employees or whaling against executives and other high value targets.
In a Process Running in Memory
Researchers at SentinelOne have discovered malware that remains and executes itself in memory without touching the hard drive. SentinelOne Sr. Security Researcher Joseph Landry describes NanoCore malware as a strain that injects itself into processes created in memory and stores encrypted payloads inside of image files to avoid detection (Barth, 2016). Companies that do not have kernel level analysis tools and/or processes in place may subject themselves to this form of APT.
Unfortunately, APTs have evolved into more malicious types of malware, such as these kinds of RATs (remote access trojans) and other various forms of ransomware. Increased levels of communications encryption for C&C, malware that is environmentally aware (of sandboxes and other containment technologies), and better subversion techniques have made APTs the go to source for threat actors.
Hackers do not stop at designing malware that hides itself. Oh no, that would be too easy. Enter:
Environmentally Aware Malware
Not only can malware hide itself, but it can detect and react differently based on environment. Here are a few examples:
Kasperky Labs reported that 74 strains of Carbanak malware are responsible for stealing as much as $1 billion from banks since 2013. Carbanak used exe files that were obfuscated as system files and modified memory processes when certain OS characteristics, such as specific runtime environments, were detected (Lastline, 2015).
Black POS Malware
The Black POS malware strain uses time based actions in environmental awareness. It reacts based on user actions, including clicking, system reboots, and system times that are hard coded into the malware. If none of these conditions are met, then it does nothing (Velmurugan, 2015).
Microsoft reported a malware Trojan that steals passwords. The Nenim downloader is interesting because it was programmed to delete the parts of the downloaded files that would normally be analyzed, preventing researchers from recovering content and URL data about the malware (San Jose, 2013).
Malwarebytes Labs also released the details of eFast malware, which deletes web browser shortcuts and replaces legitimate Chrome browsers with a new malicious browser by hijacking popular file associations such as html and https (Arntz, 2015).
TrendMicro reports that the CRYPTESLA malware is delivered via driveby downloads to users of infected websites and deletes itself after execution. It has been used as ransomware to demand payment in exchange for removal (TrendMicro, 2016).
Obfuscation-deobfuscation is considered a game because malware writers are constantly adapting their code to hide itself while researchers are constantly looking for ways to detect the obfuscated code.
Malware can remain an advanced persistent threat (APT) by hiding itself via polymorphism, encryption and by running in processes. Polymorphic code changes itself every time it replicates. Encryption hides these activities and remains under the radar by changing encryption/decryption keys on each new device. Finally, APTs can run in memory and hide encrypted payloads in image files and remain undetected unless processes are in place to analyze at the kernel level.
When evaluating considerations on how environmentally aware malware could react to certain labs, it is important to consider that the reactions could include removing all traces of itself after executing. As evidenced by the examples above, malware file deletion could include browsers, URL and content download data that could be relevant to a forensic investigation. To that end, malware analysis should begin with prepping the test environment. If not, these dangerous types of malware could spread to other machines, obfuscate its behavior, make system changes, and delete all traces of itself after stealing data.
Security professionals must understand these evolving threats in order to help their organizations properly mitigate the risk of being impacted. Since 100% prevention is not feasible, detection and proper incident response capabilities for these activities should be formulated to align with the requirements of the business.
Unrelated: teddy bears have IP addresses.
It’s a great time to be in cyber.
Barth, B. (2016, April 21) New technique hides RATs in memory, never touching disk during its execution. SCMagazine. Retrieved from: https://www.scmagazine.com/new-technique-hides-rats-in-memory-never-touching-disk-during-its-execution/article/528510/
Christodorescu, M., & Jha, S. (2012). Static Analysis of Executables to Detect Malicious Patterns.
Carbanak Malware-Ninety Five Percent Exhibits Stealthy or Evasive Behaviors. Lastline. Retrieved from: https://www.lastline.com/labsblog/carbanak-malware-ninety-five-percent-exhibits-stealthy-or-evasive-behaviors/
Drew, J., Hahsler, M., & Moore, T. (2017). Polymorphic malware detection using sequence classification methods and ensembles. EURASIP Journal On Information Security, 2017(1), 1-12. doi:10.1186/s13635-017-0055-6
Rass, S., König, S., & Schauer, S. (2017). Defending Against Advanced Persistent Threats Using Game-Theory. Plos ONE, 12(1), 1-43. doi:10.1371/journal.pone.0168675
Velmurugan, K. (2015, March 24) POS Malware Uses Time-Stamp Check to Evade Detection. Intel Security. Retrieved from: https://securingtomorrow.mcafee.com/mcafee-labs/pos-malware-uses-time-stamp-check-to-evade-detection/