Inside the Mind of Malware: Analysis & Investigations Unraveled

Athis SN
May 25, 2025

A talk on malware analysis covering the following areas:

Introduction to Malware & Its Types
Initial Access & Infection Techniques
Persistence Techniques Used by Malware
Packers 101
OS Internals: PE Structure, DLL & Windows API
Malware Analysis: Static Analysis
Glimpse into Malware Reverse Engineering
Memory Forensics 101
Anti-Analysis Techniques


Transcript

  1. Agenda
     - Introduction to Malware & Its Types
     - Initial Access & Infection Techniques
     - Persistence Techniques Used by Malware
     - Packers 101
     - OS Internals: PE Structure, DLL & Windows API
     - Malware Analysis: Static Analysis
     - Glimpse into Malware Reverse Engineering
     - Memory Forensics 101
     - Anti-Analysis Techniques
  2. Whoami
     - Undergrad @VELS
     - 7+ years of experience in Information Security
     - Security Engineer @Azefox
     - Head @DEF CON Chennai (DCG9144)
     - CRTP & MCRTA
     - Red Team Operations, Exploit Development, Application Security, Malware Analysis & Threat Research
  3. Malware 101
     - Malware: malicious software
     - Purpose: theft, espionage, or financial gain
     - Can target individuals, organizations, and governments
     - Spreads via email attachments, removable devices, etc.
     - Used by APTs, nation-states & other cyber criminals
     - MaaS (Malware as a Service)
     - What makes malware succeed: EDR & AV evasion, persistence, lateral movement, fileless execution
  4. Evolution of Malware
     - 1990s: Emergence of macro-based viruses targeting Microsoft Office documents - Melissa
     - 2000s: Rise of botnets and spyware - ILOVEYOU worm
     - 2010s: Sophisticated nation-state malware - NotPetya, Pegasus
  5. Types of Malware
     - Virus & Worm
     - Spyware & Adware
     - Ransomware
     - Downloader/Dropper
     - Botnet
     - Infostealer
     - Keylogger
     - Backdoor
     - RAT
     - Rootkit/Bootkit
  6. Initial Access & Infection Techniques
     - Supply Chain Attacks
     - Drive-By Downloads
     - Email Attachments
     - Removable Devices
     - Exploiting Vulnerabilities
     - Malvertising
     - Watering Hole Attack
  7. Well Known Malware
     - Stuxnet (2010)
     - NotPetya (2017)
     - Mirai Botnet (2016)
     - WannaCry Ransomware (2017)
     - Zeus (2007)
     - Emotet (2017)
     - Ryuk Ransomware (2018)
  8. Packers
     - Software that compresses or modifies executables to obfuscate their original structure
     - Compression is the core of packing
     - Produces a new executable which is smaller in size
     - An unpacker stub decompresses the original code at runtime
     - Provides obfuscation of the code, making it hard to detect
     - Known packers: UPX, MPRESS
     - Custom packers written by adversaries
  9. Portable Executable (PE) 101
     - File format identified by the "MZ" magic (e_magic = 0x5A4D)
     - Examples: .EXE, .DLL, .SYS, .DRV, etc.
     - Contains the information required by the OS to load it into memory
     - The OS loader reads information from the PE header, then loads the content from file to memory (F -> M)
     - Portability across Windows OS versions
  10. PE Structure Overview
      - DOS Header (IMAGE_DOS_HEADER): e_magic, e_lfanew
      - DOS Stub
      - NT Headers (IMAGE_NT_HEADERS): File Header (IMAGE_FILE_HEADER) and Optional Header (IMAGE_OPTIONAL_HEADER), which holds AddressOfEntryPoint
      - Section Table and Sections (IMAGE_SECTION_HEADER): .text, .rdata, .idata, .edata, .bss, etc.
      - DEMO: CFFExplorer
  11. Dynamic Link Library (DLL)
      - Code reusability
      - Loaded into a process's memory at runtime
      - Processes can access functions within the DLL
      - Common Windows DLLs: kernel32.dll, user32.dll, ntdll.dll
      - DLL attacks: DLL hijacking, DLL search order hijacking, DLL sideloading, etc.
  12. Windows API 101
      - Set of functions that allow applications to interact with the OS
      - Common Windows APIs: CreateFile(), DeleteFile(), etc.
      - Also used by malware authors for code injection & hooking techniques
      - DEMO: Windows API in Action
  13. Static Analysis
      - Examining a suspected file without executing it
      - Reveals different kinds of information about the file
      - The initial step of an investigation
      - Advantages: safe and quick
  14. Techniques
      - Determining file type
      - Fingerprinting
      - AntiVirus (AV) scanning
      - String analysis
      - Detecting packers
      - Linked libraries and functions
  15. Determining File Type
      - Reveals the targeted OS and architecture
      - Helps direct our investigation
      - Core techniques: manual method (hex editor), the file command
      - DEMO: File Type Identification
  16. Fingerprinting the Malware
      - Generating cryptographic hashes of the file
      - Commonly used algorithms: MD5, SHA1, SHA256
      - The hash serves as an Indicator of Compromise (IoC)
      - Determines whether the sample has been previously searched
      - DEMO: HashMyFiles
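The file-type and fingerprinting steps above, as an added example that is not part of the talk: a small magic-byte identifier (which, for "MZ" files, follows e_lfanew to confirm a real PE signature and reads the target architecture) and the three hashes the slide lists as IoCs. All sample buffers are constructed in memory; the PE stub is headers only, not a real program.

```python
# Added example (not from the talk): identify a sample's file type from its
# magic bytes and fingerprint it with MD5/SHA1/SHA256. The buffers in SAMPLES
# are constructed for the demo, not real malware.
import hashlib
import struct

# (offset, magic bytes, label) for a handful of common file signatures
MAGICS = [
    (0, b"MZ", "PE/DOS executable (MZ)"),
    (0, b"\x7fELF", "ELF executable"),
    (0, b"%PDF", "PDF document"),
    (0, b"PK\x03\x04", "ZIP container (also DOCX/XLSX/JAR/APK)"),
    (0, b"\x89PNG\r\n\x1a\n", "PNG image"),
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound file (legacy Office/MSI)"),
    (0, b"Rar!\x1a\x07", "RAR archive"),
    (0, b"#!", "script with shebang"),
]


def identify(data: bytes) -> str:
    """Return a file-type label based on the leading magic bytes."""
    for offset, magic, label in MAGICS:
        if data[offset:offset + len(magic)] == magic:
            return _refine_mz(data) if magic == b"MZ" else label
    return "unknown"


def _refine_mz(data: bytes) -> str:
    """An MZ header alone is not proof of a PE: follow e_lfanew and check for 'PE\\0\\0'."""
    if len(data) < 0x40:
        return "truncated MZ header"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)          # IMAGE_DOS_HEADER.e_lfanew
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return "MZ without PE signature (DOS program or corrupt/packed stub)"
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)  # IMAGE_FILE_HEADER.Machine
    arch = {0x14C: "x86", 0x8664: "x64", 0xAA64: "ARM64"}.get(machine, hex(machine))
    return f"PE executable ({arch})"


def fingerprint(data: bytes) -> dict:
    """Compute the three hashes commonly exchanged as IoCs."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def _make_pe_stub(machine: int) -> bytes:
    """Constructed minimal MZ + PE header (no sections) for demonstration only."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> right after the DOS header
    file_header = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    return bytes(dos) + b"PE\x00\x00" + file_header


SAMPLES = {
    "pe64": _make_pe_stub(0x8664),
    "dos_only": b"MZ" + b"\x00" * 0x3E,   # e_lfanew = 0 points back at "MZ", not "PE"
    "elf": b"\x7fELF\x02\x01\x01" + b"\x00" * 9,
    "pdf": b"%PDF-1.7\n%constructed\n",
    "text": b"just some text\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:9s} {identify(blob):60s} sha256={fingerprint(blob)['sha256'][:16]}...")
```

The MZ refinement is the part worth copying: a hex editor shows "MZ" at offset 0 for both a PE and a plain DOS program, so an analyst checks e_lfanew and the "PE\0\0" signature before trusting the classification.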
  17. AntiVirus Scanning
      - Scanning with multiple AV engines
      - Commonly used service: VirusTotal
      - Disadvantages:
        - If not detected, that doesn't mean..
        - Scanned data is publicly available
      - DEMO: File Scanning in VT
  18. String Analysis
      - A string is a sequence of characters
      - Can give clues about the program's functionality
      - Useful for artifact & IoC generation and extraction
      - Obfuscated strings: FLOSS for deobfuscation
      - DEMO: String Analysis, Deobfuscation with FLOSS
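String extraction as an added example (not from the talk, and not FLOSS itself): a static pass that pulls ASCII and UTF-16LE ("wide") strings out of a buffer, followed by the single-byte XOR brute force an analyst tries first when a string run looks like junk. SAMPLE is a constructed buffer; the key 0x5A and the URL in it are made up for the demo.

```python
# Added example (not from the talk): a minimal static string extractor that
# finds ASCII and UTF-16LE ("wide") strings, plus the single-byte XOR brute
# force an analyst tries first on strings that look like junk. SAMPLE is a
# constructed buffer, not a real malware sample.
import re


def extract_strings(data: bytes, min_len: int = 5) -> list:
    """Return (kind, offset, text) tuples for printable runs of at least min_len characters."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)   # each char followed by a NUL byte
    found = [("ascii", m.start(), m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [("wide", m.start(), m.group().decode("utf-16-le")) for m in wide_re.finditer(data)]
    return sorted(found, key=lambda t: t[1])


def xor_bruteforce(data: bytes, marker: bytes) -> list:
    """Try all 255 single-byte XOR keys; report (key, offset, text) wherever `marker` appears."""
    hits = []
    for key in range(1, 256):
        decoded = bytes(b ^ key for b in data)
        idx = decoded.find(marker)
        while idx != -1:
            end = idx
            while end < len(decoded) and 0x20 <= decoded[end] <= 0x7E:   # extend to the end of the printable run
                end += 1
            hits.append((key, idx, decoded[idx:end].decode("ascii")))
            idx = decoded.find(marker, end)
    return hits


SAMPLE = (
    b"\x00" * 8
    + b"kernel32.dll\x00"                                             # plain ASCII string
    + b"\x90\x90\x90"
    + "C:\\Users\\Public\\run.vbs".encode("utf-16-le") + b"\x00\x00"   # wide string
    + bytes(b ^ 0x5A for b in b"http://example.invalid/gate.php")      # XOR-obfuscated with key 0x5A
    + b"\xff" * 4
)

if __name__ == "__main__":
    for kind, off, text in extract_strings(SAMPLE):
        print(f"{off:5d} {kind:5s} {text}")        # the obfuscated URL shows up only as a junk ASCII run
    for key, off, text in xor_bruteforce(SAMPLE, b"http://"):
        print(f"xor key {key:#04x} @ {off}: {text}")
```

Running it shows why plain `strings` output is not enough: the obfuscated URL appears as a 31-character run of punctuation and digits, and only the keyed brute force recovers it.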
  19. Detecting Packers
      - Based on entropy (randomness) of the sections
      - Fewer imported functions than expected
      - Check the sections in the PE header
      - DEMO: PEiD, DiE
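The PE structure walk from slide 10 and the entropy/section packer checks from slide 19, as one added example that is not part of the talk: a header parser for IMAGE_DOS_HEADER, IMAGE_NT_HEADERS and the section table, plus heuristics for high-entropy sections, non-standard section names, writable-and-executable sections, sections that are empty on disk but large in memory, and an entry point outside .text. The import-count heuristic is left out because it needs the import directory. Both images are constructed in memory (headers and filler only, no real code); the 7.0-bit entropy threshold and the standard section-name list are assumptions of this script, not values from the slides.

```python
# Added example (not from the talk): minimal PE header walker plus entropy and
# section heuristics for spotting packed samples. UNPACKED and PACKED are
# constructed images (headers + filler), not real binaries.
import hashlib
import math
import struct
from collections import Counter
from datetime import datetime, timezone

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".bss",
                     ".rsrc", ".reloc", ".pdata", ".tls"}   # assumed list of usual linker names


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: ~0 for padding, close to 8 for compressed/encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(data: bytes) -> dict:
    """Walk IMAGE_DOS_HEADER -> IMAGE_NT_HEADERS -> IMAGE_SECTION_HEADER[] (PE32 or PE32+)."""
    if data[:2] != b"MZ":                                    # e_magic
        raise ValueError("not an MZ file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature at e_lfanew")
    fh = e_lfanew + 4                                        # IMAGE_FILE_HEADER
    machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                            # IMAGE_OPTIONAL_HEADER
    (opt_magic,) = struct.unpack_from("<H", data, opt)
    (entry,) = struct.unpack_from("<I", data, opt + 16)     # AddressOfEntryPoint, same offset in PE32/PE32+
    sections = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + i * 40)
        raw = data[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": va, "raw_size": rawsize,
                         "characteristics": flags, "entropy": entropy(raw)})
    return {"machine": machine, "pe32_plus": opt_magic == 0x20B, "entry_point": entry,
            "compiled": datetime.fromtimestamp(stamp, timezone.utc).isoformat(), "sections": sections}


def assess_packing(pe: dict) -> list:
    """Return human-readable indicators that the image is packed or otherwise unusual."""
    findings = []
    for s in pe["sections"]:
        tag = f"section {s['name']!r}"
        if s["entropy"] > 7.0:
            findings.append(f"{tag}: entropy {s['entropy']:.2f}, looks compressed/encrypted")
        if s["name"] not in STANDARD_SECTIONS:
            findings.append(f"{tag}: non-standard section name")
        if s["characteristics"] & IMAGE_SCN_MEM_WRITE and s["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"{tag}: writable and executable")
        if s["raw_size"] == 0 and s["virtual_size"]:
            findings.append(f"{tag}: empty on disk but {s['virtual_size']:#x} bytes in memory")
    ep = pe["entry_point"]
    home = next((s for s in pe["sections"] if s["virtual_address"] <= ep
                 < s["virtual_address"] + max(s["virtual_size"], s["raw_size"])), None)
    if home is None:
        findings.append(f"entry point {ep:#x} is outside every section")
    elif home["name"] != ".text":
        findings.append(f"entry point {ep:#x} is in {home['name']!r}, not .text")
    return findings


def _build_pe(sections, entry_rva: int) -> bytes:
    """Constructed PE32+ image from (name, vsize, va, raw_bytes, characteristics) tuples."""
    opt_size = 240                                           # sizeof(IMAGE_OPTIONAL_HEADER64)
    raw_ptr = -(-(0x40 + 4 + 20 + opt_size + 40 * len(sections)) // 512) * 512   # 512-byte file alignment
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    fh = struct.pack("<HHIIIHH", 0x8664, len(sections), 0x65F00000, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                    # PE32+ magic
    struct.pack_into("<I", opt, 16, entry_rva)
    table, body = b"", b""
    for name, vsize, va, raw, flags in sections:
        ptr = raw_ptr + len(body) if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, va, len(raw), ptr, 0, 0, 0, 0, flags)
        body += raw
    return (bytes(dos) + b"PE\x00\x00" + fh + bytes(opt) + table).ljust(raw_ptr, b"\x00") + body


_CODE = bytes([0x55, 0x48, 0x89, 0xE5, 0x90, 0x90, 0x5D, 0xC3]) * 64                  # repetitive filler, low entropy
_RDATA = (b"kernel32.dll\x00CreateFileW\x00" * 16).ljust(512, b"\x00")
_RANDOM = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))  # 4 KiB, ~8 bits/byte
UNPACKED = _build_pe([(".text", 512, 0x1000, _CODE, 0x60000020),
                      (".rdata", 512, 0x2000, _RDATA, 0x40000040)], entry_rva=0x1010)
PACKED = _build_pe([("UPX0", 0x8000, 0x1000, b"", 0xE0000080),         # filled by the stub at runtime
                    ("UPX1", 4096, 0x9000, _RANDOM, 0xE0000040)], entry_rva=0x9F00)

if __name__ == "__main__":
    for label, image in (("unpacked", UNPACKED), ("packed", PACKED)):
        pe = parse_pe(image)
        print(f"[{label}] machine={pe['machine']:#x} entry={pe['entry_point']:#x} compiled={pe['compiled']}")
        for s in pe["sections"]:
            print(f"  {s['name']:<8} va={s['virtual_address']:#07x} raw={s['raw_size']:5d} H={s['entropy']:.2f}")
        for f in assess_packing(pe) or ["no packing indicators"]:
            print("  ->", f)
```

The same walk is what CFFExplorer and PEStudio do under the hood; the compilation timestamp printed here is the IMAGE_FILE_HEADER.TimeDateStamp that slide 20 mentions, and it is trivially forged, so treat it as a hint rather than evidence.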
  20. Linked Libraries & Functions
      - Malware interacts with files, the network, the registry, etc. but how? Through DLLs & Windows API functions
      - Imported & exported functions
      - Examining PE resources
      - Examining compilation timestamps
      - DEMO: PEStudio, Resource Hacker
  21. Reverse Engineering
      - Understanding how something works
      - A key part of low-level system security
      - Core tools: disassemblers, debuggers, decompilers
  22. Disassembly
      - Converts machine code into assembly language
      - Useful for understanding malware logic and functions
      - Tools: IDA, Binary Ninja, Cutter
      - Drawbacks: junk instructions, obfuscated code, etc.
      - DEMO: Disassembly 101 in Action
  23. Debuggers
      - Step-by-step execution
      - Breakpoints: software (INT 3) and hardware (DR0 - DR3)
      - Bypassing anti-analysis techniques
      - Tools: IDA, x64dbg, OllyDbg, GDB, Radare2
      - DEMO: Debuggers 101 in Action
  24. Decompilers
      - Convert compiled machine code into a high-level programming language
      - Try to restore the source code logic
      - Tools: Ghidra, Binary Ninja
      - DEMO: Decompilers 101 in Action
  25. Memory Forensics 101
      - Analyzing volatile memory
      - Extracting artifacts, running processes, etc.
      - Crucial in Incident Response (IR)
      - Detecting fileless malware
      - Tool used: Volatility
      - DEMO: Memory Forensics in Action
  26. Anti-Analysis 101
      - Techniques that hinder reverse engineering and bypass security controls
      - Targets debuggers, VMs, disassemblers, etc.
      - Might need patching to bypass
  27. Anti-Debugging
      - API-based detection: IsDebuggerPresent(), CheckRemoteDebuggerPresent(), NtQueryInformationProcess()
      - Software breakpoint detection: scanning code for INT 3 (0xCC)
      - Hardware breakpoint detection: inspecting the debug registers DR0 -> DR7
      - DEMO: Anti-Debugging in Action
  28. Anti-VM
      - Checking system processes: VBoxService.exe, VBoxTray.exe
      - Checking VM-based drivers: VBoxMouse.sys
      - Checking the MAC address: OUI prefixes specific to VM vendors
      - Timing-based detection
      - CPUID instruction check: hypervisor-present bit (ECX bit 31 = 1)
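A defender's use of the last two slides, as an added example that is not part of the talk: a triage helper that flags the anti-debugging APIs and anti-VM artifacts named above when they turn up in a sample's import list or extracted strings, and weighs them so that IsDebuggerPresent alone (which the C runtime imports) is not over-read. The timing APIs, vmtoolsd.exe and the VM vendor MAC prefixes are well-known extras not on the slides; every input is constructed.

```python
# Added example (not from the talk): triage helper that flags the anti-debugging
# and anti-VM indicators named on the slides in a sample's import list and
# extracted strings. The indicator table adds a few well-known extras (timing
# APIs, VMware Tools, VM vendor MAC prefixes); all inputs are constructed.
import re

INDICATORS = {
    "anti-debug API": ["IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess"],
    "timing check API": ["GetTickCount", "QueryPerformanceCounter", "NtQuerySystemTime"],
    "VM process/driver artifact": ["VBoxService.exe", "VBoxTray.exe", "VBoxMouse.sys", "vmtoolsd.exe"],
}
# OUI (first three MAC bytes) registered to VM vendors; assumed well known, not from the slides.
VM_OUI = {"08:00:27": "VirtualBox", "00:0c:29": "VMware", "00:50:56": "VMware"}
MAC_RE = re.compile(r"\b([0-9a-f]{2}):([0-9a-f]{2}):([0-9a-f]{2})(?::[0-9a-f]{2}){3}\b", re.I)


def triage(imports, strings) -> dict:
    """Map indicator category -> sorted matched indicators (case-insensitive substring match)."""
    haystack = [s.lower() for s in list(imports) + list(strings)]
    hits = {}
    for category, names in INDICATORS.items():
        matched = sorted(n for n in names if any(n.lower() in h for h in haystack))
        if matched:
            hits[category] = matched
    macs = set()
    for s in strings:                                   # hard-coded MACs are a tell for OUI checks
        for m in MAC_RE.finditer(s):
            oui = ":".join(m.groups()).lower()
            if oui in VM_OUI:
                macs.add(f"{oui} ({VM_OUI[oui]})")
    if macs:
        hits["VM MAC prefix"] = sorted(macs)
    return hits


def verdict(hits: dict) -> str:
    """IsDebuggerPresent alone is weak evidence (the C runtime imports it); require breadth."""
    if len(hits) >= 2:
        return "anti-analysis aware: expect to patch checks or analyze outside a stock VM"
    if hits == {"anti-debug API": ["IsDebuggerPresent"]}:
        return "weak: IsDebuggerPresent alone is common in benign binaries"
    return "no anti-analysis indicators" if not hits else "single indicator category, review manually"


# Constructed inputs standing in for a PEStudio import list and a strings dump.
SAMPLE_IMPORTS = ["CreateFileW", "IsDebuggerPresent", "NtQueryInformationProcess", "GetTickCount", "VirtualAlloc"]
SAMPLE_STRINGS = ["VBoxService.exe", "C:\\Windows\\System32\\drivers\\VBoxMouse.sys",
                  "08:00:27:4e:66:a1", "http://example.invalid/gate.php"]

if __name__ == "__main__":
    hits = triage(SAMPLE_IMPORTS, SAMPLE_STRINGS)
    for category, names in hits.items():
        print(f"{category}: {', '.join(names)}")
    print("verdict:", verdict(hits))
```

The output tells the analyst what to expect before stepping into the debugger: which checks will need patching or a breakpoint-and-flip, and whether the lab VM's processes, drivers and MAC prefix will give the sandbox away.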