Malware Unmasked: From Infection to Extraction

Transcript

1. Malware Unmasked: From Infection to Extraction

2. Agenda Introduction to Malware Malware Types Initial Access Infection Techniques

   Malware Analysis: Static Analysis

3. Undergrad @VELS Security Engineer @Azefox Innovations Head @DEF CON Chennai

   DCG9144 CRTP & MCRTA Red Team Operations, Adversary Emulation/Simulation, Exploit Development, Malware Analysis & Threat Research Whoami

4. OFFSET 0X1: MALWARE

5. Malware 101 Malicious Software Purpose: Theft, Espionage, or Financial Gains.

   Can Target Individuals, Organizations, and Government. Spreads via Email Attachments, Removable devices etc. Used By: APT, Nation-State & Other Cyber criminals. MaaS ( Malware As A Service) Success Of Malware - EDR & AV Evasion, Persistence, Lateral Movements, Fileless Execution. Malware

6. #Evolution of Malware 1990s: Emergence of Macro based virus targeting

   Microsoft Docs - Melissa 2000s: Rise of Botnets, Spyware - ILoveYou Worm 2010s: Sophisticated Nation-State Malware - NotPetya, Pegasus

7. # Types of Malware Virus & Worm Spyware & Adware

   Ransomware Downloader/Dropper Botnet Infostealer Keylogger Backdoor RAT Rootkit/Bootkit

8. # ILoveYou Worm

9. # Wannacry Ransomware

10. Ransomware ft. REVil DEMO:

11. OFFSET 0X2: INFECTIONS

12. # Initial Access & Infection Techniques Supply Chain Attacks Drive-By

    Downloads Email Attachments Removable Devices Exploiting Vulnerabilities Malvertising Watering Hole Attack

13. # Well Known Malware Stunext (2010) NotPetya (2017) Mirai Botnet

    (2016) Wannacry Ransomware (2017) Zeus (2007) Emotet (2017) Ryuk Ransomware (2018)

14. # NotPetya Wiper

15. OFFSET 0X3: STATIC MALWARE ANALYSIS

16. # Static Analysis Examining Suspected File without executing it Reveals

    different information about the file Initial Step Advantages - Safe and Quick

17. # Techniques Determining File Type Fingerprinting AntiVirus (AV) Scanning String

    Analysis Detecting Packers Linked Libraries and Functions

18. # Determining File Type Targeted OS and Architecture Can deduce

    our investigation Core Techniques - Manual Method - Hex Editor File Command DEMO: File Type Identification

19. Generating Cryptographic Hashes of the file Commonly used Algorithms -

    MD5, SHA1, SHA256 Indicator of Compromise (IoC) Determine whether the sample has been previously searched DEMO: Hashmyfile # Fingerprinting The Malware

20. # AntiVirus Scanning Multiple AV Scanning Commonly used AV -

    Virustotal Disadvantages - If not detected that doesn’t mean.. Scaned data is publically available DEMO: File Scanning in VT

21. # String Analysis Sequence of Characters Can give clue about

    the program functionality Useful for Artifacts & IoC Generation & Extraction Obfsucated Strings FLOSS - Deobfuscation DEMO: String Analysis

22. # Detecting Packers Based on Entropy (Randomness) Fewer Import Functions

    Check the Section in PE Header DEMO: PEid, DiE

23. # Linked Libraries & Functions Malware Interacts with files, network,

    registries, etc but how? DLL & WinAPI Functions Imported & Exported Functions Examining PE Resources Examining Compiliation Timestamps DEMO: PEStudio, Resource Hacker

24. Static Analysis: LimeRAT

25. Any Queries?

26. Athis SN VincePanda19 Athis SN REACH OUT AT: AthisSn