The Endless Escalation of Malware Evasion Techniques - HEK.SI Slovenia

Thomas Roccia
April 08, 2020

To perform malicious actions, attackers create malware. However, they cannot achieve their goals unless their attempts remain undetected. Malware evasion techniques are widely used to circumvent detection as well as analysis and understanding. There is a cat-and-mouse game between security vendors and attackers, which includes attackers monitoring the operations of security technologies and practices. From process injection to sandbox evasion, attackers continue to innovate and seek new evasion techniques.

In this talk, we will go through evasion techniques from the most common to the most obscure and look at the latest trends used by attackers. The presentation will trace the evolution of these techniques and show how to overcome them.

Transcript

  1. A Look at Most Common Evasion Techniques in Cyberattacks
    The Endless Escalation of Malware Evasion Techniques
    Thomas Roccia | Security Researcher | @fr0gger_
    McAfee Advanced Threat Research

  2. About the Presenter
    Thomas Roccia
    Security Researcher - Advanced Threat Research
    https://securingtomorrow.mcafee.com/author/thomas-roccia/
    @fr0gger_

  3. Agenda
    ▪ Introduction
    ▪ What are Evasion Techniques?
    ▪ Business around Malware Protection
    ▪ Sandbox Evasion
    ▪ Process Injection
    ▪ Strings Obfuscation
    ▪ Feedback from the Battlefield
    ▪ Malware Evasion Techniques Classification
    ▪ Take Away

  4. Introduction
    ▪ Evasion techniques are on the rise.
    ▪ More than 90% of malware uses at least one evasion trick.
    ▪ Even legit software uses evasion to protect intellectual property.
    ▪ Detection rate can be improved by knowing these techniques.

  5. Evasion Techniques can be defined by:
    (1) All the digital techniques used by a (mal||soft)ware to avoid static, dynamic,
    automatic or human analysis that aims to understand its behavior.
    (2) All the digital techniques used by a malware to avoid (1) and to evade security
    solutions and security configuration, as well as human detection, in order to
    perform malicious actions for as long as possible on the infected machines.
    (3) Evasion techniques are classified as follows: Anti-Sandboxing, Antivirus
    Evasion, Anti-Debugging, Anti-Monitoring, Packers, Anti-Disassembly,
    Process Injection, Network Evasion, Obfuscation (encoding, encryption…),
    Anti-Forensic, Anti-MachineLearning.

  6. Cybercriminals make money by selling evasion tools

  7. Underground Partnership
    Gandcrab “Crypt Competition”.
    Partnership with NTCrypt Service.
    https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rapidly-evolving-ransomware-gandcrab-version-5-partners-with-crypter-service-for-obfuscation/

  8. Sandbox Evasion
    https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/

  9. Process Manipulation
    ▪ Malware abuses process manipulation to stay undetected. The Windows API allows a program to manipulate
    memory with a few tricks. Many techniques are discovered by researchers and then implemented in new
    malware.
    The example on the slide shows a technique that modifies the normal process execution from the inside. In some other cases, the malware can replace the full
    memory content with its own malicious payload.
    Several techniques exist; the final purpose is to appear legitimate.

  10. The Most Known – Process Hollowing
    ▪ Process hollowing is one of the process manipulation techniques most used by malware.
    The malware is disguised as a legitimate process.
    ▪ Process hollowing occurs when a process is created in a suspended state, then its memory
    is unmapped and replaced with malicious code.
    ▪ For example, a sample can create a notepad.exe process and inject its payload into its
    memory space.
    CreateProcess() • Malware creates a suspended process
    ZwUnmapViewOfSection() • Malware unmaps the original image of the process
    VirtualAllocEx() / WriteProcessMemory() • A memory region is allocated and written
    SetThreadContext() • Set the EAX register to the entry point of the injected code
    CreateRemoteThread() • Resume the thread of the suspended process
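
As an added example (not part of the slides or of McAfee's material), the following Python script turns the five-step chain above into detection logic run over an API-call trace, the way a sandbox or EDR rule would consume it. The trace syntax, the handle and PID values and the `analyze_trace`/`verdicts` helper names are constructed for this illustration; real sandboxes log in their own formats, so only the stage logic carries over.

```python
"""Detect the process-hollowing API chain in a sandbox-style call trace.

Added example, not from the slides or McAfee.  The trace syntax
"Api(arg=value, ...) -> ret=value ..." and the handle/PID values are
constructed for this illustration; real sandboxes log differently, so only
the stage logic carries over.
"""
import re

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit used by CreateProcess

# Stages after the suspended create, keyed by the APIs that satisfy them.
STAGE_APIS = {
    "unmap":       {"ZwUnmapViewOfSection", "NtUnmapViewOfSection"},
    "write":       {"WriteProcessMemory", "NtWriteVirtualMemory"},
    "set_context": {"SetThreadContext", "NtSetContextThread"},
    "resume":      {"ResumeThread", "NtResumeThread", "CreateRemoteThread"},
}
FULL_CHAIN = ["create_suspended", "unmap", "write", "set_context", "resume"]

CALL_RE = re.compile(r"^(?P<api>\w+)\((?P<args>.*)\)\s*->\s*(?P<ret>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|[^,\s]+)')


def _kv(text):
    """Turn 'a=1, b="x y"' into {'a': '1', 'b': 'x y'} (constructed syntax)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def analyze_trace(trace_text):
    """Map each suspended child (keyed by hProcess) to the stages seen, in order."""
    stages = {}        # hProcess -> [stage, ...]
    thread_owner = {}  # hThread -> hProcess, so thread-level calls map back
    for line in trace_text.splitlines():
        m = CALL_RE.match(line.strip())
        if not m:
            continue
        api, args, ret = m.group("api"), _kv(m.group("args")), _kv(m.group("ret"))
        if api in ("CreateProcessW", "CreateProcessA"):
            flags = int(args.get("dwCreationFlags", "0"), 16)
            if flags & CREATE_SUSPENDED and "hProcess" in ret:
                stages[ret["hProcess"]] = ["create_suspended"]
                if "hThread" in ret:
                    thread_owner[ret["hThread"]] = ret["hProcess"]
            continue
        for stage, apis in STAGE_APIS.items():
            if api in apis:
                target = args.get("hProcess") or thread_owner.get(args.get("hThread"))
                if target in stages and stage not in stages[target]:
                    stages[target].append(stage)
    return stages


def is_hollowing(stage_list):
    """True only when every stage appears, in the order the slide gives."""
    return [FULL_CHAIN.index(s) for s in stage_list] == list(range(len(FULL_CHAIN)))


def verdicts(trace_text):
    """hProcess -> True if the full hollowing chain was observed on that child."""
    return {h: is_hollowing(s) for h, s in analyze_trace(trace_text).items()}


# Constructed traces.  HOLLOWING_TRACE follows the slide step by step.
HOLLOWING_TRACE = """
CreateProcessW(lpApplicationName="C:\\Windows\\System32\\notepad.exe", dwCreationFlags=0x4) -> hProcess=0x1a4 hThread=0x1a8 pid=4321
ZwUnmapViewOfSection(hProcess=0x1a4, BaseAddress=0x400000) -> 0
VirtualAllocEx(hProcess=0x1a4, lpAddress=0x400000, dwSize=0x1c000, flProtect=0x40) -> 0x400000
WriteProcessMemory(hProcess=0x1a4, lpBaseAddress=0x400000, nSize=0x1c000) -> 1
SetThreadContext(hThread=0x1a8) -> 1
ResumeThread(hThread=0x1a8) -> 1
"""
# A suspended create followed only by a resume (debuggers and installers do this).
PARTIAL_TRACE = """
CreateProcessW(lpApplicationName="C:\\Tools\\child.exe", dwCreationFlags=0x4) -> hProcess=0x2c0 hThread=0x2c4 pid=777
ResumeThread(hThread=0x2c4) -> 1
"""
# No CREATE_SUSPENDED flag, so nothing is tracked even though memory is written.
BENIGN_TRACE = """
CreateProcessW(lpApplicationName="C:\\Windows\\System32\\calc.exe", dwCreationFlags=0x0) -> hProcess=0x2b0 hThread=0x2b4 pid=5120
WriteProcessMemory(hProcess=0x2b0, lpBaseAddress=0x7ff000, nSize=0x10) -> 1
"""

if __name__ == "__main__":
    for name, trace in [("hollowing", HOLLOWING_TRACE), ("partial", PARTIAL_TRACE),
                        ("benign", BENIGN_TRACE)]:
        print(name, verdicts(trace))
```

Requiring the stages in order keeps a lone suspended CreateProcess followed by a resume, which debuggers and installers legitimately do, from being flagged (the PARTIAL_TRACE case). Variants that use other APIs for the same step, or direct syscalls, will not match the chain as written; extend STAGE_APIS from your own telemetry and treat the verdict as one signal among others rather than a standalone alert.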

  11. Process Hollowing in the Memory

  12. Process DoppelGanging
    ▪ This technique leverages the Transactional NTFS functionality in Windows. This functionality helps maintain
    data integrity during an unexpected error.
    ▪ Process Doppelgänging abuses this functionality to overwrite a legitimate file with a malicious file, resulting
    in a process injection. The malicious file will be created inside a transaction then committed to the
    legitimate file, then executed.

  13. Process Reimaging
    ▪ Process Reimaging was discovered by McAfee researcher Eoin Carroll.
    ▪ It allows an adversary to persist a malicious process by hiding the physical location of an
    executable.
    ▪ The Windows OS has inconsistencies in how it determines process image FILE_OBJECT
    locations.
    FileCreate() • The file is opened so that it can be mapped into memory.
    Section Create • The file is mapped into memory.
    Cleanup • The file handle is closed, leaving a kernel object which is used for PAGING_IO.
    ImageLoad • The file is loaded.
    CloseFile • The file is closed.
    https://www.mcafee.com/blogs/other-blogs/mcafee-labs/in-ntdll-i-trust-process-reimaging-and-endpoint-security-solution-bypass/

  14. Multiple Process Manipulation used by Attackers
    Process Manipulation
    Process hollowing/RunPE
    Reflective DLL injection
    Suspend inject and resume
    Hook injection
    Injection via registry modification
    APC injection
    Atom bombing
    Extra window memory injection
    Injection using shims
    IAT Hooking
    PE Injection
    Process Doppelganging
    PROPagate
    Ctrl+Inject
    Fileless
    Process camouflage
    Process Reimaging
    ▪ Threat actors are implementing Process Manipulation techniques
    https://attack.mitre.org/techniques/T1055/

  15. Strings Obfuscation
    ▪ Malware authors know that analysts take a look at the strings.
    ▪ To avoid quick analysis, they use obfuscation to hide data in the binary.
    ▪ Common Strings Obfuscation:
    ▪ Pre-computed checksum value: compare with a dynamically calculated value to avoid
    keeping the strings in the original binary.
    ▪ Stack Strings: strings constructed on the stack.
    ▪ Encrypted Strings: use an encryption algorithm.

  16. Pre-computed Checksum Values
    ▪ Find the source of potential string values, then compute the
    checksum for comparison.
    ▪ Commonly used to build an import table.
    ▪ Use the Process Environment Block (PEB) to find the DLL.
    ▪ Walk the export names, calculating and comparing the checksum
    for each export.
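
As an added example (not from the slides), here is the analyst-side version of the walk described above in Python: hash each candidate export name and compare it with the constant pulled from the sample, so the 32-bit values in a binary can be mapped back to API names. The ROR-13 additive hash is an assumption, one widely seen variant; the slide names no algorithm, and the real routine must be lifted from the sample under analysis. The export list is constructed rather than read from a real DLL, and `find_export_by_hash`/`resolve_all` are illustration names. The same approach resolves hashed process-name blacklists like the one in the Maze slides later in the deck.

```python
"""Resolve pre-computed API-name checksums back to export names.

Added example, not from the slides.  The ROR-13 additive hash is an
assumption: it is one widely seen variant, the slide names no algorithm,
and a real sample's routine must be lifted from its own code.  The export
list is constructed rather than read from a real DLL via the PEB.
"""

MASK32 = 0xFFFFFFFF


def ror32(value, count):
    """Rotate a 32-bit value right by `count` bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32


def ror13_hash(name):
    """Checksum of an export name: h = ror(h, 13) + next ASCII byte."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, 13) + b) & MASK32
    return h


# Constructed stand-in for the export names a loader would walk.
EXPORTS = ["CreateProcessW", "LoadLibraryA", "GetProcAddress",
           "TerminateProcess", "VirtualAllocEx", "WriteProcessMemory"]


def find_export_by_hash(export_names, target, hash_fn=ror13_hash):
    """The walk the slide describes, performed by the analyst: hash each
    export and compare with the constant found in the binary."""
    for name in export_names:
        if hash_fn(name) == target:
            return name
    return None


def resolve_all(constants, export_names, hash_fn=ror13_hash):
    """Map every 32-bit constant pulled from a sample to a name, or None
    when no candidate in the list hashes to it."""
    table = {hash_fn(n): n for n in export_names}
    return {c: table.get(c) for c in constants}


if __name__ == "__main__":
    # Simulate constants recovered from a sample: two resolvable, one not.
    wanted = [ror13_hash("LoadLibraryA"), ror13_hash("TerminateProcess"), 0x12345678]
    for const, name in resolve_all(wanted, EXPORTS).items():
        print(f"0x{const:08x} -> {name}")
```

Because the binary only carries the constants, a plain `strings` pass shows nothing useful; the resolution step above is what restores the import names for the analyst. If a constant stays unresolved after hashing every export of the expected DLLs, the sample is most likely using a different hash routine or a null-terminated or case-folded variant of the name, and the routine should be re-checked in the disassembly.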

  17. Stack Strings
    ▪ The data for a string is constructed on the stack when needed.
    ▪ The data is usually positioned using MOV instructions.
    ▪ Once the string is on the stack, the top of the stack is a pointer to the string.
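
As an added example (not from the slides), the following Python recovers stack strings from a disassembly listing the way stack-string recovery tools automate it: it replays each MOV of an immediate into `[register+offset]` into a byte map, little-endian as the CPU would write it, then extracts the printable runs. The listing, the register and offset scheme and the helper names `build_stack_image`/`recover_stack_strings` are constructed for this illustration.

```python
"""Recover stack strings from a disassembly listing.

Added example, not from the slides.  It rebuilds the bytes that a run of
MOV-immediate instructions places at [reg+offset], then extracts printable
runs, which is what stack-string recovery tools automate.  The listing,
the register/offset scheme and the helper names are constructed for this
illustration.
"""
import re

MOV_RE = re.compile(
    r"mov\s+(?P<size>byte|word|dword|qword)\s+ptr\s+"
    r"\[(?P<reg>[a-z0-9]+)\s*(?P<off>[+-]\s*0x[0-9a-f]+)?\]\s*,\s*"
    r"(?P<imm>0x[0-9a-f]+|\d+)",
    re.IGNORECASE,
)
SIZES = {"byte": 1, "word": 2, "dword": 4, "qword": 8}


def build_stack_image(listing):
    """Return {(register, offset): byte} for every MOV-immediate to memory.

    Multi-byte immediates are stored little-endian, exactly as the CPU would
    write them, so a dword 0x6e72656b becomes the bytes b"kern"."""
    mem = {}
    for line in listing.splitlines():
        m = MOV_RE.search(line)
        if not m:
            continue
        size = SIZES[m.group("size").lower()]
        off = int(m.group("off").replace(" ", ""), 16) if m.group("off") else 0
        imm = int(m.group("imm"), 0)
        for i, b in enumerate(imm.to_bytes(size, "little")):
            mem[(m.group("reg").lower(), off + i)] = b
    return mem


def recover_stack_strings(listing, min_len=4):
    """Walk the rebuilt stack image and return printable ASCII runs.

    A run ends at a non-printable byte (the NUL terminator) or at a gap in
    the offsets; runs shorter than min_len are dropped as noise."""
    mem = build_stack_image(listing)
    found, run, prev = [], bytearray(), None

    def flush():
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run.clear()

    for (reg, off), b in sorted(mem.items()):
        if prev != (reg, off - 1):
            flush()
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            flush()
        prev = (reg, off)
    flush()
    return found


# Constructed listing: "kernel32.dll" built with three dword moves plus a
# NUL byte, then passed to LoadLibraryA; a second frame builds "ping".
STACK_LISTING = """
mov dword ptr [ebp-0x20], 0x6e72656b   ; "kern"
mov dword ptr [ebp-0x1c], 0x32336c65   ; "el32"
mov dword ptr [ebp-0x18], 0x6c6c642e   ; ".dll"
mov byte ptr [ebp-0x14], 0x0           ; terminator
lea eax, [ebp-0x20]
push eax
call LoadLibraryA
mov dword ptr [esp+0x4], 0x676e6970    ; "ping"
mov byte ptr [esp+0x8], 0x0
"""

if __name__ == "__main__":
    print(recover_stack_strings(STACK_LISTING))  # ['kernel32.dll', 'ping']
```

The byte map is keyed by base register so that frames built off `ebp` and `esp` do not run into each other; a real implementation would also need to follow stores that go through `mov reg, imm` followed by `mov [mem], reg`, which this listing-level version does not emulate.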

  18. Funny Strings in Malware
    ▪ Sometimes malware developers leave messages for analysts :)

  19. Maze Ransomware
    ▪ Maze ransomware has been one of the most active ransomware families over the past year.
    ▪ The business model is well organized.
    ▪ Maze uses several evasion techniques and tricks to avoid detection but also to harden
    analysis.
    https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/ by Alexandre Mundo Alguacil

  20. Maze Ransomware
    ▪ Anti-debugging
    ▪ If a debugger is detected, Maze will continue in an infinite loop.

  21. Maze Ransomware
    ▪ Detecting processes using a custom hash
    ▪ If one of the blacklisted processes is detected, the malware terminates it using the API
    TerminateProcess, called dynamically.

  22. Evasion Techniques Classification
    Unprotect Project

  23. Take Away
    ▪ Malware authors commonly use evasion techniques.
    ▪ They watch for new research and implement it.
    ▪ Knowing the techniques improves analysis and detection.
    ▪ These techniques may also allow you to track specific actors.

  24. Thank You!
    @fr0gger_
