Upgrade to Pro — share decks privately, control downloads, hide ads and more …

X-Ray of Malware Evasion Techniques: Analysis, Dissection, Cure?

Thomas Roccia
November 21, 2022
Technology
3
700

X-Ray of Malware Evasion Techniques: Analysis, Dissection, Cure?

This presentation has been presented at Bsides Sydney (https://bsidessydney.org/)

Malware evasion consists of techniques used by malware to bypass security in place, circumvent automated and static analysis as well as avoiding detection and harden reverse engineering. There is a broad specter of techniques that can be used. In this talk we will review the history of malware evasion techniques, understand the latest trends currently used by threat actors and bolster your security analysis skills by getting more knowledge about evasion mechanisms.

Thomas Roccia

November 21, 2022
Tweet

More Decks by Thomas Roccia

See All by Thomas Roccia
Binary Instrumentation for Malware Analysis
fr0gger
2
1.2k
Conti Leaks: Practical walkthrough and what can we learn from it
fr0gger
0
720
Sharing is Caring: Sharing Threat Intelligence Notebook Edition
fr0gger
0
1.5k
Code Graphology
fr0gger
0
440
AISA - Practical Threat Intelligence
fr0gger
0
1.1k
Hermetic Wiper Infographic
fr0gger
1
680
Technical Analysis of Cuba Ransomware
fr0gger
1
230
Sigma Rules Cheat Sheet
fr0gger
0
1.3k
Windows Privileges
fr0gger
5
12k

Other Decks in Technology

See All in Technology
Material 3 やめました / Good-bye M3 design system
yanzm
4
2.6k
自作WASMランタイムをKernelに改造する試み.pdf
riru
2
480
土壌と植物で奏でるアート~農業における新たなパラダイム~
shinrinakamura
0
170
F0推定アルゴリズムHarvestは中で何をしているのか
nagiss
1
160
How to Maximize Effectiveness and Efficiency of Daily Scrum
eiki
0
120
Create the DTO System of your Dreams: stateOptions + entityClass
weaverryan
1
440
クラウドだからできた 地方主導のJAWS DevOps
matsuihidetoshi
2
170
Microsoft Azure Well-Architected Framework でセキュアに
masakamayama
1
180
アジャイル開発と時代の流れに伴うサーバレスアーキテクチャの変化
yoshiitaka
4
2.1k
PHPからはじめるコンピュータア ーキテクチャ / PHP Meets Silicon: A Fun Dive into Computer Structures
tomzoh
4
200
Beyond the Baseline: Horizons for Cloud Security Programs
ramimac
0
160
XRミーティング 20230920
1ftseabass
PRO
0
100

Featured

See All Featured
Rails Girls Zürich Keynote
gr2m
90
12k
Statistics for Hackers
jakevdp
787
210k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
41
11k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
39
3.9k
What's new in Ruby 2.0
geeforr
336
30k
Visualization
eitanlees
131
13k
The Invisible Side of Design
smashingmag
292
49k
Automating Front-end Workflow
addyosmani
1354
200k
Fontdeck: Realign not Redesign
paulrobertlloyd
74
4.6k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
352
21k
Why Our Code Smells
bkeepers
PRO
329
56k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
239
1.2M

Transcript

  1. View Slide

  2. View Slide

  3. View Slide

  4. What are Evasion Techniques?
    Practical examples and current trends
    How can you step up on that topic?
    The power of information sharing

    View Slide

  5. All the techniques used by a a software to avoid static,
    dynamic, automatic and human analysis in order to
    understand its behavior
    All the techniques used by malware to avoid and evade
    security solutions, security configuration as well as
    human detection to perform malicious action the longer
    on the infected computer.

    View Slide

  6. In Mitre ATT&CK, the Defense Evasion section
    is the most dominant tactic
    For attackers, the longer the malware remains
    undetected the longer they can perform
    actions
    For defenders, the sooner the malware is
    detected the less damage it will cause

    View Slide

  7. View Slide

  8. Anti Security
    techniques
    Anti Sandboxing
    techniques
    Anti Analyst
    techniques

    View Slide

  9. Infection Vectors Malware Delivery Malware Behavior Actions on Objectives

    View Slide

  10. Malicious Doc
    Obfuscated Macro
    Powershell Base64 encoded
    Dropping Emotet

    View Slide

  11. Binded with legit Software
    Fake Metadata

    View Slide

  12. Fake Operations to harden reverse
    engineering and delay sandbox
    Anti-disassembly with Code Spaghetti

    View Slide

  13. Encrypted data related to host
    sent to multiple C2
    Multiple Network Connections not
    available in the binary

    View Slide

  14. 2015 2016 2017 2019 2020 2021 2022
    Creation of
    Unprotect Project
    First public
    release at
    Botconf
    Creation of the
    Unprotect POC
    BlackHat ASIA


    @DarkCoderSc
    joined the project
    Redesign, includes
    detection rules and
    code snippets
    API Engine,
    statistics

    View Slide

  15. Community centric open project dedicated to cataloguing
    malware evasion techniques
    Includes detection rules (Yara, Sigma, Capa) and code
    snippets
    Extends the Mitre ATTT&CK Defense Evasion Section
    Share and improve knowledge about evasion mechanisms
    Propose a detailed classification

    View Slide

  16. View Slide

  17. View Slide

  18. View Slide

  19. View Slide

  20. Malware Evasion Techniques are used by malware to avoid
    detection and analysis
    These techniques are highly regarded by threat actors.
    The Unprotect Project is a database dedicated to it and
    provide the broadest knowledge about evasion techniques.

    View Slide

  21. View Slide