Dynamic black-box analysis of malware
Vít Bukač
PV204 Security Technologies

Dynamic black-box malware analysis – Outline
• Lecture
  1. Motivation & Background
  2. Black-box malware analysis principles
  3. Black-box analysis tools
  4. Automatic sandbox analysis
• Hands-on lab
  • Analysis of provided malware samples

Motivation & Background

Cyber Incident Response
• Cyber Incident Response
  • “A well-organized effort by which an organization handles a cyberattack, including analysis, containment, remediation and reduction of future risks.”
• Good incident response results in:
  • Lower costs of ongoing cyber incidents
  • Fewer future incidents
• Cyber Attack Incident
  • Each incident goes through certain phases
  • Collecting information about each phase and modifying defenses accordingly helps detect/prevent future incidents

Malware
• “Malware is short for malicious software and is typically used as a catch-all term to refer to any software designed to cause damage to a single computer, server, or computer network, whether it's a virus, spyware, et al.”
  Robert Moir, Defining Malware: FAQ, 2009. URL: https://technet.microsoft.com/en-us/library/dd632948.aspx

Malware analysis
• What is malware analysis?
  • “Malware Analysis is the study or process of determining the functionality, origin and potential impact of a given malware sample and extracting as much information from it.”
• Why is it valuable?
  • “The information that is extracted helps to understand the functionality and scope of malware, how the system was infected and how to defend against similar attacks in future.”
  Soni Madhusudan, Introduction To Malware Analysis, 2020. URL: https://www.geeksforgeeks.org/introduction-to-malware-analysis/

Dynamic black-box malware analysis
• Black-box
  • The analyst has no prior knowledge about internal workings of the sample.
• Dynamic
  • “Dynamic malware analysis executes suspected malicious code in a safe environment called a sandbox. This closed system enables security professionals to watch the malware in action without the risk of letting it infect their system or escape into the enterprise network.”
  Kurt Baker, Malware Analysis. URL: https://www.crowdstrike.com/cybersecurity-101/malware/malware-analysis/

Malware types

Malware infection vectors
• Email
  • Link
  • Attachment
  • Link + document download
• Unpatched/unsecured hosts
  • Weak credentials – SSH, RDP
  • OS vulnerabilities (Petya, NotPetya, WannaCry, …)
  • App vulnerabilities (Log4j, VPN appliances, web servers, WordPress, …)
• Malicious website hosting
  • Drive-by download
• USB drives
• Cracked software

Case Study: Emotet
Don Ovid Ladores, EMOTET Returns, Starts Spreading via Spam Botnet, 2017. URL: https://www.trendmicro.com/en_us/research/17/i/emotet-returns-starts-spreading-via-spam-botnet.html

Emotet: Infection vector – Phishing
• Subject
  • “Account blocked”
  • “Package to be delivered”
  • “Expiring subscription”
  • “Invoice” / “Receipt” / “Parchment”
• Signs
  • Unexpected sender address (1)
  • Graphic errors (2)
  • Erroneous info (3)
  • Links to unexpected URL (4)
  • Links to same URL
  • Generic salutation
  • Use of threats, sense of urgency

Emotet: Macros and PowerShell
Emotet Macro Malware
Security Magic Blog, July 2018, Emotet Encoded Powershell Observed. URL: https://security5magics.blogspot.com/2018/07/july-emotet-encoded-powershell-observed.html

Emotet: 2nd stage example

Malwareless/Fileless attack
1. Has no identifiable code or signature that allows typical antivirus tools to detect it.
2. Lives in your computer's RAM. Thus, it is also known as memory-based malware.
3. Uses processes that are native to the operating system you are using in order to carry out the attack.
4. May be paired with other types of malware.
5. May be able to circumvent application whitelisting, a process that allows only approved applications to be installed on a machine.
   Fileless malware takes advantage of approved applications that are already on your system.
  Ellen Zhang, What is Fileless Malware (or a Non-Malware Attack)? Definition and Best Practices for Fileless Malware Protection, 2018. URL: https://digitalguardian.com/blog/what-fileless-malware-or-non-malware-attack-definition-and-best-practices-fileless-malware

MITRE ATT&CK Framework
• Globally accessible knowledge base of adversary tactics and techniques based on real-world observations.
• Good learning point about advanced attackers
• Community-driven
• Allows mapping attack steps
  • Knowing what is possible in each step facilitates incident analysis and allows planning defenses
• Provides info about
  • Attack tools
  • Threat actor groups
  • Protection strategies
• https://attack.mitre.org/

MITRE ATT&CK example – Emotet
• MITRE ATT&CK mapping of an example ransomware attack:
  • Initial Access – Spearphishing Attachment (T1566.001)
  • Execution – PowerShell (T1059.001), Service Execution (T1569.002), Rundll32 (T1218.011), Regsvr32 (T1218.010), Remote Access Software (T1219), Exploitation of Remote Services (T1210)
  • Persistence – Process Injection (T1055)
  • Defense Evasion – File Deletion (T1070.004), Lateral Tool Transfer (T1570), Domain Account (T1087.002), Domain Groups (T1069.002), Data Encrypted for Impact (T1486)
  • Credential Access – Valid Accounts (T1078)
  • Discovery – SMB/Windows Admin Shares (T1021.002), Remote System Discovery (T1018), Process Discovery (T1057), System Information Discovery (T1082), Network Share Discovery (T1135)
  • Exfiltration – Data from Network Shared Drive (T1039), Web Protocols (T1071.001), Exfiltration to Cloud Storage (T1567.002)
  https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/

Black-box malware analysis principles

Analysis – Ask the right questions
• What is the scope of compromise? What are 2nd stage callbacks?
• Communication between a local file server and an unknown IP address in China has been observed. What process is responsible for the communication?
• Malware is creating temporary files. Where are these files located?
• The malware executable is created again after system reboot. How is it possible and what is causing it?
• A new type of malware has been spreading through the internal network. How to quickly assess the malware capabilities? What is its purpose? Is it based on any well-known tool?

Dynamic black-box malware analysis
• Dynamic analysis – file is executed
• Black-box analysis – without internal knowledge
  • Observable inputs
  • Observable outputs
• Quick, simple
  • Common monitoring tools
• Collected indicators about
  • Filenames, process names, process parent/child relationships, temporal relationships, domain names, IP addresses, registry keys, persistence methods, cleanup operations etc.
• Can be highly automated

Black-box malware analysis – Principle
1. Prepare analysis environment
2. Create snapshot
3. Run monitoring tools
4. Run malware
5. Collect and observe interactions between malware and VM
6. Restore snapshot
7. Repeat 3–6 as needed

Analysis environment
• Virtual Machine
  • Limited/no connectivity
  • Virtualized services (DNS, HTTP, …)
  • Several VMs for various host types
• Software
  • Monitoring tools
  • Often exploited applications
• Snapshots(!)
• Risks
  • VM isolation breach
  • Malware inactivity in VM

Black-box analysis tools

Network analysis
• Capturing sent/received packets
  • Protocol dissection
  • Promiscuous mode
• Tools
  • Tcpdump, Wireshark, NetworkMiner
• Indicators
  • Domain names, IP addresses, protocols, ports, HTTP parameters
• Q&A
  • Who is this program communicating with? What reputation does the partner have? What data is exchanged? Is it encrypted or obfuscated?
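Added example (not part of the slides): a small triage script over constructed DNS/connection records that applies the network indicators from the slides: direct connections with no preceding DNS lookup, look-alike and random-looking domain names, and regular beaconing intervals from the timeline slide. The event records, the brand allowlist and the vowel-ratio/edit-distance heuristics are my own simplifications, not a tool the lecture uses.

```python
import statistics
from collections import defaultdict

# Constructed sample records (not captured traffic): (seconds, kind, value).
# "dns" = answered lookup "name->ip", "conn" = outbound connection "ip:port".
EVENTS = [
    (0.0, "dns", "www.msftconnecttest.com->13.107.4.52"), (0.5, "conn", "13.107.4.52:80"),
    (2.0, "dns", "rpxiodffd.biz->203.0.113.10"), (2.1, "conn", "203.0.113.10:8080"),
    (62.1, "conn", "203.0.113.10:8080"), (122.0, "conn", "203.0.113.10:8080"),
    (182.2, "conn", "203.0.113.10:8080"), (3.0, "dns", "gooogle.org->198.51.100.7"),
    (3.2, "conn", "198.51.100.7:80"), (4.0, "conn", "192.0.2.99:443"),  # last: no DNS answer first
]
KNOWN_BRANDS = ["google", "microsoft", "paypal"]  # assumed allowlist to compare labels against

def edit_distance(a, b):  # Levenshtein (Wagner-Fischer), used to spot look-alike labels
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def suspicious_domain(name):  # returns a reason string or None; heuristics kept simple
    label = name.split(".")[0]
    for brand in KNOWN_BRANDS:
        if 0 < edit_distance(label, brand) <= 2:
            return f"lookalike of {brand}"
    vowels = sum(c in "aeiou" for c in label)
    if len(label) >= 8 and vowels / len(label) < 0.3:  # consonant-heavy, DGA-like (CDN hosts can trip this)
        return "random-looking"
    return None

def triage(events):
    findings, resolved, conns = [], set(), defaultdict(list)
    for t, kind, value in sorted(events):
        if kind == "dns":
            name, ip = value.split("->")
            resolved.add(ip)
            if (why := suspicious_domain(name)):
                findings.append(f"{name}: {why}")
        else:
            ip, port = value.rsplit(":", 1)
            if ip not in resolved:  # direct call to an address nothing resolved
                findings.append(f"{ip}:{port}: direct connection without DNS lookup")
            conns[ip].append(t)
    for ip, times in conns.items():  # near-constant inter-arrival time = beaconing
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(gaps) >= 2 and statistics.pstdev(gaps) < 0.05 * statistics.mean(gaps):
            findings.append(f"{ip}: beaconing every ~{statistics.mean(gaps):.0f}s")
    return findings
```

The msftconnecttest.com lookup is deliberately included: it is the Windows connectivity test from the "background OS activity" warning and should not be flagged.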
Network analysis – What to look for
• New established connections – HTTP 80/8080
• Direct connections without a preceding DNS lookup
• Random domain names (e.g., rpxiodffd.biz)
• Suspicious domain names (e.g., gooogle.org)
• Similarly looking domain names (e.g., osinstall.biz, swinstall.biz, swinstall.com)
• Outgoing port scans
• Ping/DNS requests for well-known services
  • Connection availability test
• Be aware of background OS/process activity!

Example – Wireshark

File system
• Observing file accesses and modifications
  • Background file manipulation
• Tools
  • Procmon, Handle
• Indicators
  • File names, folder names, order of actions, compromise spread through the local system
• Q&A
  • Where is malware copied after the initial infection? What filenames are used? Where is the collected data stored?

File system – What to look for
• New file names & folders
  • Newly created files and folders
  • Batch/script files (.cmd, .bat, .vbs, .ps1)
  • Known favorite malware file names (e.g., 1.exe, test.exe, new.exe)
  • Known file names in uncommon folders (e.g., C:\Temp\svchost.exe)
  • Recycler
• Modifications of system files
• Temporary storage files, encrypted archives

Example – Procmon

Registry
• Regedit
  • Windows built-in registry editor
• RegRipper
  • Extracts relevant forensic artifacts from the registry
• Autoruns
  • Lists all programs set to start after system boot

Registry – What to look for
• Well-known locations
  • Autorun locations
  • Task scheduler
• Changes tracking
• Keyword fulltext search
  • Filenames
  • Processes
  • Domain names

Registry – Regedit

Processes
• Observing initial system compromise
  • Process parent/child relationships
• Tools
  • Process Explorer, Procmon
• Indicators
  • Process names, order of execution, dropper activity
• Q&A
  • What processes are run after the malware binary is executed? Are batch files involved? Are there watcher processes?
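Added example (not from the slides) that serves the File system, Registry and Processes slides above: a triage pass over a constructed Procmon-style CSV export that flags the indicators listed there (known malware filenames, system filenames in uncommon folders, dropped scripts, autorun registry writes, interpreter spawns) and records parent/child process pairs. The column layout is assumed to follow Procmon's "Save as CSV"; the events themselves are made up.

```python
import csv
import io
import re

# Constructed events in Procmon's CSV export layout (assumed); not a real capture.
PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02","invoice.exe","4120","WriteFile","C:\Users\u\AppData\Local\Temp\1.exe","SUCCESS","Length: 204800"
"10:01:03","invoice.exe","4120","Process Create","C:\Users\u\AppData\Local\Temp\1.exe","SUCCESS","PID: 4388, Command line: C:\Users\u\AppData\Local\Temp\1.exe"
"10:01:04","1.exe","4388","WriteFile","C:\Temp\svchost.exe","SUCCESS","Length: 204800"
"10:01:04","1.exe","4388","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc","SUCCESS","Type: REG_SZ, Data: C:\Temp\svchost.exe"
"10:01:05","1.exe","4388","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 4500, Command line: cmd.exe /c ping 0 -n 2 & del C:\Users\u\invoice.exe"
"10:01:05","explorer.exe","1240","WriteFile","C:\Users\u\Documents\notes.txt","SUCCESS","Length: 512"
'''
SCRIPT_EXT = (".cmd", ".bat", ".vbs", ".ps1", ".js")
KNOWN_NAMES = {"1.exe", "test.exe", "new.exe"}                      # favourite malware names
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)       # autorun locations

def file_findings(path):
    name = path.rsplit("\\", 1)[-1].lower()
    out = []
    if name.endswith(SCRIPT_EXT):
        out.append("script file written")
    if name in KNOWN_NAMES:
        out.append("known malware filename")
    if name in SYSTEM_NAMES and not path.lower().startswith("c:\\windows\\"):
        out.append("system filename in uncommon folder")   # e.g. C:\Temp\svchost.exe
    return out

def triage(csv_text):
    findings, children = [], {}                       # children: parent name -> [child names]
    for row in csv.DictReader(io.StringIO(csv_text)):
        proc, op, path, detail = row["Process Name"], row["Operation"], row["Path"], row["Detail"]
        if op == "WriteFile":
            for why in file_findings(path):
                findings.append(f"{proc} -> {path}: {why}")
        elif op == "RegSetValue" and RUN_KEY.search(path):
            findings.append(f"{proc} -> {path}: autorun persistence ({detail})")
        elif op == "Process Create":
            child = path.rsplit("\\", 1)[-1].lower()
            children.setdefault(proc, []).append(child)
            m = re.search(r"PID: (\d+), Command line: (.*)", detail)
            if child in INTERPRETERS:                 # cmd/PowerShell/wscript spawned by the sample
                findings.append(f"{proc} spawned {child}: {m.group(2) if m else detail}")
    return findings, children
```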
Processes – What to look for
• Order of executables
  • Initial malware
  • Dropper/downloader
  • Persistence executable
  • Final malware
• Command line interpreters
  • cmd.exe
  • PowerShell
  • cscript, wscript

Example – Process Explorer

Executable file analysis
• Cryptographic hash
  • Hash function which is considered practically impossible to invert
  • Unique identification of a file
  • Countermeasure: polymorphism (each copy of the sample has a different hash)
  • MD5, SHA1
• Fuzzy hash
  • Context triggered piecewise hash
  • Families of files
  • ssdeep
• Strings

Example – Strings
server.exe
AppData
4bcce4de98bcdb4d29f66c0fe1ffe002
hackerhani.no-ip.biz
Software\Microsoft\Windows\CurrentVersion\Run
Software\
yy-MM-dd
??-??-??
Microsoft
Windows
SystemDrive
netsh firewall delete allowedprogram "
Software
cmd.exe /c ping 0 -n 2 & del "
SEE_MASK_NOZONECHECKS
netsh firewall add allowedprogram "
Callouts: Commands to be executed; Domain name; Persistence registry key
MD5: 5d347384ea978a96bc842ad9f29e95f2

Timeline
• A timeline helps understand the logic of the malware sample
  • Temporal order of steps
  • Intentional waiting
  • Beaconing intervals
• Advanced sandboxes can build a timeline from multiple tools

Document analysis – Quick insight
• EXIF information
  • File metadata
• Document sandboxing
• Document interpretation ambiguity
  • Practical examples
  • Double extensions, different content in different viewers, code block obfuscation & hiding

Automated sandbox analysis

Automated sandboxing
• Automated
  1. Execute malware in sandbox
  2. Wait 1–2 minutes
  3. Receive summary report
  4. Investigate report
• Cuckoo, Norman, Anubis etc.

Example: Cuckoo sandbox
• Open-source malware analysis system
• Can analyze
  • Windows executables, DLLs, PDF documents, URLs, HTML files, PHP scripts, Visual Basic scripts, ZIP archives, Python files, etc.
• Modular, scriptable
• Full memory dump (for Volatility Framework)
• Django web interface
• Mongo (NoSQL) database
https://github.com/cuckoosandbox/cuckoo

Cuckoo – Architecture

Internet sandbox services
• Public service
  • OpSec issues
• Huge comparison database
  • Exact match by hash
  • Similarity search by keywords
• Malwr.ee (public Cuckoo sandbox)
• Any.run
• ThreatExpert.com
• Joesandbox.com
• Hybrid-Analysis.com
• VirusTotal.com

Operational security (OpSec)
• Advanced attackers monitor the victim's actions
  • Unique indicators visible on Google?
  • Attacker host monitoring for incoming traffic
  • Keyword search in mails, PDFs, …
• Basics of OpSec
  • “Think before you act” mentality
  • Limited information sharing
  • Trace removal
  • PassiveTotal.org

OpSec – Basic rules
• No ping
• No DNS lookup
• No accessing suspicious domains
• No premature remediation steps (reboot, antivirus scan, OS reinstall)
• No upload of samples
• No indicator validation on external sources
• NOT EVEN through 3rd parties

Anti-sandbox techniques
• Continuous development – sandbox vs. anti-sandbox
• Malware inactive in the analysis environment
• Tools presence detection (Wireshark, etc.)
• Virtualization detection
  • Registry (key existence, key value)
  • File system (file existence, drivers)
  • Processes (syscall response)
• Human presence detection
  • Mouse movement
  • Keyboard activity
  • File artefacts

Lab

Lab – Overview
• Hands-on experience of manual dynamic black-box analysis
• Guided analysis of selected malware samples
• Tools
  • Wireshark – Network activity
  • Process Monitor – File system activity, process creation
  • Autoruns – Persistence
  • Regshot – Registry changes
  • Process Explorer – Process map

Lab – Samples
• 2–3 samples from different malware families
  • Commodity malware – Zeus, ZeroAccess, generic Trojans, …
• Students will execute samples in a virtual environment
  • Provided simple analysis virtual machine (Windows)
• Indicators collected – network, files, persistence
• Discussion about interpretation of facts
• Homework
  • 2 samples for independent analysis
  • Write a cohesive report and present key information to the reader