Malware

Malware Analysis

Malware Families

• https://malpedia.caad.fkie.fraunhofer.de/families

AlphaBlend Campaign

• https://steemit.com/reverse/@utkonos/alphablend-malware
• https://steemit.com/reverseengineering/@utkonos/alphablend-campaign-part-2
• https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/-address
• https://docs.microsoft.com/en-us/windows/desktop/sbscs/activation-contexts

azorult

• https://blog.minerva-labs.com/azorult-now-as-a-signed-google-update

MuddyWater

• https://www.sdkhere.com/2019/01/a-new-muddywater-apt-campaign-spreads.html

Other

• https://github.com/3xp0rt/AnubisStealer

Collections

Linux

• https://github.com/tarcisio-marinho/GonnaCry

Malware Collections

• http://iec56w4ibovnb4wc.onion/
• http://iec56w4ibovnb4wc.onion.si
• https://www.cert.pl/en/news/single/mwdb-our-way-to-share-information-about-malicious-software/
• http://185.244.25.217/bins/

Collection Maintenance Tools

• https://github.com/phage-nz/ph0neutria
• https://github.com/robbyFux/Ragpicker

Antivirus Internals

• DEF CON 26 - Alexei Bulazel - Reverse Engineering Windows Defenders Emulator: https://www.youtube.com/watch?v=2NawGCUOYT4
  • https://i.blackhat.com/us-18/Thu-August-9/us-18-Bulazel-Windows-Offender-Reverse-Engineering-Windows-Defenders-Antivirus-Emulator.pdf

Antivirus Bypass

Tools

• shellterproject: https://www.shellterproject.com/exclusive-features/
• Hyperion

  i586-mingw32-msvc-g++ Src/Crypter/*.cpp -o  hyperion.exe
  wine hyperion.exe backdoor.exe out.exe
  

• Python script designed to generate metasploit payloads that bypass common anti-virus solutions: https://github.com/Veil-Framework/Veil
• Python script that takes an automated approach to AV evasion: https://github.com/v-p-b/peCloakCapstone/blob/master/peCloak.py
• Open source software in Python language which lets you generate customized shellcodes and convert scripts to an obfuscated script: https://www.owasp.org/index.php/OWASP%5FZSC%5FTool%5FProject

References

• Art of Anti Detection 1 – Introduction to AV & Detection Techniques: https://pentest.blog/art-of-anti-detection-1-introduction-to-av-detection-techniques/
• Art of Anti Detection 2 – PE Backdoor Manufacturing: https://pentest.blog/art-of-anti-detection-2-pe-backdoor-manufacturing/
• 5 Common Cyber Security Threats That Bypass Legacy AV: https://www.sentinelone.com/blog/5-common-cyber-security-threats-that-bypass-legacy-av/
• Antivirus Event Analysis Cheat Sheet v1.4: https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
• Bypassing Kaspersky Endpoint Security 11: http://0xc0ffee.io/blog/kes11-bypass
• Hiding Metasploit Shellcode to Evade Windows Defender: https://blog.rapid7.com/2018/05/03/hiding-metasploit-shellcode-to-evade-windows-defender/
• Enumerating Anti-Sandboxing Techniques - TrustedSec: https://www.trustedsec.com/2018/06/enumerating-anti-sandboxing-techniques/?utm_content=73303714&utm_medium=social&utm_source=twitter

Techniques

PDF Based

• BadPDF - Bad-Pdf reads the NTLM hashes using Responder listener: https://github.com/deepzec/Bad-Pdf
• Adobe Reader - PDF callback via XSLT stylesheet in XFA: https://insert-script.blogspot.com/2019/01/adobe-reader-pdf-callback-via-xslt.html

C2 Techniques

• dnscat2 - https://github.com/iagox86/dnscat2
• DropboxC2C - https://github.com/0x09AL/DropboxC2C
• gcat (Gmail) - https://github.com/byt3bl33d3r/gcat
• HTTP/2 Go - https://github.com/Ne0nd0g/merlin

Downloaders

• PLEAD Downloader Used by BlackTech: https://blogs.jpcert.or.jp/en/2018/06/plead-downloader-used-by-blacktech.html

Fileless Attacks

New Reference

• https://www.varonis.com/blog/understanding-malware-free-hacking-part/

Summarized References

• https://blog.minerva-labs.com/deconstructing-fileless-attacks-into-4-underlying-techniques

Malicious Documents

• New Evasive Malware Technique exploits Microsoft Dynamic Exchange (DDE): https://blog.minerva-labs.com/prevented-by-minerva-labs-new-evasive-malware-technique-exploits-microsoft-dynamic-exchange
  • Dynamic Data Exchange (DDE) allows adversaries to deliver stealthy payloads via document files while avoiding the common usage of macro.
  • https://blogs.quickheal.com/emerging-trend-dde-based-office-malware-analysis-quick-heal-security-labs/
  • https://blog.barkly.com/locky-ransomware-using-microsoft-office-dde-exploit

Malicious Scripts

• Targeting powershell.exe, cscript.exe, cmd.exe and mshta.exe
• Windows Subsystem for Linux introduce more script support
• Prevent Powershell detection: https://blog.minerva-labs.com/confronting-snake-oil-sales-tactics-in-endpoint-security
  • If the attacker places a malicious script under the path %USERPROFILE%\profile.ps1 and start PowerShell ISE, the script will be executed without powershell.exe being involved
  • Bypass execution policy: HKEY_CURRENT_USER\Software\MicrosoftPowerShell\1\ShellIds\Microsoft.PowerShell - And set the registry value ExecutionPolicy to Unrestricted.
  • Invoke-NoShell
    • 12 different evasive document permutations
  • Invoke-Obfuscation
  • Invoke-DOSfuscation
    • Emotet’s script obfuscation: https://blog.minerva-labs.com/the-emotet-grinch-is-back

Living off the Land

• regsvr32.exe, rundll32.exe, certutil.exe and schtasks.exe.
• Living Off The Land Binaries and Scripts: https://github.com/LOLBAS-Project/LOLBAS
• Abusing WMI to Build a Persistent, Asynchronous, and Fileless Backdoor: https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf
• APT29’s use of WMI and PowerShell to plant fileless backdoors: https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
• Reference:
  • https://liberty-shell.com/sec/2018/10/20/living-off-the-land/

Malicious Code in Memory

• Memory injection - VirtualAllocEx and WriteProcessMemory, which allow one process to write code into another process. Overview of the AZORult attack: https://blog.minerva-labs.com/analyzing-an-azorult-attack-evasion-in-a-cloak-of-multiple-layers
• Wrap compiled executables into scripts that extract malicious payload into memory during runtime.
  • PowerSploit: https://github.com/PowerShellMafia/PowerSploit
    • GhostMiner analysis: https://blog.minerva-labs.com/ghostminer-cryptomining-malware-goes-fileless
  • Veil Framework: https://www.veil-framework.com/
• Process Doppelgänging - attacker misuses NTFS transaction capabilities built into Microsoft Windows to temporarily modify a trusted file in memory without committing changes to disk
  • SynAck malware: https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/
• CoffeeShot tool (inject shellcode from Java): https://blog.minerva-labs.com/coffeeshot-avoid-detection-with-memory-injection

Tools

• Loki - Scanner for Simple Indicators of Compromise https://github.com/Neo23x0/Loki
  • Features
    • File Name IOC
    • Yara Rule Check
    • Hash check
    • C2 Back Connect Check
  • Additional features
    • Regin filesystem check (via --reginfs)
    • Process anomaly check (based on Sysforensics)
    • SWF decompressed scan (new since version v0.8)
    • SAM dump check
    • DoublePulsar check - tries to detect DoublePulsar backdoor on - port 445/tcp and 3389/tcp
    • PE-Sieve process check
  • Signature Base: https://github.com/Neo23x0/signature-base
• Spark Core: https://www.nextron-systems.com/spark-core/
  • Signature Base: https://github.com/Neo23x0/signature-base
• libpeconv - A library to load, manipulate, dump PE files: https://github.com/hasherezade/libpeconv
• PE-Sieve - Based on libpeconv. Scans a given process, searching for potentially malicious implants and patches within the process space https://hshrzd.wordpress.com/pe-sieve/
• PE Studio - Malware Initial Assessment: https://www.winitor.com/features.html https://www.winitor.com/binaries.html
• Collecting & Hunting for IOCs with gusto and style: https://github.com/rastrea2r/rastrea2r

Defense

New References

• Detecting malicious certificates: https://github.com/Neo23x0/signature-base/blob/master/yara/gen_cert_payloads.yar

YARA

• Rule-based approach to create descriptions of malware families based on textual or binary patterns.
  • Rules are composed of two sections:
    • strings definition (optional)
    • condition
  • Example rule:

    rule dummy 
    {
        condition: true 
    }
    

    rule silent_banker : banker
    {
    meta:
        description = "This is just an example"
        threat_level = 3
        in_the_wild = true
    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
    condition:
        $a or $b or $c
    }
    

  • Sections
    • Meta Section
    • Strings Section
      • Specifies the strings that are used to identify.
      • In YarGen, there are three categories of these strings, marked by $s, $x, and $z.
        • $s ("Highly Specific Strings") are very specific strings that will not appear in legitimate software.
          • Server addresses
          • Names of hacking tools and malwar
          • Typos in common strings
        • $x ("Specific Strings") are likely to be indicators of malware files, but might also appear in legitimate files.
        • $z are likely to be ordinary but are not currently included in the goodware string database.
    • Condition Section
      • Boolean expressions that specify the additional conditions of that rule.
      • https://yara.readthedocs.io/en/v3.4.0/writingrules.html#conditions
• GitHub: https://github.com/virustotal/yara
• awesome-yara: https://github.com/InQuest/awesome-yara
• Rule Sets:
  • yara-forensics: https://github.com/Xumeiquer/yara-forensics
    • set of rules that search for magic headers on files and dump files like raw image of dd
  • Rules: https://github.com/Yara-Rules/rules
  • Rules by Neo23x0: https://github.com/Neo23x0/signature-base/tree/master/yara
  • AlienVaultLabs: Malware related to APTs: https://github.com/AlienVault-Labs/AlienVaultLabs
• Analyze: yara <yara-rule> <target-file>
  • -m: print metadata of rules satisfied
  • -c: print number of matches (file path:match result)
  • -s: print matching string (hexadecimal virtual address:$string identifier:string value)
  • -p: prefix the description
• Analyze using multiple rules:

  for file in $(find PATH-TO-DIRECTORY-CONTAINING-RULES -name '*.yar'); do 
      test $(yara -c ${file} PATH-TO-FILE) -gt 0 && echo $file;
  done 2>/dev/null
  

• yaraGen - Creation of yara rules from strings found in malware files while removing all strings that also appear in goodware files. yarGen includes a big goodware strings and opcode database: https://github.com/Neo23x0/yarGen

  python yarGen.py --update
  python yarGen.py -m PATH_TO_MALWARE_DIRECTORY
  

  • A YarGen rule can be:
    • simple rule
    • super rule: If multiple sample files are used, YarGen will try to identify the similarities between the samples and combine the identified strings into a "super rule". Metadata section has: super_rule = 1.
      • Simple rules generated for each file is still there.
      • Overlap of rule strings between the simple rules and the super rule.
      • --nosimple to remove simple rules.
      • --nosuper not to create super rules.
  • Options:
    • --excludegood: exclude all of the goodware strings
    • --score flag: output the scores as comments in the rule file
    • -rc (maxstrings): maximum number of strings to include in each rule (20 by default)
    • -z (min-score): minimum score a script should have to be included in rule
    • -a: author
    • -r: reference

References

• Linux - Sandbox - https://github.com/danieluhricek/LiSa

New References

• The Road To Reverse Engineering Malware: https://www.secjuice.com/the-road-to-reverse-engineering-malware/
• Unpacking the packed unpacker: https://www.virusbulletin.com/blog/2019/01/vb2018-paper-unpacking-packed-unpacker-reversing-android-anti-analysis-library/
• ELF in-memory execution: https://blog.fbkcs.ru/en/elf-in-memory-execution/
• Botnet Takeover (NSA Docs): https://twitter.com/0xffff0800/status/1077052289175609344
• An example rootkit that gives a userland process root permissions: https://github.com/PinkP4nther/Sutekh
• https://cybersecurity.att.com/blogs/security-essentials/building-a-home-lab-to-become-a-malware-hunter-a-beginners-guide
• https://pentestlab.blog/2018/06/06/command-and-control-browser/
• https://github.com/0x09AL/Browser-C2