
Hello cyber security community, cyber security enthusiasts, entry-level specialists and also professionals. I hope that this conference will be a blessing for this community and for our specialists, and that many of us will find new knowledge for themselves. Let's begin.

Today I will talk about malware and the role of cryptography in malware development, and a little bit about how to try to decrypt BlackCat and HelloKitty ransomware. A little bit to introduce myself: I'm working as a malware analyst and threat hunter, and I'm the author of the mmz book about malware development. Different stages of this research were presented at Black Hat and BSides conferences.

So, the agenda. First of all we are
talking about classic cryptography, when we use traditional cryptography for defensive security. Then, as you know, the bad news is that cryptography is also used for offensive security and for adversary malicious activities. And of course ransomware: today ransomware and cryptography are just like synonyms in cyber security.

Of course, traditionally cryptography is used to secure information, for protecting your information, for defensive security measures and defensive security practical cases. Today the bad news is that cryptography is also used for offensive security. What does it mean? First of all, of course, when we create and develop malware for offensive security cases, we protect this malware from different security solutions like antiviruses, EDR and XDR solutions. "Yes, modern antivirus is bypassed easily today", "antivirus is easily bypassed, fully undetectable malware": these are the different sentences you can hear today when you do research about red team operations and malware development. And I just asked myself: hey, is it really so easy, bypassing antivirus solutions today? Just consider this case. I know that every antivirus bypassing method comes down, in conclusion, to one of these. The first is time distortion, when we use something like sleep and different time-related Windows API functions. The second one is function call hiding, when we hide Windows API calls from malware analysts. Of course, function call
by hash, for example: when you create and develop malware, the problem is when you use different functions. For example, if you see ws2_32.dll in the import address table of your malware, you know that the malware's capabilities use different web sockets; when you find, for example, RegOpenKey among the Windows API imports, you know that the malware uses some tricks and tactics with the registry. So, to solve this problem, malware developers use calling APIs by hash instead of calling by function name. Of course, there is also obfuscation and encryption, when you want to hide some malicious strings like kernel32.dll or maybe ntdll.dll or other ones. Of course, there is payload encryption, and the last one is syscalls instead of API calls. But today I consider only payload encryption.

What is payload encryption? When you create different payloads to run malicious activities, or run reverse shells or other payloads, you can use encryption to hide them from security analysts, malware analysts and reverse engineers. But of course the classic trick is using something like the XOR algorithm or the RC4 algorithm for payload encryption. You know, for example, the Metasploit framework uses RC4 for hiding the payload and encrypts payloads via Metasploit. Of course, it can be easily reimplemented; for example, XOR or RC4 are easily implemented, but since they are used in well-known malware, they are easily detected by antivirus and EDR solutions. Another trick, one of the most efficient tricks, is the Lazarus APT trick, when they use the UuidFromStringA function: this function also decrypts your payload from UUID strings and writes it to memory. So we can use more common functions; for example, you can avoid VirtualAlloc and use different functions. But if you use another trick like running payloads, running shellcode, via callbacks, something like EnumChildWindows and EnumDesktopsA and others, of course this trick is also well known and easily detected nowadays by security analysts and threat
hunters and reverse engineers.

So I just asked myself: okay, RC4, RC5, XOR or AES, Base64. Every time when we use these algorithms, security solutions like antivirus, and maybe security analysts, easily detect these algorithms. Why can't we use different algorithms, different classic algorithms which are not so popular as AES, not so popular as the XOR algorithm? I just found this incredibly good book by Bruce Schneier about cryptography. First of all, remember about Shannon entropy. Of course, Shannon entropy is a measurement of the unpredictability of your data; for example, if the Shannon entropy of your malware is high, it's easily flagged as malicious, and security solutions use additional actions for investigating this file. So I just tried to reimplement different classical algorithms from this book and show how this affects the VirusTotal score, how this increases or decreases your entropy and decreases or increases your VirusTotal score, and finally tried to simulate ransomware for encrypting the file system, the entire system, with these algorithms.

The first algorithm is the encryption algorithm which was released in the 1980s and 1990s of the 20th century. It's easily implemented in hardware because, as I know, nowadays some Intel processors and different other processors use this algorithm for the cryptography solutions in processors, but you can also easily implement it in C. So I just encrypted my payload and compared how you can use this for reducing the VirusTotal score, and you can see, first of all, the Shannon entropy is not so high, not so sophisticated, 6.285, and the VirusTotal score is also a bit reduced, from 31 to 4. Of course, in this implementation I implemented only one case, like key size 16 and 32 rounds, because when I tried to use more rounds the VirusTotal score was reduced, but the unpredictability of the data, so the entropy, is higher than six.
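The Shannon entropy the speaker keeps measuring is also what a scanner computes to find an encrypted payload inside a binary. This is an added example of mine, not code from the talk: it computes entropy in bits per byte and slides a window over a constructed sample (ASCII text followed by seeded pseudo-random bytes standing in for an encrypted payload); the 7.0 bit threshold is an assumed heuristic, not a standard.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte: 0.0 for constant
    data, 8.0 when all 256 byte values are equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data: bytes, window: int = 512, step: int = 256,
                         threshold: float = 7.0):
    """Slide a window over data and return (offset, entropy) for every window
    above the threshold. An encrypted or compressed payload embedded in an
    otherwise low-entropy binary shows up as a run of flagged windows. The 7.0
    bit threshold is a common heuristic (an assumption here, not a standard)."""
    hits = []
    for off in range(0, max(len(data) - window, 0) + 1, step):
        e = shannon_entropy(data[off:off + window])
        if e > threshold:
            hits.append((off, round(e, 3)))
    return hits


# Constructed sample: readable text followed by a pseudo-random region that
# stands in for an encrypted payload (seeded PRNG, so every run is identical).
TEXT_REGION = b"This is ordinary program text with ASCII strings in it. " * 40
_rng = random.Random(2024)
ENCRYPTED_REGION = bytes(_rng.getrandbits(8) for _ in range(2048))
SAMPLE = TEXT_REGION + ENCRYPTED_REGION

if __name__ == "__main__":
    print("whole file     :", round(shannon_entropy(SAMPLE), 3))
    print("text region    :", round(shannon_entropy(TEXT_REGION), 3))
    print("payload region :", round(shannon_entropy(ENCRYPTED_REGION), 3))
    for off, e in high_entropy_windows(SAMPLE):
        print(f"high-entropy window at {off:#07x}: {e}")
```

The per-window view matters more than the whole-file value: a small encrypted blob can leave the file average below the 6.285 the talk quotes while still standing out as a block of near-8-bit windows.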
The A5/1 encryption algorithm: this algorithm was released and used by the GSM standard for encrypting communication between your phone and the base station in GSM, and I just asked myself why not try to use this for payload encryption. Just try it. As a result, first of all, I just used the simplest initialization, and in this case we also get a good VirusTotal score: as you can see, we reduce the score from 31 to 84, and the Shannon entropy is also not so high. But you know, using only payload encryption is the worst scenario for your red team operation; you cannot use it so effectively in practice, in real cases, in your real-world cases, in this red team operation. I just tried to use additional tactics and tricks, something like anti-analysis tactics. For example, you can detect that your payload is being debugged: you can use some anti-debugging tricks like checking IsDebuggerPresent, checking the NtGlobalFlag, or checking the BeingDebugged flag and different ones, and add anti-virtual-machine tricks, like when you use the registry and find some flags; for example, with VirtualBox you can find different flags in the registry showing that your malware is running in a sandbox. And in this case, as a result, this algorithm with additional tricks passed Kaspersky at the moment of this research, of
course, because today it's not so lucky. The next one is the Madryga algorithm, which was released in 1984 by the cryptographer Madryga, and also took part in the Advanced Encryption Standard process in the USA. But since this algorithm has weaknesses for traditional cryptography, for defensive cases, I just tried this for encrypting and decrypting payloads. In this case it uses 16 rounds and this delta constant. But of course, if you are a more sophisticated malware analyst and use more professional measures like YARA rules or something like reverse engineering and try to find the different constants, you can easily beat this trick, this bypassing tactic. But if you measure the Shannon entropy it's also not so high, as you can see, and the VirusTotal score is also reduced and shows good results. What does it mean? It means, of course, you can also use this encryption as a starting point for your red team operation, and you can use different additional measures like anti-debugging
and anti-VM tricks.

The next one is the Skipjack algorithm. When this algorithm was released it was used by the National Security Agency in the USA, but it was declassified in 1998, and after declassifying, this algorithm was also retired from defensive security cases. I just used this for encrypting payloads and tried how this works for the VirusTotal score. But I did not use the original algorithm; I reimplemented a version of the algorithm optimized by another cryptographer, and of course in this case we also get a good result for Shannon entropy and VirusTotal score, and this algorithm can also be used as a starting point for encrypting your payload and for bypassing antivirus solutions.

And what about RC6? RC6 also gives good results, but there is one more con in this algorithm: as you can see, we use the hardcoded constants P and Q. This is easily detected by something like YARA rules, or maybe different reverse engineering tricks and practices of malware analysts and threat hunters. One more con for all these algorithms: I reimplemented them in C without using any Windows API calls like CryptoAPI or maybe bcrypt.dll, because when you use well-known algorithms and call well-known APIs like CryptEncrypt or CryptDeriveKey, of course the VirusTotal score is higher than usual, and it's easily detected by security analysts and security solutions.
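The con the speaker names for RC6, hardcoded P and Q, is exactly what a detection keys on. This added example is mine, not from the talk: it scans a buffer for the published 32-bit RC5/RC6 constants (P = 0xB7E15163, Q = 0x9E3779B9; Q is also TEA's round delta) in both byte orders, over a constructed sample that mimics the `mov eax, imm32` instructions a C key schedule compiles to.

```python
import struct

# Public constants from the cipher definitions; a scanner or YARA rule keys on them.
# RC6 shares P and Q with RC5, and Q is also the delta used by TEA/XTEA.
KNOWN_CONSTANTS = {
    "RC5/RC6 P32": 0xB7E15163,
    "RC5/RC6 Q32 (also TEA delta)": 0x9E3779B9,
}


def find_cipher_constants(blob: bytes):
    """Return sorted (offset, name, byte_order) for every known constant in blob.
    x86 immediates are little-endian, but data tables may be big-endian, so
    both orders are checked; overlapping matches are reported as well."""
    hits = []
    for name, value in KNOWN_CONSTANTS.items():
        for fmt, order in (("<I", "LE"), (">I", "BE")):
            needle = struct.pack(fmt, value)
            start = 0
            while (idx := blob.find(needle, start)) != -1:
                hits.append((idx, name, order))
                start = idx + 1
    return sorted(hits)


def looks_like_rc6_key_schedule(blob: bytes) -> bool:
    """Heuristic: P and Q together point at an RC5/RC6-style key schedule.
    Q alone is ambiguous (TEA, XTEA, or just the golden-ratio constant)."""
    names = {name for _, name, _ in find_cipher_constants(blob)}
    return "RC5/RC6 P32" in names and "RC5/RC6 Q32 (also TEA delta)" in names


# Constructed samples: NOP filler around 'mov eax, imm32' (opcode 0xB8)
# carrying P and Q, the shape a compiled RC6 key schedule leaves behind,
# and a second buffer that carries only the TEA/RC6 Q constant.
SAMPLE_RC6 = (b"\x90" * 16 + b"\xb8" + struct.pack("<I", 0xB7E15163)
              + b"\x90" * 8 + b"\xb8" + struct.pack("<I", 0x9E3779B9) + b"\x90" * 16)
SAMPLE_Q_ONLY = b"\x90" * 8 + struct.pack("<I", 0x9E3779B9) + b"\x90" * 8

if __name__ == "__main__":
    for off, name, order in find_cipher_constants(SAMPLE_RC6):
        print(f"{off:#06x} {order} {name}")
    print("RC6 key schedule likely:", looks_like_rc6_key_schedule(SAMPLE_RC6))
    print("Q-only buffer is RC6   :", looks_like_rc6_key_schedule(SAMPLE_Q_ONLY))
```

The same four-byte patterns translate directly into a YARA hex string, which is the form the speaker says analysts actually use against this trick.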
Yes, and of course, okay, let's say we encrypt and use anti-VM tricks and anti-debugging tricks, but in some cases it's not so good and not so lucky if you use an IP address for your C2 server, for your command and control server. So I just tried to use different command and control servers: using the Slack API, the Telegram API, something like the Discord API. I also found different implementations of how you can also use the VirusTotal API for malicious activities against your victims. The main purpose of using these APIs is that they give good results for the VirusTotal score, good results for antivirus solutions, because it's a well-known API URL; it's okay for security solutions. Yes, you know, I just encrypt all the URL strings, and as I said before, in this case you also use different hashing algorithms, like MurmurHash, maybe ChaCha20, or different algorithms like Base64, for hiding malicious strings. As you can see, you can also use this as a starting point for your red team operations, for adversary simulation tactics, adversary simulation research, of course.

And finally, okay, let's say we use these algorithms for encryption, for command and control encryption, for different kinds of hiding, protecting your malware from malware analysts. But what about using
these classic, unpopular algorithms for ransomware simulation? When you use these algorithms for encrypting the entire file system, of course you exclude some directories like System32 and the different SysWOW64 folders. But at this time I'm working on my new research about encrypting the file system with these algorithms, and also working on decrypting BlackCat and HelloKitty ransomware encryption.

Okay, what about HelloKitty and what about BlackCat ransomware configuration? HelloKitty ransomware encrypts files using an encryption library which is one of the implementations of the AES algorithm. Also, as I said before, the authors of this ransomware try not to use the Windows crypto API because it's easily detected and flagged as malicious. And what about BlackCat? You can find different configurations of this malware: you can use AES or, if you want, you can use the ChaCha algorithm for encryption in the configuration.

About effectiveness and problems. Yes, to fight the increasing threat posed by this ransomware (I mean only the cats, I mean BlackCat and HelloKitty), you can use different decryption tools which are developed by security companies like Kaspersky, or you can use different decryption methods, like using the No More Ransom resource. Of course, this aims to help victims in recovering their data, generally by decrypting their compromised files without paying the ransom, but unfortunately there has been minimal research in this area, minimal studies by different security researchers, and as a result it's not so effective.

What's the methodology to try to decrypt, to try to simulate ransomware with these classic and not so well-known algorithms? Just use different virtual machines like Windows 7 or Windows 10, then populate and fill this file system, the entire file system, with different files with extensions like docx, ppt, txt, mp3 and others, and of course disable services, for research purposes only, and use legitimate C2, as I said before, something
like these APIs. And I also compared the results of my research with the results of the No More Ransom site.

And what are the results? Decrypting ransomware is, of course, a little bit challenging for effective, good cryptography algorithms: yes, if you use strong cryptography in ransomware, trying to break it is not so effective a solution. But what about, instead of trying to decrypt the encryption algorithm, instead of trying to beat the cryptography, trying to find vulnerabilities in the design of this ransomware, in the design of the application, the design of the logic of this application: try DLL injection, try DLL hijacking, different measures. The effectiveness of recovery is not surprising, because as a result of this research nearly about 50% of cases and 50% of files are not recovered effectively, and sometimes it is challenging to decrypt BlackCat. What does it mean, what's up in this case? This shows that even when you know the algorithm, when you use the source code of this ransomware, you can't decrypt it nowadays; it is just used for looking at ransomware design.

And this time, what about the plans for this research? Yes, there is still a lot of work to be done before this tool can be used effectively, but I will share it in the future, and you are welcome to request different cases of this research. Thank you very much. If you have any questions about this research, please ask.