
in this location. So I will talk about malware, obviously, and when we talk about threat actors or malware developers, they are using a lot of different techniques to conduct actions on the infected machine, but some techniques are related to evasion, and they are highly regarded by attackers because evasion techniques are used to bypass the security in place or to avoid detection and security solutions. So this is the main topic of my talk, where we will learn more about evasion techniques, what the current trends are, and what we can do about it.

I'm currently working at Microsoft as a senior security researcher, so my work is mainly focused on threat intelligence, malware analysis and also malware tracking, and I've been studying evasion techniques since 2015, something like that, 2014 maybe. If you want to learn more about my work you can visit my website, and you can also follow me on Twitter these days.

Okay, before continuing with this presentation: how many of you here have already dealt with malware? It could be for blue team exercises or incident response, malware analysis, but also for penetration testing or red teaming, like some of you who are working on red teaming are also developing malware. So raise your hand again. Okay, almost everyone, I was expecting that, so that's good, because this presentation is exactly for you.

In this presentation we will discuss several aspects. First of all, I would like to define what exactly evasion techniques are and why they are really important. We will also dissect some practical examples with famous malware that are currently using evasion techniques, and we will see how they are using them to bypass the security in place. Then I will conclude the presentation by introducing you to a project that I have been maintaining for a while, which is an open source project completely dedicated to evasion techniques.

Okay, so let's talk about the definition of evasion techniques. Evasion techniques are interesting because they are not only used by malware; they are also used by legitimate software to protect the code and avoid cracking, or to avoid the copying of the code and the reproduction of the application itself. So evasion techniques can be used by software to avoid static analysis and also dynamic analysis, and also human analysis like reverse engineering with disassembling, anti-debugging and so on. This is also an interesting technique to use in malware to avoid and evade a security solution, static analysis as well as dynamic analysis, security configuration (in some cases there is some security configuration that will detect a specific malware), and also to avoid human detection, meaning the malware analysis process: running the samples, reversing them and so on. So these techniques are very important for malware as well, because they will use evasion techniques to stay longer on the machine and conduct malicious actions; if the malware is detected right before infecting the machine, there is no point for the attackers, because the malware will not have the time to run and conduct some stuff.

Okay, we know a little bit more about evasion techniques, so now I would like to discuss why malware evasion techniques matter. First of all, most of the samples, most of the malware that you can analyze or find during an attack or during your research, will use evasion techniques. In 2017 we conducted a research study with some statistics about malware that are using evasion techniques, and we found out that 90% of the samples that we studied have at least one evasion technique. It could be obfuscation, anti-debugging, anti-sandboxing; there are plenty of different evasion techniques, I will talk more about that later. If you're familiar as well with the MITRE ATT&CK techniques, if you have a look at Defense Evasion, it's actually one of the longest tactics in the MITRE ATT&CK matrix, and this is the case because many malware are using evasion techniques, and the fact is that even the MITRE matrix is not complete, because there are so many evasion techniques that it's very difficult to document everything. And yeah, finally, it's very important for attackers because the longer the malware will be able to run on the machine, the longer it will be able to do some exfiltration, ransomware stuff as well, or any kind of malicious activities. And for defenders this is really important because you need to be aware of it to be able to detect samples quickly, but also, when you are doing your analysis, to understand why some tools such as sandboxing will not detect the sample.

This is also important because there is actually a business around evasion techniques. We discussed before about legitimate software using evasion techniques, and for example we have Themida, which is a legitimate protector used to protect the code; this is also used by malware. And there is also some business around it, like in some underground marketplaces there are some tools that are sold to attackers just to protect their malicious code. In fact, I'm not sure if you remember the GandCrab ransomware, it was very famous around 2018, something like that. The GandCrab ransomware had a partnership with NTCrypt, which was a group at that time that was dedicated to creating evasion technique stuff for attackers, and GandCrab and NTCrypt at that time did a partnership to protect the different ransomware that was run by GandCrab.
Okay, let's talk a little bit more about evasion techniques themselves, what we can find in the wild, and a bit more practical stuff. When we talk about evasion techniques, we can actually split them into three main categories. The first one will be anti-security techniques, which will be basically all the techniques used to bypass security solutions such as antiviruses; it could be IPS as well, firewalls, any kind of security solution that you are running. There are some specific techniques that will be in a malware to bypass this specific tooling. The second one is anti-sandboxing techniques. Sandboxes are used for a quick dynamic analysis of a sample to get a report about its capabilities, and basically there are also some techniques that will be able to detect the sandbox environment. It could be detecting the virtual machine environment, it could be detecting some processes running as well, but there are plenty of techniques, and if malware are using anti-sandbox techniques, your report from the sandbox will not be very valuable, because you will not get a full understanding of the capabilities of the sample. And the last one is anti-analysis techniques, which are basically, if you are doing some malware analysis, reverse engineering and so on, or even running the sample in a virtual machine just to understand what its capabilities are, the techniques that get in your way: it could be obfuscation, so it will be a bit more difficult to analyze the sample; it could be packing techniques as well, to protect the code itself; it could be some anti-disassembling techniques, so when you load the sample into a disassembler you will not get anything, because they will have multiple tricks and the code will not make sense; and it could also be some anti-debugging techniques. Anti-debugging is very much used as well: if you're doing malware analysis, it could have some trick to avoid some part running in a debugger. And it could also be, for example, environment-aware, such as detecting the processes running: if you are running Wireshark, the sample will be able to detect that Wireshark is running and simply not run on the machine, or run differently. So it's mostly used to harden the analysis and avoid the understanding of the sample. That's why also evasion techniques are very important if you are doing malware analysis, incident response, and mainly if you are working on malware. There is actually one sample, one malware family, which is using a lot of evasion techniques, and we will see that in the talk.

Also, evasion techniques are very important because you can find them in every step, or in every stage, of an attack. Most of the attacks today are using a delivery file, and then they will have some mechanisms until the final payload that will run on the machine. So if we take this typical attack sequence, the first one, infection vectors, could be a malicious document that you receive by email, a malicious document that will run a macro, for example. The macro can be obfuscated, and they can also have some tricks to detect the environment and not deliver the second stage if it detects the virtual machine or the analysis environment. Then we also have some evasion techniques in the malware delivery process, meaning you will get a sample, in that case an executable, for example; the executable can be packed with some mechanisms such as obfuscation, anti-debugging and so on. We also have some evasion techniques during the malware execution, like the malware will run and it will try, for example, to detect some elements on the machine before doing multiple stuff or unpacking itself into memory. And finally, we also have some evasion techniques during the connection with the command and control server, for example for exfiltration, but it could also be communication with the C2 for retrieving the commands, or for example getting some information from the command and control. So that's why it's very important to understand evasion techniques and to understand at which point of an attack you can find evasion techniques, especially if you are doing some
analysis and nothing is correct or nothing is making sense.

All right, I wanted to talk about Emotet. Emotet is a famous, infamous malware that used to be a banker, and it moved over the past years to being a loader, meaning it will infect machines and resell the infection access to different threat actors such as ransomware groups, for example. And Emotet is quite interesting when we talk about evasion techniques because it uses a lot of different mechanisms that are very interesting, so I believe this is a good use case to present to you here today, these samples, to understand a little bit more how Emotet is actually using evasion techniques.

This one is an example where the first infection vector was a malicious document with a message that forced the user to enable the macro to see the contents, regular stuff. The macro in that specific example is obfuscated, so it's not super easy to analyze at first view, you need to spend some time on it. The malicious macro is actually running on the system a PowerShell encoded base64 string, and the decoded string is actually a PowerShell script that will run some HTTP requests to a C2 server or domain name; these specific requests are directly encoded into the PowerShell script, and there is some mechanism that will build the domain name. So even if you decode the PowerShell, you can be confused sometimes about what exactly the PowerShell is doing. And finally, the HTTP request to the remote domain to get the sample: the sample needs to be fetched with a specific HTTP request, so if you don't have the request you can go to the domain, but you cannot download the sample because you don't have the specific HTTP request. So that's the kind of obfuscation we have with Emotet.

So in that case I retrieved the executable and I wanted to learn more about it. The first thing that you do when you get a malware, before reversing it and getting more information about it, is just getting information about the structure of the PE, the portable executable. In that case, this one was interesting because it was bound with a legitimate software, meaning when you run for example strings on the sample you will get a lot of different strings, and many of them were legitimate because they were associated with the legitimate file. And that's a common technique used by malware to, for example, bypass machine learning classification. So in that case Emotet was using a legitimate software, and it also had some fake metadata in the structure of the file, which is not really an evasion mechanism but it can trick some users or some analysts as well.

Getting more knowledge about the structure of the samples, which is interesting, is to understand more about the capabilities of Emotet. So what I did: I loaded Emotet into my disassembler and I wanted to start my reverse engineering session to get more knowledge about it, and in that case the samples were using what we call spaghetti code, meaning it was using a lot of different fake operations, obfuscating the control flow, which is a bit difficult to analyze when you have a look at this kind of flow graph. Especially, you can spend a lot of time trying to reverse everything, but it's just a waste of time, so you have to be able to know about it, to spot the different mechanisms, the fake operations that could be used, and just focus on what could be interesting.

And at the end, when the samples were running, they also built some domain names on the stack, so it was dynamically decoding the domain name when running. So when you were doing your static analysis you were not able to see anything, because all the domain names were completely obfuscated, so in that case it was easier to run the sample and monitor the traffic to retrieve the domain name. And it's also interesting because the communications with the command and control server were encrypted, so you couldn't see the data that was exchanged with the samples easily, and that's also another obfuscation mechanism to avoid detection, analysis and so on. So as you can see, to very deeply understand every piece of code can take a lot of time, and when you are dealing with an outbreak or an incident response, most of the time you don't have time.

All right, all that introduction about evasion techniques and what we can find in the wild was to introduce you to the Unprotect Project. The Unprotect Project is an open source database that catalogs evasion techniques. I started this project in 2015, and at that time I was working mainly on incident response and I used to travel a lot for several customers, and when I went to the customer site, most of the time they said: we
already have the antivirus in place, we already have some security solution, but they don't detect anything. So I started to get more knowledge about evasion techniques, just to explain to them that malware are using this kind of techniques to evade detection; in some cases, when you run your tools or when you have all your security in place, it's not enough, because malware will use these techniques just to bypass your security in place. So the project started in 2015. At first it was a wiki, a simple wiki, where I started to document everything and to list the different techniques. I did the first presentation of this project in 2016 at the Botconf conference, which is a famous law enforcement conference in France. Then, in 2017, I created some tooling around the project; mainly, one of the tools I created was a proof of concept. My idea was to create some artifacts related to a virtual machine environment on a regular machine, and that way, if a malware is aware of these specific artifacts on the machine, it will simply not run because it will believe that it's a virtual machine environment. So that's the kind of proof of concept I've been working on. In 2019 I talked about the Unprotect Project at Black Hat Asia, and one of my friends, dracci, who is French as well, joined the project, and we started to rebuild the website and the project itself. In 2020 we did a full redesign of the project and we started to document a little bit more, I did more features and so on. In 2021 we added the API, and in 2022, which is today, we started some new additions and new features, so I'm going to show you that in a short demonstration.
So the Unprotect Project is available at unprotect.it. On the first page you will get information about the latest statistics about the database; like at this moment we have 205 techniques available on the website, we have 120 code snippets, we also have 115 detection rules, and currently we have 17 contributors. You can also see the latest techniques that were added to the database, and you can also look for a specific technique by searching directly in the search engine. So when you click on it you will have the results which are related to the terms you searched. If we take the first one, in process, you will have some information here about the technique. You will also have some code snippets when available, because we are still currently working on the database and not all the techniques are documented at the moment, but in some cases you will have a small code snippet. You can also have multiple code snippets in some techniques: it's not only C++, it could also be Python or Delphi or C#, depending on the contributor. And we also have detection rules, so we have YARA rules; YARA is used mainly in malware analysis to detect specific techniques, or for doing some threat hunting as well. We also have some Sigma rules if you want to try Sigma as well for these specific techniques, and we also have capa; capa is an open source tool from FireEye which is used to automatically detect the MITRE techniques in the sample. Some techniques are not completely documented, like this one, but basically that's the kind of information we try to have in the database.

You can also look for a specific technique by looking at the map, meaning the classification, and the different techniques are classified by anti-debugging, anti-disassembling, anti-forensics and so on, process manipulating as well; process manipulating is mainly all the process injection mechanisms. If you click on one of them you will get the list of the techniques that are referenced in the project, and you can see the ID, you can see if a specific technique already has code snippets or already has detection rules and so on. You can also look at the technique list like that and have all the techniques, and directly look for something specific, or the snippet list as well, and all the detection rules. In the about page you can learn a little bit more about the project itself, why we created it, why it's important; you can also see the main contributors of the project, and we have here all our contributors that are listed and that contribute to the project.

If you want to automate something, and if you are working on evasion techniques, there is also an API which is available. At the moment we are working on a Python package; that way you can automate the requests to the database from the API. You can retrieve information about specific techniques, but you can also retrieve the YARA rules, the Sigma rules and the capa rules, which is very interesting if you are working with Python, for example: you can directly automate the retrieval of the YARA rules and run them on your data sets, for example.

And I'm also glad to be here today to announce a new feature which is not yet available, but you will have a glimpse, an overview, quickly today. We are actually building an engine where you will be able to upload a sample to the database and get a full report about the evasion techniques related to that specific sample. So at the moment it's very basic, it's only a portable executable parser, but basically you will get this kind of information: mainly the hashes related to the sample; you will have details about the DOS header with the different fields, the description as well and many useful pieces of information. You will also have some additional features, like the file header as well, if it's available in the sample you want to analyze; the sections, so you will get more details about the different sections in the sample you want to analyze, which is also quite interesting because in some cases sections can be used to obfuscate some data, or, if the sample is packed, you will get more detail about the mechanism used by the sample in the section. You can also see all the different DLLs and the functions used by the sample; that way you can have an overview of the capabilities of the sample itself. And some of the features that are here as well are the extraction of the strings and so on. So we are still working on it, but basically the goal is to have really something specific, dedicated to evasion techniques. Like, for example, if we take the strings, in that case you only get all the strings of the sample, but we are working on a way to classify the most important strings and to recognize strings that could be related to evasion techniques or could be obfuscated as well.

As I said, the project is open to the community and there are actually some resources if you want to contribute, but basically the goal of the project is to document as much as possible the evasion techniques. It's a kind of an extension of the MITRE matrix, and the goal is really to provide more knowledge about evasion techniques. And I think it's interesting; I've been discussing with some people, mainly ones that are working in malware analysis but also some people that are working on red teaming, and this kind of database is very interesting for them because they can reuse some pieces of code for their exercises, and that's why we also provide the detection rules when possible, just to be sure that people can also be aware of it and detect the different techniques that we document in the database. If you want to contribute to the project you can have a look at the website itself, there is a small button "contribute", and yeah, if you have an idea, or if you see something that is not documented currently, or if you see something that you would like to update, you can contribute directly to the project.

To conclude this presentation: here I wanted to give you an overview of malware evasion techniques, and mainly what kind of techniques we can find in the wild. So I believe it's very interesting to study malware evasion techniques, because you can understand a bit more about what kind of techniques malware will use to bypass your security in place. If you spend a lot of time trying to analyze a specific sample and you don't know why, for example, it's not running in your debugger, that could be evasion techniques. I think this is also interesting to study these techniques because they are highly regarded by threat actors, and there are many different techniques coming out almost every month. And yeah, finally, the Unprotect Project is basically a way to provide more documentation and more resources to the community about evasion techniques. So I hope you learned something today, or at least you found this talk interesting. Thank you very much for your attention, and if you have any questions, let me know.

Thank you.