Cyber security 360
Evasion Strategies
Environment awareness
When malware runs, it often first identifies whether it is running inside a sandbox environment or a virtual machine. This technique extracts and checks the system's configuration and terminates the malware's execution if the expected conditions are not met. In short, the malware can be programmed to detect sandbox usernames such as "virtualbox," "vmware" or "virtual," hypervisor calls, sandbox processes, installed devices, breakpoint registers and dynamic link libraries.
Timing-based method
The time-based approach is a very effective technique for bypassing sandbox analysis because a sandbox analyses the sample only for a limited period. This method includes several evasion methods, such as:
User interaction
User interaction can occur in different ways, such as moving the mouse or clicking on something. The malware can detect if this type of movement happens in the target environment, including the sandbox.
Malware can be developed to execute only after some scrolling movements or when the user opens a folder. Conversely, reading the mouse and keyboard inputs, analysing the speed of the movements and their coordinates, and checking whether something is being opened and executed during a click is a popular method of human-interaction detection.
With this approach, criminals can efficiently control and assemble all the infection stages by discarding false positives, that is, executions that are not taking place on a real user's machine.
Domain, IP identification and internet connection
Malware developers often use this method to identify the target companies by their IP ranges and to check whether the target machine can connect to the internet.
Maintaining an internet connection while the threat is running is essential because it allows criminals to download additional payloads and the malware configuration from the C2 server. This is crucial behaviour: the malware will not load its configuration into memory if the previous checks fail, and a valid internet connection on the target machine cannot be assumed in advance. From the point of view of a malware analyst, this can be a pain at times because it adds complexity and makes analysing the threat more time-consuming.
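As an added example (not code from the original page), the following Python script triages a sandbox API-call trace for the behaviours described in the sections above and in the Virtualisation/Sandbox Evasion section below: environment-awareness lookups for VM artefacts, timing stalls, polling for user interaction, and connectivity checks. The trace is constructed inline; its line format, the API names flagged and the 60-second threshold are assumptions for illustration, not a real sandbox's output format.

```python
"""Triage a sandbox API-call trace for evasion indicators (added example)."""
import re
from collections import defaultdict

# Constructed trace: one call per line, "<t_ms> <api>(<args>)[=<ret>]".
SAMPLE_TRACE = """\
0 GetUserNameW()="john"
2 GetModuleHandleW("vmware.dll")
3 RegOpenKeyExW("HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools")
5 GetCursorPos()
6 Sleep(1000)
1006 GetCursorPos()
1007 GetTickCount()
1008 Sleep(600000)
601008 GetTickCount()
601010 InternetCheckConnection("http://example.invalid/")
601011 InternetOpenUrlW("http://example.invalid/config.bin")
601500 VirtualAlloc(0x10000)
"""

LINE_RE = re.compile(r'^(\d+)\s+(\w+)\((.*)\)(?:=(.*))?$')

# Assumed indicator lists; extend per environment.
VM_MARKERS = ("vmware", "virtualbox", "vbox", "qemu", "xen", "hyper-v", "sandbox")
TIMING_APIS = {"Sleep", "GetTickCount", "QueryPerformanceCounter", "NtDelayExecution"}
INTERACTION_APIS = {"GetCursorPos", "GetAsyncKeyState", "GetLastInputInfo"}
CONNECTIVITY_APIS = {"InternetCheckConnection", "InternetOpenUrlW", "WinHttpOpen",
                     "gethostbyname", "getaddrinfo"}
LONG_SLEEP_MS = 60_000  # a delay this long outlasts a typical analysis window


def parse_trace(text):
    """Turn trace lines into dicts; lines that do not match the format are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            t, api, args, ret = m.groups()
            calls.append({"t": int(t), "api": api, "args": args, "ret": ret})
    return calls


def sleep_ms(call):
    """Requested delay for a Sleep() call, 0 for anything else."""
    if call["api"] == "Sleep" and call["args"].isdigit():
        return int(call["args"])
    return 0


def triage(trace_text):
    """Group evasion indicators found in the trace by technique."""
    calls = parse_trace(trace_text)
    findings = defaultdict(list)
    interaction_polls = 0
    for c in calls:
        lowered = (c["args"] + (c["ret"] or "")).lower()
        if any(marker in lowered for marker in VM_MARKERS):
            findings["environment_awareness"].append(f'{c["api"]}({c["args"]})')
        if c["api"] in TIMING_APIS and sleep_ms(c) >= LONG_SLEEP_MS:
            findings["timing"].append(f'Sleep({c["args"]}) >= {LONG_SLEEP_MS} ms')
        if c["api"] in INTERACTION_APIS:
            interaction_polls += 1
        if c["api"] in CONNECTIVITY_APIS:
            findings["connectivity"].append(f'{c["api"]}({c["args"]})')
    if interaction_polls >= 2:
        findings["user_interaction"].append(f"{interaction_polls} input polls")
    # Two GetTickCount reads far apart bracket a stall: the classic check that
    # the sandbox has not accelerated the sleep.
    ticks = [c for c in calls if c["api"] == "GetTickCount"]
    for a, b in zip(ticks, ticks[1:]):
        if b["t"] - a["t"] >= LONG_SLEEP_MS:
            findings["timing"].append(f'GetTickCount delta {b["t"] - a["t"]} ms')
    return {"findings": dict(findings),
            "total_sleep_ms": sum(sleep_ms(c) for c in calls),
            "calls": len(calls)}


if __name__ == "__main__":
    for technique, hits in triage(SAMPLE_TRACE)["findings"].items():
        print(technique, hits)
```

A run that reports a long stall, a matching GetTickCount delta and VM-artefact lookups before any network or memory-allocation activity is the pattern worth escalating: it suggests the sample decides whether to unpack based on where it is running, so a second detonation with longer timeouts and simulated input is usually needed.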
Stegosploit
This technique is a way of hiding malicious code within images. In short, a new drive-by browser exploit can be created and delivered via a simple image file. These kinds of payloads are efficient because they are stealthy and undetectable. Drive-by browser exploits are steganographically encoded into JPG and PNG images. The resulting image file is fused with HTML and JavaScript decoder code, turning it into an HTML+Image polyglot. The polyglot looks and feels like an image, but is decoded and triggered in the victim's browser when loaded.
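As an added example (not code from the original page), the following Python script checks whether a file that presents itself as an image carries the polyglot structure described above: it walks the PNG chunk list or the JPEG marker stream to find where the image legitimately ends, reports any bytes appended after that point, and looks for HTML/JavaScript markers anywhere in the file. The sample images are constructed inline; the marker list is an assumption to extend.

```python
"""Detect image/HTML polyglots by container walking and marker search (added example)."""
import struct
import zlib

# Assumed marker list: strings a browser would act on if the file were served as HTML.
HTML_MARKERS = (b"<script", b"<html", b"<body", b"<canvas", b"javascript:")


def png_end_offset(data):
    """Offset just past the IEND chunk, or None if this is not a well-formed PNG."""
    if not data.startswith(b"\x89PNG\r\n\x1a\n"):
        return None
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4          # header + payload + CRC
        if ctype == b"IEND":
            return pos
    return None


def jpeg_end_offset(data):
    """Offset just past the first EOI marker (FF D9), or None if not a JPEG.
    Caveat: an embedded EXIF thumbnail carries its own EOI; a production
    parser should walk the segment table instead of searching for FF D9."""
    if not data.startswith(b"\xff\xd8"):
        return None
    eoi = data.find(b"\xff\xd9")
    return None if eoi < 0 else eoi + 2


def analyse_image(data):
    """Report trailing bytes after the image and any HTML markers found."""
    end, kind = png_end_offset(data), "png"
    if end is None:
        end = jpeg_end_offset(data)
        kind = "jpeg" if end is not None else "unknown"
    trailing = len(data) - end if end is not None else 0
    lowered = data.lower()
    markers = [m.decode() for m in HTML_MARKERS if m in lowered]
    return {"kind": kind, "trailing_bytes": trailing,
            "html_markers": markers, "suspicious": trailing > 0 or bool(markers)}


def make_png(extra_chunks=(), trailer=b""):
    """Build a minimal 1x1 PNG (constructed); extra_chunks go before IEND, trailer after it."""
    def chunk(ctype, payload):
        crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
        return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit greyscale
    idat = zlib.compress(b"\x00\x00")                      # filter byte + one pixel
    body = chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat)
    for ctype, payload in extra_chunks:
        body += chunk(ctype, payload)
    return b"\x89PNG\r\n\x1a\n" + body + chunk(b"IEND", b"") + trailer


CLEAN_PNG = make_png()
# Constructed polyglot: decoder stub hidden in a tEXt chunk plus HTML appended after IEND.
POLYGLOT_PNG = make_png(
    extra_chunks=[(b"tEXt", b"c\x00<script>/* decoder stub */</script>")],
    trailer=b"<html><body></body></html>")
# Constructed minimal JPEG: SOI, APP0/JFIF header, EOI.
CLEAN_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              b"\xff\xd9")

if __name__ == "__main__":
    for name, img in (("clean png", CLEAN_PNG), ("polyglot", POLYGLOT_PNG), ("jpeg", CLEAN_JPEG)):
        print(name, analyse_image(img))
```

Trailing bytes alone are not proof of a polyglot (some tools append metadata), which is why the two signals are reported separately; an image with both appended data and script markers is the case to pull for manual review, and serving user-uploaded images with a strict `Content-Type` and `X-Content-Type-Options: nosniff` removes the browser-side trigger.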
Code obfuscation, encryption or compression
This is one of the most popular techniques in the malware landscape. Parts of the malware in the initial binary can be obfuscated or encrypted to bypass static analysis and make it hard to understand. The malware developers simply encrypt the malware's strings and decrypt them at runtime. With this approach, the malware analyst must identify and understand the block of code responsible for decrypting the content, and the key it uses. Some popular banking trojans such as Javali, Grandoreiro, Lampion, URSA and Maxtrilha use this technique to hide their content, including the hardcoded strings; the configuration, such as the remote C2 server address, bot commands and what information will be gathered and exfiltrated during execution; the WinAPI functions loaded at runtime; and so on.
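As an added example (not code from the original page), the following Python script shows the first step an analyst takes against the encrypted-strings pattern described above: sliding-window Shannon entropy locates the encrypted or compressed regions of a binary, while a printable-string scan confirms that the clear regions (and not the encrypted ones) are where readable configuration lives. The sample "binary" is constructed inline; the window size and the 7.0 bits-per-byte threshold are assumptions to tune per file type.

```python
"""Locate encrypted or compressed regions by entropy (added example)."""
import hashlib
import math
import re
from collections import Counter


def shannon_entropy(buf):
    """Bits per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def high_entropy_regions(data, window=512, threshold=7.0):
    """Return (start, end) byte ranges whose windows all exceed the threshold."""
    regions = []
    for off in range(0, len(data), window):
        if shannon_entropy(data[off:off + window]) >= threshold:
            if regions and regions[-1][1] == off:      # extend the previous run
                regions[-1][1] = off + window
            else:
                regions.append([off, off + window])
    return [(start, min(end, len(data))) for start, end in regions]


PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{6,}")


def printable_strings(data):
    """ASCII runs of six or more characters, like the `strings` tool."""
    return [m.group().decode("ascii") for m in PRINTABLE_RE.finditer(data)]


def pseudo_random_bytes(n, seed=b"constructed-seed"):
    """Deterministic high-entropy filler standing in for an encrypted blob (constructed)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed layout: 1024 bytes of repetitive code-like filler, 1024 bytes of
# "encrypted" data, then 520 bytes of clear configuration strings.
CODE_LIKE = (b"MOV EAX, [EBP+8]\x00" * 64)[:1024]
ENCRYPTED_BLOB = pseudo_random_bytes(1024)
CLEAR_CONFIG = (b"http://c2.example.invalid/gate.php\x00" + b"\x00" * 30) * 8
SAMPLE_BINARY = CODE_LIKE + ENCRYPTED_BLOB + CLEAR_CONFIG


def triage_binary(data):
    """Summarise where the encrypted regions are and what strings sit outside them."""
    regions = high_entropy_regions(data)
    clear = bytearray()
    last = 0
    for start, end in regions:
        clear += data[last:start]
        last = end
    clear += data[last:]
    return {"encrypted_regions": regions,
            "clear_strings": printable_strings(bytes(clear))}


if __name__ == "__main__":
    print(triage_binary(SAMPLE_BINARY))
```

When the config strings never show up in the clear region of a sample but appear in a memory dump taken after it starts, the decryption routine is the function that writes into the high-entropy range, which is where the analyst sets the first breakpoint.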
BITS Jobs
System administrators who work with Windows operating systems use a number of utilities to perform tasks, such as the Background Intelligent Transfer Service (BITS), which transfers files between a client and remote HTTP servers while running in the background. Attackers take advantage of this feature to load malware, execute it or clean up. For example, Cobalt Strike downloads its agent to the infected machine with the help of BITS Jobs. It is therefore recommended to check the activity of this feature in the event log and with BITSAdmin to detect the BITS Jobs technique.
Hide Artefacts
Artefacts such as files, directories, file attributes and user accounts reveal malicious activity, so malware tries to hide or isolate them to bypass detection. The best way to find them is to monitor for any actions that point to the artefacts: check file and process arguments and shell commands.
Modify Registry
Changing the registry allows malicious software to conceal its configuration data. For example, Nanocore modifies registry keys to conceal the payloads it uses to maintain persistence. If you turn on registry auditing, you may notice these malware actions.
Injection
Code injection is a way to avoid detection: attackers gain access to the target's systems by injecting into the system's processes using different techniques. Pay attention to DLL activity, since libraries may be loaded in unusual ways. If you suspect this tactic, careful analysis of process behaviour will reveal questionable network connections or file reads.
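As an added example (not code from the original page), the following Python script implements event-log triage rules for the four behaviours described in the BITS Jobs, Hide Artefacts, Modify Registry and Injection sections above. The events are constructed dictionaries shaped after Windows event fields (Microsoft-Windows-Bits-Client event 59, which records the URL a transfer job starts fetching, and Sysmon events 1, 7, 8 and 13); the BITS host allowlist, the user-writable path markers and the example hostnames are assumptions to tune per environment.

```python
"""Event-log triage rules for BITS, hidden artefacts, Run keys and injection (added example)."""
from urllib.parse import urlparse

# Constructed allowlist: hosts BITS is expected to download from.
ALLOWED_BITS_HOSTS = {"download.windowsupdate.example"}
# Assumed markers for locations an unprivileged user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\")
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")

# Constructed events, field names simplified from the real event XML.
SAMPLE_EVENTS = [
    {"provider": "Microsoft-Windows-Bits-Client", "event_id": 59, "job": "UpdateJob",
     "url": "http://cdn.example.invalid/update.bin"},
    {"provider": "Microsoft-Windows-Bits-Client", "event_id": 59, "job": "WU",
     "url": "https://download.windowsupdate.example/kb.cab"},
    {"provider": "Microsoft-Windows-Sysmon", "event_id": 13,
     "target": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc",
     "image": "C:\\Users\\john\\AppData\\Roaming\\svc.exe"},
    {"provider": "Microsoft-Windows-Sysmon", "event_id": 8,
     "source_image": "C:\\Users\\john\\AppData\\Local\\Temp\\loader.exe",
     "target_image": "C:\\Windows\\explorer.exe"},
    {"provider": "Microsoft-Windows-Sysmon", "event_id": 7, "signed": False,
     "image": "C:\\Windows\\System32\\svchost.exe", "image_loaded": "C:\\Users\\Public\\helper.dll"},
    {"provider": "Microsoft-Windows-Sysmon", "event_id": 7, "signed": True,
     "image": "C:\\Windows\\System32\\svchost.exe", "image_loaded": "C:\\Windows\\System32\\ntdll.dll"},
    {"provider": "Microsoft-Windows-Sysmon", "event_id": 1,
     "image": "C:\\Windows\\System32\\attrib.exe",
     "command_line": "attrib +h +s C:\\Users\\john\\AppData\\Roaming\\svc.exe"},
]


def in_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def check_event(ev):
    """Return (technique, detail) when a rule matches, else None."""
    prov, eid = ev.get("provider"), ev.get("event_id")
    if prov == "Microsoft-Windows-Bits-Client" and eid == 59:
        host = urlparse(ev["url"]).hostname or ""
        if host not in ALLOWED_BITS_HOSTS:
            return ("bits_jobs", f'job {ev["job"]} fetching from {host}')
    elif prov == "Microsoft-Windows-Sysmon":
        # 13: registry value set under an autorun key
        if eid == 13 and any(k in ev["target"].lower() for k in RUN_KEYS):
            return ("modify_registry", f'Run key written by {ev["image"]}')
        # 8: remote thread created by a process running from a user-writable path
        if eid == 8 and in_user_writable(ev["source_image"]):
            return ("injection", f'{ev["source_image"]} -> {ev["target_image"]}')
        # 7: unsigned DLL, or DLL loaded from a user-writable path, into a system process
        if eid == 7 and (not ev.get("signed", True) or in_user_writable(ev["image_loaded"])):
            return ("injection", f'{ev["image"]} loaded {ev["image_loaded"]}')
        # 1: attrib.exe used to set the hidden attribute
        if eid == 1 and "attrib" in ev["image"].lower() and "+h" in ev["command_line"]:
            return ("hide_artefacts", ev["command_line"])
    return None


def triage_events(events):
    """Return (index, technique, detail) for every event that matches a rule."""
    findings = []
    for i, ev in enumerate(events):
        hit = check_event(ev)
        if hit:
            findings.append((i, *hit))
    return findings


if __name__ == "__main__":
    for finding in triage_events(SAMPLE_EVENTS):
        print(finding)
```

The rules are deliberately narrow (a Run-key write from a user-writable path, a remote thread from Temp) so that each finding is actionable on its own; in practice they are joined on the process GUID so that the BITS download, the dropped file, the Run key and the injection show up as one chain rather than four alerts.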
Signed Binary Proxy Execution
Adversaries may bypass process- and/or signature-based defences by proxying the execution of malicious content through signed, or otherwise trusted, binaries (often Microsoft-signed files), which have either been downloaded from Microsoft or are already native to the operating system. Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Monitor processes and command lines to reveal this technique.
Trusted Developer Utilities Proxy Execution
Adversaries may use MSBuild to proxy the execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML-formatted project files that define the requirements for loading and building various platforms and configurations. Adversaries can abuse MSBuild to proxy the execution of malicious code.
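As an added example (not code from the original page), the following Python script is the process and command-line rule the two sections above recommend, applied to MSBuild: it flags msbuild.exe when it is launched by a parent that does not normally build software, or when the project file it is handed sits in a staging location such as Temp or AppData rather than a source tree. The process records are constructed inline; the expected-parent list and the staging-path markers are assumptions to tune per environment.

```python
"""Command-line rule for MSBuild proxy execution (added example)."""
import ntpath
import re

PROJECT_EXTS = (".proj", ".csproj", ".vbproj", ".targets", ".xml", ".sln")
# Constructed allowlist of parents that normally launch MSBuild.
EXPECTED_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe", "cmd.exe"}
# Assumed markers for locations where a project file should not normally live.
STAGING_PATHS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\")

# Constructed process-creation records (parent image + command line).
SAMPLE_RECORDS = [
    {"parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "command_line": '"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe" '
                     'C:\\Users\\john\\AppData\\Local\\Temp\\build.xml'},
    {"parent_image": "C:\\VS\\Common7\\IDE\\devenv.exe",
     "command_line": 'MSBuild.exe C:\\Users\\john\\source\\repos\\app\\app.csproj /t:Build'},
    {"parent_image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": 'notepad.exe C:\\Users\\john\\AppData\\Local\\Temp\\build.xml'},
]


def split_cmdline(cmd):
    """Split a Windows command line on whitespace while honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def project_args(tokens):
    """Positional arguments that look like project files (switches start with / or -)."""
    return [t for t in tokens[1:]
            if not t.startswith(("/", "-")) and t.lower().endswith(PROJECT_EXTS)]


def check_msbuild(record):
    """Return the reasons a record looks like proxy execution; an empty list means clean."""
    tokens = split_cmdline(record["command_line"])
    if not tokens or ntpath.basename(tokens[0]).lower() != "msbuild.exe":
        return []
    reasons = []
    parent = ntpath.basename(record.get("parent_image", "")).lower()
    if parent not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent {parent or '<none>'}")
    for proj in project_args(tokens):
        if any(marker in proj.lower() for marker in STAGING_PATHS):
            reasons.append(f"project file in staging path: {proj}")
    return reasons


def triage_records(records):
    """Pair each flagged record's command line with its reasons."""
    return [(r["command_line"], check_msbuild(r)) for r in records if check_msbuild(r)]


if __name__ == "__main__":
    for cmd, reasons in triage_records(SAMPLE_RECORDS):
        print(cmd, reasons)
```

The second record shows why the staging-path list is narrower than "anything under C:\Users": developers keep source trees in their profile, and flagging every such build would bury the Office-spawned case that matters. Where builds never happen on workstations at all, the simplest control is an application-control rule that denies msbuild.exe outside build servers.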
Virtualisation/Sandbox Evasion
Sandboxes are a real challenge for a malicious program, but it knows how to avoid a standard sandbox and tell a virtual environment from a real one. First, the malware checks what software is installed, then it focuses on user activity. Some malicious programs delay their execution to avoid detection inside virtual machines.
Dettica Consulting