
Malware Analysis


Attackers develop software with malicious intent. Based on their motive, they assemble multiple pieces of code into a file that can carry out its steps covertly and achieve that motive. Malware can therefore be defined as any software that has malicious intent.

Why do people develop malware?

How do attackers infect?

Every attacker has their own approach to planning and executing an attack, but we can refer to the Cyber Kill Chain to understand the flow. The Cyber Kill Chain is a framework that outlines the different stages of a cyber attack. It provides a structured approach for understanding and analyzing the steps an attacker takes to target and compromise a system. By understanding this framework, organizations can better prepare for and defend against potential threats.

The first stage in the Cyber Kill Chain is reconnaissance, where the attacker gathers information about the target. This can involve researching the target’s infrastructure, identifying potential vulnerabilities, and gathering intelligence on the target’s employees or systems. This information is then used to plan and prepare for the attack.

The next stage is weaponization, where the attacker develops or obtains the tools and resources necessary for the attack. This can involve creating malware, exploiting vulnerabilities, or purchasing exploit kits from the dark web. The attacker often uses social engineering techniques to trick the target into downloading or executing the malicious payload.

Once the attacker has their weapon of choice, they move on to the delivery stage. This is where the malware or exploit is delivered to the target’s system. Email attachments, malicious links, or infected USB drives are common delivery methods. The attacker may also exploit the target’s network infrastructure vulnerabilities to gain access.

Once the payload is delivered, the attacker moves on to the exploitation stage. This is where the attacker takes advantage of vulnerabilities or weaknesses in the target’s system to gain unauthorized access. This can involve exploiting software vulnerabilities, misconfigurations, or weak passwords. Once inside, the attacker can escalate their privileges and gain control over the system.

The next stage in the Cyber Kill Chain is installation. This is where the attacker establishes a persistent presence on the target’s system or network. This can involve creating backdoors, installing remote access tools, or implanting malware that allows the attacker to maintain control even after they have left the system.

Once the attacker has established a foothold, they can conduct malicious activities. This could include stealing sensitive data, exfiltrating information, or launching additional attacks from the compromised system. The attacker may also move laterally through the network to gain access to other systems or escalate their privileges.

Finally, the last stage of the Cyber Kill Chain is the command and control phase. This is where the attacker maintains communication with the compromised system. This can involve using command and control servers, creating covert channels, or other techniques to communicate with the malware or compromised system.

How do we identify whether a system is infected with malware?

Recently, it has become very challenging to detect malware, as it is designed with a high degree of stealth. Malware is built with complex obfuscation routines that hide the malicious logic, which is only unpacked in memory over multiple iterations or stages. Detection can be daunting if the deployed security tools are not properly configured to look for fileless abnormalities. Nevertheless, popular security tools are trying to keep pace with the adversaries' advances and should be used to alert the administrators or security team about detected anomalous behaviour. Typical symptoms to consider include:

Such configuration abnormalities are difficult to spot with the naked eye; hence, properly configured security solutions should be used to analyze the system and/or network logs and trigger an alert.

How to perform Malware Analysis?

If the network has been infected, a malware analyst will be expected to analyze the sample and provide a report that can be used to fine-tune the security controls and the detection logic. The analysis report describes how the malware works, along with further details that can be fed into the security tooling to assist in generating detection rules.

Malware analysis is performed in multiple stages:

Once the analysis has been completed, IOCs and IOAs can be generated and shared, together with the report, with the relevant stakeholders.

Indicators of Compromise (IOCs) are observable events or conditions linked to malicious activity. They can be file hashes, IP addresses, domain names, network traffic patterns, etc. IOCs help detect and respond to security incidents by matching against known malicious behavior patterns.

Indicators of Attack (IOAs) link observed activities to a particular attack scenario or method. IOAs help in understanding threat actors' tactics, techniques, and procedures (TTPs). For example, an IOA might involve detecting a specific exploit, a lateral movement technique, or a data exfiltration method. It provides insight into the attack's methodology and allows for proactive threat hunting.
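To make the difference between the two indicator types concrete, and to show what "analyzing the logs to trigger an alert" from the detection section looks like in practice, here is an added example (it is not code from the original post). It feeds a handful of constructed endpoint log lines through two checks: an IOC match, which compares file hashes, destination IPs and DNS queries against a known-bad list, and a simple IOA rule, which flags a behavioural chain (a document handler spawning a command interpreter) regardless of which hashes or addresses are involved. The log format, the IOC values (a placeholder hash, a TEST-NET-3 address and a `.invalid` domain) and the process-name sets are all assumptions made for the example.

```python
"""IOC and IOA matching over constructed log lines (illustrative, not the post's code)."""
import re
from typing import Dict, List, Set, Tuple

# Constructed log format: space-separated key=value tokens, values without spaces.
_KV = re.compile(r"(\w+)=(\S+)")

# Constructed IOC set. These are placeholders, not real indicators.
IOCS: Dict[str, Set[str]] = {
    "sha256": {"0123456789abcdef" * 4},      # placeholder hash of a known-bad file
    "ip": {"203.0.113.45"},                    # TEST-NET-3 documentation range
    "domain": {"c2.example.invalid"},          # reserved .invalid TLD
}

# Which log field carries which kind of indicator.
_FIELD_TO_IOC = {"sha256": "sha256", "dst": "ip", "query": "domain"}

# Constructed sample log lines for two hosts (ws01 shows a suspicious chain).
SAMPLE_LOGS: List[str] = [
    "ts=2024-01-10T09:12:01Z host=ws01 event=process_create pid=4120 ppid=3000 "
    "image=C:\\Office\\WINWORD.EXE sha256=" + "1" * 64,
    "ts=2024-01-10T09:12:03Z host=ws01 event=process_create pid=4188 ppid=4120 "
    "image=C:\\Windows\\System32\\cmd.exe sha256=" + "2" * 64,
    "ts=2024-01-10T09:12:04Z host=ws01 event=process_create pid=4201 ppid=4188 "
    "image=C:\\Users\\Public\\update.exe sha256=" + "0123456789abcdef" * 4,
    "ts=2024-01-10T09:12:05Z host=ws01 event=dns_query query=c2.example.invalid",
    "ts=2024-01-10T09:12:06Z host=ws01 event=net_connect dst=203.0.113.45 dport=443",
    "ts=2024-01-10T09:15:00Z host=ws02 event=dns_query query=updates.example.invalid",
    "ts=2024-01-10T09:16:00Z host=ws02 event=process_create pid=5100 ppid=3100 "
    "image=C:\\Windows\\explorer.exe sha256=" + "3" * 64,
]


def parse_line(line: str) -> Dict[str, str]:
    """Turn one 'key=value key=value' line into a dict."""
    return dict(_KV.findall(line))


def match_iocs(lines: List[str], iocs: Dict[str, Set[str]] = IOCS) -> List[Tuple[int, str, str]]:
    """IOC check: return (line_number, ioc_type, value) for every field that hits the list."""
    hits = []
    for number, line in enumerate(lines, start=1):
        event = parse_line(line)
        for field, kind in _FIELD_TO_IOC.items():
            value = event.get(field, "").lower()
            if value in iocs[kind]:
                hits.append((number, kind, value))
    return hits


# IOA rule: a document handler spawning a command interpreter is a behaviour
# worth alerting on even when no hash or address is on any IOC list.
# Both name sets are assumptions chosen for this example.
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "acrord32.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe"}


def _basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def match_ioa_doc_spawns_interpreter(lines: List[str]) -> List[Tuple[str, str, str]]:
    """IOA check: return (host, parent_image, child_image) for each handler -> interpreter chain."""
    events = [parse_line(line) for line in lines]
    # First pass: remember the image of every created process, keyed by (host, pid).
    procs = {}
    for event in events:
        if event.get("event") == "process_create":
            procs[(event["host"], event["pid"])] = _basename(event["image"])
    # Second pass: resolve each child's parent and apply the rule.
    findings = []
    for event in events:
        if event.get("event") != "process_create":
            continue
        parent = procs.get((event["host"], event.get("ppid")))
        child = _basename(event["image"])
        if parent in DOCUMENT_HANDLERS and child in INTERPRETERS:
            findings.append((event["host"], parent, child))
    return findings


if __name__ == "__main__":
    for number, kind, value in match_iocs(SAMPLE_LOGS):
        print(f"IOC hit  line {number}: {kind}={value}")
    for host, parent, child in match_ioa_doc_spawns_interpreter(SAMPLE_LOGS):
        print(f"IOA hit  host {host}: {parent} spawned {child}")
```

Running it reports three IOC hits on ws01 (the placeholder hash, the `.invalid` domain and the TEST-NET-3 address) and one IOA hit (WINWORD.EXE spawning cmd.exe); ws02 produces nothing. The point of the split is that the IOC list would miss the same chain if the attacker recompiled the binary or moved to a new server, whereas the IOA rule still fires, which is why the report should carry both.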

Hope this post has clarified some of the doubts. If you want to learn more on this journey, please stay tuned as I progress with this series.
