Malware Analysis

The attackers develop software with malicious intent. Based on their motive, the attacker puts effort and assembles multiple pieces of code to generate a file that can execute sneaky steps and achieve its motive. So malware can be defined as any software that has malicious intent.

Why do people develop malware?

• The majority of the software is developed with the intent to gain money. The attackers use malware to steal personal information like login and banking details. These can be used to compromise an individual’s account further or be sold illegally in exchange for the money.
• With the surge in cryptocurrency, a new group of attackers has emerged who intend to compromise the computer network to mine cryptocurrencies. Since mining involves more processing power, bandwidth, and energy to maintain the systems, the malicious miners exploit the compromised environment.
• Recently, attackers have started extorting money from the victim by encrypting their data, and the victim is asked to pay an amount to recover the data.
• Espionage is another reason why government institutions or corporations develop malware to perform espionage on their competitors to understand their strategies or derail their ability to function normally.
• In some scenarios, activists try to disrupt the victim to further their ideological or political causes. It involves leaking sensitive information, defacing the sites, or impacting the availability of the services to attract attention towards them.
• Kids or people with a kids mentality enjoy the chaos caused by malware. Usually, they find plug-and-play malware to disrupt services or steal information to prank or as mischievous acts. They can be categorized as script kiddies.

How do attackers infect?

Every attacker has their own approach to plan and execute the attack, but we can refer to the Cyber Kill chain to understand the flow. The Cyber Kill Chain is a framework that outlines the different stages of a cyber attack. It provides a structured approach for understanding and analyzing an attacker’s steps to target and compromise a system. Organizations can better prepare for and defend against potential threats by understanding this framework.

The first stage in the Cyber Kill Chain is reconnaissance, where the attacker gathers information about the target. This can involve researching the target’s infrastructure, identifying potential vulnerabilities, and gathering intelligence on the target’s employees or systems. This information is then used to plan and prepare for the attack.

The next stage is weaponization, where the attacker develops or obtains the tools and resources necessary for the attack. This can involve creating malware, exploiting vulnerabilities, or purchasing exploit kits from the dark web. The attacker often uses social engineering techniques to trick the target into downloading or executing the malicious payload.

Once the attacker has their weapon of choice, they move on to the delivery stage. This is where the malware or exploit is delivered to the target’s system. Email attachments, malicious links, or infected USB drives are common delivery methods. The attacker may also exploit the target’s network infrastructure vulnerabilities to gain access.

Once the payload is delivered, the attacker moves on to the exploitation stage. This is where the attacker takes advantage of vulnerabilities or weaknesses in the target’s system to gain unauthorized access. This can involve exploiting software vulnerabilities, misconfigurations, or weak passwords. Once inside, the attacker can escalate their privileges and gain control over the system.

The next stage in the Cyber Kill Chain is installation. This is where the attacker establishes a persistent presence on the target’s system or network. This can involve creating backdoors, installing remote access tools, or implanting malware that allows the attacker to maintain control even after they have left the system.

Once the attacker establishes a foothold, they can conduct malicious activities. This could include stealing sensitive data, exfiltrating information, or launching additional attacks from the compromised system. The attacker may attempt to move laterally through the network, attempting to gain access to other systems or escalate their privileges.

Finally, the last stage of the Cyber Kill Chain is the command and control phase. This is where the attacker maintains communication with the compromised system. This can involve using command and control servers, creating covert channels, or other techniques to communicate with the malware or compromised system.

How do we identify if infected with Malware?

Recently, it has been very challenging to detect malware as they are designed with a high degree of stealthness. The malware is designed with a complex obfuscation routine, which hides the malicious routine and is only unpacked in multiple iterations/stages in the memory. It could be daunting if the deployed security tools are not properly configured to look for file-less abnormalities. Nevertheless, popular security tools are trying to keep pace with the adversaries’ advancement and should be used to alert the administrators or security team about the detected anomalous behavior. The typical symptoms can be considered:

• Unusual System behavior like unexplained systems freeze, unresponsive applications, and increased processor or memory utilization.
• Abnormal Network Activity is like unexplained high bandwidth utilization or activity during typically inactive periods.
• Unwanted Ads or forced directions to search engines when interacting with the browsers.
• Alteration in security solution configurations like disabling Anti-Virus, modifying Firewalls, etc.
• An unusual disk-level activity like files/directories disappearing from the Disk. Unknown processes are showing up in the process manager.
• Unwanted registry modifications.

It is difficult to track the configuration abnormalities with the naked eye, hence, the properly configured security solutions can be utilized to analyze the system and/or network logs to trigger an alert.

How to perform Malware Analysis?

Unfortunately, if the network has been infected, a malware analyst will be expected to analyze and provide a report that could be used to finetune the security controls and the detection logic. The analysis report contains information about the working of the malware and maybe a few more details that can be fed into the system to assist in generating detection rules.

The malware analysis is performed in multiple stages:

• Static Analysis: Anti-virus scanning, File Hash, Finding strings, Packed/Unpacked, etc.
• Dynamic Analysis: Process Monitoring, Registry Key Monitoring, Network Activity Monitoring, etc.
• Automated Analysis: A sandbox-based platform can fully automatically cover the information fetched from Static and Dynamic analysis.
• Advanced Analysis: This involves advanced analysis where the sample is reverse-engineered by loading it into a disassembler and/or debugger. When loaded onto a disassembler like IDA Pro or Ghidra, the assembly code/decompiled is generated, which could be analyzed to understand the flow and inner workings of the malware. Following the code or identifying the packed content in some scenarios becomes tough. Analysts can leverage the debugger, like Ollydbg or x64dbg, etc., to load the sample and execute the code in such or other related cases. The debugger platform can let you visualize the registry and other memory contents and, if required, dump the exploits from memory, which would have been tough with the disassembler.

Once the analysis has been completed, IOCs and IOAs could be generated and shared with the report to the relevant stakeholders.

Indicators of Compromise (IOCs) are observable events or conditions linked to malicious activity. They can be file hashes, IP addresses, domain names, network traffic patterns, etc. IOCs help detect and respond to security incidents by matching against known malicious behavior patterns.

Indicators of Attack: IOAs link these activities to a particular attack scenario or method. IOAs help understand threat actors’ tactics, techniques, and procedures (TTPs). For example, an IOA might involve detecting a specific exploit, a lateral movement technique, or a data exfiltration method. It provides insights into the attack’s methodology and allows for proactive threat hunting.

Hope this post has clarified some of the doubts. If you want to learn more in this journey, please be tuned as I progress with this series.