My name is Virginia Robbins. First, to introduce myself: I'm from France originally. I'm currently working at Intel SMG, previously McAfee for 10-plus years, as a senior security software engineer in the endpoint security group. I'm co-founder and co-chair of [unclear], a new con, and a member of DC503. I'm interested in malware research and cryptography, and I recently got two new kittens which I love spending time with.

Disclaimer: any views expressed here are solely my own and do not represent those of my employer.

So, the goal of this talk. The goal of this talk is to gain an understanding of the latest fileless malware: how this type of malware can add new evasion techniques, what its applications are in the latest attacks, and one of the possible ways fileless malware in the future could hide to evade detection.

First of all, before we dig into fileless malware, we have to ask ourselves: what's the difference between fileless malware and regular malware? So basically, what is regular malware? Regular malware is typically stored as a malware binary file in the file system to run malicious code. Unlike their predecessors, this new type of fileless malware will no longer drop small compiled binaries on the compromised system during malicious activities. Typically the latest technique is primarily to hide in the registry and then delete themselves before running their malicious code.

Let's go through some basic techniques to evade detection, to get a background. In the past, malware developers tried to implement different techniques to stop antivirus detection of their malicious code, and they did it through different layers of the system. One of the ways is to hide it in memory: memory-resident malware. They also used the kernel, so they create a rootkit. They also hide it in disk sectors, such as bootkits. They also try to hide in the firmware, firmware rootkits, and also in the VM-based hypervisor: there are rootkits for VM systems.

So what is memory-resident malware? Memory-resident malware loads its code into the memory of legitimate processes or even OS files; it remains there until activated, then runs the malicious code. It's almost considered fileless because it will be running in the memory space of a process, but it's not fileless in the sense that we currently see in the latest fileless malware. Examples of such malware are Angler and other exploit kits.

Also, kernel rootkit malware: they cloak themselves in the kernel and they add or replace kernel components and device drivers. They hide by changing the kernel data structures, by redirection or manipulation; they hook the system service descriptor table, or the system call table in Linux. To make rootkits more difficult, it's advised to only run signed drivers in Windows.

The next way to hide is to hide in the firmware and hardware: firmware rootkit malware. They utilize malware to generate an infected image in hardware. Typical targeted hardware can be network hardware, hard drives, or even the BIOS. The problem is that there was not enough integrity verification in that layer to be able to detect them easily, so it's a great ground for malware to conceal themselves.

Now we're going to move into the latest evasion techniques for fileless malware. So how do typical fileless malware currently evade detection? Right now infection is via a file, a link in an email, or a vulnerability in a script, for instance. After a user clicks the link or the file, they write their payload into the Windows registry and then disappear. The script is written with very diverse techniques. First of all, they hide themselves from registry inspection by removing user access privileges. They add a null character in the registry key name so you cannot view them via regedit. And they use only legitimate programs such as, currently, PowerShell. In the past they used WMI to inject malicious code into memory or into standard Windows processes.

Here you can see the flow of infection. Basically there's a spam campaign or malicious website that gets clicked, and the dropper creates the registry entry and adds the JavaScript. That JavaScript, through different layers, ends up calling something like PowerShell or WMI, which then decrypts different scripts, and then they get run.

So, like I was saying, WMI used to be something that was used a couple of years ago. What is WMI? It is Microsoft's implementation of WBEM, which is an initiative to develop a standard technology for accessing management information in an enterprise environment, and it can be used by fileless malware to execute malicious JavaScript. More recently, PowerShell. What is PowerShell? It's a task automation and configuration management framework from Microsoft, consisting of a command-line shell and associated scripting language built on the .NET framework; that's the official definition. A base64-encoded malicious payload is written into the registry and then typically executed using a PowerShell script. Here's an example of PowerShell code in the registry: there's a decoding function that calls the PowerShell executable, which runs the encrypted payload code.

So what are the other applications of fileless malware in the latest attacks? We have seen click fraud: the more it uses the system, the more traffic it generates, and the more money it makes for the criminals. It has also been seen in ransomware attacks: they encrypt the victim's files and request a ransom to get the decryption key. It's also seen in banking Trojans: they use the online banking system to obtain confidential financial data.

Some examples of fileless malware: Poweliks and Kovter are the more common ones. Poweliks infects via websites and click-through ads, transforms the infected system into a click bot, and some variants download ransomware payloads. Also Phase Bot, which is a variant of [unclear] and is actually a clone of Poweliks; it adds additional functionality, bypassing UAC and a startup method. It has been used in banking Trojans and malware downloaders; it was first focused on stealing info from French banks and then expanded to European banks. And finally the one we're going to be looking at is Yeabests. It uses an old technique, WMI, to hijack browser shortcuts, but it's new malware, so I thought it was interesting to talk about it.

We're going to first go through a small deep dive of Poweliks, one of the infection steps for Poweliks specifically. It auto-starts from the Run registry key with a hidden null-character entry, so it cannot be viewed via registry editors. It removes user-level permissions on the associated keys to hide both from security products and from user accessibility, by reworking the ACL permissions. They also have an encoded script in the default entry, and they add a Run key with JavaScript to decode and run the encoded script. So anyone who would try to run regedit will not be able to even see anything; to them it would look like everything is great.

Once the script is decoded, it first checks to see if PowerShell and the .NET framework are installed on the system, and then it executes more code in base64 to change the permissions of a section of memory so that it can be executed. It gets the proc address of some exported kernel32.dll and user32.dll functions to be able to interact with the system. A script variable is used to store a shellcode and an embedded DLL, and once the DLL runs it calls the malicious payload.

Now we're going to go into Kovter in more detail, a deep dive which is kind of similar to the first one, but we have done more research on this one. What are the infection steps of Kovter? First of all, it started to move into fileless malware in later versions, so it was not always fileless malware. What it first does is check to see if PowerShell is already present, and if not, it checks if the system has online access and downloads PowerShell. It adds a value to one or more registry Run keys to run a JavaScript via the mshta program, and similar to Poweliks, it hides its registry entries by starting the value name with a null character followed by a series of X characters. So if you look at the registry via a different tool, running it so that it does not stop at the null character, you will see the key, which is encoded, and the call to mshta JavaScript; if you see that, then that's most likely malware.

That JavaScript calls a different JavaScript from another registry entry. Basically it writes different registry entries to hook into different layers. The value of one registry entry points to another, which is in the HKCU\Software entry: mshta runs that JavaScript and calls some ActiveX object with some different arguments. With that JavaScript it executes the malicious PowerShell script embedded in its encrypted code. The PowerShell script runs a shellcode that reads another registry entry, which contains the fileless malicious code; it decrypts it and loads it into memory. Once the fileless infection is loaded, it deletes the original infector from disk, so by the time the infection happens there's no trace in the file system. Here is a different registry key in HKCU\Software; it is encoded and obfuscated, so it looks like gibberish, and that's a good indication of malware: if you see any key that looks strange like that, not good.

JavaScript code details: first comes the obfuscation, and as you can see it's base64-encoded shellcode, so it tries really hard to hide itself. Once you decode the base64 shellcode, you can clearly see the PowerShell script. The PowerShell executes the malware code in the memory of legitimate system files to stay in memory undetected; typically the three major ones it uses are regsvr32.exe, [inaudible], and [inaudible]. Once the PowerShell code executes, it establishes a connection with the control server, and then, once hosted, it collects lots of information from the host machine and performs a series of actions. First of all it will collect system info like OS version, service pack, architecture; it tests whether .NET is present, Adobe Flash Player, and the latest browser version; it analyzes the system resources; it dynamically receives information from the control server, allowing them to manipulate the attacks without impacting the user and without detection. So the more resources or power the machine has, the more traffic you will see on the network after that.

The evasion techniques used by Kovter: one of them is to check if the machine is running as a VM, and whether it has antivirus products and any monitoring tools. Some of the information collected includes antivirus products like McAfee VirusScan Enterprise, [inaudible] antivirus, and VMware is also checked for. It also checks for the presence of specific applications: the .NET framework, Adobe Flash like I said, and the Internet Explorer browser. Why does it check for that? Because these applications are required so that websites with Flash-based advertisements can be accessed and clicked correctly without detection.

Kovter as a click bot: it's actually aimed at hijacking the victim system and transforming it into a click bot. The click fraud makes money for the hijacker, so that's the attraction. It takes advantage of the pay-per-click advertising model: the advertiser pays the website publisher when an ad is clicked. Some Kovter variants have also downloaded additional payloads that belong to the CryptoWall family. Once the system has been evaluated, Kovter prepares a browser to crawl through all the pages of a website and click all advertisements. The control server dynamically pushes sites hosting ads, and they are clicked randomly. At this point the infected system has been transformed into a click bot, continuously performing fraudulent clicks on advertisements. Further, Kovter contains encoded strings also used to populate web pages hosting related advertisements, which are randomly clicked by the malware using [inaudible].

Okay, so the third malware we're going to deep dive into is Yeabests. It's pretty new, but with some old techniques. It hijacks browser shortcuts by adding http://yeabests.cc as a browser executable argument; as a result the yeabests.cc site automatically opens whenever the browser gets started. What's the infection goal? To steal user data and to generate lots of traffic, ad traffic, to make money. Yeabests is considered fileless because it only remains in WMI: it deletes itself when run and does not create files on the hard drive. For WMI hiding, it typically registers itself in the root\subscription namespace as an instance of the ActiveScriptEventConsumer class. Here you can clearly see the instance is called ASEC and contains the VBScript, which runs every 10 seconds. Here is some of the content of the VBScript: it checks for the existence of 14 different browsers to hijack. Interestingly, it calls scrcons.exe instead of wscript.exe to evade detection further. And then here's what it does to the browser shortcut: it adds the yeabests argument to the browser startup, and then when you start the browser, that's what you will see.

Persistence in fileless malware: there was a consideration that they might need to trade off persistence for stealth, because there's no trace in the file system. But it's less of an issue now than it was in the past, because it takes less effort to achieve persistence nowadays, as devices remain online for a longer time and go to sleep with fewer reboots in between. As a result, malicious code can run for days without interruption, which is most ideal for attacks where implementing long-term persistence is not really required for success. For instance, in a ransomware attack, fileless malware needs to only remain alive long enough to encrypt and remove the original files and ask for a ransom.

Now we're going to move to the questions. Here are some related works, the reference links. And one question I have is: what is one of the possible ways fileless malware could hide to evade detection in the future?

Q: How will fileless malware possibly change when Microsoft has a more secure version of PowerShell? PowerShell hardening is going to put a lot of this stuff to an end; what would you see as the next vector of attack?

A: That's a good question, because really PowerShell has some definite vulnerabilities to it; it is too open and too powerful. If Microsoft fixes that, I don't know what they're going to use. WMI was one, then PowerShell. So we have to constantly be on guard: anything that Microsoft releases to help administrators control a machine remotely, stay on your guard, because that could be a place where malware will do its malicious activities.

[inaudible exchange]

Q: In many of the examples that you gave, the initial infection was still by a file, something that was clicked or downloaded and then cleaned up afterwards. Are there any examples that you have of purely fileless infection, where even the initial infection isn't by an executable file?

A: Yeah, I mean, if you click a link in an email, it will run in the context of the email, in the context of a browser, so it's not really an additional file, an initial executable, sorry, in the file system. It's part of a browser, which has access to write to the registry. And even if there is a payload or file that is dropped, it gets quickly removed before the infection even starts. So any traditional anti-malware product which only focuses on looking at the file system will not detect it until it's too late. Obviously many companies are guarding against that now by behavioral detection and things like that.

Q: I think you might have answered my question just now, but I was going to ask why you think malware families are evolving to use this sort of fileless persistence, using the registry as a persistence mechanism.

A: Because typically, like I was saying, anti-malware products were highly focused on detection like signature detection of a file in the file system, and this kind of infection cannot be detected by engines that just detect files. So that's why they're moving to all that, but anti-malware companies are catching up, and that's why we're here. Thank you everybody, and especially thank you to Virginia.
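The registry and WMI hiding tricks covered in the talk (Run-key value names that begin with a null character, base64 PowerShell payloads, an ActiveScriptEventConsumer kept resident under scrcons.exe) are easy to triage once the data has been exported by a tool that does not stop at the null byte. The following is an added defender-side example, not code from the talk or from any product; it assumes such an exported snapshot, and every registry value, command line and WMI consumer in it is constructed for the demonstration.

```python
"""Offline triage for the fileless hiding techniques described in the talk.

Added example, not from the talk. Works on a constructed, already-exported
snapshot of Run values, process command lines and root\\subscription
consumers, so it runs on any platform without touching a real registry.
"""
import base64
import re
from typing import Dict, List, Optional

# Constructed sample of HKCU\...\Run values as a NUL-tolerant exporter would
# read them. A name starting with NUL is the Poweliks/Kovter trick: regedit
# stops at the NUL and shows a blank name, but the Run key still executes it.
SAMPLE_RUN_VALUES: Dict[str, str] = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "\x00" + "X" * 26: 'mshta "javascript:...constructed placeholder..."',
}

# Constructed -EncodedCommand launch line. The base64 is built here from a
# harmless script, encoded as UTF-16LE exactly as PowerShell expects it.
_DEMO_SCRIPT = "Write-Host 'constructed sample'"
SAMPLE_ENCODED_CMDLINE = (
    "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
    + base64.b64encode(_DEMO_SCRIPT.encode("utf-16-le")).decode("ascii")
)
SAMPLE_PLAIN_CMDLINE = "powershell.exe -ExecutionPolicy Bypass -File backup.ps1"

# Constructed root\subscription entries shaped like the Yeabests consumer:
# an ActiveScriptEventConsumer carrying VBScript, fired by a timer.
SAMPLE_WMI_CONSUMERS: List[Dict[str, str]] = [
    {"Class": "CommandLineEventConsumer", "Name": "SCM Event Log Consumer",
     "Payload": "(constructed stand-in for a benign built-in consumer)"},
    {"Class": "ActiveScriptEventConsumer", "Name": "ASEC",
     "ScriptingEngine": "VBScript",
     "Payload": "' constructed: walk 14 browser paths and append the hijack URL"},
]

# -e, -ec, -enc and -EncodedCommand are all accepted spellings; \b keeps
# -ExecutionPolicy and similar switches from matching.
_ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\b\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)


def hidden_value_names(values: Dict[str, str]) -> List[str]:
    """Value names regedit would display as blank because they embed a NUL."""
    return [name for name in values if "\x00" in name]


def decode_encoded_powershell(cmdline: str) -> Optional[str]:
    """Recover the script behind -EncodedCommand, or None if there is none."""
    match = _ENC_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not a well-formed encoded command


def script_event_consumers(consumers: List[Dict[str, str]]) -> List[str]:
    """Names of ActiveScriptEventConsumer instances; these are rare on normal
    hosts and are the class Yeabests uses to stay resident without a file."""
    return [c["Name"] for c in consumers if c.get("Class") == "ActiveScriptEventConsumer"]


def triage(values: Dict[str, str], cmdlines: List[str],
           consumers: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Collect every finding from the three checks into one report."""
    decoded = [d for d in (decode_encoded_powershell(c) for c in cmdlines) if d is not None]
    return {
        "hidden_run_values": hidden_value_names(values),
        "decoded_powershell": decoded,
        "wmi_script_consumers": script_event_consumers(consumers),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_RUN_VALUES,
                    [SAMPLE_ENCODED_CMDLINE, SAMPLE_PLAIN_CMDLINE],
                    SAMPLE_WMI_CONSUMERS)
    for key, items in report.items():
        print(key, "->", [repr(item) for item in items])
```

The NUL check only works on data collected with an API that returns the full value name; a plain regedit export is exactly what the malware is counting on, which is why the snapshot is assumed to come from a NUL-tolerant tool. Decoding the UTF-16LE base64 is what turns an opaque launch line into a readable script for the rest of the analysis the talk walks through.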