The Journey of Evasion Enters Behavioural Phase

Ankit Anubhav

FireEye, India

Copyright © 2016 Virus Bulletin


 

Introduction

No malware author wants their piece of code to be easy to detect. The journey of detection evasion started nearly as long ago as that of malware itself, when security solutions were in a nascent state, providing static hash-based detection. Over time, several different approaches have been put into action to detect malware, and in response, malware authors have put into action different methods of evading them. In this paper we will discuss a few such evasion techniques that have been observed recently.

Cerber ransomware abuses PowerShell Bits Transfer module to evade behavioural detection

With an increasing number of malware families using a PowerShell script to download their payload, PowerShell has become an important process for security software to monitor, and a close eye is kept on any file downloaded or created by PowerShell.exe. As a result, the macros delivering the Cerber ransomware have been adapted to use PowerShell's Background Intelligent Transfer Service [1] module.

Two behavioural approaches, same end result

Conventional approach

PowerShell.exe (New-Object System.Net.Webclinet).DownloadFile('http://google.com', 'C:\\PAYL0AD.EXE')

The initial download technique uses 'System.Net.WebclientClass.DownloadFile', and we can observe the payload being created by PowerShell (Figure 1). This can easily be spotted by a behavioural security solution that monitors file creation. 

Figure1-Anubhav.jpgFigure 1: We can observe the payload being created by PowerShell.

Alternative BitsAdmin approach

Powershell.exe Import-Module BitsTransfer;Start-BitsTransfer http://www.google.com C:\\payl0adnew.exe

The second technique is similar to the first, but we use PowerShell's Background Intelligence Transfer Service module. The result is that, this time, the payload is created by svchost.exe (Figure 2), which is one of the most common methods of file creation, and it is likely that behavioural engines will ignore such a benign-looking event. 

Figure2-Anubhav.jpgFigure 2: The payload is created by svchost.exe.

After simple decryption and de-obfuscation, we can see that the Cerber ransomware macro code works along very similar lines, as shown in Figure 3.

Figure3-Anubhav.jpg

Figure 3: Cerber macro code.

Evading macro code extraction – I

One popular approach used by security software during the advent of macro malware was to extract the macro code section, leaving aside the forms user interface and decoy document. However, this was based on the assumption that malicious code was stored inside the code section, and malware authors quickly worked out that they could bypass detection by forcing suspicious code into the GUI forms attributes, with the macro code simply calling the code section from forms. This meant that the macro code wouldn't contain anything suspicious when extracted and analysed in isolation by a malware researcher or a scan engine.

Figure4-Anubhav.jpg

Figure 4: Locky hiding malicious code in a form attribute, ControlTipText. Malicious content can be stored in any of the Form attributes and can be called from the macro code.

Evading macro code extraction – II

After a number of malicious documents started using this trick, researchers/scan engines started parsing the macro form content as well. In response, malware authors once again upped their game, this time removing the suspicious code completely from the macro and hiding it instead in the document's metadata details.

Figure5-Anubhav.jpg

Figure 5: Suspicious code is hidden in the document's metadata details.

The encrypted PowerShell code is broken into various parts and added to metadata of the .doc file. The macro's purpose is simply to call these metadata, concatenate and run them.

Figure6-Anubhav.jpg

Figure 6: The macro calls the metadata, concatenates and runs them.

Evading payload magic signature check & Certutil abuse

When it comes to checking the authenticity of a file type, the file extension lost its reputation a long time ago thanks to innumerable malicious attempts at fake file extensions. For this reason, most static and behavioural approaches now include parsing the file and checking for the magic header – for example an MZ check for a binary.

One simple way to keep check of macro malware is to check whether WinWord.exe or any MS Office process downloads a file known to be an executable.

Figure 7 shows Dridex using a combination of two tricks. First, the code is hidden in the forms text box user interface. Secondly, the macro downloads a file with a .pfx extension which doesn't contain the MZ magic number. The payload is a pfx file, and has an unknown format. 

Figure7-Anubhav.jpgFigure 7: Certutil abuse.

Figure8-Anubhav.jpg

Figure 8: Dridex payload.

The TVqQAA is the Dridex payload completely encrypted in base64. [TVqQAAA....] is the MZ header in base64. Following this download, the Windows inbuilt Certutil tool is used to base64 decrypt this pfx file to reveal the actual payload.

certutil  -decode C:\Users\ADMINI~1\AppData\Local\Temp\\rGhjsdf.pfx C:\Users\ADMINI~1\AppData\Local\Temp\\rGhjsdf.exe

Why hide PowerShell when you can push it out of the screen

Most malicious PowerShell scripts don't want to run in view of their victims, and prefer to run in hidden mode (for obvious reasons). Running a PowerShell script in hidden mode is very easy, we just need to add the '-hidden' switch. Unfortunately for malware authors, cybersecurity researchers picked up on this too. As a countermeasure, malware authors came up with a way to hide PowerShell without actually 'hiding' it: they assign the visual coordinates of the PowerShell window such high values that it will always be beyond visibility in a normal‑sized monitor.

Here we see the malware changing the X and Y coordinates of the console to very high values, X= 0xc000 and Y= 0xc000, which will lead the PowerShell window to open outside the screen – or in other words, in hidden mode:

\REGISTRY\USER\<snipped>\Console\%SystemRoot%_System32_WindowsPowerShell_v1.0_powershell.exe\
"WindowPosition" = 0x0c000c00

Attempted Bypass of Behavioural Signatures – I

Nearly all malware attempts to be persistent in order to be more effective. One common way to do this is to add the payload to the Windows StartUp folder. However, this event is closely monitored by security software (see Figure 9). 

Figure9-Anubhav.jpgFigure 9: A common way to achieve persistence is to add the payload to the Windows StartUp folder.

To bypass detection, the malware authors try a simple trick: they break the event into a series of steps:

  • Step 1: Rename StartUp folder to XXXXX
  • Step 2: Add exe to XXXXX folder [security software might not take it seriously as this new location is not a standard location for persistence]
  • Step 3: Rename XXXXX back to StartUp

Rename Operation 1

OLD C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

NEW C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startupx

File created C:\Users\admin\AppData\Roaming\Microsoft\Windows\StartMenu\Programs\Startupx\system.pif

Rename Operation 2

OLD C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startupx

NEW C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Attempted Bypass of Behavioural Signatures – II: SysInternals Abuse

The SysInternals package is one of the all-time favourite toolkits among malware analysts. The kit also includes the junction.exe file to create path aliases:

  • Step 1: Download the legitimate SysInternals junction.exe tool from the Internet. This is a known clean file so will not arouse suspicion.
  • Step 2: Create a manual path alias, for example:
  • C:\Windows\junction.exe "C:\Windows\junction" 
    "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
  • Step 3: Add the file to this alias junction folder, which is nothing but a symbolic link to the startup folder.

This way, persistence can be achieved without triggering detection based on the addition of the payload to a well known persistence location.

Conclusion

Evasion is no longer limited to fuzzing. With the security industry evolving towards behavioural and other new methods of detection, the bad guys will try to find a way to evade any sort of detection logic.

This journey of evasion, which started with hash fuzzing, packers and anti-debugging, has evolved to bypass behavioural detection attempts.

On the positive side, these evasion methods themselves can sometimes be good detection logic for security vendors.

References

[1] Microsoft BITS Used to Download Payloads. https://isc.sans.edu/diary/Microsoft+BITS+Used+to+Download+Payloads/21027.
[2] Malicious macro using a sneaky new trick. https://blogs.technet.microsoft.com/mmpc/2016/05/17/malicious-macro-using-a-sneaky-new-trick/.

Appendix: Hashes

Evasion trick SHA-256 hash
Cerber ransomware abuses PowerShell-BitsTransfer module to evade behavioural detection  69550d07a2c627ebe614ab302a5279e083ab195ac657257a1014862a7b397df1
Evading macro code extraction – I 7888b523f6b8a42c8bfad0a2fd02ba6e7837299fbc3d6a2da6bea20f302691f7
Evading macro code extraction – II e812350f2f84d1b7f211a1778073e14ae52bc3bded8aeac536170361a608f8fa
Evading payload magic signature check & Certutil abuse 562994fcbece64bd617e200485eeaa6d43e5300780205e72d931ff3e8ccb17aa
Why hide PowerShell when you can push it out of the screen  65635a017bda450e91f64ecdd275e989f3943bc045b81ecd287ecf3743e891b2
Attempted bypass of behavioural signatures – I 40698743fa87b4b6d23e555543dd1aabbf5901cca896ab9c20c853ab7acb0e9b
Attempted bypass of behavioural signatures – II: SysInternals abuse cd0fc93a93e9435087b98723999fd82d93fc3c439364176a0c922cecf9769a03

Download PDF

twitter.png
fb.png
linkedin.png
googleplus.png
reddit.png

 

Latest articles:

VB2017 paper: Nine circles of Cerber

The Cerber ransomware was mentioned for the first time in March 2016 on some Russian underground forums, on which it was offered for rent in an affiliate program. Since then, it has been spread massively via exploit kits, infecting more and more…

VB2017 paper: Modern reconnaissance phase by APT – protection layer

During recent research, Talos researchers observed the ways in which APT actors are evolving and how a reconnaissance phase is included in the infection vector in order to protect valuable zero-day exploits or malware frameworks. Indeed, the…

VB2017 paper: Peering into spam botnets

Despite spam botnets being so important in the lifecycle of malware, recent publications describing massive spam operations (which can be counted on the fingers of one hand) have either skipped over the technical details or else concentrated too much…

VB2016 paper: Anti-malware testing undercover

Anti-malware testing is highly complex, and it becomes more and more challenging as new technologies are adopted by the industry to protect users. Rather than focusing on the technical challenges that testers face nowadays, this VB2016 paper focuses…

VB2017 paper: Beyond lexical and PDNS: using signals on graphs to uncover online threats at scale

We propose a novel method unifying the interactions between client machines, hostnames and hosting IPs by building a tripartite graph consisting of tens of millions of vertices and edges. We then represent a sequence of tripartite graphs as signals…


Bulletin Archive