MalDoc Evolution · 2019-03-05 · Twitter: @3pun0x Gal Bitensky Github: G4lB1t Twitter: @Gal_B1t...
MalDoc Evolution: From ShellExecute to ^LL^ehs^reWO^p
TC TLV Feb 2019
Who Are We
Asaf Aprozper
Github: 3pun0x
Twitter: @3pun0x
Gal Bitensky
Github: G4lB1t
Twitter: @Gal_B1t
Ex-security researchers @
History Class
Gabor Szappanos, Sophos, July 2014
Document open → Download an executable to %TEMP% → ShellExecute
The Research
The Research
• Motivation
• Selecting 50 campaigns
• Limiting the research scope – anything following the VBA/exploit
• Stepping through the infection stages
Why Fileless?
• Ol’ ShellExecute:
  • Download/decode an executable payload
  • Directly start it from the VBA/exploit
• No longer good enough:
  • AVs getting better at executable analysis
  • Logging and monitoring anomalies
Why Fileless? (cont’d)
• AV 101:
  • Static vs. dynamic inspection
  • Impact on performance
• The limitations of “NG”/ML products
• Chasing blind spots – it works!
How Much Fileless?
• Fileless is the norm
• 88% of the inspected samples contained fileless stages!
  • Excluding using a document as an infection vector
• APTs and commodity malware alike
Why Obfuscation?
• When plain fileless is insufficient
• Easy, open-source projects
• Obfuscation != encryption
Obfuscation 101
Reverse – CMD
• Batch file can read a string backwards
• FOR loop and CALL command combo
```batch
rem Reverse the string in %2 and store the result in the variable named by %1.
rem Delayed expansion is required for the !str! / !ret! substring tricks below.
:strReverse
setlocal EnableDelayedExpansion
set "ret=" & set "str=%~2"
for /L %%I in (0,1,100) do (
    rem input exhausted: hand the result across endlocal and return
    if "!str!"=="" for %%a in ("!ret!") do (
        endlocal & set "%~1=%%~a" & exit /b
    )
    rem move the first character of str to the front of ret
    set "ret=!str:~0,1!!ret!"
    set "str=!str:~1!"
)
```
FORcoding - CMD
• FOR loop iterating over an “ABC array”
```batch
cmd /V:ON /C "set unique=stirf&&FOR %A IN (4 2 3 0 1 1337) do set final=!final!!unique:~%A,1!&& IF %A==1337 CALL %final:~-5%"
```
Rename
• Let’s copy paste everything!
String Concatenation
• String Concatenation
• Story time! ☺
PS:\> [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
PS:\> [Ref].Assembly.GetType('System.Management.Automation.Am'+'siUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
Environment Variables
• What is an environment variable?
• Potential x86 sandbox bypass?
  • Program Files vs. Program Files (x86)
• Funny incompatibility with Windows XP
  • Documents and Settings vs. Users
Obfuscation Layers per Sample
How Much Obfuscation?
Zooming In – Emotet
Fortune Telling: More of the Same
C:\jOuwbsbAQ\PhUHYKKrs\mnlnuaRmUvt\..\..\..\windows\system32\cmd.exe
• Only limited by imagination and esoteric “features”
• Medium-long range:
  • Solutions will get better
  • New genres will emerge
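As an added example (not from the deck or its authors) of the defender's side of the tricks shown above: the caret-inserted, reversed string from the title, the FOR/CALL "FORcoding" loop, the `'Am'+'siUtils'` concatenation and the `..\` path hops, this Python script peels each layer off a command line (as seen in process-creation logs) and reports which tricks were present. The sample command lines are constructed from strings shown in the deck; `WATCHED` is an assumed keyword list.

```python
import ntpath
import re

# Substrings the deck's tricks hide from a naive string match (assumed watch list).
WATCHED = ("powershell", "cmd.exe", "amsiutils")

def strip_carets(s: str) -> str:
    """cmd.exe drops a caret and keeps the next character, so '^p^o' is parsed as 'po'."""
    return re.sub(r"\^(.)", r"\1", s)

def join_concat(s: str) -> str:
    """Collapse PowerShell literal concatenation: 'Am'+'siUtils' -> 'AmsiUtils'."""
    return re.sub(r"(['\"])\s*\+\s*\1", "", s)

def normalize_paths(s: str) -> str:
    r"""Resolve '..' hops so C:\junk\..\windows\system32\cmd.exe reads plainly."""
    return re.sub(r"[A-Za-z]:\\[^\s\"']+", lambda m: ntpath.normpath(m.group(0)), s)

def decode_forcoding(s: str):
    """Recover what a FOR index list picks out of an 'ABC array':
    set X=abcd && FOR %A IN (i j k ...) ... !X:~%A,1!  ->  the selected characters."""
    m = re.search(r"set\s+\w+=([^&\"]+).*?FOR\s+%\w\s+IN\s+\(([^)]*)\)", s, re.I | re.S)
    if not m:
        return None
    alphabet, idx = m.group(1), m.group(2).split()
    return "".join(alphabet[int(i)] for i in idx if i.isdigit() and int(i) < len(alphabet))

def analyze(cmdline: str) -> dict:
    """Peel the obfuscation layers off one command line and report which were present."""
    findings, plain = [], cmdline
    for name, fn in (("caret-insertion", strip_carets), ("string-concat", join_concat),
                     ("path-traversal", normalize_paths)):
        nxt = fn(plain)
        if nxt != plain:
            findings.append(name)
        plain = nxt
    decoded = decode_forcoding(plain)
    if decoded is not None and "/V:ON" in plain.upper():
        findings.append("forcoding")
    keywords = [kw for kw in WATCHED if kw in plain.lower()]
    for tok in plain.split():  # reversed strings hide from the plain check above
        keywords += ["reversed:" + kw for kw in WATCHED if kw in tok[::-1].lower()]
    return {"plain": plain, "decoded": decoded, "findings": findings, "keywords": keywords}

if __name__ == "__main__":  # constructed samples, built only from strings shown in the deck
    for line in (r"^LL^ehs^reWO^p",
                 r"C:\jOuwbsbAQ\PhUHYKKrs\mnlnuaRmUvt\..\..\..\windows\system32\cmd.exe"):
        print(analyze(line))
```

Each layer is undone independently, so a sample that stacks several tricks (as the deck's layer counts show is common) still ends with its keyword visible.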
Questions?