Stealthy Malware Flies Under AV Radar with Advanced Obfuscation

guest · Nov 15, 2019

Stealthy Malware Flies Under AV Radar with Advanced Obfuscation
November 15, 2019
https://threatpost.com/malware-steals-info-with-advanced-obfuscation/150280/

Researchers warn hackers are putting a new spin on old injection techniques and successfully end-running endpoint protection.
The objective is to hide in the background of infected systems in order to steal user passwords, track online habits and hijack personal information, according to a Cisco Talos report.

“The adversaries use custom droppers, which inject the final malware into common processes on the victim machine,” wrote Holger Unterbrink, a researcher with Cisco Talos, a blog post about the new research.
Unterbrink said the adversaries use injection techniques that have been employed for many years, but with new, custom capabilities that are making them difficult for anti-virus (AV) protections to detect, Unterbrink wrote.
Operation Obfuscation
If the file is opened, it goes through several more processes to elude detection, including decryption just before runtime, and never on the harddrive, Unterbrink wrote.
“We think it is close to the customized Agent Tesla version that’s been circulating online since several months,” he wrote in the post.
Click to expand...

“The adversaries use complex droppers that leverage several different obfuscation techniques to make it as hard as possible for antivirus programs to detect the malware,” he wrote in the post. “By using these droppers, they can quickly and easily change the final malware for their campaigns.”
Click to expand...

Cisco Talos: Custom dropper hide and seek

guest · Jan 31, 2020

Advanced Obfuscation Marks Widespread Info-Stealing Campaign
January 31, 2020
https://threatpost.com/advanced-obfuscation-info-stealing-campaign/152468/

A large-scale spam campaign bent on spreading info-stealing malware is applying advanced obfuscation techniques to get around security scanning and maximize infection rates.

According to Lastline researchers, a large botnet is distributing malicious rich text format (RTF) documents that act as downloaders for well-known info-stealers, such as Agent Tesla or LokiBot. These malware variants steal a variety of credentials [...] The effort is linked to another recent spam campaign identified by Cisco Talos, Lastline said.
The firm found that many of the targeted entities are within the education sector in the Asia-Pacific region; however, the campaign also seems to be using a second, “spray-and-pray” approach on other potential victims.

The researchers found that the campaign uses common attack techniques, such as data obfuscation and VBA scripting, but that it also goes to great lengths to hide its infection processes.
Click to expand...

Incidentally, the botnet’s usage of this specific AMSI-bypass technique is what links it to the spam campaign recently uncovered by Cisco Talos, according to Lastline. That campaign was being operated by the SWEED threat actor.

Once established on the victim machine, the code will fetch a dropper payload from a remote host, which in turn downloads the last-stage info-stealing malware. These end stages are heavily obscured as well, researchers said.

“There is a dedicated effort to hide the final payload URL by adding several obfuscation layers, a technique known to impair automated tools and parsers.”
Click to expand...

Lastline: Threat Research Report: Infostealers and self-compiling droppers set loose by an unusual spam campaign

itman · Feb 2, 2020

mood said: ↑

Advanced Obfuscation Marks Widespread Info-Stealing Campaign
Click to expand...

Surprised there are no comments on this bugger. One very nasty piece of malware. Also I couldn't think of a better example for keeping macros permanently disabled on all Office apps.

guest · Feb 3, 2020

AZORult Campaign Adopts Novel Triple-Encryption Technique
...malspam campaign that uses three levels of encryption to sneak past cyber defenses
February 3, 2020
https://threatpost.com/azorult-campaign-encryption-technique/152508/

A recent wave of AZORult-laced spam caught the attention of researchers who warn that malicious attachments associated with the campaign are using a novel obfuscation technique, in an attempt to slip past spam gateways and avoid client-side antivirus detection.

Should macros be enabled in any of the Excel documents, a payload is decrypted, decoded and executed using a Visual Basic for Applications “shell” command.
The next stage of the decryption happens as the first payload is executed and converts into a second decryption envelope, this time a PowerShell.

The payload this time is considerably obfuscated C# code, designed, said the researcher, to “download a file from a remote server [and] save it as c2ef3.exe in the AppData folder and execute it.”
The third level of encryption manifests itself in the link used by the dropper to download the final AZORult infostealer malware.

“The link to the remote file was protected with a third layer of encryption using the same algorithm we have seen in the PowerShell envelope,” he wrote.
Click to expand...

Kopriva also notes that the C# code tries to bypass the Microsoft Anti-Malware Scanning Interface using a memory patching technique first identified by CyberArk researchers in 2018 and used frequently including last week in a similar attack.

“With the use of Word, Excel, PowerShell and three layers of home-grown encryption, this downloader really turned out to be much more interesting than a usual malspam attachment,” the researcher wrote.
Click to expand...

Rasheed187 · Feb 8, 2020

itman said: ↑

Surprised there are no comments on this bugger. One very nasty piece of malware. Also I couldn't think of a better example for keeping macros permanently disabled on all Office apps.
Click to expand...

Why? Seems like the same old stuff to me, with a locked down powershell.exe, you could stop this. Or are you talking about certain malware techniques?

guest · Mar 19, 2020

Evolution of malware obfuscation poses security concerns
March 19, 2020
https://www.scmagazineuk.com/evolution-malware-obfuscation-poses-security-concerns/article/1677639

But is the broader problem of evolving malware obfuscation techniques one that enterprise security teams need to come to terms with. SC Media UK reached out to information security professionals for answers.

Daniel Goldberg, senior cyber-security and computer crime researcher at Guardicore Labs, doesn't think so.

"Enterprise security teams should totally avoid thinking about malware obfuscation and detecting specific strains, and focus 100 percent of their efforts on detecting abnormal behaviour. Malware changes, but the vast majority use the network to communicate with hackers. Catch them there and stop playing whack a mole," he told SC Media UK.
Oliver Pinson-Roxburgh, co-founder at Bulletproof, agrees that dealing with obfuscation is challenging for people that are not experienced at both spotting the techniques, but also investigating and tearing them apart without experience.

Even checking for obvious signs of obfuscation comes with the risk of increasing the false-positive count and, once de-obfuscated, we still need to understand code, which is also something most businesses don’t have the experience in doing, he added.
The key to automatically detecting them is "in utilising tools that understand and can describe behaviours vs simple signatures", he said.
Click to expand...

Tomislav Pericin, chief software architect at ReversingLabs, admits that how enterprise security teams can best deal with evolving malware obfuscation is a difficult question to answer.
However, when it comes to analysis, Pericin points to a combination of static and dynamic analysis to peer into the protected code. Reverse-engineering tooling is key, and staff should understand how it all works.

"[...] Unfortunately, this calculation is often done post fact, when the incident already occurs, and needs to be repeated for every file that needs analysis," Pericin said.
Click to expand...

guest · Nov 25, 2020

Blackrota Golang Backdoor Packs Heavy Obfuscation Punch
Blackrota is targeting a security bug in Docker, but is nearly impossible to reverse-analyze
November 24, 2020
https://threatpost.com/blackrota-golang-backdoor-obfuscation/161544/

Researchers have discovered a new backdoor written in the Go programming language (Golang), which turned their heads due to its heavy level of obfuscation.

The backdoor, called Blackrota, was first discovered in a honeypot owned by researchers, attempting to exploit an unauthorized-access vulnerability in the Docker Remote API. What sets the backdoor apart is its use of extensive anti-detection techniques, which makes the malware extremely difficult to analyze – something that researchers said is not commonly seen with Golang-based malware.

“Historically, we have seen malware written in Go that was at best stripped at compiling time, and at worst slightly obfuscated, without much difficulty in reverse-analysis,” said researchers with 360 Netlab, in a Tuesday posting. “Blackrota brings a new approach to obfuscation, and is the most obfuscated Go-written malware in ELF format that we have found to date.”
Click to expand...

Researchers said that obfuscated malware written in Go is rare, but has been seen before.

“The obfuscation method of Blackrota and EKANS creates new challenges for reverse analysis,” said researchers. “As the Go language becomes more popular, more and more malware will be written in Go in the future…we will keep an eye on what is going to happen.”
Click to expand...

Qihoo 360 Netlab: Blackrota, a heavily obfuscated backdoor written in Go

The most obfuscated Go-developed ELF-formatted malware we've found
to date.
Click to expand...

Log in or Sign up

Stealthy Malware Flies Under AV Radar with Advanced Obfuscation

guest Guest

guest Guest

itman Registered Member

guest Guest

Rasheed187 Registered Member

guest Guest

guest Guest

Log in or Sign up

Stealthy Malware Flies Under AV Radar with Advanced Obfuscation

guest Guest

guest Guest

itman Registered Member

guest Guest

Rasheed187 Registered Member

guest Guest

guest Guest

Useful Searches