Tutorial 3: Malware Hunt-Demystifying the Invisible Threats

by Saurabh Sharma
Senior Security Researcher
GReAT, Kaspersky
https://www.linkedin.com/in/saurabh-sharma-813a6154

Date: 16 December 2024; Time: 9:30 AM; Venue: LNMIIT, CP3 (beside Library)


Prerequisites

C/C++ familiarity, Assembly basics

VirtualBox with Windows 10 VM installed

Disable windows defender: https://www.windowscentral.com/how-permanently-disable-windows-defender-windows-10

Download Sysinternals suite: https://learn.microsoft.com/en-us/sysinternals/

IDA Free Version: https://hex-rays.com/ida-free

Netcat: https://eternallybored.org/misc/netcat/

Outline

Module 1: Dynamic Analysis: Demystifying the Behaviour of Malware
Understanding how malware operates and how to detect it is crucial in today’s cybersecurity landscape. In this module, we will be covering an end-to-end attack chain, which is a common method used by cybercriminals to infect systems. Here’s a breakdown of the different steps involved in this module:

Phishing Email: The attack begins with a phishing email, where an attacker sends a fraudulent email to a user, typically pretending to be a trusted entity. The email may contain malicious attachments, links, or instructions to trick the user into taking specific actions, such as clicking on a link.

Silent Malware Deployment: When the user falls for the phishing email and clicks on the provided link or opens the malicious attachment, the malware is silently deployed in the background without the user’s knowledge. This step is crucial for the attacker, as they gain access to the user’s system without raising suspicion.

Identifying Suspicious Network Connections: After the malware is deployed, it may attempt to communicate with the attacker’s command-and-control (C2) server or other malicious entities over the network. Detecting these suspicious network connections can be a vital clue for identifying a potential malware infection.

Suspicious Processes: Next, you’ll be exploring the system’s processes to find any suspicious ones that might be associated with the malware. Malware often runs as a hidden process, evading the user’s attention.

Host-Based Indicators: You’ll then search for host-based indicators of the malware’s presence. These indicators include persistence mechanisms, which are techniques used by malware to survive system reboots and maintain their foothold on the infected system. Additionally, you’ll analyze disk activity performed by the malware to better understand its behavior.

Malware’s Motive: Lastly, you’ll try to identify the motive behind the malware. This involves understanding the malware’s purpose, whether it’s ransomware seeking financial gain, spyware collecting sensitive information, or any other malicious intent.

By following these steps, users can gain a better understanding of how to detect and respond to potential malware infections on their systems. It’s essential to stay vigilant and continuously update cybersecurity practices to protect against evolving threats. Remember, prevention is always better than remediation when it comes to cybersecurity.

Module 2: Static Analysis: Demystifying the Code of Malware
Limitations of Dynamic Analysis:
Some malware can detect that it’s being analysed and may behave differently or not execute at all. The analysis environment might not perfectly replicate a real user’s system, leading to potential differences in behaviour.

Static Analysis (Code Analysis):
Static analysis involves examining the malware’s code and characteristics without executing it. This typically involves reverse engineering the code, disassembling it, and studying its structure to understand its functionality and inner workings. Static (code) Analysis helps us to uncover the below details:

Hidden behaviour discovery: Static analysis can reveal hidden or encrypted parts of the malware that might not be evident during dynamic analysis.

In-depth understanding: By examining the code, we can gain a deeper understanding of the malware’s inner workings, for example;
– Process Injection: Techniques used to run malware inside a process
– Network Protocol Analysis: Understanding and decoding Command and Control packets format.

Module 3: Exploring Signature-Based Intrusion Detection: YARA and Snort
Once we learn how to demystify the behaviour of the malware in the first two modules of this tutorial, you will learn to write signatures to hunt similar malware on other hosts or want to detect/block malware command-and-control traffic at the firewall level. This module will cover popular tools used for signature-based intrusion detection, but they have slightly different purposes and approaches:

Yara – Allows you to create and define custom rules (signatures) to identify patterns within files or processes. These signatures are written in a human-readable and straightforward syntax. Yara is particularly effective for detecting specific characteristics, behaviour, or patterns of known malware or other targeted files.
Identifying known malware: Yara is effective in detecting the presence of known malware families by matching their unique patterns.
Hunting for specific behaviour: You can create Yara rules to identify specific behaviour, such as suspicious file names or registry keys.
Indicator of Compromise (IOC) scanning: Yara can be used to scan systems for known IOCs related to recent security breaches or threat intelligence.

Snort – It is an open-source network intrusion detection and prevention system. Unlike Yara, which primarily focuses on file-based analysis, Snort is designed to monitor network traffic and detect malicious activity in real-time. It uses a combination of predefined rules (known as Snort rules) and customizable rules to identify specific patterns or characteristics of known network-based attacks.
Network intrusion detection: Snort can be deployed on network devices, such as firewalls or routers, to monitor traffic and detect attempts at unauthorized access or attacks.
Network traffic analysis: It helps in identifying unusual patterns in network traffic, which may indicate malicious behavior like port scans or brute-force attacks.
Prevention and response: Snort can be integrated with other security systems to block malicious traffic and facilitate incident response.