Anatomy of an Attack #3 – Malware – Delivery & Exploitation
Malicious software – malware – is undoubtedly the most common tool of the cybercriminal's trade. With it, an attacker can remotely encrypt our data, open a communication channel to our laptop or server, copy our passwords or disrupt the operation of a crucial service. In this series we cover the key steps of an attack without going into the details of malware types: we want to present the process that adversaries follow rather than the so-called payload they intend to harm us with. Today: delivering the malware to the target.
Malware attacks have different goals, but they have one thing in common: the malware must be delivered to the target before it can do anything. In terms of the Cyber Kill Chain, the more effective the reconnaissance, the greater the chance of a successful attack. This is why email messages, which can be precisely personalized, remain the most popular distribution channel for malware.
The process of delivering malware to the victim has two main elements:
- Delivery channel: the method by which malicious code reaches the end user – the measure of success is the number of "openings" (emails read, links clicked).
- Configuration: the methods adversaries use to appear legitimate. This includes how they bypass the checkpoints that would identify malicious code, and how they personalize the message (social engineering) so that the victim does not find it suspicious.
And two secondary ones (more important for the next stages of the attack):
- Attack triggers: the way the malware is launched – clicking a link, downloading and opening an attachment, entering data on a website…
- Payload: the way the attack is carried out (opening a C2 command-and-control channel, encrypting data, logging keystrokes, etc.) – strongly related to the configuration.
Let’s take a look at the basic channels through which malware is sent:
- Phishing emails – undoubtedly the most common method of spreading malware. Phishing messages come in all shapes, sizes, colors and levels of personalization, and have one thing in common: a sense of urgency.
- Spam on social networks – a heavily exploited vector, owing to the average level of security awareness among users of these sites. It consists of sending a link that leads to a spoofed page or immediately starts a file download. Examples include photos or videos shared on a social network which, when clicked, take the user to a fake YouTube page that then asks the user to download and install a video player plugin. After installing the "Video Player" you still can't watch the video, but the criminal can watch you, with full access to your camera.
- Remote Desktop Protocol – RDP is a protocol that lets a user connect to another computer over a network. Cybercriminals use automation to scan the Internet for computers with RDP exposed, then try to guess the username and password to gain access to the remote machine. Another option is to buy stolen credentials on the darknet.
- Drive-by downloads from a compromised website – an average website is attacked 58 times a day with the aim of infecting it with malware. Once the site is infected, it starts probing the computer of each visitor for security vulnerabilities, which may stem from outdated applications, missing operating system patches or browser plug-ins. If a weakness is found, it is used to infect the computer with malware.
However, simply sending a malicious file or a download link does not guarantee even a percent of success. Today even the least aware Internet user can count on protection from a built-in antivirus, from security provided by the company at the network level (a Secure Web Gateway or, in more demanding organizations, Remote Browser Isolation) or on the device (EDR or XDR). So the real trick is the configuration: preparing the program so that the checkpoints do not detect it. The creativity of attackers knows no bounds…
- Packers – programs that compress an executable to make it smaller, "wrapping" the compressed executable in the code needed to decompress it at runtime. Compression changes the appearance of the executable. Signature-based detection searches a known malware file for a pattern, such as a hash or a set of binary byte patterns, and uses it as a unique identifier for that malware. Packing changes this identifier, so the AV may not detect the packed file.
- Crypters – programs similar to packers that add obfuscation or encryption to malicious code. Like a packer, a crypter's purpose is to change the binary fingerprint of a file to avoid detection. In short, the crypter encrypts the original executable with an encryption algorithm, often something as simple as an XOR cipher with a unique key, and then creates a stub: the initial program that has everything it needs to decrypt and run the embedded payload.
Dynamic analysis refers to detection techniques applied while a file executes: it lets you inspect the malware's code in memory and observe what else it is doing. A packed or encrypted program must eventually unpack or decrypt itself in order to run, so products that use dynamic analysis can often recognize cloaked malware when it is launched.
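To make the packer, crypter and dynamic-analysis points above concrete, here is an added example (not code from the original post): a constructed "known bad" byte pattern is matched by a static signature check in the plain file, missed after the file is compressed (packer) or XOR-encrypted with a constructed 2-byte key (crypter), and matched again on the restored content that a runtime stub must produce, which is what dynamic analysis observes. The Shannon entropy of the on-disk bytes is the heuristic many scanners use to flag such cloaked files.

```python
"""Added example (not from the original post): a packer or XOR crypter changes the bytes on disk
so a byte-signature scanner misses the file, but the signature matches again once the content is
unpacked in memory, which is what dynamic analysis observes. All data below is constructed."""
import math
import zlib
from collections import Counter

KNOWN_BAD_PATTERN = b"EVIL_MARKER_0001"  # constructed stand-in for an AV byte signature
PLAIN_FILE = b"MZ this is a harmless-looking program body " * 8 + KNOWN_BAD_PATTERN  # constructed
XOR_KEY = b"\x5a\xda"  # constructed 2-byte key for the simple XOR crypter the text describes


def signature_match(data: bytes) -> bool:
    """Static signature check: does the known byte pattern occur anywhere in the file?"""
    return KNOWN_BAD_PATTERN in data


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 to 8.0; packed or encrypted content scores higher than plain text/code."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def xor_transform(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR, the crypter transform; applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack(data: bytes) -> bytes:
    """Compression, the packer transform: same content, different bytes on disk."""
    return zlib.compress(data, 9)


def unpack(data: bytes) -> bytes:
    """What a packer's runtime stub does before execution; this is what dynamic analysis sees."""
    return zlib.decompress(data)


def scan_report(on_disk: bytes, restore) -> dict:
    """Compare a static scan of the file on disk with the restored content in memory."""
    in_memory = restore(on_disk)
    return {"static_signature_hit": signature_match(on_disk),
            "dynamic_signature_hit": signature_match(in_memory),
            "entropy_on_disk": round(shannon_entropy(on_disk), 2),
            "entropy_in_memory": round(shannon_entropy(in_memory), 2)}

if __name__ == "__main__":
    print("plain  :", scan_report(PLAIN_FILE, lambda d: d))
    print("packed :", scan_report(pack(PLAIN_FILE), unpack))
    print("crypted:", scan_report(xor_transform(PLAIN_FILE), xor_transform))
```

The static hit is True only for the plain file, the dynamic hit is True in all three cases, and the XOR-encrypted bytes score higher entropy than the plain file they restore to.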
- Polymorphic malware – malware that repeatedly applies packing and encryption to change its appearance. Rather than using static keys as most crypters do, polymorphic malware uses more complex encryption algorithms with random keys, variables and decoders. The malware itself can mutate every time it copies itself to a new location, or criminals can set up servers that automatically produce a modified variant every time it is sent to a new victim. Server-side polymorphic malware is very popular and probably accounts for the majority of everyday malware variants.
- Downloaders, droppers and staged loading – many types of malware use temporary programs called droppers or downloaders to learn about your system before installing the real malware. Some droppers check the system first so as not to trigger security alerts while downloading and installing the actual payload: they may search for and kill security processes, or check whether they are running in a virtual machine. They can also download their additional payloads over encrypted channels to avoid network detection, or inject the malware directly into known Windows processes to evade detection.
… On the other hand, AV vendors design signatures to recognize droppers and downloaders, and modern AV programs will recognize most of them without any problem.
When planning protective measures against malware infection, specialists refer, among other sources, to the tactics and techniques described in MITRE ATT&CK and to the Cyber Kill Chain developed by Lockheed Martin. In our work we meet the following methods of protection against attacks in the delivery and exploitation phase:
DELIVERY – CHANNELS – remember: "the hacker wants you to download something or click something". Dynamic categorization of websites combined with a reliable email security solution therefore lets you control the two most common malware delivery channels. This is the first stage of prevention: the user does not reach the infected page or start the download, and the email is not delivered. A newer technology for protecting against attacks from the Internet (e.g. drive-by downloads) is Remote Browser Isolation, which streams an interactive session to the user's browser from a secure virtual machine in the provider's cloud.
EXPLOITATION – CONFIGURATION – if, however, the source looks trustworthy (e.g. a well-known web portal that was compromised very recently) and the file download starts, you need to recognize the file for what it is. The Secure Web Gateway or Email Security Gateway mentioned above lets you, in brief, take the following steps:
- Scan files at specific points
- Match signature patterns against the data found in the scanned files
- Use heuristic techniques to recognize new viruses
- Remove malicious code from legitimate files
The techniques that give you far more certainty about a file are sandboxing and content disarm & reconstruction (CDR). Sandboxing runs the file in an emulated environment that faithfully reproduces the user's system, and the malware is identified by observing its behavior. Content disarm & reconstruction, on the other hand, is not based on detection techniques: for each file it scans, it recognizes known, legitimate content and transfers it to a newly created file, leaving out any unknown or active code. 100% sure. It is worth remembering that both technologies have specific use cases.
As on every possible occasion, it is worth emphasizing that a parallel, and perhaps the most important, line of defense is a well-educated user. Then again, if education were that simple, there would be no market for the technologies above 🙂 It is worth following the trends published by Threat Intelligence specialists to know which malware campaigns organizations in your industry are exposed to. Or… talk to us!