In Part 1 of this blog series, we covered a (somewhat) brief introduction to malware analysis. We learned how malware analysis is performed in general and the various types of analysis–triage, dynamic, and static analysis.
It’s all well and good that there are so many niches and disciplines that tie in to malware analysis, but what is the overall goal?
Offense Informs Defense
Have you ever heard the phrase “offense informs defense”? The idea is that interactions with real attackers–be they vulnerability scans and vulnerability management, penetration tests, adversary emulations, red/blue team joint operations, or actual security incidents–all produce lessons. By looking at which weaknesses attackers leveraged to gain access, we learn how they were able to carry out their actions. Malware analysis is another small piece of this puzzle.
We perform analysis actions and answer questions about the malware in order to inform our defense against the threat a particular family of malware represents.
But what are some ways in which malware analysis informs defense?
Advanced Persistent Threats (APTs) gain their name by utilizing advanced tactics and by being persistent towards achieving an objective of some sort.
The advanced tactics they might use include:
- targeted exploits,
- spear phishing,
- social engineering, and
- zero day exploits.
And their persistence manifests when they:
- attempt multiple methods of entry,
- exploit multiple targets within the same vertical,
- pivot from targets of opportunity,
- utilize multiple persistence methods, or
- use a “low and slow” methodology.
The reports on these threat groups are the result of months–and sometimes years–of patient counterintelligence operations by security researchers observing their tools, exploits, malware, and targeted verticals. This results in reports that inform the defense of organizations all over the world–researchers provide indicators of compromise (IoCs) in the form of file hashes, network artifacts (e.g. IP addresses, domains, user-agents, and URLs requested), files dropped to disk, configuration files modified, commands executed, and so on.
Organizations consume the information in these reports and use it to retroactively search for these indicators in their network and endpoint security logs over the period during which that particular campaign was active. This allows them to confirm that they either:
- were not targeted, or
- if they were targeted, that they were not compromised, or
- if they were compromised, the scope of the compromise.
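The retroactive sweep described above, as an added example that is not part of the original post: a small Python routine that takes a report-style IoC set and a campaign window, walks endpoint/proxy log lines, and lands on one of the three outcomes listed (not targeted; targeted but blocked; compromised, with the affected hosts as the scope). The IoC values, the campaign dates and the log format are all constructed placeholders for the example, not indicators from any real report.

```python
from datetime import datetime, timezone

# Campaign window and IoC set are constructed placeholders for this example,
# not indicators from any real report.
CAMPAIGN_START = datetime(2020, 3, 1, tzinfo=timezone.utc)
CAMPAIGN_END = datetime(2020, 12, 14, tzinfo=timezone.utc)
IOCS = {
    "hash": {"a" * 64},                # SHA-256 of the implant (placeholder)
    "domain": {"c2.example.invalid"},  # C2 domain (placeholder)
}

# Constructed log lines: timestamp|host|indicator type|value|action
SAMPLE_LOGS = [
    "2020-02-10T09:00:00Z|ws01|domain|c2.example.invalid|allowed",     # before window
    "2020-04-02T11:30:00Z|ws07|domain|c2.example.invalid|blocked",     # proxy stopped it
    "2020-06-15T08:05:00Z|srv-orion|hash|" + "a" * 64 + "|observed",   # implant on disk
    "2020-06-15T08:07:00Z|srv-orion|domain|c2.example.invalid|allowed",  # C2 got out
    "2020-07-01T12:00:00Z|ws02|domain|updates.example.invalid|allowed",  # not an IoC
]


def parse(line):
    """Split one constructed log line into (timestamp, host, kind, value, action)."""
    ts, host, kind, value, action = line.split("|")
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), host, kind, value, action


def sweep(lines, iocs=IOCS, start=CAMPAIGN_START, end=CAMPAIGN_END):
    """Retroactive IoC sweep limited to the campaign's active period.

    A blocked indicator (mail or web gateway stopped it) shows the organization
    was targeted; an indicator that was observed or allowed through shows
    compromise, and the hosts it appears on form the scope.
    Returns (verdict, set_of_compromised_hosts).
    """
    scope, hits = set(), 0
    for line in lines:
        ts, host, kind, value, action = parse(line)
        if not (start <= ts <= end) or value not in iocs.get(kind, ()):
            continue  # outside the campaign window, or not one of the indicators
        hits += 1
        if action != "blocked":
            scope.add(host)
    if hits == 0:
        return "not targeted", scope
    if not scope:
        return "targeted, not compromised", scope
    return "compromised", scope


if __name__ == "__main__":
    print(sweep(SAMPLE_LOGS))  # ('compromised', {'srv-orion'})
```

Note that the hit on ws01 is discarded only because it predates the stated window; in practice an analyst would widen the window rather than trust a report's start date as a hard boundary.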
Want an example? Let’s jump back to December of 2020, when the SolarWinds backdoor SUNBURST was publicly announced.
SUNBURST was a backdoor associated with the Russian threat group “APT 29” (Dark Halo, UNC2452, etc.). FireEye released a report describing the actions the threat group took, along with a repository of indicators. Between the report, the timeframe during which the campaign was active (according to the report, “This campaign may have begun as early as Spring 2020 and is currently ongoing.”), and the indicators, organizations that used SolarWinds during that period could sweep through their logs to see if they were possibly affected.
Threat Intelligence usually comes in the form of blocklists for a wide variety of threats–IoT botnets, Ransomware, Remote Access Trojans (RATs), and so on. These blocklists are mostly the result of analyzing malware–running payloads in a sandbox, deobfuscating and extracting the configuration information for downloaders, reverse engineering RATs, decoding various scripts to see what the malware communicates with for command and control (C2), and so on.
Just like APT reports, these blocklists typically come in the form of indicators of compromise–such as file hashes, IP addresses, domains, and the exploits and/or methods used to deliver the malware. And also like APT reports, most threat intelligence feed information is meant to be used retroactively to look for threats within a fairly limited timeframe.
Time for another example: Let’s pick on LokiBot. LokiBot is classified as an information stealing Trojan, but it also has the ability to backdoor targets and deliver additional payloads.
For this exercise, I’m going to pick on a sample observed on abuse.ch’s MalwareBazaar. MalwareBazaar is a massive database of malware samples with a wealth of analysis data for each submitted sample–file hashes, sandbox runs, YARA rules, the works. Here is the LokiBot report we’re going to focus on: