During our analysis we constantly run into the tricks cyber-attackers use to bypass companies security defences, sometimes advanced, others not. Many times, despite their elegance (or lack of it), these techniques are effective and actually help the cyber criminals to get into victim computers and penetrate company networks.
This technical article aims to bring to light details of some of the techniques currently abused by various threat actors, in order to help security operators, industry and companies to mitigate their effects.
The following sections describe three cases we recently dissected, highlighting some of the tricks cyber-criminals and threat groups are currently using to avoid detection. The first two are techniques related to Office documents, used to hide malicious payload and lure the users. The third one is related to binary payloads abusing code signature tricks to evade traditional security controls.
|Brief Description||Document Dropper exploiting cve-2017-0199|
Table 1. Sample information
The first trick we dissected employs a “voluntary document corruption” to persuade the user to restore the original file and to download the malicious payload without noticing any suspicious alert. As study case we chosen a Word document containing the CVE-2017-0199 exploit, which allows the document to download and execute arbitrary code at opening time. The following figure shows the external reference towards the remote code will be executed: “hxxps://www.protectiadatelor[.biz/js/Oj1/smile.doc”.
Normally, the opening of the weaponized document such as this one will likely alert a trained, aware user: a strange popup window alerts the presence of a “link” referring to external files.
This message could be suspicious for the victim, so he could delete the document, avoiding the infection. But through the tricks we have observed, the “user warning” may be bypassed. The sample contains a carefully corruption of the document itself: some bytes have been deleted by the attacker without impacting the behavior of the exploit.
Once the user will open the crafted file, MS Word displays a different popup message: now it reports the document is corrupted and asks to confirm its restoration. A totally different message than the previous one, letting the victim think the document is just broken.
After the “Yes” click, MS Word automatically restores the file content and starts the exploit, which will download and execute other payloads.
Other malicious documents we analyzed employ tricks to hide the real payload in MS Office developer control objects: components often not visible to the end users. In most Office installations, in fact, the developer tab is disabled by default, so it is even more difficult to identify the presence of anomalous objects.
This technique has been employed in a sample we analyzed few time ago too. At opening time the document looks like many others.
However, the macro code analysis reveals that the real payload is contained elsewhere, in particular in an object named “Kplkaaaaaaaz”.
This hidden object appears as a tiny text box just after the enabling of macro code (Figure 7).
Without enabling Word developer mode, in the appropriate Option menu, it is impossible to select and modify the object’s properties. So, after enabling it, we were able to explore the object content: the Base64 encoded payload.
Using this strategy, the malware writer moves the identifiable payload in a section which is more difficult to detect both for automatic and manual analysis, obtaining a lower detection rate during static analysis.
Another interesting technique abused by cyber-criminals in the wild is the “Certificate Spoofing“, allowing malware to easily bypass a relevant portion of anti-virus engines, even if they employ identification techniques theoretically able to detect encrypted and packed threats. Indeed, attackers could also obtain a valid certificate for his malware stealing cryptographic keys to legit owners or leveraging rogue companies, as observed in the signed Email Stealer used by the TA505 hacker group, described in our report.
However, in many cases evading detection could require less effort: even an invalid certificate is enough to achieve the goal, such as in a recent Ursnif attack campaign (sample on Yomi Hunter).
Using certificate spoofing techniques an attacker may sign an arbitrary executable using an arbitrary certificate from any website. As study case, we reproduced this techniques signing a known Emotet binary leveraging the Symantec website certificate.
|Brief Description||Emotet payload|
Table 2. Sample information
|Brief Description||Emotet payload signed using Symantec cert|
Table 3. Sample information
As confirmed by the Microsoft SignTool utility the file signature results invalid, as expected.
However, this trick led to a decrease of the VirusTotal detection rate from 36 to 20. Even Symantec AV didn’t detect the sample as malicious!
For the sake of correctness, as Chronicle Security states, Virustotal is not a “comparative metrics between different antivirus products”, so this result does not imply anything about the overall antivirus solutions quality. Conservatively, it provides a clue about an inner detection mechanisms, showing how attackers bypass some identification logic; not the whole AV solution.
The low-level diff analysis between the two samples confirms the certificate addition does not impact in any way the functional parts of the malware and, therefore, its behavior.
The shown techniques are only a part of the countless escamotage implemented by threat actors to make detection harder. We constantly observe attack attempts using these kind of tricks and we are still surprised to see how, nowadays, they can frequently decrease the detection rate, even if the tricks are well known.
We hope that a direct spotlight on few of these tricks would push the eternal cat and mouse game between security players and cyber-criminals a bit further, raising the bar and the costs for malicious attackers who are threatening users and companies.
Further technical details, including IoCs and Yara rules are reported in the original analysis published on the Yoroi blog:
|[adrotate banner=”9″]||[adrotate banner=”12″]|