Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:30 AM
Derek Manky
Derek Manky
Connect Directly
E-Mail vvv

Upping the Ante on Anti-Analysis

Attackers are becoming more sophisticated in their obfuscation and anti-analysis practices to avoid detection.

As cybercriminals continue to hone their attack approaches, they are also tuning their post-intrusion models. Many modern malware tools already incorporate features for evading antivirus and other threat detection measures, but research shows that attackers are also becoming more sophisticated in their obfuscation and anti-analysis practices to avoid detection if an infiltration attempt is successful.

Based on analysis of data from Fortinet's "Q2 2019 Threat Landscape Report," this article examines a recent spam campaign that used novel anti-analysis and evasion techniques.

Anatomy of a Spam Attack
Many modern malware tools include features for evading antivirus and other threat-detection measures. Examples include routines that enable the malware to detect when it is running within a sandbox environment, functions for disabling security tools on an infected system, and the use of junk data to make disassembly harder. 

A good example of how adversaries are tweaking these anti-analysis techniques can be found in a macro that was used in a major spam campaign in Japan last quarter. This campaign involved a phishing email with a weaponized Excel document attached that contained a malicious macro. Our analysis showed the macro had attributes for disabling security tools, executing commands arbitrarily, and causing memory problems — and also ensuring that it would run only on Japanese systems. 

The macro used in the Japanese spam campaign, like much other malicious software, was designed to look for certain Excel-specific variables at multiple points during execution to ensure it was running within an Office Excel environment and not in an emulator. One Excel property that it looked for in particular — the xlDate variable — was something that we haven't observed before in other malware. Interestingly, the variable appears to be undocumented in Microsoft's documentation —at least, we were unable to find it.

The use of such anti-analysis techniques, though nothing new, appears to be growing. In June, for example, security researchers found a new variant of the Dridex banking Trojan that evaded several traditional antivirus tools by using 64-bit DLLs with file names of legitimate Windows executables. The file names and associated hashes changed each time the victim logged in, making it hard for signature-based antivirus tools to spot the malware on infected host systems. This Dridex variant also took advantage of a known weakness in the Windows Management Instrumentation Command-line (WMIC) utility to bypass application whitelisting measures and execute malicious VBS code embedded within an XSL file.

Multiple reports of downloaders with sophisticated, built-in defense-evasion techniques also appeared in the second quarter. One example is AndroMut, a downloader that the Russian-speaking TA505 group used in a campaign targeting individuals working at financial companies. AndroMut's anti-analysis features include sandboxing and emulator verification and checks for mouse movement and debuggers. At least two other downloaders — Brushaloader and a new version of JasperLoader — were reported in the second quarter as having similarly advanced evasion mechanisms.

Best Practices
Here are five best practices you can implement to build or expand on a multilayered defense strategy.

  1. Add this anti-analysis trend into your current risk analysis strategy. Your IT team needs to know about this risk and consider options, such as storing system backups off-site, putting redundant systems in place, and being able to lock down segments of the network when an attack is detected.
  2. Inventory all critical assets and services across your network. Expand your efforts to identify and patch vulnerable systems, replace older systems that are no longer supported, or enhance compensating security tools. This will likely involve implementing some sort of asset-tracking and management solution.
  3. Segment your networks. Segmentation can be used for a variety of security purposes. For example, you can keep Internet of Things (IoT) and similar devices automatically separated from your production network until they can be properly secured. This should also be tied to device authentication and network access control at access points. This enables you to identify and authenticate devices, manage access, inspect traffic, and then assign it to secure network segments — all at wire speed. You also need to set up checkpoints to monitor traffic that passes between network segments looking for anomalous behaviors, malware, and other sophisticated attacks.
  4. Inspect encrypted traffic. It takes 50 to 100 times more processing power than conventional traffic to perform deep inspection of encrypted traffic and unstructured data, such as the raw data produced by many IoT devices. Unfortunately, most security devices and may need to be upgraded to do this.
  5. Automate event correlation. In today's high-performance environments, you can't afford to hand-correlate threat data to detect threats or respond at anything less than machine speeds. To address this issue, you must be able to automatically collect and correlate real-time threat intelligence to identify and stop an attack before it can deliver its payload or extract the data it's looking for.

Future-Forward Security
Malicious actors aren't only creating new ways to access your network but are also developing new ways to remain undetected once in and do as they please for as long as they like. By understanding the risks and putting the right defenses in place, your organization can defend itself against not only these latest attack trends but also those that have yet to be devised.

Toward that end, FortiGuard creates adversary playbooks based on its role in the Cyber Threat Alliance. These playbooks describe the tools, techniques, and steps that adversaries use to achieve their goal. The goal is to enable IT security teams to disrupt malicious actors more systematically. The most recent playbook dissects Zegost, an info-stealer used recently against a Chinese government agency, and is available here.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "'It Saved Our Community': 16 Realistic Ransomware Defenses for Cities."

Derek Manky formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal to make a positive impact in the global war on cybercrime. Manky provides thought leadership to industry, and has presented research and strategy ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
9/3/2019 | 7:25:53 PM
System Security
I have read the post and finally want to say some word regarding security and safety is, everyone need to be safe and secure from unwanted elements.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-10
A SQL injection vulnerability in the user and admin web interfaces of Sophos XG Firewall v18.0 MR1 and older potentially allows an attacker to run arbitrary code remotely. The fix is built into the re-release of XG Firewall v18 MR-1 (named MR-1-Build396) and the v17.5 MR13 release. All other version...
PUBLISHED: 2020-07-10
Incorrect file permissions in Citrix ADC and Citrix Gateway before versions 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 allows privilege escalation.
PUBLISHED: 2020-07-10
Improper input validation in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows reflected Cross Site Scripting (XSS).
PUBLISHED: 2020-07-10
Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows unauthenticated access to certain URL endpoints.
PUBLISHED: 2020-07-10
Reflected code injection in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows the modification of a file download.