Protect Your Network and Lower Your Cyber Risks with Malware Analysis
Earlier this year, zvelo introduced our portfolio of Cybersecurity Professional Services. Those services include Brand Vulnerability Assessments (“Do you know who is using your brand besides you?”), External Threat Hunting (“What does your organization look like to an attacker?”), and, the focus of this post, Malware Analysis. Malware Analysis serves to help discover hidden attackers actively working to exploit your network, identify latent infections, and analyze the captured payload to help organizations protect their networks from malicious threats. Let’s explore malware analysis.
zvelo’s Approach to Malware Analysis
Analyzing malware is no easy task. It starts with understanding where malware originates (script kiddies, cyber criminals, and state actors/APTs), the types of malware (droppers, trojans, macro enabled documents, scareware, adware, ransomware, and more), and the variety of delivery mechanisms (phishing/spear phishing, pharming, co-opted sites, malicious ads, and so on). It also helps to have a background in coding. Just like any software developer, malware authors are excellent at code reuse, with the really scary ones crafting unique code that is truly unique. Typically, the zvelo Cybersecurity Team finds that malware today is about 90% code reuse with approximately 10% new and unique code. Despite only seeing about 10% new and unique code, we know that Malicious Cyber Actors (MCA) are always actively working on code for new ways to exploit the latest/greatest vulnerabilities. And while there may be more than 10% new and unique code that exists offline, defenders lack the visibility to analyze it until after it has been released into the wild.
Static Malware Analysis
zvelo malware analysis starts “statically.” Static analysis (sometimes called code analysis) is an in-depth review of the malware binary without executing it. The zvelo Cybersecurity Team always starts with static analysis to safeguard against accidentally opening Pandora’s box. Depending on the sophistication of the malware, static analysis may be all that an analyst needs to determine the functionality of a particular sample. It is important to note that static analysis is not just reviewing the code. If the malware author has packed, encoded, or otherwise obfuscated their code, the analyst must solve the puzzle with static analysis. The good news is that hundreds of thousands “new” malware hits the internet everyday, and they are analyzed or sent to one of the numerous crowd-sourced platforms for assessment. This means the malware analyst (hopefully) has more than a few clues as to where to start.
Dynamic Malware Analysis
If the zvelo Cybersecurity Team is unable to get what they need from static analysis to help our clients, the next logical step is dynamic analysis. We start with basic dynamic analysis via controlled detonation on a comparable victim system. Depending on information gleaned from static analysis, this could be a virtual machine (VM) or physical hardware, as some malware is plumbed to check for VMs. Basic dynamic analysis is nothing more than assessing how malware interacts with the victim system. Consider a Windows specific sample, for example: Is anything written to disk? Does the malware establish persistence (registry, services, scheduled tasks)? What libraries does the malware import, and more)?. Similar to static analysis, the answers to the malware riddle may come from basic dynamic analysis, if not the malware analyst must go deeper.
Advanced Dynamic Malware Analysis
The final step in the zvelo Cybersecurity Team’s malware investigation is advanced dynamic analysis. Perhaps, the malware sample is well written and evades basic dynamic analysis techniques. Maybe, the malware checks to see if there is an “active” internet connection with Domain Name Services (DNS) and it self-deletes if the sample cannot reach 18.104.22.168 (Google DNS). Malware authors do this to frustrate the malware analyst. In dynamic malware analysis, the analyst sets up simulation infrastructure to “fool” the sample into thinking it is actually on the internet and give up its secrets. This technique is valuable when the analyst is looking to understand behavioral aspects/heuristics of the malware as whole, not just on the victim system but in the network as well. While dynamic analysis may seem easy, it is definitely not. It takes a specialized skill set to prevent a live malware sample from getting out of hand.
Incident Support from zvelo’s Cybersecurity Experts
So, what happens if you suspect you have a malware-related incident? First off – if possible – isolate the victim(s) systems. Do not turn the victim system(s) off. Turning off the victim system(s) will result in the potential loss of evidence that malware analysts can use to reduce the impact of an incident. Second, contact zvelo for help and let the zvelo Cybersecurity Team assess your problem.
The first thing zvelo’s Cybersecurity Team will do when they receive word of an incident is triage and scoping. In triage, zvelo provides recommendations to the victim organization on collecting information to support scoping. This typically consists of providing information about the victim(s) operating system (e.g. Windows, Linux, OSX), number and types of systems affected, relevant network logs (if available), and if possible, capturing a sample of the malware. After initial triage, the zvelo Cybersecurity Team will scope out the support required to assist the victim organization. Note, if the scope is beyond the capabilities of zvelo, we will let you know and recommend additional resources.
If you can capture a malware sample, zvelo’s Cybersecurity Team will conduct static analysis, basic dynamic analysis, and if needed, advanced dynamic analysis. Using these techniques, the team will extract the pertinent indicators of compromise (IOC). Malware IOCs can include items such as (not an exhaustive list):
- File hashes – MD5, SHA256
- Import hash (IMPHASH)
- PE number
- Library imports
- Code reuse
- Network connectivity
Next, the zvelo Cybersecurity Team will take the identified IOCs and provide recommendations on containment and remediation. With containment, the goal is to prevent the threat from escalating further. Any recommendations here will be dependent on the client’s environment. For example, if multiple systems are infected, one possible recommendation could be to shut down internet access for the organization to stop command and control. With remediation, the zvelo Cybersecurity Team determines the best course of action to end the malware infection. This could be re-imaging systems, patching systems, restoring from backups, even rearchitecting the organization’s network (going from flat to segmented). Similar to containment, remediation recommendations will be made in the context of the organization. The end goal of incident support is to help an organization address the incident they are immediately facing.
Consulting to Address Ongoing Malware Issues
Some organizations seem to regularly fall victim to malware. Maybe it is ransomware, or an information stealer that pops up on a somewhat frequent basis. The zvelo Cybersecurity Team is available to provide consulting support to any organization whether or not they are a victim of malware. To begin, let zvelo review your organization’s incident response plan. Our experts can make recommendations to improve any incident response plan as it pertains to malware. Plans are great, but if your organization has not recently reviewed your network and related infrastructure (e.g. cloud), zvelo can help there with an adversary targeting focus perspective.
Once you have a handle on your network, it is time to be proactive. The next logical step is to go threat hunting within the construct of the Cyber Kill Chain and leveraging the tactics, techniques, and procedures (TTP) in the MITRE ATT&CK matrix. The zvelo Cybersecurity Team can recommend where to hunt based on your network, systems, applications, and data. In addition to threat hunt recommendations, organizations can directly benefit from increasing visibility into their Cybersecurity Operating Environment (COE). This visibility can be gained from procuring and integrating cyber threat intelligence (CTI). zvelo stands ready to assist clients with determining the best CTI to understand their COE. When it comes to malware, proactive organizations are more likely to prevent an incident from occurring, ultimately saving time, money, and negative impacts on an organization’s reputation and customer relationships.
Malware Analysis Use Cases
zvelo’s Cybersecurity Team has been at the forefront of analyzing recent malware in the news. Please check out these use cases to see how zvelo might support your organization in the event of a malware incident:
- SolarWinds Orion brief summary of zvelo’s response.
- Emotet brief summary of zvelo’s assessment of the latest variant.