[SANS Webcast Recap] Evade Me If You Can: Unmasking Context Aware Malware
“Context is everything” goes the age-old adage. Malware has evolved in a variety of ways over the past few years but threat actors have increasingly focused more of their development efforts on making their malware sensitive to context in order to better identify and evade sandbox and analysis environments. In this post—condensed from a SANS webcast led by VMRay Sr. Research Analyst Tamas Boczan, SANS analyst Brandon McCrillis and myself , we explore some of the primary methods threat actors have adopted to better understand the context of the environment, demonstrates how context-aware malware circumvents detection via real-world examples, and offers up some practical steps security teams can take to mitigate these threats.
Context-Aware Malware Goes Modular
The battle between threat actors and the security teams who defend corporate networks is often described as a constantly escalating game of cat and mouse. With its ability to recognize sandbox and analysis environments, the emergence of ‘context-aware’ malware represents the latest challenge to time and resource-strapped security professionals and is the focus of our latest webinar series produced in conjunction with the SANS Institute.
SANS Institute analyst Brandon McCrillis kicks off the discussion by providing an overview of the delivery methods threat actors are using to distribute these context-aware payloads and how they are increasingly being deployed in a modular fashion to better evade detection and gain persistence. As he explains, phishing remains the most prominent entry point for context-aware malware, “Attackers use large-scale phishing campaigns to cast as wide a net as possible, employing first-stage survey scripts on commodity targets to identify which ones are prime targets for follow-on attacks.”
McCrillis points out the Emotet trojan as a primary example of context-aware malware that is exceptionally modular and highly successful in avoiding detection: “Emotet is virtual machine aware and can generate false indicators if run in a virtual environment. Once the first stage of Emotet is delivered — based on what was identified in that network and target value of that network — attackers can then add different modular pieces to craft a more targeted and refined campaign.”
The Art of Deception
As malware gets smarter and becomes increasingly aware of its surrounding environment, security analysts must take special care to create and maintain a realistic analysis environment. “An analysis environment, in general, should be loaded with software and files that mimic production assets as closely as possible,” counsels McCrillis. “For instance, in the case of Ukraine’s KillDisk attack, the malware refused to fully execute unless certain Industrial Control System processes were present.”
In this sense, security analysts should adapt their analysis environment to the specific behavioral requirements of the malware itself: “If you are looking at malware that propagates or uses some sort of Office functionality then you would obviously want to have that software installed so the malware can interact and you can observe the behavioral interaction between that process and that malware that you are analyzing.”
In general, McCrillis advises that for any type of in-depth analysis, it’s best to install all the instrumentation tools on a virtual machine or whatever kind of isolated system being used for real-time threat analysis. “Start with vanilla and have a way to snapshot that VM or revert to a last known good state so you can do a diff on what kind of registry changes were made, which processes were launched or any behavioral indicators of that malware.”
Cautionary Tales: Detonate with Care
While it should be fairly obvious to any season security pro, McCrillis felt obliged to declare the following warning: “Be careful where you detonate! I’ve seen in-house malware detonations go wrong more than they’ve gone right. It’s essential that the malware is fully contained and that you have proper lab and analysis environment set up to do the analysis – you don’t want to be chasing false indicators or compromising other systems on your production network.”
Context-aware malware can create an additional dimension of analysis complexity because the analysis system must be continually modified to ensure that context-aware malware thinks it’s being deployed in a real production environment.
Of course, this can get tricky depending on the malware being analyzed. Says McCrillis, “maybe you need to let that malware communicate to the Internet to replicate or trick the malware to think that it’s communicating on the Internet and not some isolated environment. You might want to consider routing your analysis traffic through a Linux machine or some other isolated or virtual network to ensure you don’t inadvertently contaminate your production environment.”
In the second half of the webinar, we take a closer look at how context-aware malware circumvents detection and then Tamas Bozcan, VMRay’s Sr. Threat Researcher provides examples from some of his research to demonstrate how specific strains of malware are applying these techniques in the wild.
Evasion Techniques of Context-Aware Malware
When a sandbox is properly integrated within the security ecosystem (i.e., endpoint protection platforms, threat intelligence platforms, SOAR, etc), it provides a critical mechanism for passing suspect files back and forth, giving incident response and threat hunting teams the valuable intelligence they need to detect dangerous new strains. Naturally, malware authors are increasingly including their own sandbox evasion checks before delivering their payloads.
As discussed in our last SANS webinar, malware evasion techniques can be broken down into three broad categories: Detect the Sandbox, Defeat the Sandbox, and Context Awareness, in which the malware is not trying to detect or defeat the sandbox itself but rather trying to execute its payload according to a specific context and has become especially prevalent in certain targeted attacks.
One prominent way that malware checks for context awareness is via User Interaction. Captcha is probably the best-known example of an automated system requiring user interaction to prove that they are not a machine. But now threat actors are using similar interaction checks against us and it’s becoming more common to see context-aware strains able to check user interaction behaviors, such as mouse movements on a system or installers that need to be clicked through to run properly.
Context-Aware Malware in the Wild
VMRay’s Sr. Threat Researcher, Tamas Boczan applies his own experience from the labs to demonstrate how two particular strains malware leverage context to avoid detection. OopsIE malware, carried out by the OilRig APT Group which targeted government organizations in Middle Eastern countries about a year ago and Operation Shadowhammer, a supply chain attack attributed to the Winnti APT Group.
OopsIE utilized numerous context-aware sandbox evasion techniques that make incident response even more challenging, including in this instance, a time zone check. “So for this check to pass, the host or VM needs to be in one of five Middle Eastern time zones,” explains Tamas. “To mitigate this in VMRay we use something called Prescripts which are batch files that the user can define and are running before the sample is started.” Another user interaction trick OopsIE employs is launching a fake error window in which the user or the sandbox needs to click OK before the malware can proceed.
With Operation Shadowhammer, hackers were able to take over the legitimate software update process of ASUS, enabling them to deliver signed software updates that contained the malicious payload. The malware queried the MAC address of the host, and compared it to an internal whitelist of of MAC address hashes — if it found a match, the attack proceeds by contacting the command server to download the next stage of the malware. “What’s interesting is that the attackers already needed a list of the MAC addresses for the targets which were likely acquired from previous attacks because these MAC addresses never leave the hosts,” says Tamas.
Defeating Context-Aware Malware
While context-aware malware represents some of the most sophisticated attack types, it doesn’t mean that security teams are helpless in defending themselves. Here are a few proactive steps you can take to better identify and mitigate these types of threats:
- Adopt a Zero Trust Culture: By eliminating the concept of trust from your network architecture, the Zero Trust model advocates the principle of ‘never trust, always verify’. Accordingly, it’s critical to ensure that anything suspicious entering your network, that there is a mechanism for submitting it for analysis.
- Separate the Signal from the Noise: With so many network and event monitoring tools throwing off alerts, the ability to focus limited resources on exactly what needs to be analyzed is more important than ever.
- Don’t Rely on a Single Form of Detection: While there many tools that can perform various hash checks or signature-based detections, it’s important to ensure that in addition to those checks that you can also pass threat intelligence on to behavior-based detection tools for further analysis.
- Create Realistic Analysis Environments: As much as possible, the environment you are doing your analysis should mimic your production environment. If something isn’t running in your sandbox then it shouldn’t run in your production environment.
To learn more about these context-aware evasion techniques, view the full webcast: Evade Me If You Can: Unmasking Context-Aware Malware.