Lastline Labs

Arunpreet Singh

Arunpreet Singh is a Malware Reverse Engineer at Lastline. Prior to joining Lastline, he worked as a Security Researcher for McAfee. His research interests are malware reversing and Windows internals.
Recent Posts

Building Static and Dynamic Analyses Using Lastline's Process Snapshotting

Posted by Arunpreet Singh on 9/16/16 12:57 PM

Learn how Lastline’s process snapshotting supports malware analysis by capturing snapshots at various points throughout a malware program’s execution, allowing for deeper manual malware analysis by security researchers.

Topics: Lastline Enterprise, Email Security, Process Snapshotting, Advanced Persistent Threats, Data Breach, malware, lastline, anti malware, deep manual analysis, static analysis, web security, dynamic analysis, malware protection

A Peek Behind the Cryptowall

Posted by Arunpreet Singh on 1/28/16 8:00 AM

Bridging static and dynamic analysis using Lastline process snapshotting

Topics: Sandboxing, FUSE, APT, Just-In-Time Decryption, Cryptowall, Ransomware

Defeating Darkhotel Just-In-Time Decryption

Posted by Arunpreet Singh on 11/5/15 10:00 AM

Authored by: Arunpreet Singh and Clemens Kolbitsch

Topics: Evasive Malware, Full-system Emulation, APT, Just-In-Time Decryption, Darkhotel

Turla: APT Group Gives Their Kernel Exploit a Makeover

Posted by Arunpreet Singh on 7/30/15 9:00 AM

Authored by: Arunpreet Singh and Clemens Kolbitsch

Topics: Evasive Malware, Turla, Kernel exploits, APT

Catching the Hacking Team’s System Access Token Thief Red-Handed

Posted by Arunpreet Singh on 7/13/15 9:00 AM

Authored by: Arunpreet Singh and Roman Vasilenko

Topics: Full-system Emulation, Kernel exploits, HackingTeam, Breach

Dissecting Turla Rootkit Malware Using Dynamic Analysis

Posted by Arunpreet Singh on 4/8/15 7:00 AM

Many of today’s advanced persistent threats have been climbing up the ladder - quite literally: Instead of only using user-mode components, APTs more and more frequently include components that are running as part of the operating system kernel.

These kernel components run with the same privileges as, or even higher privileges than, most security solutions, and are thus outside the reach of traditional layers of protection. At the same time, running in the context of the kernel also evades scrutiny from security analysts as well as traditional analysis sandboxes, as we described in a previous blog post.

In this post, we want to dive deeper into one specific family containing a kernel component: Turla APT. We summarize some of the tricks the malware authors use to bypass security mechanisms present in the Windows operating system kernel. These tricks have been studied by security experts previously [1, 2], and we show how Lastline’s high-resolution sandbox is able to track this activity fully automatically to detect this threat and protect users.

Topics: Evasive Malware, Turla, Kernel Rootkit Analysis

Not so fast my friend - Using Inverted Timing Attacks to Bypass Dynamic Analysis

Posted by Arunpreet Singh on 11/18/14 10:35 AM

We're very happy that a lot of you are enjoying our research. If you'd like to discuss this topic with us, please tweet @LastlineLabs or comment on HackerNews and we'll join you!

Authored by: Arunpreet Singh and Clemens Kolbitsch

Dynamic malware analysis - or sandboxing - has become a central piece of every major security solution... and so has the presence of evasive code in malicious software. Practically all variants of current threats include some sort of sandbox-detection logic.

One very simple form of evasive code is to delay execution of any suspicious functionality for a certain amount of time. The basic idea is to exploit the fact that dynamic analysis systems monitor execution for a limited amount of time and, in the absence of malicious behavior, classify a program as benign. On a victim machine, on the other hand, delaying behavior for a few minutes has no real impact, so the attacker can easily achieve different behavior in the analysis environment than on a real target machine.

The easiest, and definitely most prevalent method of stalling behavior is to make a program “sleep” for a certain amount of time. Since this is such a common behavior, most analysis sandboxes are able to detect this kind of evasion, and in most cases, simply “skip” the sleep. While this sounds like a simple solution, it can have a wide range of unintended effects as we will see in this blog post.

Topics: Evasive Malware, Dynamic Malware Analysis