Lastline Labs

Three interesting changes in malware activity over the past year

Posted by Dr. Christopher Kruegel on 3/31/16 5:00 AM

Every day, our Lastline sensors observe millions of files that our customers download from the Internet or receive as email attachments. These files are analyzed and, in many cases, executed or opened inside our sandbox. The sandbox is a secure, instrumented analysis environment where we can safely look for interesting behaviors that indicate bad intentions and outright malice. 

Every once in a while, we take a step back and look at the malicious behaviors that we have seen. Malware authors always look for new ways to make money, get access to sensitive data, and evade detection. They introduce new behaviors, refine ideas that they have tried in the past, and add tricks to bypass security controls. By looking over the data collected over the last year, we discovered a few interesting trends that show some of the directions that malware authors take. In this research note, we discuss three findings that struck us as interesting and worth reporting. As a fourth bonus item, we also revisit evasive behaviors, something that we have been tracking for many years.

Topics: Evasive Malware, Bank Malware, Lastline Labs, Banking Trojan, Browser Modification, Code Signing

Defeating Darkhotel Just-In-Time Decryption

Posted by Arunpreet Singh on 11/5/15 10:00 AM

Authored by: Arunpreet Singh and Clemens Kolbitsch

Topics: Evasive Malware, Full-system Emulation, APT, Just-In-Time Decryption, Darkhotel

Lifting the Seams of the Shifu "Patchwork" Malware

Posted by Clemens Kolbitsch on 9/4/15 3:55 PM

Authored by: Clemens Kolbitsch and Arunpreet Singh

Topics: Evasive Malware, Full-system Emulation, APT, Shifu, Banking Trojan

Turla: APT Group Gives Their Kernel Exploit a Makeover

Posted by Arunpreet Singh on 7/30/15 9:00 AM

Authored by: Arunpreet Singh and Clemens Kolbitsch

Topics: Evasive Malware, Turla, Kernel exploits, APT

Exposing Rombertik - Turning the Tables on Evasive Malware

Posted by Joe Giron on 5/14/15 9:00 AM

Authored by: Joe Giron and Clemens Kolbitsch

Waves of evasive malware keep rolling in. The latest in the series: Rombertik. This malware variant uses a whole arsenal of ways to hide its functionality, including multiple layers of obfuscation to hinder static analysis, as well as stalling code to bypass execution in a sandbox.

But even beyond the obfuscation techniques, this family uses nifty tricks to stay under the radar of security solutions, as we cover in this post.

Topics: Evasive Malware, Rombertik Malware, Stalling Loop

Labs Report at RSA: Evasive Malware’s Gone Mainstream

Posted by Dr. Christopher Kruegel on 4/21/15 10:00 AM

This afternoon at the RSA Conference in San Francisco, I will present on “Evasive Malware: Exposed and Deconstructed.” During that presentation, I’ll lead a discussion around the dramatic growth of evasive malware, the increasingly sophisticated behaviors observed in the past year, and what that means for enterprise security professionals and the processes, tools and techniques that they use to protect their organizations.

Topics: Evasive Malware, Malware Analysis, NGO, Antivirus Detection Rates, RSA 2015

Malware in the Wild: Evolving to Evade Detection

Posted by Dr. Engin Kirda on 4/15/15 3:03 PM

Advanced malware is behind many headline-grabbing data breaches, and untold others. It has evolved to elude detection by sensing its environment and – if anti-malware technology is detected – performing evasive maneuvers. Once it gains entry, the malware can lie dormant until the attacker chooses to strike. Malware has also developed symbiotic relationships, with one type facilitating distribution of another type that exploits the compromised system (for example, GoZeus and Cryptolocker).

Topics: Evasive Malware, Malware in the wild, SXSW 2015

Dissecting Turla Rootkit Malware Using Dynamic Analysis

Posted by Arunpreet Singh on 4/8/15 7:00 AM

Many of today’s advanced persistent threats have been climbing up the ladder - quite literally: Instead of only using user-mode components, APTs more and more frequently include components that are running as part of the operating system kernel.

These kernel components run with the same, or even higher, privileges than most security solutions, and are thus outside the reach of traditional layers of protection. At the same time, running in the context of the kernel also evades scrutiny from security analysts as well as traditional analysis sandboxes, as we described in a previous blog post.

In this post, we want to dive deeper into one specific family containing a kernel component: Turla APT. We summarize some of the tricks the malware authors use to bypass security mechanisms present in the Windows operating system kernel. These tricks have been studied by security experts previously [1, 2], and we show how Lastline’s high-resolution sandbox is able to track this activity fully automatically to detect this threat and protect users.

Topics: Evasive Malware, Turla, Kernel Rootkit Analysis

Carbanak Malware — Ninety Five Percent Exhibits Stealthy or Evasive Behaviors

Posted by Dr. Christopher Kruegel on 2/19/15 12:00 PM

We’ve talked a lot about the increasing sophistication of malware and the serious threats it poses. But it’s rare to be able to analyze malware that is evasive or stealthy and has already been deployed in the wild to carry out cybercrime without being detected by in-place security systems for months.

From the Security Analyst Summit in Cancun this week, Kaspersky Labs published a report detailing a bank heist purported to rake in as much as $1 billion since late 2013 from banks around the world using a series of sophisticated attacks that may still be underway.

According to Kaspersky, Carbanak malware was deployed to infiltrate banks, take over ATMs, adjust balances and transfer funds via remote access. To better understand how the malware used in these attacks evaded detection by traditional security technology for so long, we took a closer look at all of the 74 Carbanak malware samples available to us through VirusTotal (nearly 70% of those listed in the report).

Topics: Evasive Malware, Bank Malware, Carbanak, Kaspersky Labs

Not so fast my friend - Using Inverted Timing Attacks to Bypass Dynamic Analysis

Posted by Arunpreet Singh on 11/18/14 10:35 AM

We're very happy that a lot of you are enjoying our research. If you'd like to discuss this topic with us, please tweet @LastlineLabs or comment on HackerNews and we'll join you!

Authored by: Arunpreet Singh and Clemens Kolbitsch

Dynamic malware analysis - or sandboxing - has become a central piece of every major security solution... and so has the presence of evasive code in malicious software. Practically all variants of current threats include some sort of sandbox-detection logic.

One very simple form of evasive code is to delay execution of any suspicious functionality for a certain amount of time - the basic idea is to leverage the fact that dynamic analysis systems monitor execution for a limited amount of time, and in the absence of malicious behavior classify a program as benign. On a victim machine, on the other hand, delaying behavior for a few minutes does not have a real impact, allowing the attacker to easily achieve different behavior in the analysis environment and on a real target machine.

The easiest, and definitely most prevalent, method of stalling behavior is to make a program “sleep” for a certain amount of time. Since this is such a common behavior, most analysis sandboxes are able to detect this kind of evasion and, in most cases, simply “skip” the sleep. While this sounds like a simple solution, it can have a wide range of unintended effects, as we will see in this blog post.

Topics: Evasive Malware, Dynamic Malware Analysis