Malware Evasion: Why It Works
Guy Rosefelt, Security Product Marketing Director, Sangfor Technologies


Page 1: Malware Evasion: Why It Works

Speaker: Guy Rosefelt, Security Product Marketing Director, Sangfor Technologies

Page 2: Contents

01 Malware Evasions
02 How to Fight Against AI-Attacks
03 Use Case
04 Takeaways

Page 3: PART 1 Malware Evasions

Page 4: Has Your Organization Experienced These Problems?

• Using best-of-breed security devices but still getting infected by ransomware
• A second wave or recurrence of a breach or infection that was believed to be cleaned up

Page 5: How Could This Happen?

Attackers are using the newest technology available to attack your network and bypass your existing security systems.

Page 6: Types of Malware

Virus, Trojans, Ransomware, Adware, Spyware, Worms, Keyloggers, Fileless Malware, Rootkits, Botnet

Page 7: Malware Transmission Method

| Method | How it spreads | Typical target |
|---|---|---|
| Phishing email | Malicious code embedded in an attachment (e.g. Locky, Petya variant) | Personal PC |
| Brute force | Brute-forcing RDP/SSH/SMB/database services (e.g. .java, GlobeImposter variant) | Servers with remote access |
| Worms | Vulnerability and command exploitation (e.g. WannaCry, Petya variant) | No specific target |
| Exploit kit | Backlink, iframe and drive-by download (e.g. Cerber) | Vulnerable server |

Page 8: Advanced Evasion Techniques

• 0-day vulnerability exploits
• Variants of known malware
• Advanced botnets

Page 9: Malware Sandbox Evasion Techniques

• Delaying execution
• Hardware detection
• CPU detection
• User detection
• Environment detection

Page 10: Malware Sandbox Evasion Techniques: Delaying Execution

• A sandbox allocates a finite amount of time (usually only several minutes) to each analysis.
• The malware uses the Windows "Sleep" or "NtDelayExecution" APIs to wait out that window before doing anything malicious.
• Because many sandboxes short-circuit or fast-forward sleeps, the malware takes a timestamp, goes to sleep, and checks the timestamp again on waking up: if less time has passed than it asked for, it knows it is being analysed and stays dormant.
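The timestamp-around-sleep check described above, as an added Python example that is not code from the deck or from Sangfor. The two sandbox behaviours are simulated: one hook returns from the sleep immediately, the other fast-forwards a single clock source, which is the shortcut a sleep-skipping sandbox typically takes. The clock names, the 0.2 s delay and the 50% tolerance are the example's own choices.

```python
import time


class FastForwardSandbox:
    """Constructed stand-in for a sandbox that 'skips' sleeps by advancing
    one clock source instead of waiting. Other clocks keep real time."""

    def __init__(self):
        self.offset = 0.0

    def tick_clock(self):
        # The clock the sandbox adjusts (think of a tick counter); demo assumption.
        return time.monotonic() + self.offset

    def sleep(self, seconds):
        self.offset += seconds  # no real delay at all


def detect_sleep_tampering(sleep_fn, requested, clocks, tolerance=0.5):
    """Take timestamps, sleep, take them again, and compare.

    sleep_fn -- the Sleep/NtDelayExecution equivalent under test
    clocks   -- name -> zero-argument function returning seconds
    Returns True if any clock saw far less than the requested delay, or if
    the clock sources disagree with each other about how long we slept.
    """
    before = {name: clock() for name, clock in clocks.items()}
    sleep_fn(requested)
    elapsed = {name: clock() - before[name] for name, clock in clocks.items()}
    too_fast = any(e < requested * tolerance for e in elapsed.values())
    disagree = (max(elapsed.values()) - min(elapsed.values())) > requested * tolerance
    return too_fast or disagree


def run_demo(requested=0.2):
    """Run the check against a real sleep and two simulated sandbox hooks."""
    real_clocks = {"monotonic": time.monotonic, "wall": time.time}
    sandbox = FastForwardSandbox()
    return {
        "real_system": detect_sleep_tampering(time.sleep, requested, real_clocks),
        "sleep_skipped": detect_sleep_tampering(lambda s: None, requested, real_clocks),
        "clock_fast_forwarded": detect_sleep_tampering(
            sandbox.sleep, requested,
            {"monotonic": time.monotonic, "tick": sandbox.tick_clock},
        ),
    }


if __name__ == "__main__":
    print(run_demo())  # {'real_system': False, 'sleep_skipped': True, 'clock_fast_forwarded': True}
```

The defensive reading of this: a sandbox that patches Sleep must either really wait (a longer analysis budget) or move every clock source the sample can reach by the same amount, because a disagreement between clocks is itself a tell.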

Page 11: Malware Sandbox Evasion Techniques: User Detection

The malware looks for signs of a real, interactive user rather than an automated analysis environment:
• Mouse cursor position
• Screen resolution
• File count
• Running tools (analysis and monitoring software)
• Application/window/process count

Page 12: DeepLocker: AI-Powered Concealment

1. Target class concealment: does not reveal what kind of target it is looking for (e.g. person, organization).
2. Target instance concealment: if the target class is an individual, it does not reveal who it is looking for.
3. Malicious intent concealment: the payload is fully encrypted, concealing how the final attack is executed.
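To show why the three layers of concealment defeat static analysis and sandboxing, here is an added Python sketch of the locking scheme (not DeepLocker's code and not from the deck). DeepLocker derives the decryption key from a neural network's output on target attributes; this example replaces the network with a hash over an attribute byte string, uses a SHA-256 counter keystream in place of a real cipher, and uses a placeholder payload and placeholder attribute strings. All of those are the example's assumptions.

```python
import hashlib


def derive_key(features: bytes) -> bytes:
    """Stand-in for the neural network: a one-way function whose output is
    stable only for the intended target's attributes (demo assumption; the
    real system tolerates fuzzy inputs such as a face or a voice)."""
    return hashlib.sha256(b"demo-key-derivation|" + features).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Illustrative stream cipher built from SHA-256 counter blocks; a real
    implementation would use a standard cipher such as AES."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def lock_payload(payload: bytes, target_features: bytes):
    """Encrypt the payload under a key that exists only as a function of the
    target. The carrier holds the locked bytes and a short tag; neither the
    target's identity nor the payload is recoverable from them alone."""
    key = derive_key(target_features)
    tag = hashlib.sha256(b"tag|" + key + payload).digest()[:8]
    return keystream_xor(key, payload), tag


def try_unlock(locked: bytes, tag: bytes, observed_features: bytes):
    """What the loader does at run time: derive a key from whatever it can
    observe and check the tag. On a sandbox or the wrong host the tag fails
    and the payload stays opaque."""
    key = derive_key(observed_features)
    candidate = keystream_xor(key, locked)
    if hashlib.sha256(b"tag|" + key + candidate).digest()[:8] != tag:
        return None
    return candidate


def run_demo():
    payload = b"<constructed placeholder, not a real payload>"
    target = b"target-attributes:example-person"  # constructed attribute string
    locked, tag = lock_payload(payload, target)
    return {
        "unlocks_on_target": try_unlock(locked, tag, target) == payload,
        "stays_locked_on_sandbox": try_unlock(locked, tag, b"target-attributes:sandbox-vm") is None,
        "plaintext_visible_in_carrier": payload in locked,
    }
```

The consequence for a sandbox is that running the sample proves nothing: without the target's attributes the loader never produces the payload, so neither behavioural nor static inspection of the carrier reveals what it would do.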

Page 13: DGA Algorithm Techniques

Typical DGA: randomly generated and unreadable to humans
rhpmt.ws, ciscqq.ws, qckjqqel.ws, wotybgr.ws, qqjyfit.ws, dhlfqaegj.ws, mcoenfeoy.ws, lhtryk.ws

Variant 1: joining a word with random letters and digits
speeh4ab5893940.me, speeh062e9c0b96.cloud, speeh062e9c0b96.vip, speehe34a33001b.cloud

Variant 2: joining dictionary words
fallcity.ru, strengthbright.net, fiftytold.net, verygrow.net, favorleft.ru, callwear.net, wellthirteen.net, picturestream.ru

DGA characteristics:
1. The names that do resolve all resolve to the same IP (the C&C server)
2. More than 90% of the generated names cannot be resolved, because the attacker registers only a few of them
3. Human unreadable
4. Single use
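As an added Python example (not Sangfor's detector), the lexical features a DNS-log classifier would compute over the three families above: Shannon entropy of the second-level label, digit ratio, and how much of the label a dictionary can cover. The tiny word list and the two thresholds are the example's own constructions.

```python
import math
from collections import Counter

# The three families of names shown on the slide.
DGA_SAMPLES = {
    "typical": ["rhpmt.ws", "ciscqq.ws", "qckjqqel.ws", "wotybgr.ws",
                "qqjyfit.ws", "dhlfqaegj.ws", "mcoenfeoy.ws", "lhtryk.ws"],
    "words_plus_random": ["speeh4ab5893940.me", "speeh062e9c0b96.cloud",
                          "speeh062e9c0b96.vip", "speehe34a33001b.cloud"],
    "joined_words": ["fallcity.ru", "strengthbright.net", "fiftytold.net", "verygrow.net",
                     "favorleft.ru", "callwear.net", "wellthirteen.net", "picturestream.ru"],
}

# Constructed mini dictionary for the demo; a real detector uses a full word list.
WORDS = {"fall", "city", "strength", "bright", "fifty", "told", "very", "grow",
         "favor", "left", "call", "wear", "well", "thirteen", "picture", "stream"}


def second_level_label(domain):
    """'rhpmt.ws' -> 'rhpmt'; the TLD carries no signal for these features."""
    return domain.lower().split(".")[0]


def shannon_entropy(s):
    """Bits per character of the label."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def digit_ratio(s):
    return sum(ch.isdigit() for ch in s) / len(s)


def dictionary_coverage(s, words=WORDS):
    """Fraction of the label covered by dictionary words (greedy longest match)."""
    covered, i = 0, 0
    while i < len(s):
        match = max((w for w in words if s.startswith(w, i)), key=len, default=None)
        if match:
            covered += len(match)
            i += len(match)
        else:
            i += 1
    return covered / len(s)


def features(domain):
    label = second_level_label(domain)
    return {"entropy": shannon_entropy(label),
            "digit_ratio": digit_ratio(label),
            "dict_coverage": dictionary_coverage(label)}


def looks_generated_lexically(domain):
    """Illustrative rule: flag labels that are mostly non-words or digit-heavy.
    The thresholds are the example's own choice, not tuned values."""
    f = features(domain)
    return f["dict_coverage"] < 0.5 or f["digit_ratio"] > 0.3
```

Two things the numbers show. Entropy on its own is a weak feature: "rhpmt" scores log2(5) ≈ 2.32 bits while the readable "fallcity" scores 2.75, because entropy grows with label length and character diversity, not with randomness as a human sees it. Dictionary coverage separates the typical DGA and Variant 1 from Variant 2, but Variant 2 passes every lexical test, which is exactly why the behavioural characteristics listed on the slide (shared resolved IP, >90% NXDOMAIN, single use) are needed alongside the name itself.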

Page 14: The Impact of AI-Based Attacks

Business impact:
• Ransomware infection: the attacker uses weaponized AI attacks to bypass security systems, builds C&C connections to their server, and automatically downloads the ransomware executable.
• IT assets under attacker control: the attacker uses your assets to generate illegal profit (cryptomining, DDoS-as-a-service, etc.).
• Data breach: the attacker splices sensitive words into generated domain names and sends the requests to their server, so the data leaves through DNS.

Page 15: PART 2 How to Fight Against AI-Attacks

Page 16: AI/ML Techniques

• From the normal point of view: use baselines to find anomalies. Baseline server traffic and look for behaviour that deviates from the baseline.
• From the threat point of view: use anomalies to find anomalies. Some C&C domain names used by a virus family all resolve to the same IP address, so the family can be identified from that behaviour.
• From the lateral point of view: use correlations to find anomalies. The propagation behaviour of variants from the same virus family will be similar.

Page 17: Use Baselines To Find Anomalies

Hosts are first grouped by label (A, B, C, ...), then one of two pipelines runs.

Pipeline A (host clustering):
A1. Host label + access relationship
A2. Vectorization
A3. TF-IDF
A4. Anomaly detection based on Isolation Forest
A5. DBSCAN host clustering

Pipeline B (per-host comparison with history):
B1. Host label + access relationship
B2. Vectorization
B3. Cosine similarity with the host's historical behaviour vector
B4. Novelty detection
B5. Cosine similarity with other hosts
B6. Take the lowest 10% of the arithmetic average
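Pipeline B reduced to runnable form, as an added Python example that is not Sangfor's implementation: each host's access relationship is vectorized as a count of destinations, compared by cosine similarity with that host's own history vector (steps B1 to B4), and the hosts in the lowest 10% are surfaced (B6). Step B5, the comparison against other hosts of the same label, is left out, so the average in B6 is over the history score alone. The access records, host names and destination names are constructed for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed access records (host, destination); not real traffic.
HISTORY = [
    ("ws01", "mail.corp"), ("ws01", "files.corp"),
    ("ws02", "mail.corp"), ("ws02", "erp.corp"),
    ("ws03", "files.corp"), ("ws03", "erp.corp"),
    ("ws04", "mail.corp"), ("ws04", "files.corp"),
    ("ws05", "mail.corp"), ("ws05", "erp.corp"),
]
TODAY = [
    ("ws01", "mail.corp"), ("ws01", "mail.corp"), ("ws01", "files.corp"), ("ws01", "files.corp"),
    ("ws02", "mail.corp"), ("ws02", "erp.corp"),
    ("ws03", "files.corp"), ("ws03", "erp.corp"), ("ws03", "erp.corp"),
    ("ws04", "mail.corp"), ("ws04", "files.corp"),
    ("ws05", "mail.corp"), ("ws05", "ppxxu.ru"), ("ws05", "ppxxu.ru"), ("ws05", "ppxxu.ru"),
]


def vectorize(records):
    """B1/B2: host -> Counter of destinations (its access relationship)."""
    vectors = defaultdict(Counter)
    for host, dest in records:
        vectors[host][dest] += 1
    return vectors


def cosine(a, b):
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    norm_a = math.sqrt(sum(v * v for v in a.values()))
    norm_b = math.sqrt(sum(v * v for v in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def history_similarity(history, today):
    """B3/B4: similarity of each host's current vector to its own history.
    A host with no history at all scores 0, i.e. it is entirely novel."""
    past, now = vectorize(history), vectorize(today)
    return {host: cosine(past.get(host, Counter()), vec) for host, vec in now.items()}


def lowest_fraction(scores, fraction=0.10):
    """B6: the hosts in the lowest 10% of scores (always at least one)."""
    k = max(1, math.ceil(len(scores) * fraction))
    return [host for host, _ in sorted(scores.items(), key=lambda kv: kv[1])[:k]]


if __name__ == "__main__":
    scores = history_similarity(HISTORY, TODAY)
    print(sorted(scores.items()), lowest_fraction(scores))
```

With this data ws01, ws02 and ws04 score 1.0 (same destinations, only the volume changed), ws03 scores about 0.95, and ws05, which started talking to a destination it never used before, scores about 0.22 and is the host surfaced. Cosine similarity is deliberately volume-insensitive, which is why a host that merely got busier is not flagged.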

Page 18: Use Anomalies To Find Anomalies

(Figure: a comparison of normal Internet access against abnormal Internet access.)

Page 19: Use Correlations To Find Anomalies

Ransomware PE file structure (figure): DOS MZ header; DOS stub; PE file header (PE signature); Image_Optional_Header; data directories; section table (array of Image_Section_Headers); sections (.text, .data, .rsrc, .idata).

Feature pipeline:
1. Original features (byte level): IPs, ports, registry keys, assembly instructions, etc.
2. Feature training based on semantics: high-level features that capture the essential behaviour (e.g. network connection test, file encryption, write to the registry, autostart).
3. Feature selection: keep the high-quality features, i.e. the ones most effective for deciding whether the file is malware (e.g. file encryption, autostart).
4. Classification model (training/prediction).
5. Result.
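The byte-level stage of that pipeline, as an added Python example (not Sangfor's Engine-Zero): it parses the PE headers the figure lists, walks the section table and reports two static features a classifier might consume, the Shannon entropy of each section and whether a section is mapped both writable and executable. The sample PE is built in code from a fixed layout with an empty optional header; it is constructed for the parser, is not a real binary and cannot run.

```python
import hashlib
import math
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data):
    """Bits per byte; values near 8.0 are typical of packed or encrypted sections."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_sample_pe(sections):
    """Constructed minimal PE: DOS header with e_lfanew, PE signature, COFF
    file header with SizeOfOptionalHeader = 0, section table, raw section data.
    sections = [(name, content, characteristics), ...]"""
    dos_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)  # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0x0022)
    raw_offset = len(dos_header) + 4 + len(coff) + 40 * len(sections)
    table, raw, rva = b"", b"", 0x1000
    for name, content, flags in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\x00"), len(content), rva,
                             len(content), raw_offset, 0, 0, 0, 0, flags)
        raw += content
        raw_offset += len(content)
        rva += 0x1000
    return dos_header + b"PE\x00\x00" + coff + table + raw


def parse_pe(blob):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if blob[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file: missing PE signature")
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", blob, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size  # Image_Optional_Header is skipped via its declared size
    sections = []
    for i in range(nsections):
        (name, _, _, raw_size, raw_ptr,
         _, _, _, _, flags) = struct.unpack_from("<8sIIIIIIHHI", blob, table + 40 * i)
        content = blob[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "entropy": shannon_entropy(content),
            "executable": bool(flags & IMAGE_SCN_MEM_EXECUTE),
            "writable": bool(flags & IMAGE_SCN_MEM_WRITE),
        })
    return {"machine": machine, "characteristics": chars, "sections": sections}


def static_indicators(parsed, entropy_threshold=7.0):
    """Byte-level features for the classifier: high-entropy sections (packed or
    encrypted content) and sections that are both writable and executable."""
    hits = []
    for s in parsed["sections"]:
        if s["entropy"] > entropy_threshold:
            hits.append(f"high-entropy section {s['name']}")
        if s["writable"] and s["executable"]:
            hits.append(f"writable+executable section {s['name']}")
    return hits


def demo_blob():
    """Constructed sample: a low-entropy .text and a pseudo-random .data, the
    profile an encrypted or packed payload leaves behind."""
    text = b"\x90" * 64 + b"\xC3"
    data = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
    return build_sample_pe([(b".text", text, 0x60000020), (b".data", data, 0xC0000040)])
```

The parser is the part that matters for the pipeline: a classifier cannot consume a section's entropy until something has located the section table, and a malformed e_lfanew or section pointer must be rejected rather than read past the end of the buffer.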

Page 20: Introduction to Three Types of Machine Learning

Unsupervised: cluster analysis is usually used for pattern mining on unlabeled data; the clustering results require further manual analysis to produce valuable information.

Supervised: classification learning on labeled data generally has two stages:
• Training stage: given a large amount of labeled data, a classification model is trained.
• Usage stage: new, unlabeled data is fed in and the model outputs the predicted labels.
For document detection this is a black-and-white classification problem, which is well suited to supervised learning.

Semi-supervised: by combining low-level features into more abstract high-level representations, the distributed features of the data are discovered. Using a limited amount of labeled data, unknown threats associated with known threats can be found. It can usually address three kinds of problem:
• Clustering analysis
• Classification
• High-level feature extraction

Page 21: [AI + Signature] Continuously Evolving Detection Engines

Why can't we rely on signature-based technology alone?
• With the speed at which threats evolve, AI technology is needed to enhance the ability to detect unknown threats.

Why do we still need signature-based technology?
• AI can't cover all cyber threats; a large number of threats still need signatures to detect them.
• Most AI detection results cannot be confirmed with 100% certainty and need more resources for further investigation, whereas a signature match provides complete confirmation.

A strong security system should include both AI and signature-based technologies.

Feedback loop (figure): anomalies raised by the AI engine go through security analysis; confirmed malicious behaviour is turned into signatures (signature extraction and update) for quick detection by signatures; security events and variant malicious behaviour seen in operation feed back, through operation feedback and data analysis, into the AI detection model, which continuously evolves.

Page 22: AI vs. AI: Sample AI Detection Engines

| Scenario | Data | Main characteristic | Algorithm | Type | Sangfor products |
|---|---|---|---|---|---|
| DNS hidden tunnel | DNS log | Entropy of the valid information in the domain name; access behaviour | Random forest | Supervised | Cyber Command, NGAF, Endpoint Secure |
| DGA domain name | DNS log | Entropy of the valid information in the domain name; access behaviour | NLP, graph analysis | Supervised | Cyber Command, NGAF, Endpoint Secure |
| New malicious domain name | DNS log | Entropy of the valid information in the domain name; access behaviour | NLP, anomaly detection | Supervised + unsupervised | Cyber Command, NGAF, Endpoint Secure |
| Botnet family variant tracking | DNS log | Host / domain name / resolved IP graph structure | Graph analysis | Semi-supervised | Cyber Command, NGAF, Endpoint Secure |
| HTTPS C&C | HTTPS log | TLS handshake, certificate and background flow characteristics | Random forest | Supervised + unsupervised | Cyber Command, NGAF |
| Encrypted RDP and SSH slow brute force | RDP log, SSH log | Access frequency, login status | Random forest | Supervised | Cyber Command, NGAF, Endpoint Secure |
| Website defacement | Web access log | Syntactic features of web content | NLP | Supervised | Cyber Command, NGAF |
| Engine-Zero file anti-virus | Files | Static file characteristics | XGBoost | Supervised | Cyber Command, NGAF, Endpoint Secure |
| Webshell | HTTP log | URL grammar characteristics, traffic behaviour characteristics | NLP | Supervised | Cyber Command, NGAF |
| Abnormal outbound behaviour | Session | Traffic behaviour characteristics | Anomaly detection | Unsupervised | Cyber Command |
| Abnormal login behaviour | Login log | Login behaviour characteristics | Anomaly detection | Unsupervised | Cyber Command |
| Attack path recovery | Multiple logs | Correlation characteristics across logs | Knowledge mapping | Unsupervised | Cyber Command |

Page 23: PART 3 Use Case

Page 24: Core Data and Source Code Exfiltration

Industry: manufacturing
Point of entry: a PC in the office
Apparent objective: exfiltrate data
Security event: organized APT attack from Russia, using an AI algorithm to identify sensitive data and to generate the domain names in which the data is sent out.
Anomalous activity detected: large numbers of DNS requests to ppxxu.ru (a Russian domain name).

• With AI-driven attacks there will be large-scale exfiltration of core data and source code.
• The malware automatically disguises itself as a system file, records keystrokes, and splices words together to send the data out through DNS requests.

(Table in the original, of which only the column headers survive: IP, DNS Request IP, Destination IP, Domain Name Requested, Resolution.)
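A detector for the anomaly in this case, as an added Python example that is not the product's own logic: it profiles DNS queries per source address and registered domain and flags a pair that produces many distinct, never-repeated subdomain labels, which is what keystrokes spliced into query names look like in a log. ppxxu.ru is the domain from the slide; the log lines, the 10.1.1.x addresses, the word list used to build the spliced labels and the thresholds are all constructed for the example.

```python
import itertools
from collections import defaultdict

# Constructed word list used to build spliced-word labels for the sample log.
SENSITIVE_WORDS = ["project", "source", "code", "budget", "payroll",
                   "merger", "draft", "client", "password", "design"]


def build_sample_log():
    """Constructed DNS log, one '<time> <source_ip> <query_name> <rcode>' per line."""
    lines = []
    for i in range(10):  # ordinary traffic from one workstation
        host = "www" if i % 2 else "mail"
        lines.append(f"09:59:{i:02d} 10.1.1.20 {host}.example.com NOERROR")
    # The compromised PC: every query carries a fresh spliced-word label.
    pairs = itertools.islice(itertools.combinations(SENSITIVE_WORDS, 2), 30)
    for i, pair in enumerate(pairs):
        lines.append(f"10:00:{i:02d} 10.1.1.57 {'.'.join(pair)}.ppxxu.ru NXDOMAIN")
    return lines


def split_name(qname):
    """'project.source.ppxxu.ru' -> ('project.source', 'ppxxu.ru').
    Assumes a two-label registered domain; production code would consult
    the public suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def profile_queries(lines):
    """Per (source, registered domain): query count, distinct subdomain labels,
    total label length and NXDOMAIN count."""
    stats = defaultdict(lambda: {"queries": 0, "labels": set(), "label_chars": 0, "nxdomain": 0})
    for line in lines:
        _, src, qname, rcode = line.split()
        sub, domain = split_name(qname)
        s = stats[(src, domain)]
        s["queries"] += 1
        s["labels"].add(sub)
        s["label_chars"] += len(sub)
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
    return stats


def flag_dns_exfiltration(stats, min_queries=20, min_unique_ratio=0.8, min_avg_label=10):
    """Flag pairs with many queries whose labels are almost all distinct and long.
    Thresholds are illustrative. Label entropy is deliberately not used: spliced
    dictionary words look like ordinary hostnames to a lexical test, so the
    signal here is volume and uniqueness, not randomness."""
    flagged = []
    for key, s in stats.items():
        unique_ratio = len(s["labels"]) / s["queries"]
        avg_label = s["label_chars"] / s["queries"]
        if (s["queries"] >= min_queries and unique_ratio >= min_unique_ratio
                and avg_label >= min_avg_label):
            flagged.append(key)
    return flagged
```

In the sample, the workstation's ten queries repeat two labels and are not flagged, while the compromised PC's thirty queries to ppxxu.ru carry thirty different labels, all answered NXDOMAIN, which is the profile of a one-way channel that only needs the query to reach the attacker's authoritative server.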

Page 25: PART 4 Takeaways

Page 26: Takeaways

Cybercriminals are using AI for more targeted and successful attacks:
• Multiple and blended techniques
• Identifying and exploiting 0-day vulnerabilities
• Sophisticated APT evasion techniques
• Higher success rate for breaches

The best way to fight AI is with smarter AI. Deploy innovative AI to stay ahead of attackers:
• Multi-dimensional analysis
• Leverage infinite cloud resources
• Multi-stage AI engines
• Cloud sandbox and analysis
• Business-risk awareness

Page 27: Next Weekly Security Webinar

365 Days Since Sangfor Launched Its Incident Response Service

Abstract: Sangfor Security Services will share some of their cyber incident response use cases for your education. They will also present statistics on how and by whom customers were attacked, as well as mitigation strategies that could be used to combat the attacks.

1 December 2020, 16:00 (GMT+8)

Page 28: Thank You

Guy Rosefelt, Security Product Marketing Director, Sangfor Technologies