Security researchers at ESET have been taking a deep-dive into a new cryptomining module distributed by the Stantinko crime group's botnet. What they found took a lot of looking for; new obfuscation techniques that had not been publicly described until now. Of course, malware obfuscation is nothing new in and of itself, it's part and parcel of attack methodology. Understanding how malware obfuscation techniques are evolving, however, is something that every enterprise security team needs to be on top of.
Vladislav Hrcka, the malware analyst at ESET who authored the 'Stantinko’s new cryptominer features unique obfuscation techniques' report, explains how the Stantinko cryptomining module employs various techniques to thwart analysis and so evade detection.
This new module uses techniques including "meaningful strings" that are only present in memory when they are to be used and control flow flattening that transforms into "a form that is hard to read" along with the execution order of basic blocks so as to be unpredictable.
The researchers also found evidence of dead code that is never executed but exists to make the files themselves appear legitimate and "do-nothing code" that is executed but does nothing of any real purpose other than to try and fool behavioural detection systems.
"The criminals behind the Stantinko botnet are constantly improving and developing new modules that often contain non-standard and interesting techniques," said Hrcka.
Of course, as Hrcka points out to SC Media UK, these obfuscation techniques are solely meant to obstruct reverse engineering and analysis of programs, and don't make the malware impossible to detect, even when the authors additionally attempt to bypass some layers of protection.
But is the broader problem of evolving malware obfuscation techniques one that enterprise security teams need to come to terms with. SC Media UK reached out to information security professionals for answers.
Daniel Goldberg, senior cyber-security and computer crime researcher at Guardicore Labs, doesn't think so.
"Enterprise security teams should totally avoid thinking about malware obfuscation and detecting specific strains, and focus 100 percent of their efforts on detecting abnormal behaviour. Malware changes, but the vast majority use the network to communicate with hackers. Catch them there and stop playing whack a mole," he told SC Media UK.
Oliver Pinson-Roxburgh, co-founder at Bulletproof, agrees that dealing with obfuscation is challenging for people that are not experienced at both spotting the techniques, but also investigating and tearing them apart without experience.
"It’s also challenging for vendors to keep up with the techniques, as in the examples we have seen the methods used cannot be easily understood by a machine. You could always detonate the malware and watch what happens, which is risky and again requires expertise to understand what normal looks like, as well as being time-consuming," Pinson-Roxburgh said.
Even checking for obvious signs of obfuscation comes with the risk of increasing the false-positive count and, once de-obfuscated, we still need to understand code, which is also something most businesses don’t have the experience in doing, he added.
Yossi Naar, chief visionary officer at Cybereason, argued that the first line of defence against malware obfuscation is to "move up the value chain from signatures that are easy to obfuscate up to tools, techniques and procedures".
The key to automatically detecting them is "in utilising tools that understand and can describe behaviours vs simple signatures", he said.
Tomislav Pericin, chief software architect at ReversingLabs, admits that how enterprise security teams can best deal with evolving malware obfuscation is a difficult question to answer.
In terms of detection, he says, "machine-learning-based algorithms and human-assisted heuristics have the best chance of finding new custom packers, but discerning what is custom, versus what is traditionally packed, is really hard."
However, when it comes to analysis, Pericin points to a combination of static and dynamic analysis to peer into the protected code. Reverse-engineering tooling is key, and staff should understand how it all works.
"The value of the code that needs to be analyzed really dictates the level of spend the organization might want to invest. Unfortunately, this calculation is often done post fact, when the incident already occurs, and needs to be repeated for every file that needs analysis," Pericin said.
Paul Ducklin, principal research scientist at Sophos, told SC Media UK that "ironically, perhaps, some attackers are finding what you might call 'unobfuscation' to be an even more effective tool."
They opt for “living-off-the-land methodology whereby they lie low, act normal, dress like the locals, eat the same food, speak the same language. In other words, they use conventional software tools in unconventional and deceitful ways, he explained.
Ultimately, layered defence is an important part of the answer, said Ducklin. "Security responders then have the data, and the context for it, that they need not only to spot honest and legitimate users who've been tricked into running disguised, malicious software, but also to spot malicious actors who are deliberately but dishonestly using legitimate, unexceptionable software."