Malware Analysis Introduction Part 1
“It was the last year of the 2010s, and cybercriminals let the world know they meant business.
From an increase in enterprise-focused threats to the diversification of sophisticated hacking, evasion, and stealth techniques to aggressive adware aimed at Androids, the 2019 and 2020 threat landscape was shaped by a cybercrime industry that was all grown up.”
This blog-post is part of what malware analysis is, how to work with the tools and tips from the field.
What is Malware Analysis
Malware analysis is the process of understanding the behavior and purpose of a suspicious file or a suspicious URL.
The value of malware analysis is that they assist with incident responders process and security analysts; an important high-level point in Malware Analysis is:
- Pragmatically triage incidents by the level of severity.
- Uncover hidden indicators of compromise that should be blocked
- Uncover unhidden indicators of compromise that can be blocked
- Improve the effectiveness of IOC alerts and notifications
- Enhancecontext when threat hunting
Types of Malware Analysis
There are several types of malware, and the main types are static, dynamic, hybrid, memory forensics, and more.
The Basic Static analysis doesn’t require a running code or a running file. Instead, the static analysis checks the file for signs of malicious intent, and it can help identify malicious infrastructure, libraries, or packed files.
Technical indicators are identified, such as hashes, strings, file (header or names), domains, and data can be used to determine whether that file is malicious.
Note: Analysts can use disassemblers and network analyzers to inspect the malware without running it to collect how the malware works.
Since static analysis doesn’t run the code itself, advanced malware can include malicious runtime behavior that can go undetected by static analysis. This action can be done by determining the malware binary signature; the signature is a unique identification for the binary file.
In malware analysis, you will be looking at each of that static information. What is data inside the? How can the findings be useful in the analysis process? How can we extract the data from them?
Dynamic malware analysis is the method used for extracting and determining malware’s execution functions.
The Dynamic malware analysis executes suspected malicious code in a safe environment called a sandbox. This restricted system enables you to view the malware in action without the risk of allowing it to infect their system or escape into the production environment.
The dynamic analysis gives threat hunters and incident responders deeper visibility, enabling them to uncover the real state. If you’ve got an automated sandboxing system, it can reduce the time it would take to perform the reverse engineer and shorten the time to discover the malicious code that runs behind.
The main challenge with dynamic analysis is that adversaries are intelligent. In most scenarios, they know how sandboxes are out there and how they are working, so they have become skilled at identifying them.
To bypass a sandbox, adversaries hide code inside malware that may remain dormant until some conditions are reached, and once the goal is reached, the code is running.
The hybrid analysis combines both Static analysis and dynamic analysis. Cuz’ Static analysis cannot detect an advanced malicious code, the Dynamic is come to the rescue and allows you to catch the advanced malicious code.
By blending static and dynamic analysis techniques, the hybrid analysis provides the best of both analysis types.
Hybrid malware, also known as combo malware, combines two or more types of attacks, usual ransomware with other malware.
Hybrid analysis can detect malicious code trying to hide and then extract compromise indicators by statically and previously unseen code.
Besides, hybrid malware may also combine a virus’s ability to change program code to hide in live memory and propagate a user’s parser without any action.
Types of Malware
There are many types of Malware. Some of them are new, some of them are renewed, and some of them still old – But the common denominator for them is that they can all cause harm in one way or another.
Fileless malware is a threat that uses code that already exists within your computer or device to take out an attacker’s agenda.
The correct way to describe it is a type of attack that involves attackers living off the land (LOTL and even LOLBins) because they’re simply using advantage of legitimate tools and software that exist within your computer.
These fileless attacks usually rely on executables, tools, and scripts that include Windows PowerShell, Office documents, and any Windows extubate file and program.
The uniqueness of this threat particularly dangerous is that it’s tough to detect. Because it doesn’t require downloads or executables like traditional malware, it can drive many conventional anti-malware tools.
Ransomware is a form of malware and is malicious software that infects your machine and displays messages demanding a payment to be paid to work again for your system. This malware class is a criminal moneymaking scheme that can be installed through deceptive links in an email message, instant message, or website.
Once ransomware is downloaded and opened, it can take over the victim’s machine, especially if they have built-in social engineering tools that trick users into allowing administrative access.
Some other, more aggressive forms of ransomware, like NotPetya, exploit security holes to infect computers without requiring to trick users.
Cryptomining malware or Cryptojacking is also known as a crypto miner or crypto-mining malware that cybercriminals use to mine cryptocurrency. According to the CISA, it does this by running complex mathematical calculations to mine new coins, which the cybercriminals then keep for themselves.
Cryptojacking is the unauthorized use of someone else’s device to mine cryptocurrency.
A Rootkit is a remote access tool (RAT) or application that provides remote admin access to devices. This isn’t bad in and of itself. But, as you can imagine, this means that they can cause a lot of damage if they’re put to work by someone with devious intentions.
Rootkits posture is a significant security risk cuz it can act in many ways. For example, rootkits are typically associated with malware such as worms, viruses, and trojans.
Rootkits can change core files and mask other malware that may be hiding within your system. As a result, many conventional antivirus tools strive to detect them. They give unfettered access to a device without them ever knowing it.
Keyloggers are a specific type of spyware known as a keylogger. A keylogger is a type of hardware or software that records everything you type without needing access to what’s on your monitor.
That’s because it records all of your keyboard activities. Basically, every keystroke you type on your keyboard. The benefit of this to adversaries that it allows them to monitor activities and capture sensitive information such as your account credentials and passwords.
There are many other malware types such as viruses, worms, trojan, spyware botnet, and more.
The next blog-post will be focused on Malware Analysis Introduction Part 2