Playing Cat and Mouse: Three Techniques Abused to Avoid Detection

Introduction

During our analyses we constantly run into the tricks cyber-attackers use to bypass companies' security defences, some advanced, others not. Many times, regardless of their elegance (or lack of it), these techniques are effective and actually help cyber-criminals get into victims' computers and penetrate company networks.

This technical article aims to bring to light the details of some of the techniques currently abused by various threat actors, in order to help security operators, industry and companies mitigate their effects.

Technical Analysis

The following sections describe three cases we recently dissected, highlighting some of the tricks cyber-criminals and threat groups are currently using to avoid detection. The first two are techniques related to Office documents, used to hide the malicious payload and lure users. The third concerns binary payloads abusing code-signature tricks to evade traditional security controls.

The Broken Doc

Sha256: e2f931207a217983c8608253b137b7874f5b402b15039b3788e5fa2e8fc040da
Threat: CVE-2017-0199 document
Brief Description: Document dropper exploiting CVE-2017-0199
Ssdeep: 96:Hd4+dGCbidUEd9IUfPLIuSdFpMcuGg5mLWStWiWrVMd92cSCedL0m03mbRTiqhrr:C+bcyucyMtWNYk0mqQTnhr5OARQT6

Table 1. Sample information

The first trick we dissected employs a “voluntary document corruption” to persuade the user to restore the original file and download the malicious payload without noticing any suspicious alert. As a case study we chose a Word document containing the CVE-2017-0199 exploit, which allows the document to download and execute arbitrary code at opening time. The following figure shows the external reference to the remote code that will be executed: “hxxps://www.protectiadatelor[.biz/js/Oj1/smile.doc”.

Figure 1. External resource in the analyzed document

Normally, opening a weaponized document such as this one will likely alert a trained, aware user: an unusual popup window warns about the presence of a “link” referring to external files.

Figure 2. Suspicious popup window

This message could look suspicious to the victim, who could then delete the document and avoid the infection. But through the trick we observed, the “user warning” may be bypassed. The sample contains a careful corruption of the document itself: some bytes have been deleted by the attacker without affecting the behavior of the exploit.

Figure 3. Corrupted document

Once the user opens the crafted file, MS Word displays a different popup message: it now reports that the document is corrupted and asks for confirmation to restore it. This is a totally different message from the previous one, leading the victim to think the document is just broken.

Figure 4. Popup window reporting the impossibility of opening the document

After the user clicks “Yes”, MS Word automatically restores the file content and triggers the exploit, which downloads and executes further payloads.
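As an added defender-side example (not code from the post), the following Python triage helper looks for the external oleObject relationship that CVE-2017-0199 documents carry and keeps working when the package has been deliberately damaged: if the ZIP central directory is unreadable it walks the local file headers directly instead of giving up. The package layout, the URL and the corruption step are constructed stand-ins, not the analysed sample.

```python
import io, re, struct, zipfile, zlib

_REL_RE = re.compile(rb"<Relationship\b[^>]*>")

def _attr(tag: bytes, name: bytes) -> bytes:
    m = re.search(rb"\b" + name + rb'="([^"]*)"', tag)
    return m.group(1) if m else b""

def _external_ole_targets(xml: bytes) -> list:
    """Targets of oleObject relationships pointing outside the package (the CVE-2017-0199 pattern)."""
    return [_attr(t, b"Target").decode("utf-8", "replace") for t in _REL_RE.findall(xml)
            if _attr(t, b"Type").endswith(b"/oleObject") and _attr(t, b"TargetMode") == b"External"]

def _raw_entries(data: bytes):
    """Walk ZIP local file headers directly, so a damaged central directory does not stop triage."""
    pos = 0
    while (pos := data.find(b"PK\x03\x04", pos)) >= 0 and pos + 30 <= len(data):
        method, csize, name_len, extra_len = struct.unpack_from("<H8xI4xHH", data, pos + 8)
        start = pos + 30 + name_len + extra_len
        chunk = data[start:start + csize] if csize else data[start:]
        try:  # raw deflate (method 8) or stored (method 0); a damaged entry body is skipped
            payload = zlib.decompressobj(-15).decompress(chunk) if method == 8 else chunk
        except zlib.error:
            payload = b""
        yield data[pos + 30:pos + 30 + name_len], payload
        pos = start + csize

def find_external_ole_targets(data: bytes) -> list:
    """External oleObject targets in a .docx, found even when the ZIP container is broken."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            entries = [(n, zf.read(n)) for n in zf.namelist() if n.endswith(".rels")]
    except zipfile.BadZipFile:
        entries = [(n, p) for n, p in _raw_entries(data) if n.endswith(b".rels")]
    return [t for _, xml in entries for t in _external_ole_targets(xml)]

# Constructed sample relationships part (placeholder URL, not the one from the analysed document).
NS = b"http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
RELS_EXTERNAL = (b'<Relationships><Relationship Id="rId2" Type="' + NS + b'oleObject" '
                 b'Target="hxxps://example.invalid/smile.doc" TargetMode="External"/></Relationships>')

def build_sample(rels: bytes) -> bytes:
    buf = io.BytesIO()  # minimal .docx-like package carrying the given relationships part
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()

def corrupt(data: bytes) -> bytes:
    return data[:-40]  # mimic the "voluntary corruption": the ZIP end record is gone, normal parsing fails
```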

Hide Payload with Office Developer Mode

Other malicious documents we analyzed employ tricks to hide the real payload in MS Office developer control objects: components often not visible to end users. In fact, in most Office installations the Developer tab is disabled by default, which makes it even more difficult to spot the presence of anomalous objects.

This technique was also employed in a sample we analyzed some time ago. At opening time the document looks like many others.

Figure 5. Classic phishing document view

However, analysis of the macro code reveals that the real payload is stored elsewhere, specifically in an object named “Kplkaaaaaaaz”.

Figure 6. Part of macro code embedded in the document

This hidden object appears as a tiny text box right after the macro code is enabled (Figure 7).

Figure 7. Document’s modified view

Without enabling Word's Developer mode, from the appropriate Options menu, it is impossible to select the object and inspect its properties. After enabling it, we were able to explore the object's content: the Base64-encoded payload.

Figure 8. Extracted payload

Using this strategy, the malware writer moves the identifiable payload into a section that is harder to inspect in both automatic and manual analysis, obtaining a lower detection rate during static analysis.
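An added example, not part of the original analysis: a Python scan that pulls Base64 blobs out of every part of a Word package, joining the text runs Word fragments a long string into, so a payload hidden in a text box or control that the normal document view does not show is still surfaced. The document and payload are constructed; the real sample's object content is not reproduced.

```python
import base64
import io
import re
import zipfile

_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")
_W_T = re.compile(rb"<w:t(?:\s[^>]*)?>([^<]*)</w:t>")

def _candidate_blobs(name: str, part: bytes):
    """Yield Base64-looking runs from one package part. Word frequently splits long strings
    across several <w:t> text runs, so for XML parts the runs are joined before matching."""
    text = b"".join(_W_T.findall(part)) if name.endswith(".xml") else part  # binaries: raw scan
    yield from _B64_RUN.findall(text)

def find_hidden_payloads(docx: bytes) -> list:
    """(part name, decoded bytes) for every valid Base64 blob anywhere in the package,
    including content behind text boxes and form controls that the document view hides."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx)) as zf:
        for name in zf.namelist():
            for blob in _candidate_blobs(name, zf.read(name)):
                try:
                    hits.append((name, base64.b64decode(blob, validate=True)))
                except ValueError:
                    continue  # long alphanumeric run that is not Base64 (GUIDs, hex, rsid values)
    return hits

# Constructed payload and document; the real sample's object content is not reproduced here.
PAYLOAD = b"constructed stand-in for the Base64 payload hidden inside the control object"

def build_sample() -> bytes:
    """Minimal Word package: visible lure text plus a text box whose content is PAYLOAD in Base64,
    deliberately split into 24-character <w:t> runs to exercise the run-joining logic."""
    blob = base64.b64encode(PAYLOAD)
    runs = b"".join(b"<w:r><w:t>" + blob[i:i + 24] + b"</w:t></w:r>" for i in range(0, len(blob), 24))
    document = (b"<w:document><w:body><w:p><w:r><w:t>Enable content to view this document.</w:t></w:r></w:p>"
                b"<w:p><w:r><w:pict><v:shape><v:textbox><w:txbxContent><w:p>" + runs +
                b"</w:p></w:txbxContent></v:textbox></v:shape></w:pict></w:r></w:p></w:body></w:document>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", document)
    return buf.getvalue()
```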

Spoofed Signature

Another interesting technique abused by cyber-criminals in the wild is “certificate spoofing”, which allows malware to easily bypass a relevant portion of anti-virus engines, even those employing identification techniques theoretically able to detect encrypted and packed threats. Indeed, attackers could also obtain a valid certificate for their malware by stealing cryptographic keys from legitimate owners or by leveraging rogue companies, as observed in the signed Email Stealer used by the TA505 hacker group, described in our report.

However, in many cases evading detection requires less effort: even an invalid certificate is enough to achieve the goal, as in a recent Ursnif attack campaign (sample on Yomi Hunter).

Figure 9. Spoofed signature on Ursnif sample

Using certificate spoofing techniques, an attacker may sign an arbitrary executable with an arbitrary certificate taken from any website. As a case study, we reproduced this technique by signing a known Emotet binary with the Symantec website certificate.

Sha256: ff7283f7b9eb077603a6963f1c6f95abefd0d5acdae4bddc691ac57c3f6a8e05
Threat: Emotet
Brief Description: Emotet payload
Ssdeep: 1536:X6fyfENGX6yu5XLyR2zrcPSDILuhJiI9+F04OLD2DjalDxX7CLNiu:X6ho6yuxU8Dhc++uD32azXGLN

Table 2. Sample information

Sha256: a3586bee7179bcf60f25c4dc3d25e341a01ca73fdfbea290c5df9d2601c9bb90
Threat: Emotet
Brief Description: Emotet payload signed using the Symantec certificate
Ssdeep: 1536:U6fyfENGX6yu5XLyR2zrcPSDILuhJiI9+F04OLD2DjalDxX7CLNiuexK3hJw:U6ho6yuxU8Dhc++uD32azXGLNuIw

Table 3. Sample information

Figure 10. Comparison between samples without and with fake certificate

As confirmed by the Microsoft SignTool utility, the file signature is invalid, as expected.

Figure 11. SignTool check reporting the certificate was invalid

However, this trick lowered the VirusTotal detection rate from 36 to 20. Even Symantec AV did not detect the sample as malicious!

For the sake of correctness, as Chronicle Security states, VirusTotal is not a “comparative metrics between different antivirus products”, so this result does not imply anything about the overall quality of the antivirus solutions. Conservatively, it provides a clue about an inner detection mechanism, showing how attackers bypass some identification logic, not the whole AV solution.

Figure 12. Detection rate decrease thanks to certificate addition

A low-level diff between the two samples confirms that the certificate addition does not affect the functional parts of the malware in any way and, therefore, its behavior.

Figure 13. Comparison between samples without and with fake certificate at hex level
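To make the point of the hex-level comparison concrete, here is an added Python example (not from the post): a signature-independent hash that skips exactly the fields a signing step rewrites (CheckSum, the security data-directory entry and the appended certificate table), so the signed and unsigned variants of the same binary correlate to one value while their plain SHA-256 differ. The PE image and certificate blob are constructed placeholders, and the hashing is a simplified, linear-layout variant of Authenticode's scheme rather than a full implementation.

```python
import hashlib
import struct

def security_directory(pe: bytes) -> tuple:
    """Return (optional header offset, security entry offset, cert table offset, cert table size)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    opt = e_lfanew + 24                               # optional header follows "PE\0\0" + 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    entry = opt + (144 if magic == 0x20B else 128)    # IMAGE_DIRECTORY_ENTRY_SECURITY: PE32+ / PE32 layout
    cert_off, cert_len = struct.unpack_from("<II", pe, entry)  # for this entry the "VA" is a file offset
    return opt, entry, cert_off, cert_len

def signature_independent_hash(pe: bytes) -> str:
    """SHA-256 over everything a signing step leaves alone: CheckSum, the security directory entry and
    the appended certificate table are skipped. Simplified (linear-layout) form of Authenticode hashing."""
    opt, entry, cert_off, cert_len = security_directory(pe)
    h = hashlib.sha256()
    h.update(pe[:opt + 64])                           # headers up to the CheckSum field
    h.update(pe[opt + 68:entry])                      # after CheckSum, up to the security entry
    h.update(pe[entry + 8:cert_off if cert_len else len(pe)])
    if cert_len:
        h.update(pe[cert_off + cert_len:])            # any data appended after the certificate table
    return h.hexdigest()

def build_pe(body: bytes, cert: bytes = b"") -> bytes:
    """Constructed minimal PE32 layout (headers only, not executable): DOS header, PE/COFF header,
    224-byte optional header, 'body', then optionally a WIN_CERTIFICATE table wrapping 'cert'."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)  # e_lfanew at 0x3C -> PE signature at 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes
    table = b""
    if cert:
        table = struct.pack("<IHH", 8 + len(cert), 0x200, 0x0002) + cert  # dwLength, wRevision, PKCS#7 type
        struct.pack_into("<II", opt, 128, 64 + 24 + 224 + len(body), len(table))  # security entry
        struct.pack_into("<I", opt, 64, 0xDEADBEEF)   # signing tools rewrite CheckSum as well
    return dos + coff + bytes(opt) + body + table

# Constructed stand-ins: a "functional" body and a certificate blob copied from an unrelated signer.
SAMPLE_BODY = b"\x55\x8b\xec" + b"functional code that the signing step must not touch" + bytes(32)
SAMPLE_CERT = b"-- placeholder PKCS#7 blob, not a real certificate --"
```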

Conclusion

The techniques shown here are only a few of the countless stratagems threat actors implement to make detection harder. We constantly observe attack attempts using these kinds of tricks, and we are still surprised to see how, even today, they can frequently decrease the detection rate, even though the tricks are well known.

We hope that a direct spotlight on a few of these tricks will push the eternal cat-and-mouse game between security players and cyber-criminals a bit further, raising the bar and the costs for malicious attackers threatening users and companies.

Indicators of Compromise

Hashes:


This blog post was authored by Antonio Farina and Luca Mella of Cybaze-Yoroi Z-LAB