
Playing Cat and Mouse: Three Techniques Abused to Avoid Detection

The experts at Yoroi-Cybaze Zlab described three techniques commonly implemented by threat actors to avoid detection.

Introduction

During our analyses we constantly run into the tricks cyber-attackers use to bypass companies' security defences, some advanced, others not. Many times, despite their elegance (or lack of it), these techniques are effective and actually help cyber criminals get into victims' computers and penetrate company networks.

This technical article aims to bring to light details of some of the techniques currently abused by various threat actors, in order to help security operators, industry and companies mitigate their effects.

Technical Analysis

The following sections describe three cases we recently dissected, highlighting some of the tricks cyber-criminals and threat groups are currently using to avoid detection. The first two are techniques related to Office documents, used to hide malicious payloads and lure users. The third is related to binary payloads abusing code-signature tricks to evade traditional security controls.

The Broken Doc

Sha256: e2f931207a217983c8608253b137b7874f5b402b15039b3788e5fa2e8fc040da
Threat: cve-2017-0199 document
Brief Description: Document Dropper exploiting cve-2017-0199
Ssdeep: 96:Hd4+dGCbidUEd9IUfPLIuSdFpMcuGg5mLWStWiWrVMd92cSCedL0m03mbRTiqhrr:C+bcyucyMtWNYk0mqQTnhr5OARQT6

Table 1. Sample information

The first trick we dissected employs a “voluntary document corruption” to persuade the user to restore the original file and download the malicious payload without noticing any suspicious alert. As a case study we chose a Word document containing the CVE-2017-0199 exploit, which allows the document to download and execute arbitrary code at opening time. The following figure shows the external reference towards the remote code that will be executed: “hxxps://www.protectiadatelor[.biz/js/Oj1/smile.doc”.

Figure 1. External resource in the analyzed document

Normally, opening a weaponized document such as this one will likely alert a trained, aware user: a strange popup window warns about a “link” referring to external files.

Figure 2. Suspicious popup window

This message could look suspicious to the victim, who could then delete the document and avoid the infection. But through the trick we observed, the “user warning” may be bypassed. The sample contains a careful corruption of the document itself: some bytes have been deleted by the attacker without impacting the behavior of the exploit.

Figure 3. Corrupted document

Once the user opens the crafted file, MS Word displays a different popup message: now it reports that the document is corrupted and asks for confirmation to restore it. A totally different message than the previous one, letting the victim think the document is just broken.

Figure 4. Popup window reporting the impossibility of opening the document

After the user clicks “Yes”, MS Word automatically restores the file content and starts the exploit, which downloads and executes other payloads.
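Detection logic for the pattern described above, written for this article as an added example (it is not Yoroi's tooling): it lists the TargetMode="External" relationship targets of a .docx and, when the zip's central directory has been cut away so that Python's zipfile rejects the file, recovers the parts by walking the local file headers instead. The sample document, its relationship id and its URL are constructed placeholders.

```python
import io
import re
import struct
import zipfile
import zlib

EXTERNAL_REL = re.compile(rb'<Relationship\b[^>]*TargetMode="External"[^>]*>')
TARGET_ATTR = re.compile(rb'Target="([^"]+)"')

def _entries_from_local_headers(data: bytes) -> list:
    """Walk local file headers (PK\\x03\\x04) and inflate each member: works even when the central directory was cut away."""
    out, pos = [], 0
    while (pos := data.find(b'PK\x03\x04', pos)) >= 0:
        method, = struct.unpack_from('<H', data, pos + 8)
        csize, nlen, xlen = struct.unpack_from('<I4xHH', data, pos + 18)
        name = data[pos + 30:pos + 30 + nlen].decode('utf-8', 'replace')
        start = pos + 30 + nlen + xlen
        raw = data[start:start + csize]
        try:
            body = raw if method == 0 else zlib.decompressobj(-15).decompress(raw)
        except zlib.error:
            body = b''  # member too damaged to inflate: keep its name only
        out.append((name, body))
        pos = start + csize
    return out

def docx_entries(data: bytes) -> list:
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return [(n, z.read(n)) for n in z.namelist()]
    except zipfile.BadZipFile:  # Word offers to "repair" such files; we parse what is left
        return _entries_from_local_headers(data)

def external_targets(data: bytes) -> list:
    """Targets of TargetMode="External" relationships in any .rels part (the CVE-2017-0199 pattern uses an oleObject one)."""
    parts = [b for n, b in docx_entries(data) if n.endswith('.rels')]
    return [m.group(1).decode('utf-8', 'replace')
            for body in parts for rel in EXTERNAL_REL.finditer(body)
            if (m := TARGET_ATTR.search(rel.group(0)))]

def build_sample(corrupt: bool = False) -> bytes:
    """Constructed .docx skeleton with one external oleObject relationship (placeholder URL); corrupt=True cuts off the end of the central directory."""
    rels = (b'<?xml version="1.0"?><Relationships><Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
            b'Target="https://example.invalid/js/Oj1/smile.doc" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as z:
        z.writestr('word/document.xml', '<w:document/>')
        z.writestr('word/_rels/document.xml.rels', rels)
    return buf.getvalue()[:-40] if corrupt else buf.getvalue()
```

Both the intact and the truncated sample yield the same external target, which is the point: a file a zip library rejects is not a file a scanner may skip.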

Hide Payload with Office Developer Mode

Other malicious documents we analyzed employ tricks to hide the real payload in MS Office developer control objects, components that are often not visible to end users. In most Office installations, in fact, the Developer tab is disabled by default, so it is even more difficult to identify the presence of anomalous objects.

This technique was also employed in a sample we analyzed a while ago. At opening time the document looks like many others.

Figure 5. Classic phishing document view

However, analysis of the macro code reveals that the real payload is contained elsewhere, in particular in an object named “Kplkaaaaaaaz”.

Figure 6. Part of macro code embedded in the document

This hidden object appears as a tiny text box right after the macro code is enabled (Figure 7).

Figure 7. Document’s modified view

Without enabling Word's developer mode, in the appropriate Options menu, it is impossible to select the object and inspect its properties. After enabling it, we were able to explore the object's content: the Base64-encoded payload.

Figure 8. Extracted payload

Using this strategy, the malware writer moves the identifiable payload to a section that is more difficult to inspect, both for automatic and manual analysis, obtaining a lower detection rate during static analysis.

Spoofed Signature

Another interesting technique abused by cyber-criminals in the wild is “Certificate Spoofing”, which allows malware to easily bypass a relevant portion of anti-virus engines, even those employing identification techniques theoretically able to detect encrypted and packed threats. Indeed, attackers could also obtain a valid certificate for their malware by stealing cryptographic keys from legitimate owners or leveraging rogue companies, as observed in the signed Email Stealer used by the TA505 hacker group, described in our report.

However, in many cases evading detection requires less effort: even an invalid certificate is enough to achieve the goal, as in a recent Ursnif attack campaign (sample on Yomi Hunter).

Figure 9. Spoofed signature on Ursnif sample

Using certificate spoofing techniques an attacker may sign an arbitrary executable using an arbitrary certificate taken from any website. As a case study, we reproduced this technique by signing a known Emotet binary with the Symantec website certificate.

Sha256: ff7283f7b9eb077603a6963f1c6f95abefd0d5acdae4bddc691ac57c3f6a8e05
Threat: Emotet
Brief Description: Emotet payload
Ssdeep: 1536:X6fyfENGX6yu5XLyR2zrcPSDILuhJiI9+F04OLD2DjalDxX7CLNiu:X6ho6yuxU8Dhc++uD32azXGLN

Table 2. Sample information

Sha256: a3586bee7179bcf60f25c4dc3d25e341a01ca73fdfbea290c5df9d2601c9bb90
Threat: Emotet
Brief Description: Emotet payload signed using Symantec cert
Ssdeep: 1536:U6fyfENGX6yu5XLyR2zrcPSDILuhJiI9+F04OLD2DjalDxX7CLNiuexK3hJw:U6ho6yuxU8Dhc++uD32azXGLNuIw

Table 3. Sample information

Figure 10. Comparison between samples without and with fake certificate

As confirmed by the Microsoft SignTool utility, the file signature is reported as invalid, as expected.

Figure 11. SignTool check reporting the certificate was invalid

However, this trick led to a decrease of the VirusTotal detection rate from 36 to 20. Even Symantec AV didn't detect the sample as malicious!

For the sake of correctness, as Chronicle Security states, VirusTotal is not a “comparative metrics between different antivirus products”, so this result does not imply anything about the overall quality of the antivirus solutions. Conservatively, it provides a clue about an inner detection mechanism, showing how attackers bypass some identification logic, not the whole AV solution.

Figure 12. Detection rate decrease thanks to certificate addition

The low-level diff analysis between the two samples confirms that the certificate addition does not impact in any way the functional parts of the malware and, therefore, its behavior.

Figure 13. Comparison between samples without and with fake certificate at hex level
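The hex-level observation above can be turned into a defender's check. The following is an added example written for this article (not Yoroi's code): it hashes a PE while skipping exactly the bytes a certificate addition touches (the CheckSum field, the SECURITY data-directory entry and the appended certificate table), so an unsigned sample and the same sample with a bolted-on certificate produce the same hash and can be clustered together. The PE shell and the certificate blob are constructed placeholders, not real binaries or signatures.

```python
import hashlib
import struct

def _security_dir(pe: bytes):
    """Return (security_dir_entry_offset, checksum_offset, cert_off, cert_size); ValueError if not a PE."""
    if pe[:2] != b'MZ':
        raise ValueError('missing MZ header')
    e_lfanew, = struct.unpack_from('<I', pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('missing PE signature')
    opt = e_lfanew + 24                                  # optional header follows the 20-byte COFF header
    magic, = struct.unpack_from('<H', pe, opt)
    sec_entry = opt + (144 if magic == 0x20B else 128)   # data directory[4] = SECURITY (PE32+ / PE32)
    cert_off, cert_size = struct.unpack_from('<II', pe, sec_entry)
    return sec_entry, opt + 64, cert_off, cert_size      # CheckSum sits at optional header + 64

def unsigned_hash(pe: bytes) -> str:
    """SHA-256 over the file minus CheckSum, the SECURITY entry and the certificate table:
    identical before and after a certificate is appended, as the Figure 13 diff shows."""
    sec_entry, checksum, cert_off, cert_size = _security_dir(pe)
    skip = [(checksum, 4), (sec_entry, 8)]
    if cert_size:
        skip.append((cert_off, cert_size))
    h, pos = hashlib.sha256(), 0
    for off, length in sorted(skip):
        h.update(pe[pos:off])
        pos = off + length
    h.update(pe[pos:])
    return h.hexdigest()

def append_cert_table(pe: bytes, blob: bytes) -> bytes:
    """Append a WIN_CERTIFICATE header (revision 2.0, PKCS#7 type) plus blob and point the
    SECURITY entry at it; this reproduces the structural change only, not a valid signature."""
    sec_entry, _, _, _ = _security_dir(pe)
    cert = struct.pack('<IHH', 8 + len(blob), 0x0200, 0x0002) + blob
    cert += b'\0' * (-len(cert) % 8)                     # certificate table is quad-word padded
    out = bytearray(pe) + cert
    struct.pack_into('<II', out, sec_entry, len(pe), len(cert))
    return bytes(out)

def minimal_pe() -> bytes:
    """Constructed PE32 shell (DOS stub, COFF header, optional header, padding), not a real program."""
    opt = struct.pack('<H', 0x10B) + b'\0' * 94 + b'\0' * 128   # 96-byte header + 16 data directories
    coff = b'PE\0\0' + struct.pack('<HHIIIHH', 0x14C, 0, 0, 0, 0, len(opt), 0x102)
    dos = b'MZ' + b'\0' * 58 + struct.pack('<I', 64)            # e_lfanew = 64
    return dos + coff + opt + b'\xCC' * 512
```

A plain file hash changes with every certificate swap, while unsigned_hash stays constant, which is the property a detection pipeline should key on when a known sample reappears with a signature.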

Conclusion

The techniques shown are only a part of the countless tricks implemented by threat actors to make detection harder. We constantly observe attack attempts using these kinds of tricks and we are still surprised to see how, nowadays, they can frequently decrease the detection rate, even though the tricks are well known.

We hope that a direct spotlight on a few of these tricks will push the eternal cat-and-mouse game between security players and cyber-criminals a bit further, raising the bar and the costs for malicious attackers who are threatening users and companies.

Further technical details, including IoCs and Yara rules, are reported in the original analysis published on the Yoroi blog:

https://blog.yoroi.company/research/playing-cat-and-mouse-three-techniques-abused-to-avoid-detection/



Pierluigi Paganini
