PowerShellRunBox: Analyzing PowerShell Threats Using PowerShell Debugging

Malicious PowerShell scripts are one of the most prevalent threats these days. Many APT actors have used PowerShell as a delivery or migration mechanism, and commodity malware has been using PowerShell for a long time too. In many cases, Office macro malware uses PowerShell scripts to proceed with the later stages of the attack. The MITRE ATT&CK matrix has a good summary of these trends. There are also attack kits like PowerShell Empire and PowerSploit that use PowerShell as their main implementation language.

Vulnerability Root Cause Analysis With Time Travel Debugging

There are many ways to find vulnerabilities. One of the most scalable methods is fuzzing. In essence, fuzzing is brute forcing: in many cases, malformed input triggers a crash in the program. After you acquire a crash, the next step is understanding its root cause. Proper RCA (root cause analysis) is essential in understanding the nature of the bug. It helps to determine whether the bug is actually an exploitable vulnerability and whether putting additional effort into developing an exploit for it makes sense. From the security engineer's perspective, proper categorization of vulnerabilities and understanding the nature of bugs is very helpful in establishing a mitigation strategy. Simply put, RCA is the starting point of both exploit development and product defense strategy.

Using Intel PT for Vulnerability Triaging with IPTAnalyzer

Intel PT (Processor Trace) is a technology built into recent Intel CPUs; Intel Skylake and later CPU models come with this feature. It lets you trace code execution at the instruction level, with triggering and filtering capabilities. In this article, we want to explore the practical application of this technology in exploit analysis.

Using Memory Artifacts As Shellcode Emulation Environment (ft. Unicorn Framework)

Shellcode is one of the major components of modern malware. It was originally invented to exploit vulnerabilities and run code in the target process. More recently, it is used as a malware component to defeat easy detection and analysis. It is very common to observe multi-stage, highly obfuscated shellcode used in commodity or APT attacks.

Using Frida For Windows Reverse Engineering

Frida has become more popular recently because of how conveniently it lets you install hooks using the JavaScript language. I have seen much research using Frida on mobile platforms, but it seems that Windows usage has been gaining traction recently. At DarunGrim, we are researching new methodologies that security researchers can use for their day-to-day work. Frida is one of the tools that we thought could be useful for Windows reverse engineering. But during our testing, we found that its symbol lookup capability was a limiting factor in the broader use of this tool. We made improvements, and they are now available in Frida 12.9.8. We are really thankful to Ole André Vadla Ravnås for his help in merging the changes.

Advanced Windows Malware Analysis - Acquiring Memory Artifacts

On the Windows platform, malware analysis has become more challenging. Living-off-the-land attacks are very common, and many different, arbitrary techniques have been introduced to avoid easy detection and evade endpoint sensors. It is a challenge because a single researcher needs to learn many different skill sets. In many cases, the ultimate payload is a PE file. But analyzing those executables is the most difficult and time-consuming part of the work. In most cases, analysts rely on sensor data or sandbox behavioral data, but that way you can lose a lot of context or miss hidden behaviors. Through this series, we want to talk about advanced malware analysis techniques.