
Jerrod Piker at Deep Instinct explains how attackers slip past cyber security defences, and how you can stop them
In one of the most famous Star Wars moments, Jedi Master Obi-Wan Kenobi deflects the attention of a squadron of stormtroopers with a wave of his hand. At his calm assertion that these are not the droids they’re looking for, the troopers look straight past the robots they were supposed to be hunting and leave the heroes to go about their business.
When it comes to keeping a low profile, the classic ‘Jedi Mind Trick’ beats a light-sabre any day. But while such a trick is physically impossible outside of a galaxy far, far away, it is very feasible in the online world.
Cyber threat actors have increasingly taken this approach in their attacks. Adversaries are now armed with a variety of techniques that enable them to wave their hands at many standard security tools, such as Endpoint Detection and Response (EDR), and point them in the wrong direction as they slip past.
Unlike that hapless squad of stormtroopers, however, there are ways for us to see through these tricks. Here, we’ll cover three of the most prominent deceptive techniques and how they can be defeated.
The Windows Antimalware Scan Interface (AMSI) plays a critical role in most malware defences. This framework gives third-party anti-malware solutions access to content handled by Microsoft applications and components such as script engines, WMI and PowerShell.
When a command is entered to run a script or start PowerShell, AMSI steps in first to scan for known threat signatures, and it lets antivirus and EDR solutions do their job of scanning files, memory and streams for signs of malicious activity.
Bypassing AMSI enables an attacker to deploy malware without triggering these scans. Savvy criminals have developed several techniques for achieving this, including reflection, COM server hijacking and memory patching.
The Remote Access Trojan (RAT) known as Agent Tesla is one of the most prominent recent examples, using the memory patching approach to wave attention away from its second-stage loader and ultimate payload.
Unhooking is another technique that targets the behind-the-scenes processes that enable anything to happen in a computer system, this time exploiting APIs (application programming interfaces).
Instructions that need direct system or kernel-level access pass through system calls exposed by ntdll.dll, the user-mode gateway to the kernel. Most EDR solutions “hook” the functions exported by ntdll.dll so they can monitor for any suspicious calls to memory.
“Unhooking” sees attackers load a fresh, unhooked version of ntdll.dll after Windows has already loaded the EDR-hooked version when the process is launched. The EDR system is thus rendered blind, unable to monitor for any API calls. Cannier threat actors will even re-hook the EDR once the initial breach is complete to better disguise any signs of intrusion.
Most standard EDR solutions safeguard a system by monitoring DLLs as they’re loaded from disk. Reflective DLL loading exploits this: adversaries use remote code injection to load a DLL directly from memory into an existing process instead, so the DLL never touches disk.
Because the EDR is focused on modules loading from disk, the attackers can again slip by unnoticed. Reflective DLL loading is a common part of the attacker’s toolkit and is a prominent feature of attack frameworks like Cobalt Strike and Metasploit. The technique is commonly used in combination with AMSI bypassing, unhooking and many other stealthy techniques.
Deceptive techniques like these are so dangerous because they exploit and evade the very Microsoft infrastructure designed to help detect evasion in the first place. A subtle wave of the hand has standard defences convinced there is nothing to see and sends them on their way to search for threats elsewhere.
These attacks also hinge on being able to interfere with security processes before tools like EDR have a chance to act. Defeating them requires going beyond the normal processes, and being able to detect and stop the tricks before they can be completed.
AMSI bypass techniques can be prevented by using in-memory protection to halt any process attempting to subvert the system. Likewise, unhooking can be stopped by using a security solution that is able to monitor for changes to its agent’s hooks. If the solution detects an attempt to access the memory area that governs these hooks, the process is flagged as malicious and prevented from completing.
Reflective DLL loading can similarly be prevented by monitoring for the allocation of local memory areas used in the process, and preventing portable executable loading attempts in these areas.
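As an added illustration of the detection approach described in the two paragraphs above (example code written for this article's editor, not code from Deep Instinct or the author), here is a toy Python pass over constructed endpoint telemetry that flags the three signals the text names: ntdll.dll read from disk again after the loader has already mapped it, amsi.dll's code pages made writable inside a process, and an executable region that carries a PE header but is backed by no file. The event schema, field names and sample values are assumptions loosely modelled on Sysmon/ETW-style events, not any product's real format.

```python
from collections import defaultdict

# Constructed sample telemetry (not real logs). Field names are assumptions
# loosely modelled on Sysmon/ETW-style endpoint events.
EVENTS = [
    {"pid": 1001, "process": "powershell.exe", "type": "image_load",
     "image": r"C:\Windows\System32\ntdll.dll"},
    {"pid": 1001, "process": "powershell.exe", "type": "image_load",
     "image": r"C:\Windows\System32\amsi.dll"},
    # ntdll.dll read from disk again after the loader already mapped it:
    # the usual way a "fresh", unhooked copy is fetched
    {"pid": 1001, "process": "powershell.exe", "type": "file_read",
     "path": r"C:\Windows\System32\ntdll.dll"},
    # code pages of amsi.dll made writable inside the process: memory patching
    {"pid": 1001, "process": "powershell.exe", "type": "mem_protect",
     "target_module": "amsi.dll", "new_protect": "PAGE_EXECUTE_READWRITE"},
    # executable private region holding a PE header with no backing file
    {"pid": 2002, "process": "explorer.exe", "type": "mem_alloc",
     "protect": "PAGE_EXECUTE_READWRITE", "backing_file": None,
     "head": b"MZ\x90\x00"},
    # benign: an image-backed mapping of a DLL loaded from disk
    {"pid": 2002, "process": "explorer.exe", "type": "mem_alloc",
     "protect": "PAGE_EXECUTE_READ",
     "backing_file": r"C:\Windows\System32\shell32.dll", "head": b"MZ\x90\x00"},
]

def module_name(path):
    # Lower-cased basename of a Windows path, e.g. 'ntdll.dll'.
    return path.lower().rsplit("\\", 1)[-1]

def detect(events):
    """Return (pid, technique) findings in event order."""
    findings = []
    mapped = defaultdict(set)  # pid -> modules the loader has already mapped
    for ev in events:
        pid, kind = ev["pid"], ev["type"]
        if kind == "image_load":
            mapped[pid].add(module_name(ev["image"]))
        elif (kind == "file_read" and module_name(ev["path"]) == "ntdll.dll"
              and "ntdll.dll" in mapped[pid]):
            findings.append((pid, "ntdll unhooking"))
        elif (kind == "mem_protect" and ev["target_module"].lower() == "amsi.dll"
              and "WRITE" in ev["new_protect"]):
            findings.append((pid, "AMSI memory patch"))
        elif (kind == "mem_alloc" and "EXECUTE" in ev["protect"]
              and ev["backing_file"] is None and ev["head"].startswith(b"MZ")):
            findings.append((pid, "reflective PE load"))
    return findings
```

Running `detect(EVENTS)` yields one finding per technique for the constructed data, while the image-backed shell32.dll mapping is left alone.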
These mind tricks – and many more like them – are designed to exploit the fact that so many tools are focused on detecting malicious behaviour once it is already within the environment. This gives attackers a crucial window of opportunity to subvert systems and hide their presence.
It also means attacks like ransomware have a chance to spring into action, enabling them to start spreading and locking down systems before the intrusion can be flagged and contained.
The reactive security of EDR tools is important but must be backed up with a proactive ability to spot threats before they can execute within the network.
Deep learning-powered analytics tools represent one of the best chances of outpacing these attacks, as they are able to move faster than even the swiftest malware. The Mind Trick is spotted and stopped before the would-be Jedi can even open their mouth.
Jerrod Piker is a Competitive Intelligence Analyst at Deep Instinct
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543