Friday, August 16, 2013

HITCON 2013 Session Summary : Advance Malware Evasion And Hiding Techniques

This session was given at HITCON 2013 by Chong Rong Hwa from FireEye.

Attack Vector

In this session, three types of infection vectors are discussed first:
  1. Physical, such as USB drives
  2. Email
    Compressed, encrypted, or password-protected compressed attachments
  3. Web
    Watering hole attacks, in which the attacker compromises a legitimate website to host a malicious page.
    ex. On May 1 2013, attackers compromised the US Department of Labor website to host the PoisonIvy backdoor.

APT Advanced Malware

This malware does not rely on advanced techniques; instead it disguises itself as a normal program or user.

Attackers may use old vulnerabilities, but slightly change the exploit code to make analysis harder:
    Add invalid characters to the RTF file to confuse the parser
    Replace parts of the shellcode with semantically equivalent instructions

Keep only non-malicious code on disk and construct the malicious payload in memory
    Trojan.APT.BaneChant

Employ commonly used encryption (or signature) algorithms with slight changes (ex. DES, AES)
Use public, legitimate services for malicious behaviour, such as Google Drive and Amazon AWS
    Trojan.APT.Seinup
Anti-VM
   Detect human behaviour to tell a real user from a sandbox
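The point above about commonly used ciphers with slight changes (ex. AES), as an added example that is not from the talk or from this blog: a Python triage helper that regenerates the standard AES S-box and scans a byte buffer for 256-byte permutation tables, reporting whether each one matches the standard S-box or is a modified variant. It assumes a tweaked AES still carries a 256-byte permutation table; the sample buffers are constructed here, not taken from any real sample.

```python
# Added example: flag a standard vs. slightly modified AES S-box in a byte buffer (triage aid).
def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def aes_sbox():
    """Generate the standard AES S-box: GF(2^8) inverse followed by the affine map."""
    table = []
    for x in range(256):
        inv, base, e = 1, x, 254              # x^254 == x^-1 in GF(2^8)
        while e:
            if e & 1:
                inv = _gf_mul(inv, base)
            base = _gf_mul(base, base)
            e >>= 1
        inv = 0 if x == 0 else inv            # 0 has no inverse; AES maps it to 0
        table.append(inv ^ _rotl8(inv, 1) ^ _rotl8(inv, 2) ^ _rotl8(inv, 3) ^ _rotl8(inv, 4) ^ 0x63)
    return table

STANDARD_SBOX = bytes(aes_sbox())

def find_sbox_candidates(buf):
    """Return (offset, label, entries differing from AES) for each 256-byte permutation in buf."""
    hits, i = [], 0
    while i + 256 <= len(buf):
        window = buf[i:i + 256]
        if len(set(window)) == 256:           # every byte value once: looks like an S-box
            diff = sum(1 for a, b in zip(window, STANDARD_SBOX) if a != b)
            hits.append((i, "standard AES S-box" if diff == 0 else "modified S-box", diff))
            i += 256
        else:
            i += 1
    return hits

# Constructed sample buffers (not real malware data); assumption: the table sits at offset 16.
SAMPLE_STANDARD = b"\x00" * 16 + STANDARD_SBOX + b"\xff" * 16
_tweaked = bytearray(STANDARD_SBOX)
_tweaked[0], _tweaked[1] = _tweaked[1], _tweaked[0]  # "slight change": two entries swapped
SAMPLE_MODIFIED = b"\x00" * 16 + bytes(_tweaked) + b"\xff" * 16
SAMPLE_CLEAN = b"A" * 300
```

An identity table such as bytes(range(256)) is also a permutation and would be reported as a modified S-box, so treat the label as a triage hint to confirm against the surrounding code, not as a verdict.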

APT Attack Source

Attacks do not come from a single source, and the control servers are distributed around the world.
      Asia and Eastern Europe are the two main source regions for APT attacks.
      Most APT tools are made in China, ex. Gh0stRAT
