Security Think Tank: How to tool up to catch evasive malware comms

Malware such as remote access trojans (RATs) used to steal data or perform other actions within the system being attacked, make use of command and control (C&C) channels allowing the attacker to control the malware directly and, in some cases, download additional tools, and so on. 

These typically beacon out to the attacker from the point where the malware is installed, allowing the attacker to respond with commands or downloads. The C&C channels will typically use commonly open service ports, such as http, https and DNS, trying to blend into the other traffic. 

Over the years, attackers have attempted to obscure these channels by varying the beaconing interval and using encryption. However, these basic techniques are easily detectable by using standard monitoring and log analysis, allowing the host and attacker IP to be detected, the malware removed, and the attacker’s IP address blocked. 

Attackers are therefore adapting their techniques to evade detection using multiple IP addresses and/or domains and multiple communication paths, although the sophistication varies. 

In some cases, the malware will have a fixed starting point, or seed, and will beacon out to a linear sequence of IP addresses, or domain names. This can be detected fairly easily by developing an analytic use case coded into a Siem [security information and event management] system. 

Getting more sophisticated, the sequence may be generated by the malware as a pseudo-random sequence of addresses, so making transmissions more difficult to detect unless you have a copy of the malware and somebody skilled in reverse engineering to determine the sequence. Also, some attackers will use a sequence seeded externally – for example, by using Twitter – so that both the starting point and the sequence are unpredictable. 

Depending on the purpose of the malware, it may be left sleeping and be triggered at a pre-determined time, on a certain event, or by an unrelated channel, such as social media. This can lead to a large number of DNS requests where multiple copies of the malware have been installed, as part of a botnet or ransomware attack, for example.

Although this type of malware is becoming more sophisticated and therefore more difficult to detect, it does create some artefacts that give it away, including rapid domain registrations or DNS lookups to newly registered domains, DNS requests that return different IPs or URLs that map to multiple domains within a short timeframe. 

Large numbers of failed DNS lookups may also result because the pseudo-random sequences used to evade detection may create URLs that do not resolve to real domains. This type of activity can be detected through the use of analytic use cases based on DNS logs running as scripts within the Siem. 

Behavioural analysis and anomaly detection solutions should detect this activity through monitoring network traffic. From this, the infected machines should also be able to be identified and the malware removed. Where sleeping malware is triggered, particularly where there are multiple infections, such as part of a botnet, this will also cause a spike in network traffic, which can be detected in a similar way. 

Detecting sleeping malware before it is triggered can be more difficult, however. Attackers have taken to use existing legitimate administration tools such as PowerShell and WMI – which are routinely installed on all Windows machines – to receive commands and trigger malware. These can be used to download resident malware on boot, or trigger sleeping malware based on an event, at a pre-set time, or by downloading and running a script.

Once a target has been breached, attackers can also make use of frameworks such as open source penetration testing tool PowerShell Empire to establish a C&C channel by using stagers, agents and listeners. A “stager” payload may take the form of a Microsoft Office macro, a DLL file or an HTML application file which contains malicious shellcode, often executed by operating systems to establish communication from the victim to the attacker’s server (“listener”).

Signature-based antivirus is ineffective because PowerShell operates in system and is recognised as an integral part of Windows. However, most modern antivirus and more advanced endpoint protection suites do incorporate one or more behavioural or heuristic detection measures, which may detect activity when the script is run. This may be too late, though.

Detecting PowerShell C&C traffic is very difficult, especially when attackers use frameworks such as “Empire” to encode, encrypt and randomise communications to and from their C&C server.

To help defenders combat this threat, a robust suite of network and host-based detection tools can help. Network intrusion prevention systems can often identify traffic and protocol anomalies, as can well-crafted Siem correlation rules centred on proxy log activity such as suspicious HTTP protocol behaviour.

These detection methods often help identify the symptoms of an attack, but not necessarily the root cause. To establish confirmation of a C&C compromise, host-level investigation would be required, utilising resources such as Windows Event Logs, Sysmon events and system analysis.

While PowerShell C&C communication is evasive, network and system-level indicators/artefacts can be discovered given the right toolset and analyst knowledge. By obtaining these indicators of compromise and indicators of attack, defenders can create signatures and use-cases to automate detection, helping to identify additional compromises and real-time attacks.