Threat Analysis Unit

2019: Looking Back at Malware

In 2019, attacker behavior evolved, becoming more evasive. The most common behaviors seen across all attack data—mapped to the MITRE ATT&CK™ Framework—were: Software Packing for Defense Evasion, Hidden Windows for Defense Evasion, Standard Application Layer Protocol for Command and Control (C2), Process Discovery, and Registry Run Keys in the Startup Folder for Persistence. Notably, evasion behaviors appeared in 90% of the samples we analyzed, a clear indication that attackers are increasingly attempting to circumvent legacy security solutions.

Top 10 Malware Behaviors of 2019

A Deeper Dive Into The Top Behaviors

Software Packing

According to MITRE, Software Packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Utilities used to perform software packing are called packers. Software Packing also includes custom encoding/compression/encryption schemes that are routinely used by droppers or installers which are common in commodity and targeted attacks.

Advice to Defenders
Defenders should look to thin out their attack surface wherever possible. Use solutions that allow you to analyze endpoints for software packers or for evidence that packers were used. Getting to know the legitimate applications that employ this technique will reduce false-positive noise and help the team focus. Point-in-time security solutions will offer little coverage for software packing. Employing an EPP that records and analyzes data over time is helpful in preventing and detecting these types of attacks.

Defense Evasion: Hidden Window

According to MITRE, Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling or disabling security software and obfuscating or encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware.

Adversaries may implement hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks. Adversaries may abuse operating system functionality to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.

Advice to Defenders
Limit or restrict program execution using EPP or Application Allowlisting. On MacOS, allowlist the programs that are permitted to carry a hidden-window plist tag such as apple.awt.UIElement. All other programs carrying that tag should be considered suspicious.

Monitor processes and command-line arguments with EDR for actions indicative of hidden windows. On Windows, enable and configure event logging and PowerShell logging to check for the hidden-window technique. Understand that obfuscation and encoding of PowerShell attacks is a very common tactic, utilized by various malware families to evade defenses. Many such attacks can even disable PowerShell logging and related defensive tools, so ensure that you use a layered approach to your overall security program.

In MacOS, PLIST files are plain-text files with a well-defined format, so they are relatively easy to parse. File monitoring can check PLIST files for apple.awt.UIElement or any other suspicious PLIST tag and flag the files that contain it.
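The two checks above, a PowerShell command-line match and a plist tag scan, as an added example (this is not code from the original post or from VMware Carbon Black). The sample plist, the sample command lines and the allowlisted bundle identifier are constructed for the example; the regex assumes PowerShell's usual acceptance of abbreviated switch names (-w, -win, -WindowStyle).

```python
import plistlib
import re
from xml.parsers.expat import ExpatError

# Constructed sample Info.plist (XML form) for this example; not taken from any real app.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict><key>CFBundleIdentifier</key><string>com.example.updater</string>
<key>apple.awt.UIElement</key><string>true</string></dict>
</plist>
"""
# Constructed process command lines standing in for EDR or PowerShell event-log records.
SAMPLE_CMDLINES = [
    'powershell.exe -NoProfile -WindowStyle Hidden -File C:\\Users\\Public\\update.ps1',
    'powershell.exe -w hidden -c "Start-Sleep 5"',
    'powershell.exe -Command Get-Date',
]
# Plist keys treated as hidden-window indicators (the post names apple.awt.UIElement).
HIDDEN_WINDOW_PLIST_KEYS = {"apple.awt.UIElement"}
# Bundle identifiers an analyst has vetted as legitimately windowless (constructed, assumption).
ALLOWLIST = {"com.vendor.menubar-helper"}
# Assumption: PowerShell accepts abbreviated switches, so -w, -win and -WindowStyle all match.
HIDDEN_WINDOW_CMDLINE = re.compile(r"-w[a-z]*\s+hidden\b", re.IGNORECASE)


def scan_plist(data, allowlist=ALLOWLIST):
    """Return (bundle_id, key) pairs for hidden-window tags found in one plist."""
    try:
        plist = plistlib.loads(data)  # handles both XML and binary plists
    except (plistlib.InvalidFileException, ExpatError, ValueError):
        return [("<unparseable>", "invalid plist")]  # report it, never silently drop it
    if not isinstance(plist, dict):
        return []
    bundle_id = plist.get("CFBundleIdentifier", "<unknown>")
    if bundle_id in allowlist:
        return []
    findings = []
    for key in sorted(HIDDEN_WINDOW_PLIST_KEYS):
        value = plist.get(key)
        # Accept <true/> as well as the string forms some build tools write.
        if value is True or str(value).strip().lower() in {"true", "1", "yes"}:
            findings.append((bundle_id, key))
    return findings


def flag_hidden_window_cmdlines(cmdlines):
    """Return the command lines that request a hidden PowerShell window."""
    return [c for c in cmdlines if HIDDEN_WINDOW_CMDLINE.search(c)]
```

Feed `scan_plist` the bytes of each Info.plist your file monitor reports as changed, and `flag_hidden_window_cmdlines` the process-creation command lines from your EDR or PowerShell logs.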

Come back next week when we’ll be taking a look back at ransomware in 2019 and the pervasive attacks on state and local governments across the U.S.


To learn more about what security will look like in 2020 check out VMware Carbon Black’s 2020 Cybersecurity Outlook Report.