- Apr 24, 2016
APT groups that deploy ransomware use a wide range of attack techniques to reach their objectives. AV-TEST staged 10 current attack scenarios against security products for consumer users and for corporate users, each built on the techniques ".Net Reflective Assembly loading", ".Net Dynamic P/Invoke" and "AMSI Bypass". The Advanced Threat Protection tests proved revealing: some of the products were unable to withstand all of the attack techniques.
The Advanced Threat Protection tests are special in that they continuously test security software against the latest attack techniques used by APT groups, such as ".Net Reflective Assembly loading", which has been used in a basic form in attacks involving Cobalt Strike and by the Cuba and Lazarus groups. The techniques ".Net Dynamic P/Invoke" and "AMSI Bypass" are also popular in recent ransomware attacks. Once an attack succeeds, the systems are encrypted and the extortion by the APT groups begins. Unless, of course, the security products for consumer and corporate users detect the attack techniques being used, stop the attack and remove the ransomware.
The latest attack techniques used in the test
.Net Reflective Assembly loading: A common way to obfuscate malware code is to load it reflectively at run time. Reflective loading lets the attacker map and execute a payload (the executable malware code) directly in the memory of the current process, or in a newly created thread or process, without the payload ever existing as a file on disk. In .NET this is possible with Assembly.Load, which accepts the raw bytes of an assembly.
In our examples, the ransomware is implemented as an encrypted assembly that is stored alongside the loader. It is decrypted, loaded and executed at run time, without an image of it ever being written to the hard drive.
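The loader pattern described above, as an added C# example that is not AV-TEST's test code: a benign assembly supplied on the command line (an assumption made for the demo) stands in for the payload; it is AES-encrypted in memory to mimic the stored encrypted assembly, then decrypted and loaded with Assembly.Load(byte[]) so that no image of it is written to disk. The program also subscribes to the AppDomain's AssemblyLoad event to show the signal a defender can look for: an assembly loaded from bytes reports an empty Location, whereas a file-backed load reports its path.

```csharp
// Added example (not from the original page): reflective loading of an encrypted
// .NET assembly, with the defender-side AssemblyLoad signal it produces.
// Payload: any ordinary .NET assembly passed as args[0] (assumed), not ransomware.
using System;
using System.IO;
using System.Linq;
using System.Reflection;
using System.Security.Cryptography;

static class ReflectiveLoadDemo
{
    // Applies an AES transform to the whole buffer (used for encrypt and decrypt).
    static byte[] Transform(byte[] data, ICryptoTransform t) =>
        t.TransformFinalBlock(data, 0, data.Length);

    static void Main(string[] args)
    {
        if (args.Length < 1)
        {
            Console.WriteLine("usage: ReflectiveLoadDemo <path-to-assembly.dll-or-exe>");
            return;
        }

        // Defender's view: every assembly load in this AppDomain raises this event.
        // A file-backed load reports its path in Location; a byte[] load reports "".
        AppDomain.CurrentDomain.AssemblyLoad += (sender, e) =>
        {
            string loc = e.LoadedAssembly.Location;
            Console.WriteLine($"[AssemblyLoad] {e.LoadedAssembly.GetName().Name} Location='{loc}'"
                + (loc.Length == 0 ? "  <-- memory-only load" : ""));
        };

        // Stand-in for the stored encrypted assembly: encrypt the payload bytes with a
        // fresh random key/IV (Aes.Create() generates both). A real loader would carry
        // the key alongside the ciphertext.
        using var aes = Aes.Create();
        using var enc = aes.CreateEncryptor();
        using var dec = aes.CreateDecryptor();
        byte[] blob = Transform(File.ReadAllBytes(args[0]), enc);
        Console.WriteLine($"Encrypted blob: {blob.Length} bytes held in memory only");

        // Attacker's side: decrypt and map straight from memory. No file is created.
        Assembly asm = Assembly.Load(Transform(blob, dec));
        Console.WriteLine($"Loaded {asm.FullName}; Location is '{asm.Location}'");

        // Run the payload: call its entry point if it is an exe, otherwise list its types.
        MethodInfo entry = asm.EntryPoint;
        if (entry != null)
        {
            object[] invokeArgs = entry.GetParameters().Length == 0
                ? null
                : new object[] { Array.Empty<string>() };
            entry.Invoke(null, invokeArgs);
        }
        else
        {
            Console.WriteLine("No entry point; exported types: "
                + string.Join(", ", asm.GetExportedTypes().Select(t => t.Name)));
        }
    }
}
```

The empty Location is the cheapest indicator of a memory-only load and is worth logging from any .NET host you control. Note also that .NET Framework 4.8 and later submit assemblies loaded via Assembly.Load(byte[]) to AMSI for scanning, which is one reason attackers pair this technique with the AMSI bypass described further down.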
.Net Dynamic P/Invoke: .NET can execute unmanaged code (native code outside the .NET runtime), which is how standard Windows API calls are made; this allows behavior that .NET itself does not provide. Normally this is done with Platform Invoke (P/Invoke), where the imported API functions are declared statically in the assembly. API calls made via static P/Invoke are easy for defenders to monitor and intercept, because the imports are visible in the assembly's metadata. If P/Invoke is not used statically, libraries can instead be loaded dynamically at run time and the functions they contain called through their memory addresses. This obscures which APIs are used and helps avoid detection by security products.
In our examples, we use Dynamic P/Invoke to call the API functions VirtualAlloc and CreateThread in order to load the encrypted ransomware reflectively into memory and execute it.
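The difference between the two P/Invoke styles, as an added C# example that is not AV-TEST's test code: VirtualAlloc is called once through a static DllImport declaration and once through a delegate resolved at run time with LoadLibraryA/GetProcAddress, and a small reflection routine lists which Windows API imports are visible in the assembly's metadata. Both calls only allocate a writable page; nothing is written to it or executed. The two bootstrap imports (LoadLibraryA and GetProcAddress) remain static here; real attacker tooling resolves even those by hand from the PEB and export tables, which this example does not attempt.

```csharp
// Added example (not from the original page): static versus dynamic P/Invoke of
// VirtualAlloc, plus the metadata check a defender can run on a .NET assembly.
using System;
using System.Reflection;
using System.Runtime.InteropServices;

static class DynamicPInvokeDemo
{
    // Static P/Invoke: the import is recorded in the assembly's metadata (ImplMap),
    // so a scanner sees "kernel32.dll!VirtualAlloc" without running anything.
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr VirtualAlloc(IntPtr lpAddress, UIntPtr dwSize, uint flAllocationType, uint flProtect);

    // The only two static imports the dynamic path needs (see lead-in).
    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
    static extern IntPtr LoadLibraryA(string lpLibFileName);
    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
    static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);

    const uint MEM_COMMIT = 0x1000, MEM_RESERVE = 0x2000, PAGE_READWRITE = 0x04;

    // Delegate with VirtualAlloc's signature; the dynamic call goes through this.
    [UnmanagedFunctionPointer(CallingConvention.StdCall, SetLastError = true)]
    delegate IntPtr VirtualAllocFn(IntPtr lpAddress, UIntPtr dwSize, uint flAllocationType, uint flProtect);

    // Dynamic P/Invoke: resolve the export at run time and call it by address.
    // Nothing in the metadata names the target function.
    static T GetExport<T>(string module, string export) where T : Delegate
    {
        IntPtr hMod = LoadLibraryA(module);
        if (hMod == IntPtr.Zero)
            throw new Exception($"LoadLibraryA({module}) failed, error {Marshal.GetLastWin32Error()}");
        IntPtr addr = GetProcAddress(hMod, export);
        if (addr == IntPtr.Zero)
            throw new Exception($"GetProcAddress({export}) failed, error {Marshal.GetLastWin32Error()}");
        return Marshal.GetDelegateForFunctionPointer<T>(addr);
    }

    // Defender's static check: enumerate every P/Invoke stub declared in an assembly.
    static void ListStaticImports(Assembly asm)
    {
        foreach (Type t in asm.GetTypes())
            foreach (MethodInfo m in t.GetMethods(BindingFlags.Static | BindingFlags.NonPublic | BindingFlags.Public))
            {
                if ((m.Attributes & MethodAttributes.PinvokeImpl) == 0) continue;
                var imp = m.GetCustomAttribute<DllImportAttribute>();
                string dll = imp != null ? imp.Value : "?";
                string name = imp?.EntryPoint ?? m.Name;
                Console.WriteLine($"  {dll}!{name}");
            }
    }

    static void Main()
    {
        Console.WriteLine("Static imports visible in this assembly's metadata:");
        ListStaticImports(typeof(DynamicPInvokeDemo).Assembly);
        // Expected list: VirtualAlloc, LoadLibraryA, GetProcAddress. The dynamic
        // VirtualAlloc call below leaves no trace here.

        IntPtr a = VirtualAlloc(IntPtr.Zero, new UIntPtr(4096u), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
        VirtualAllocFn dynVirtualAlloc = GetExport<VirtualAllocFn>("kernel32.dll", "VirtualAlloc");
        IntPtr b = dynVirtualAlloc(IntPtr.Zero, new UIntPtr(4096u), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

        Console.WriteLine($"static  VirtualAlloc -> 0x{a.ToInt64():X}");
        Console.WriteLine($"dynamic VirtualAlloc -> 0x{b.ToInt64():X}");
    }
}
```

The point for detection engineering: dynamic resolution removes the API name from the static fingerprint of the assembly, but both calls land on the same exported stub and the same kernel path, so user-mode hooks on VirtualAlloc/NtAllocateVirtualMemory and kernel telemetry for new RW/RWX regions see the two calls identically. Static import scanning alone is therefore not a sufficient control.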
AMSI Bypass: The Antimalware Scan Interface (AMSI) is a scan API provided by Microsoft that antivirus solutions can plug into. Part of its job is to scan script content before a scripting engine executes it. An attacker who controls a process can, however, manipulate the interface functions within that process in order to disable AMSI's functionality.
In our examples, we use a PowerShell ransomware payload and attempt to execute it after deactivating AMSI. In a further example, we launch a PowerShell process, inject a small piece of shellcode that deactivates AMSI, and then hand the malicious ransomware over to that process.
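A process-level canary for the failure mode described above, as an added C# example that is not AV-TEST's test code: the program initializes AMSI itself, scans the AMSI test string that Microsoft publishes for exactly this purpose (Defender and other registered providers flag it), and reports whether the interface is still doing its job in this process. A healthy AMSI returns S_OK with a DETECTED result; the common in-process patches either make AmsiScanBuffer return a failing HRESULT (the well-known variant forces E_INVALIDARG) or make everything scan as clean, and the canary distinguishes these cases. Running it will raise a Defender alert for the test sample, which is the intended effect. The application name "AmsiCanary" is an arbitrary label chosen for the example.

```csharp
// Added example (not from the original page): checks whether AMSI is live and
// unpatched in the current process by scanning Microsoft's AMSI test string.
using System;
using System.Runtime.InteropServices;
using System.Text;

static class AmsiCanary
{
    // Signatures from amsi.h.
    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    static extern int AmsiInitialize(string appName, out IntPtr amsiContext);

    [DllImport("amsi.dll")]
    static extern void AmsiUninitialize(IntPtr amsiContext);

    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    static extern int AmsiScanBuffer(IntPtr amsiContext, byte[] buffer, uint length,
                                     string contentName, IntPtr amsiSession, out int result);

    const int S_OK = 0;
    const int E_INVALIDARG = unchecked((int)0x80070057);
    // AMSI_RESULT: 0 = CLEAN, 1 = NOT_DETECTED, >= 32768 = DETECTED
    const int AMSI_RESULT_DETECTED = 32768;

    // Microsoft's published AMSI test string; registered providers report it as malicious.
    const string AmsiTestSample = "AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386";

    // Returns true only if AMSI initialized, the scan call succeeded, and the
    // provider flagged the test sample. 'detail' explains any failure.
    public static bool AmsiIsLive(out string detail)
    {
        int hr = AmsiInitialize("AmsiCanary", out IntPtr ctx);
        if (hr != S_OK)
        {
            detail = $"AmsiInitialize failed with HRESULT 0x{hr:X8}: AMSI unavailable or no provider registered";
            return false;
        }

        try
        {
            // Scripting engines hand AMSI the UTF-16 bytes of the script text, so do the same.
            byte[] content = Encoding.Unicode.GetBytes(AmsiTestSample);
            hr = AmsiScanBuffer(ctx, content, (uint)content.Length, "canary.ps1", IntPtr.Zero, out int result);

            if (hr == E_INVALIDARG)
            {
                detail = "AmsiScanBuffer returned E_INVALIDARG for a valid buffer: consistent with an in-process patch of AmsiScanBuffer";
                return false;
            }
            if (hr != S_OK)
            {
                detail = $"AmsiScanBuffer failed with HRESULT 0x{hr:X8}";
                return false;
            }
            if (result < AMSI_RESULT_DETECTED)
            {
                detail = $"test sample scanned with result {result} (not detected): AMSI is neutered or the provider is inactive";
                return false;
            }

            detail = $"test sample detected (result {result}): AMSI is live in this process";
            return true;
        }
        finally
        {
            AmsiUninitialize(ctx);
        }
    }

    static void Main()
    {
        bool live = AmsiIsLive(out string detail);
        Console.WriteLine((live ? "OK   " : "FAIL ") + detail);
    }
}
```

The E_INVALIDARG case matters because script hosts such as PowerShell keep executing when the scan call fails rather than treating the failure as a detection; that is precisely why a patch that makes AmsiScanBuffer return an error is enough to disable scanning. A canary like this belongs in any long-running script host you own, and the same check can be exported to other processes by injecting nothing more than a call to these three functions.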
Advanced test: protection for consumer users
In the current evaluation, the 10 security packages for consumer users were put to the advanced test. The products involved were from AhnLab, Bitdefender, G DATA, Kaspersky, McAfee, Microsoft, Microworld, Norton, PC Matic and VIPRE Security. Each product was required to stand up against 10 test scenarios, in which different attempts were made to inject and execute ransomware in the system.
The packages from Bitdefender, G DATA, Kaspersky, McAfee, Microsoft and PC Matic were able to detect all 10 attacks and block the ransomware before it was able to create any damage. Each product received 30 points on its protection score for this performance.
While Microworld and Norton also detected all 10 attacks, each failed to completely block one of them. Microworld lost a point because individual files were encrypted: 29 points. With Norton, the defense collapsed completely after the attack had been detected, and the system was encrypted; the product nevertheless achieved 27.5 points on its protection score.
AhnLab and VIPRE Security each detected only 9 out of 10 attacks and therefore each lost the full 3 points in one instance. VIPRE Security also had problems in a second instance: despite detecting the attack and taking countermeasures, the system was encrypted in the end, which cost a further 1.5 points. AhnLab finished the test with 27 out of 30 points for the protection score, and VIPRE Security with 25.5 points.
Because all consumer products were above the threshold of 22.5 points, they received the AV-TEST certificate "Advanced Certified".
Advanced test: solutions for business users
In the advanced test lineup of endpoint security solutions were products from AhnLab, Bitdefender (2 versions), Check Point, G DATA, Kaspersky (2 versions), Microsoft, Sangfor, Symantec, Trellix, VMware, WithSecure and Xcitium.
Each product had to detect the attack technique and fend off the ransomware in 10 scenarios; for each ransomware detected and stopped completely, the lab awarded 3 points. Error-free detection of all attacks and successful blocking of the ransomware were delivered by Bitdefender (Endpoint and Ultra versions), Check Point, G DATA, Kaspersky (Endpoint and Small Office Security versions) and Xcitium. They all received the maximum 30 points for the protection score.
Symantec and Microsoft also detected all 10 attack scenarios but had difficulty in one instance: they detected the attack and the ransomware, and both even initiated additional countermeasures. In the end, however, individual files were encrypted with Symantec, and with Microsoft even the entire system was encrypted. As a result, Symantec received 29 points and Microsoft 28.5 points for the protection score.
AhnLab, Sangfor and WithSecure all had the same problem. In one case, they detected neither the attack technique nor the ransomware. The system was ultimately encrypted, and all the products lost the full 3 points in one instance: they ended up with 27 points each for the protection score.
The solutions from Trellix and VMware fared worst. Trellix detected 9 out of 10 attack scenarios; in one instance the ransomware was able to run unhindered. In two further instances, the attack and the ransomware were detected, but partial encryption of data could not be prevented. That left a total of 24 points for the protection score.
VMware finished even weaker. In two instances, the attack was not detected at all. In a third, the attack was detected and the ransomware was stopped, but a malicious VB script was left behind in the system's autostart. At least nothing was encrypted. In the final analysis, only 22.5 points remained for the protection score, which is exactly the minimum needed to receive the Advanced Protection certificate.