New powerful malware obfuscation technique

[PhantomHacker]

Hello everyone,

I want to raise your attention to an architectonic vulnerability in the graphical user interfaces of Windows, macOS and Linux. A powerful malware obfucation technique can be developed based on this vulnerability which is building block of a new malware type – Phantom Malware.
Metaphorically speaking, Phantom Malware is an additional hidden user “who” is acting currently with the “real” user (human).
For example, Phantom Ransomware: The user encrypts its own files...
Unfortunately, state of the art malware detection techniques are unable to detect the new malware type. Due to these techniques do not consider that the malware is able to interact with the graphical user interface.
Here is the link: Phantom Malware: Conceal Malicious Actions From Malware Detection Techniques by Imitating User Activity

It shows a new dimension of attack vectors: Instead of exploiting vulnerabilities of a program (e.g. Buffer Overflow), the design of a user interface is exploited for reaching an arbitrary code execution as trusted system user.
What do you think about that?

 

[Andy Ful]

Unfortunately, this method can avoid AMSI by using CMD commands. The infection part related to communication with the C&C server could be detected by AMSI if the attacker would use PowerShell or Windows Script Host, but the author uses Python.
All of this is interesting and can be dangerous by using offline ransomware (no C&C server). But in practice when the attacker wants to use C&C server then another scripting engine has to be used. If the attacker can install Python on the target machine then the Python scripts will be probably as dangerous as Phantom Malware.

 

[MacDefender]

Yeah these classes of techniques (including things like opening a VNC or RDP session to oneself or using virtualization software on the device to present a keyboard/mouse to the host that mimics user actions) are really hard for antimalware to detect because they all tend to have an anti-false-positive measure that attempts to allow either the user or trusted applications do the dirty deed.

In terms of exploiting the target machine, one attack I've previously demonstrated here is that you can add malware to Python libraries for legitimate apps that use Python like machine learning / AI python IDEs, and a very small subset of antimalware software was able to detect those apps directly going after My Documents "through the front door" so to speak, but stacked with better techniques for encrypting user data, it can be really hard to detect.


FWIW, one thing I learned months after my POC attacks is that even though initially they were undetected on VT, after a few months about half of the engines detected some aspect of my attack. Trying to defeat all of them was really hard without going back to the drawing board and fundamentally designing a new attack. It's yet another cat and mouse game -- what gets demonstrated today as a viable technique, if it actually takes off, quickly results in a myriad of detection methods by different AV vendors, and in my experience as soon as any vendor's AV engine automatically detects the threat, most other vendors are quick to follow suit.

Note that some OS'es do try to provide hardened protection against pretending to be the user. For example, on macOS there is an "accessibility" permission required to inject keyboard/mouse events to apps. The permissions dialogs that pop up on macOS for things like accessing your Documents folder cannot be easily clicked over VNC using automation. On Windows, UAC dialogs have modest protection by default against manufactured clicks. I really think these need to be a lot better but it's certainly a start.

 

[PhantomHacker]

Due to 25 pages on academic english are hard to read, I want to sum up the most important facts:

• An additional desktop will be created. The Windows Explorer (WE) will be opened on this desktop. Afterwards, the command will be inserted into its input box and confirmed for execution by sending corresponding Windows Messages. The victim will NOT see a CMD or any up popping window due to all these actions do not happened on the victim's current desktop.
• Phantom Malware splits up its malicious actions into a sequence of non-malicious SendMessage WinAPI calls. (see VI. ANALYSIS → A. FAILURE OF ANTI-VIRUS SOFTWARE).
• The WE is a preinstalled file manager and a fundamental part of the desktop environment of Windows, which makes this process trustworthy. Due to inserting and confirming a malicious command in the WE's input box, this trusted system process is manipulated to execute the command. Antivirus software will not block actions of a trusted system because it is considered bad practice. Besides, the operating system including modules of anti-virus software, such as behavior blockers, are fooled into perceiving that the user themselves has done the command insertion and its confirmation. In other words, it mistakenly looks like the execution of the malicious command has a legit basis with the user having intended the execution. (quoted form IX. CONCLUSION)

 

[Andy Ful]

Hi PhantomHacker,

It has been an interesting research. I could sum up your post even more. This method of attack can mimic the user actions very well, so most (probably all) AVs that depend on behavior-based detections will fail (for now). It will be probably adopted in-the-wild soon.

Anyway, it contains the "chain of user actions" that is suspicious. In theory such malware can be detected by machine learning. For example, the time of doing some mimicked user actions will be much shorter as compared to real user actions. The machine learning algorithms can possibly find more suspicious patterns, like opening another desktop --> opening WE --> running CMD sessions --> etc.
Of course, the attacker can refine the attack to avoid detection again and the defenders will improve the ML algorithms, etc.

 

[Jan Willy]

That technical stuff goes way over my head. Therefore a question from a dummy: offers HIPS any protection?

 

[Andy Ful]

That technical stuff goes way over my head. Therefore a question from a dummy: offers HIPS any protection?

You can disable/block the command prompt or use the setup which can alert on running cmd.exe, etc. But Phantom malware requires the 0-day initial malware/exploit, so any defense that can reduce the chances to encounter 0-day malware (anti-phishing, anti-spam, Ad-blocker, file reputation / prevalence cloud lookup, etc.) will be effective in practice, too.

 

[MacDefender]

No matter what, this attack has to start with a malicious script or executable commanding Windows Explorer to do something malicious. Yes, an AV that just looks at the second half (Windows Explorer and beyond) can’t tell this is malicious, but we have seen Kaspersky System Watcher and others defeat 7Zip and other LOLBin attacks despite the second half having good reputation.

In my opinion it really boils down to the popularity of the attack. If it is prevalent, every AV will have some answer to the threat. But if it’s newly invented, we consistently see an industry wide weakness where AVs, even with behavior blockers, are unreliable and can be bypassed by completely novel techniques. It is out of the scope of a stock AV+behavior blocker to defend machines against hand crafted custom attacks when the user is going to happily execute anything

 

[Freud2004]

Hello everyone,


Unfortunately, state of the art malware detection techniques are unable to detect the new malware type. Due to these techniques do not consider that the malware is able to interact with the graphical user interface.

I really don't like this part.... So how I know I am infected, when is too late!!!!

 

[Ink]

You can disable/block the command prompt or use the setup which can alert on running cmd.exe, etc.

What if you're using Windows XP or 7, but won't disable/block CMD?

 

[Andy Ful]

What if you're using Windows XP or 7, but won't disable/block CMD?

Nothing special will happen for home users. You have to have bad luck to encounter the 0-day malware/exploit and it has to choose this method (out of many others).
Anyway, such malware can be dangerous in the targeted attacks and can be easily overlooked by administrators.

 

[PhantomHacker]

The insertion of a command in the Window Explorer's input box is ONLY the tip of the eisberg.
The mentioned obfuscation technique in the paper is more polymorphic than it looks at first glance.

Read E. Advanced User Imitating of SECTION VII.Further Research and Improvements!
I quoted the most important parts:

Users conveniently interact with windows directly that provide the corresponding functionality in order to execute their desired action. Another option would be to insert and confirm a command in the WE’s input box which executes this action. In consequence of giving the Phantom Malware’s command execution a more humane characteristic, further research steps would be the development of techniques for interacting with specific windows on the additional desktop.
[...]
As [another] example, a file shall be overwritten by the Phantom Malware. The overwriting process shall be similar to how the humane user would conduct it: Instead of applying a command for this action, the user interacts with an editor program. The Phantom Malware sends corresponding Windows Messages to the WE window for executing the following actions in order to open the file. For this process it uses Notepad [86] (preinstalled editor in Windows): [...]

This is very dangerous. ML algorithms will have serious problems to detect this.

 

[FireHammer]

Hi, I think it is very nasty stuff, and the fact that we cant protect us against it.

 

[Andy Ful]

The insertion of a command in the Window Explorer's input box is ONLY the tip of the eisberg.
The mentioned obfuscation technique in the paper is more polymorphic than it looks at first glance.
...
This is very dangerous. ML algorithms will have serious problems to detect this.

It will be a detection problem for sure like with any new malware family. Some ML modifications are required to fully detect this method.

But there are some things that are special for the above Phantom Malware variant:

1. Opening the second Desktop by the unknown process (suspicious).
2. Unknown process inserts command to Explorer's Input box (suspicious).
3. Explorer spawns CMD to run commands (suspicious).
4. Using by CMD a redirected command output into a text file (suspicious).
5. Suspicious API used.
6. etc.

These suspicious events (in the specific sequence) can be recognized as malicious, after a few successful infections in the wild (postinfection detection).
This method could probably avoid detection for a longer time when used not by ransomware, but by spyware.

 

[PhantomHacker]

The author created a video about his paper.
Link:
He sums up the important points and demonstrates a C++ implementation for Windows 10 as a proof of concept for the impersonated user actions on the additional desktop.