Obfuscation is one the many techniques used by malware to evade static analysis methods and traditional anti-malware solutions which rely on hashes and strings for malware detection and analysis. This post is part of our series on malware evasion techniques. Feel free to read the other posts in this series which discussed Living off the Land, Sandbox Evasion, and detecting security and forensic tools.
In this post we’ll be providing an overview on the use of hashes and strings in malware detection/analysis and how obfuscation techniques are used against them.
Malware detection and analysis using hashes and strings
Traditional antivirus (AV) tools and threat analysts usually detect malware by comparing the hash of the file in question with the malware hashes they have in their database or, in the case of an analyst, by submitting the hash to a tool like VirusTotal. If a match is found, the file is identified as malware and the appropriate action is carried out—e.g., the file may be deleted, quarantined, processed to trigger an alert, and so on.
Another method often employed by threat analysts is Strings Analysis. It involves finding and analyzing readable strings of text (typically in ASCII or Unicode format) in a file that may otherwise consist mostly of non-human readable characters. Those readable strings of text can sometimes reveal filenames, IP addresses, URLs, HTTP requests, registry keys, and other important information that can provide clues on how the suspected malware works.
For instance, a filename might indicate that the malware is programmed to create a file, an IP address might point to the malware’s command and control (C2) server, or entries of registry keys might be the keys it intends to alter.
Using obfuscation to alter hashes and strings
Knowing how important hashes and strings are in threat detection and analysis, malware authors devise ways to alter these attributes in order to sow confusion and bypass detection. The act of altering the contents of a malicious file to change its hash (a.k.a. signature) or render its strings unreadable is known as obfuscation.
Here are some of the most common obfuscation methods we see in the malware variants we’ve analyzed.
Packing
One way to obfuscate a file is by packing it or, in simple terms, by compressing it. The packed or compressed version of a file will have a different hash to the original. Not only that, but it also renders several previously readable strings incomprehensible. If, therefore, you rely only on hashes and strings to analyze a piece of packed malware, chances are you won’t be very successful. We’ve encountered several types of malware that use this kind of obfuscation method, including Redline Stealer and Hancitor which are two of the most recent ones we’ve analyzed.
Encryption
Encryption is best known as a security control for preserving confidentiality. Cybersecurity teams rely heavily on encryption to protect sensitive data. However, because this method renders text unreadable, cybercriminals now also use it to obfuscate malware. BlackMatter, a ransomware we featured last year, and Emotet, a highly notorious banking trojan, are just two of the many malware variants that employ encryption for obfuscation.
Encoding
Another method similar to encryption is encoding, with the most popular variant of this method being Base64 encoding. While both of these obfuscation methods obscure information, encryption uses keys whereas encoding doesn’t. The Egregor ransomware and Quasar RAT employ this kind of obfuscation.
Blocking obfuscated malware with Minerva
While obfuscation is a pretty crafty technique for avoiding detection, it is by no means unbeatable.
In fact, Minerva Labs does not rely on any form of hash or signature detection to stop ransomware during its earliest stages, and is therefore completely unaffected by any change made to obscure the hash, stopping these ransomware regardless.