By Emilie Mavel Christensen
Have you ever received an email with a link to an unexpected invoice, or come across a suspicious looking “get rich quick” ad online? These were most likely traps designed to make you click and infect your computer or phone with malware.
This is the first post in a three-part series exploring malware reverse engineering. In this installment, we delve into why security experts dissect malicious code and how organizations can benefit from these insights.
The term malware, a portmanteau of malicious software, refers to any software designed to exploit a computer system and its data[1]. Malware comes in many shapes and sizes, from ransomware that will prevent you from accessing your files to spyware that harvest sensitive information. Unfortunately, they are part of our daily lives and make up part of our digital reality.
This article is the first in a series of three that will dive into malware reverse engineering. Part one explores why malware reverse engineering is so important, part two will focus on the how and the obstacles analysts may encounter along the way, and part three will delve into an analysis of a malware recently encountered by Trifork Security.
What is malware?
As mentioned above, malware is malicious software that will try to use your computer or smartphone for nefarious purposes – often without you noticing. There are many types of malware with various behaviours: ransomware will lock your files until you pay a ransom; spyware will steal data from your system to either sell or use it without your permission; worms will spread from system to system… The list goes on[2], [3], [4], [5].
These days, malware typically tries to be as stealthy as possible, and operates like a digital nesting doll. The initial malware is written with as few lines as possible, to make it small and easy to overlook[6], [7]. Once it has infected a system, it will retrieve additional malware (payloads) that will damage said system or even retrieve yet another payload with other malicious functionalities[8]. This layered approach makes detection and defense more complicated.
Dissecting a digital bomb
At first glance, malware reverse engineering (or MRE) may seem somewhat counterintuitive – like dismantling a bomb instead of defusing it. But sometimes, you do in fact want to take the bomb apart and analyse its components piece by piece, as it may provide valuable information as to how it works. Doing so will allow you to confirm it is a bomb and provide you with the keys to understand how it works in order to determine how to defuse it safely.
MRE is performed for the same reasons: security researchers dissect malware to understand how it works, how to identify it, and how to defeat or eliminate it[9].
There are many types of malware with different methods of infiltration and persistence, making their categorization crucial for security consultants. Figuring out how malware infects systems and spreads can reveal its identity and uncover (sometimes unknown) vulnerabilities. Such insights can then be relayed to the developers of affected devices and software, enabling them to patch and secure their products effectively[10], [11]. Some international companies even dedicate entire teams to this effort, like Google’s Project Zero group[12].
Defusing real-world threats
Another reason to reverse engineer malware is to devise both short and long-term solutions to prevent infections. Take the WannaCry ransomware attack in 2017 for example. In a single day, the ransomware spread like wildfire, contaminating an estimated 230,000 Windows computers across both public and private institutions worldwide.[13], [14]
Marcus Hutchins, a British security researcher, played a pivotal role in stopping its spread, as he was one of the first to analyse the malware. Early on, he found that the malware attempted to connect to a specific website and behaved differently when it succeeded. The website in question turned out to be a killswitch – if the malware could access the website, it would completely stop. Hutchins bought the domain to gather data about the scale and location of infected systems and unknowingly stopped the spread of that particular WannaCry strain.[15]
A more recent example is the reverse engineering of Qakbot, a malware that stole banking information and encrypted infected computers, allowing its creators to amass an estimated 60 million USD in ransom payments.[16] In August 2023, a coordinated multinational action led to the seizing and takedown of the infrastructure behind Qakbot. Additionally, the FBI redirected traffic from infected machines to FBI-controlled servers. When the malware tried to retrieve additional payloads from the malicious website, it instead downloaded an uninstaller that completely removed Qakbot from the infected systems[17].
Every contact leaves a trace
Reverse engineering can also help analysts gather clues about the identity of the individual or group behind the attack. It is, however, an arduous task, and law enforcement analysts must often gather bread crumbs from various different sources before they can attribute an attack to a specific entity.
To get a sense of the amount of work required, try browsing the arrest warrant and the associated affidavit[18] published by the American Department of Justice in June 2018, in the case against Park Jin Hyok.
This 179-page document details the leads the FBI uncovered after years of investigation, during which they meticulously combed through thousands of emails and dozens of infected systems, to connect Park Jin Hyok to the Lazarus Group. The Lazarus Group had been involved in several highly publicised cyberattacks, such as the hack of Sony Pictures Entertainment in 2014 and the development and launch of WannaCry[19].
Using reverse engineering, the FBI noted that the malware contained a Rich Text Format (“RTF”) tag “\fcharset129” in its metadata, which indicates the presence of a Hangul (Korean) character set on the computer. This specific character set is installed on a Windows device only if a user specifies Korean as a language setting. While it was just one detail in a much larger puzzle, this clue helped investigators link WannaCry to the Lazarus Group, and ultimately to Park Jin Hyok.
Hopefully, this first article has provided some insight into why analysts delve into malicious code and the concrete benefits of MRE. Next week, we will dive together into the how of malware reverse engineering and, just as importantly, examine the ways malware creators try to prevent it.
Sources:
[1] ‘Malware’, Wikipedia. Nov. 02, 2024. Accessed: Nov. 05, 2024. [Online]. Available: https://en.wikipedia.org/w/index.php?title=Malware&oldid=1254984759
[2] A. Wolf, ‘Most Common Malware Attacks’, Arctic Wolf. Accessed: Nov. 19, 2024. [Online]. Available: https://arcticwolf.com/resources/blog/8-types-of-malware
[3] ‘12 Common Types of Malware Attacks and How to Prevent Them’, Search Security. Accessed: Nov. 19, 2024. [Online]. Available: https://www.techtarget.com/searchsecurity/tip/10-common-types-of-malware-attacks-and-how-to-prevent-them
[4] ‘What is Malware? Malware Definition, Types and Protection’, Malwarebytes. Accessed: Nov. 19, 2024. [Online]. Available: https://www.malwarebytes.com/malware
[5] ‘What Is Malware? – Definition and Examples’, Cisco. Accessed: Nov. 19, 2024. [Online]. Available: https://www.cisco.com/site/us/en/learn/topics/security/what-is-malware.html
[6] B. Blunden, Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System. Jones & Bartlett Publishers, 2013.
[7] J. Tanner, ‘Malware 101: Additional payloads’, Barrcuda Blog. Accessed: Nov. 19, 2024. [Online]. Available: https://blog.barracuda.com/2023/11/02/malware-101-additional-payloads
[8] ‘Obfuscated Files or Information: Embedded Payloads, Sub-technique T1027.009 – Enterprise | MITRE ATT&CK®’. Accessed: Nov. 19, 2024. [Online]. Available: https://attack.mitre.org/techniques/T1027/009/
[9] ‘Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software: Sikorski, Michael, Honig, Andrew: 8601400885581: Amazon.com: Books’. Accessed: Nov. 08, 2024. [Online]. Available: https://www.amazon.com/Practical-Malware-Analysis-Hands-Dissecting/dp/1593272901
[10] R. Yu, ‘GINMASTER: A CASE STUDY IN ANDROID MALWARE’.
[11] S. Sengupta, ‘Reverse Engineering Malware: Techniques And Tools For Analyzing And Dissecting Malicious Software’, Medium. Accessed: Nov. 13, 2024. [Online]. Available: https://sudip-says-hi.medium.com/reverse-engineering-malware-techniques-and-tools-for-analyzing-and-dissecting-malicious-software-4dd5949135f0
[12] G. P. Zero, ‘Simple macOS kernel extension fuzzing in userspace with IDA and TinyInst’, Project Zero. Accessed: Dec. 11, 2024. [Online]. Available: https://googleprojectzero.blogspot.com/
[13] N. H. S. England, ‘NHS England » NHS England business continuity management toolkit case study: WannaCry attack’. Accessed: Nov. 12, 2024. [Online]. Available: https://www.england.nhs.uk/long-read/case-study-wannacry-attack/
[14] ‘What Is WannaCry Ransomware’, Akamai. Accessed: Nov. 12, 2024. [Online]. Available: https://www.akamai.com/glossary/what-is-wannacry-ransomware
[15] M. Hutchins, ‘How to Accidentally Stop a Global Cyber Attacks – MalwareTech’. Accessed: Nov. 12, 2024. [Online]. Available: https://malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html
[16] ‘Qakbot Malware Takedown and Defending Forward | Huntress’. Accessed: Nov. 12, 2024. [Online]. Available: https://www.huntress.com/blog/qakbot-malware-takedown-and-defending-forward
[17] ‘Office of Public Affairs | Qakbot Malware Disrupted in International Cyber Takedown | United States Department of Justice’. Accessed: Nov. 12, 2024. [Online]. Available: https://www.justice.gov/opa/pr/qakbot-malware-disrupted-international-cyber-takedown
[18] ‘dl.pdf’. Accessed: May 27, 2024. [Online]. Available: https://www.justice.gov/usao-cdca/press-release/file/1091951/dl?inline
[19] G. White, The Lazarus Heist: Based on the No 1 Hit podcast. Penguin Business, 2022.