Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network

Presented at Black Hat Asia 2021 Virtual, May 7, 2021, 1:30 p.m. (30 minutes).

Process injection is a widely used defense evasion technique in malware and fileless intrusions: it runs custom code inside the address space of another process. It improves stealth, and some variants also provide persistence. We have observed many APT campaigns use this method to evade detection and maintain persistence, so detecting memory-resident malware that has been injected into a process is increasingly important. Antivirus software has a low detection rate for memory-resident malware. As far as we know, the best current options against such attacks are memory-forensics tools such as Volatility, Rekall and Get-InjectedThread combined with YARA rules, but their disadvantage is that they cannot recognize unknown malware or shellcode-based malware.

More and more researchers propose using machine learning to classify malware families or to detect malware. While there are many ways to apply machine learning to malware classification, most work depends heavily on handcrafted features that can be evaded easily. To address these weaknesses, we present Mem2Img, a memory-resident malware detection framework based on an ensemble of convolutional neural networks (CNNs). The framework converts a memory block injected by a malware binary or shellcode into an image and learns features automatically from the raw data, avoiding handcrafted features that can lose information. Our experiments used more than 100,000 memory blocks. With the best image size chosen and a fine-tuned model, we can infer which known malware family a memory block belongs to, or raise an alert for an unknown but high-risk memory block and report the probability that it is associated with a given malware or APT group. The experimental results show that the method meets the accuracy requirements of practical use and scales well to the ever-changing attacks of the future.
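The block-to-image step the abstract describes, as an added example written by the editor rather than TeamT5's own Mem2Img code: each byte of a captured memory region becomes one grayscale pixel, rows are laid out at a width that keeps the image roughly square, and the result is resampled to a fixed size so regions of any length share one CNN input shape. The width heuristic, the 64x64 target size and the sample block are assumptions for illustration, not the tuned values from the talk.

```python
# Added example (editor's code, not TeamT5's Mem2Img implementation):
# turn a captured memory block into the fixed-size grayscale image a
# Mem2Img-style CNN would consume. The width heuristic, the 64x64 target
# size and the sample block below are assumptions for illustration.
from typing import List

Image = List[List[int]]  # rows of pixel values 0..255


def choose_width(n_bytes: int) -> int:
    """Pick a row width that keeps the image roughly square: the smallest
    power of two whose square covers the block (heuristic assumed here,
    not the talk's tuned image size)."""
    width = 1
    while width * width < n_bytes:
        width *= 2
    return width


def bytes_to_rows(block: bytes, width: int) -> Image:
    """One pixel per byte, laid out row by row; the last row is zero-padded
    so every row has the same width."""
    if width <= 0:
        raise ValueError("width must be positive")
    padded = block + b"\x00" * (-len(block) % width)
    return [list(padded[i:i + width]) for i in range(0, len(padded), width)]


def resize_nearest(rows: Image, size: int) -> Image:
    """Nearest-neighbour resample to a size x size image so blocks of any
    length share one CNN input shape. Coarse, but it keeps the byte-level
    texture (code vs. data vs. padding) that the network learns from."""
    h, w = len(rows), len(rows[0])
    return [
        [rows[min(h - 1, y * h // size)][min(w - 1, x * w // size)] for x in range(size)]
        for y in range(size)
    ]


def block_to_image(block: bytes, size: int = 64) -> Image:
    """Full preprocessing step: raw injected block -> size x size grayscale."""
    if not block:
        raise ValueError("empty memory block")
    return resize_nearest(bytes_to_rows(block, choose_width(len(block))), size)


def to_pgm(rows: Image) -> bytes:
    """Serialise as binary PGM (P5) so the image can be opened in any viewer."""
    h, w = len(rows), len(rows[0])
    return f"P5 {w} {h} 255\n".encode() + bytes(v for row in rows for v in row)


if __name__ == "__main__":
    # Constructed sample: a NOP sled followed by a byte ramp and zero
    # padding, standing in for a region dumped from an injected thread.
    sample = b"\x90" * 512 + bytes(range(256)) * 2 + b"\x00" * 300
    img = block_to_image(sample)
    with open("block.pgm", "wb") as fh:
        fh.write(to_pgm(img))
    print(f"{len(sample)} bytes -> {len(img)}x{len(img[0])} image, "
          f"row width {choose_width(len(sample))}")
```

Feeding the region dumped by a tool such as Get-InjectedThread into `block_to_image` gives the fixed-shape array a CNN expects; the zero padding at the end of a block is visible in the image, which is one reason image size matters when training on blocks of very different lengths.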

Presenters:

  • Aragorn Tseng - Malware Researcher, TeamT5
    Aragorn Tseng is a malware researcher at TeamT5 from Taiwan. He worked for two years in Taiwan's law enforcement agencies on incident response and tracking APT campaigns. His research fields include malware analysis, incident response, APT campaign tracking and applying deep learning to cyber security issues.
  • Charles Li - Chief Analyst, TeamT5
    Charles Li is the chief analyst of TeamT5. He leads the analyst team in TeamT5 for threat intelligence research. He has been studying cyber-attacks and campaign tracking for more than 10 years. His research interests include vulnerability research, reverse engineering and APT attacks. He often publishes research and gives training courses at security conferences.
