Deep Impact: Recognizing Unknown Malicious Activities from Zero Knowledge

Presented at Black Hat Europe 2018, Dec. 6, 2018, 10 a.m. (50 minutes)

Existing approaches to detecting malicious activity include pattern matching, blacklists, behavioral analysis, and event correlation. Each of them has drawbacks, for instance:

- Unknown threats and sophisticated attacks can circumvent them.
- Some of them require huge resources.

This talk covers how we address those issues and how we detect unknown malicious activities from the ordinary logs of devices that are not dedicated to attack detection, such as proxies and firewalls.

1. C2 Server Detection

We discover malware that periodically communicates with C2 servers, such as bots and RATs, from zero knowledge. To achieve this, we generate over two million communication patterns by enumerating C2-like communication patterns with a generator script, and we train Convolutional Neural Networks on common logs converted into "virtual images" by mapping the count of communications and the sent/received bytes in chronological order. We will show that our models detect the C2 communications of various unknown (that is, unlearned) malware samples taken from actual incidents, including PlugX, RedLeaves/himawari, xxmm, Asruex, ursnif/gozi, and Vawtrak.

2. Exploit Kit Detection

Stable detection of Exploit Kits (EKs) is difficult because EK URLs and contents change frequently. However, we found an effective way to detect EKs from zero knowledge. The method detects unknown (again, unlearned) EKs from standard proxy logs by recognizing emulated content-type sequences of EKs (e.g. html -> swf -> octet-stream) with Recurrent Neural Networks. These sequences are closely tied to how EKs behave, so attackers cannot change them easily. We will show that our models, trained with 300 thousand EK-like content-type sequences, detect 14 kinds of EKs, including Rig, Nebula, Terror, Sundown, and KaiXin.
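Both techniques in the abstract start from the same raw material, ordinary proxy logs, and differ in how the logs are shaped before a neural network sees them. The following Python is an added example, not code from the talk or its authors: it parses constructed proxy log lines and produces the two inputs described above, a per-destination "virtual image" (count, sent bytes, received bytes per time bin, in chronological order) for the C2 detector, and per-client content-type sequences (e.g. html -> swf -> octet-stream) for the EK detector. The log format, the content-type aliases, the 5-minute bins, the 60-second session gap, and the synthetic beacon generator are all assumptions made for this example.

```python
"""Added example (not from the Black Hat talk): shape proxy logs into the two
inputs the abstract describes. Log format and sample lines are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines: time, client, host, sent bytes, received bytes, content-type.
SAMPLE_LOG = """\
2018-12-06T10:00:01 10.0.0.5 update.example-c2.test 312 1024 text/html; charset=utf-8
2018-12-06T10:05:02 10.0.0.5 update.example-c2.test 310 1030 text/html
2018-12-06T10:10:01 10.0.0.5 update.example-c2.test 315 1020 text/html
2018-12-06T10:15:03 10.0.0.5 update.example-c2.test 311 1028 text/html
2018-12-06T10:02:10 10.0.0.7 news.example.test 420 58000 text/html
2018-12-06T10:02:11 10.0.0.7 news.example.test 380 21000 application/x-shockwave-flash
2018-12-06T10:02:13 10.0.0.7 news.example.test 400 90000 application/octet-stream
2018-12-06T10:40:00 10.0.0.9 mail.example.test 500 7000 text/html
"""

# Assumed observation window for the virtual image (start of the sample log).
WINDOW_START = datetime(2018, 12, 6, 10, 0, 0)

# Assumed short tokens for the content types the abstract mentions.
CTYPE_ALIASES = {
    "text/html": "html",
    "application/x-shockwave-flash": "swf",
    "application/octet-stream": "octet-stream",
    "application/javascript": "js",
}


def parse_log(text):
    """Parse the constructed 6-field format; the content-type may contain spaces."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, sent, recv, ctype = line.split(None, 5)
        records.append({"time": datetime.fromisoformat(ts), "client": client,
                        "host": host, "sent": int(sent), "recv": int(recv),
                        "ctype": ctype})
    return records


def build_virtual_image(records, host, start, bin_seconds=300, bins=12):
    """Map one destination's traffic onto a bins x 3 grid (count, sent, recv),
    in chronological order: the 'virtual image' a CNN would consume."""
    image = [[0, 0, 0] for _ in range(bins)]
    for r in records:
        if r["host"] != host:
            continue
        offset = int((r["time"] - start).total_seconds() // bin_seconds)
        if 0 <= offset < bins:
            image[offset][0] += 1
            image[offset][1] += r["sent"]
            image[offset][2] += r["recv"]
    return image


def virtual_image_from_log(text, host):
    """Convenience wrapper: parse the log and image one host over WINDOW_START."""
    return build_virtual_image(parse_log(text), host, WINDOW_START)


def synthetic_beacon_image(bins, period_bins, sent, recv):
    """Constructed training sample: one beacon every period_bins bins, the kind
    of C2-like pattern a generator script would enumerate (assumed shape)."""
    image = [[0, 0, 0] for _ in range(bins)]
    for i in range(0, bins, period_bins):
        image[i] = [1, sent, recv]
    return image


def normalize_ctype(ctype):
    """Drop parameters such as charset and map to a short token."""
    base = ctype.split(";")[0].strip().lower()
    return CTYPE_ALIASES.get(base, base)


def content_type_sequences(records, gap_seconds=60):
    """Per client, order responses chronologically and start a new session when
    the gap between responses exceeds gap_seconds (assumed rule).
    Returns {client: [[token, ...], ...]} ready for an RNN."""
    by_client = defaultdict(list)
    for r in sorted(records, key=lambda r: r["time"]):
        by_client[r["client"]].append(r)
    sequences = {}
    for client, recs in by_client.items():
        sessions, current, last = [], [], None
        for r in recs:
            if last is not None and (r["time"] - last).total_seconds() > gap_seconds:
                sessions.append(current)
                current = []
            current.append(normalize_ctype(r["ctype"]))
            last = r["time"]
        sessions.append(current)
        sequences[client] = sessions
    return sequences


if __name__ == "__main__":
    for row in virtual_image_from_log(SAMPLE_LOG, "update.example-c2.test")[:4]:
        print(row)
    print(content_type_sequences(parse_log(SAMPLE_LOG)))
```

In the sample, the host contacted every five minutes with near-constant byte counts produces a virtual image with one hit per bin and flat sent/received columns, the regular texture the talk's CNN is trained to recognize, while the browsing client yields the html -> swf -> octet-stream token sequence the RNN is trained on. The session-gap rule is the part most worth tuning on real logs, since it decides where one content-type sequence ends and the next begins.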

Presenters:

  • Hisao Nashiwa - Threat Analyst, Internet Initiative Japan Inc.
    Hisao Nashiwa is a threat analyst working for Internet Initiative Japan as a member of the company's CSIRT. His main jobs include incident response, analyzing malware, and analyzing network traffic; he has observed malicious activities for over nine years. He researches cyber crimes such as exploit kits and malware and has five years of experience in analyzing malware. He is a speaker and a trainer at international conferences such as FIRST.
  • Hiroshi Suzuki - Malware & Forensics Analyst, Internet Initiative Japan Inc.
    Hiroshi Suzuki is a malware analyst, forensic investigator and incident responder working for the Japanese ISP Internet Initiative Japan Inc. He is a member of IIJ-SECT, the private CSIRT within his company. His main jobs include analyzing malware and vulnerabilities, observing malware activities, threat intelligence on attackers, digital forensics, and incident response for his company and its customers. He is especially interested in targeted attacks and the RATs and attack tools used in them, such as PlugX and Mimikatz. He has over 12 years dedicated to those areas. He is a speaker and a hands-on trainer at international conferences such as Black Hat and FIRST.
