A New Trend for the Blue Team - Using a Practical Symbolic Engine to Detect Evasive Forms of Malware/Ransomware

Presented at Black Hat USA 2022, Aug. 10, 2022, 4:20 p.m. (40 minutes).

Blue Teams and anyone on the defensive side face several challenges when reverse engineering suspected malware or ransomware binaries, especially samples that use obfuscation techniques, such as packed variants, embedded exploits and complex ransomware. The first challenge is deciding whether the sample is even worth the effort (what makes it unique, challenging or new); the second is choosing static analysis, dynamic analysis, or both. With static analysis, you give up the ability to detect obfuscated malicious behaviour that only becomes visible at run time; dynamic analysis is both labor and time intensive, requires a high degree of skill and experience, and carries the risk of the binary escaping your sandbox emulation or virtualization environment.

We believe there may be a new tool for the Blue Team's toolbox: a symbolic execution engine for detecting and analyzing suspected malware/ransomware binaries. A practical symbolic engine can walk many of the binary's possible execution paths and represent those paths as symbolic expressions. With relatively low computing resources, such an engine can analyze malicious execution paths, analyze contextual relationships derived from instruction semantics, perform taint tracking, and fuzzily identify obfuscated API calls.

Using our practical symbolic engine, built by combining and improving on academic and practical research, you can identify and detect various exploits, attack techniques, and multiple malware/ransomware variants through symbolic signatures of attack techniques and ransomware behaviors, in a fully static setting. Even if the malware binary is obfuscated, we can still analyze it statically and detect it effectively. Our plan is to make the engine available to the community as open source during Black Hat USA 2022, to give back to the infosec community and help Blue Teams save time on an ongoing and difficult problem.


Presenters:

  • Sheng-Hao Ma - Threat Researcher, TXOne Networks Inc.
    Sheng-Hao Ma (@aaaddress1) is currently working as a threat researcher at TXOne Networks and has specialized in Windows reverse engineering analysis for over 10 years. In addition, he is currently a member of CHROOT, an information security community in Taiwan. He has also served as a speaker and instructor for various international conferences and organizations such as DEFCON, HITB, Black Hat, VXCON, HITCON, ROOTCON, the Ministry of National Defense, and the Ministry of Education. He is also the author of the popular security book "Windows APT Warfare: The Definitive Guide for Malware Researchers".
  • Mars Cheng - Manager, PSIRT and Threat Research, TXOne Networks Inc.
    Mars Cheng (@marscheng_) is the manager of the TXOne Networks PSIRT and threat research team, responsible for coordinating product security and threat research. Mars blends a background and experience in both ICS/SCADA and enterprise cybersecurity systems. Mars has directly contributed to more than ten CVE-IDs, and has had work published in three Science Citation Index (SCI) applied cryptography journals. Before joining TXOne, Cheng was a security engineer at the Taiwan National Center for Cyber Security Technology (NCCST). Mars is a frequent speaker and trainer at several international cyber security conferences such as Black Hat Europe, RSA Conference, DEFCON, SecTor, FIRST, HITB, ICS Cyber Security Conference Asia and USA, HITCON, SINCON, CYBERSEC, and CLOUDSEC. Mars is the general coordinator of HITCON (Hacks in Taiwan Conference) 2022, and was coordinator of HITCON 2021 and vice general coordinator of HITCON 2020.
  • Hank Chen - Threat Researcher, TXOne Networks Inc.
    Hank Chen is a threat researcher at TXOne Networks. Hank is in charge of malware analysis, product security, and vulnerability research. Hank was a teaching assistant for Cryptography at Taiwan Tsing Hua University (NTHU) and an instructor of the cyber security training course for the Taiwan Ministry of Defense. He has also taken part in many CTF competitions with BalsiFox and 10sec, focusing on crypto, reverse, and pwn challenges, and placed 12th in the HITCON CTF 2019 finals. Hank has also attended several cyber security conferences such as FIRST 2022 and CYBERSEC 2022.
