April 2023 Blog

Obfuscation – A Threat Actor’s Favorite Tactic

One of the major concerns that companies have today is how to remain secure and prevent cyberattacks given the increase in such attacks and the increase in a company’s vulnerability due to digitization. As companies digitize and seek to make use of cloud-enabled architectures and applications, the uncertainty about the extent of new vulnerabilities increases.

I would like to highlight a favorite tactic of threat actors, which is obfuscation and encryption. Threat actors can use obfuscation and encryption to disguise a malicious payload as an innocuous or unintelligible script which will then bypass automated defenses.

  1. Obfuscation in Multi-Stage Malware Infections

In this scenario, a threat actor has undertaken a detailed reconnaissance on his intended victim and has crafted a malware payload that he has engineered to be able to bypass the Firewall and Anti-Virus (AV). The way the threat actor can engineer a malicious payload to bypass your firewall and AV is by using obfuscation. Obfuscation can be defined as making something difficult to understand. Obfuscation, in programming, is used to protect intellectual property by making the source code unreadable, preventing anyone on reverse-engineering it. When obfuscation is combined with encryption it becomes very difficult to prevent using Artificial Intelligence (AI)-based automated cybersecurity products. Encryption is one of well-known methods of obfuscation. Removing metadata, replacing class and function names with irrelevant or random ones or adding random useless pieces of code are also methods of obfuscation. Unfortunately, hackers are also using these techniques to prevent their malicious payloads from detection by security solutions. The 2020 ’Solar Winds’ hack was one of the best examples of hackers using obfuscation to evade defenses.

Obfuscation works by using complex roundabout phrases or redundant logic to make the code unreadable or harder to understand. From a security perspective, obfuscation is also used to fool antivirus solutions and other security solutions that use signatures for detection and prevention.

Here is an example of how a threat intelligence tool like VirusTotal automatically flags a suspected malicious script.

In this case, the threat intelligence flagged 12 hits in the threat database…so far, so good. However as will be seen by the following slides, it is relatively easy to make subtle changes to the payload to disguise its malicious nature.

As can be seen by the green ‘0’ the 12 detections in VirusTotal have been reduced to zero. This was possible because the threat actor used equivalent characters to bring up the common invoke expression or ‘IEX’ command to run a PowerShell command to launch the virus. PowerShell is a native part of the operating system and using such a convoluted approach to create obfuscated PowerShell commands to run commands/scripts is a tactic commonly used by threat actors.

The insidious and frustrating feature of this type of attack is how the automated defenses fail to prevent it entering your computer and network. As can be seen from the graphic below, the firewall and AV are fully functional and updated, however the malicious payload has nevertheless gained entry.

A reverse shell has been opened on your computer and now the threat actor can communicate and instruct your computer to do several things, such as:

  • Disable your Anti-Virus.
  • Remove any automated cyberdefenses.
  • Begin lateral movement in your network and undertake privilege escalation to access higher levels of the network to wreak more havoc.
  • Install more backdoors and reverse shells to facilitate command and control.
  • Install malicious trojans, worms or cryptominers.
  • Exfiltrate (steal) information, credentials and personal data.
  • Steal credentials by keystroke monitoring to access financial information.
  • Launch ransomware lock screen and blackmail/extortion.

As can be seen by the graphic below, the bypassed firewall and AV now leave your computer and network totally vulnerable.

In the unhappy event that such an attack is launched against your company, you really have very few options. One option you do have, is to ensure that you have a robust back-up and isolation policy for any computers or network so attacked.

  1. How OmniSecuritas/CYDEF Smart-Monitor Helps Detect Sophisticated Attacks

This is why we highly recommend you invest in a multi-layered cybersecurity defense posture that employs OmniSecuritas/CYDEF Smart-Monitor as a patented, innovative, and powerful defense against advanced threats such as the one described above.

OmniSecuritas have partnered with CYDEF (www.cydef.ca) an innovative Canadian cybersecurity company with a unique, patented, threat hunting approach to cybersecurity.

Unlike most traditional EDRs, our SMART-Monitor advanced EDR is pro-active rather than reactive. This means that conventional EDRs use a set of queries that trigger a reactive search using Artificial Intelligence (AI) key algorithms that seek indicators of attack and/or techniques, tactics and procedures. Because most advanced malware is engineered to bypass the algorithmic reactive EDRs, they are often undetected by an AI-based reactive process.  The Omni/CYDEF SMART-Monitor managed endpoint detection and response product and services turn traditional managed EDR on its head by baselining normal, good behavior and then focusing on investigating everything that is not qualified as good. This investigation is done with a team of human threat hunters aided by patent-pending tools, so that the compendium of normal good behaviors is progressively augmented as the system is used, thus making it smarter over time. The graphic below explains the patented CYDEF Smart-Monitor, the unique methodology and its benefits:

The concept here is to develop a multi-layered defense-in-depth approach to cybersecurity by having perimeter defenses such as the firewall and anti-virus be augmented by Managed Endpoint Detection and Response (MEDR) or advanced EDR that incorporates threat-hunting as an inherent part of the multi-layered defense strategy. The key capability that OmniSecuritas/CYDEF can deliver in terms of a defense-in-depth or multi-layered security approach is that OmniSecuritas/CYDEF Smart-Monitor detects threats that have bypassed the firewall, AV and traditional EDRs – in the detonation and/or post-exploitation phase.

OmniSecuritas use Human Threat-Hunters to find sophisticated threats that are specifically engineered to bypass the firewall, AV and automated EDRs.  Smart-Monitor uses AI and ML to organize the thousands of logs of endpoint activities into 4 categories:

  • Known Good – Green
  • Unknown – White
  • Suspicious – Yellow
  • Known Bad – Red

Our technology focuses on having human threat hunters monitor all the logs for Indicators of Compromise (IoCs).  The thousands of logs have been truncated and organized by the AI and Machine Learning, as per above, to facilitate human threat hunting and this ensures that all activity is reviewed. Because of the powerful patented CYDEF software and unique ‘stack view’ analytical tool, one OmniSecuritas/CYDEF analyst can review the data for 10,000 computers a day! This is typically 5 times more activity that a comparable security analyst can review with traditional automated EDRs.

Another key discriminator of OmniSecuritas is that our solution is turnkey. There are no modules or features that must be purchased separately. All threat detections, pro-active threat-hunting, containment, and remediation support are provided as a turnkey package, thus facilitating overall budgeting, and lowering the cost of ownership. As this service is a managed EDR, the amount of effort and staffing required by our customers is far below our competitor’s product offerings, which require a significant customer level of effort and costs to make their solutions effective.

OmniSecuritas, unlike most automated Endpoint detection and Response (EDR) companies, does not issue alerts for a SOC team to review. We only issue confirmed incident tickets. This is a key discriminator when comparing the CYDEF Smart-Monitor technology against traditional EDRs from large well-known companies. We do the hard work of monitoring your systems, so that you may focus on your core business.