Obfuscated Files or Information

Entropy of a file does matter

Posted by Robert Pearce on September 1, 2020

Adversaries may obfuscate the contents of an executable or other file, on the system or in transit, by encrypting, encoding, compressing, or otherwise hiding it. This is a common adversary strategy for getting past network and platform security controls.

This approach uses techniques such as compression, archiving, and packing that transform data in order to evade detection. Some of these techniques require user interaction to restore the data to its original form, such as entering a password to open a password-protected file.

Subtechnique 1: T1027.001 Binary Padding

Binary padding modifies the malware's binary without changing its functionality or behavior. It works by appending useless data to the original malicious binary. Adversaries use binary padding to get past security scanners that skip files larger than a particular size, and to defeat static controls based on file hashes, since the padded file no longer matches the original hash.

Some security programs lack the configuration or architecture necessary to scan large files. Picus Labs studied the available cloud-based and local antivirus and antimalware programs. The default maximum file size limits that we encountered were 25 MB, 100 MB, 120 MB, 150 MB, and 200 MB.

Connection Manager service profiles are installed using the built-in Windows command-line tool CMSTP (the Microsoft Connection Manager Profile Installer). By supplying CMSTP.exe with installation information files (.inf) that contain malicious commands, adversaries use it to proxy execution of those commands.

"One single vulnerability is all an attacker needs." -Window Snyder

Subtechnique 2: T1027.002 Software Packing

MPRESS and UPX are examples of compression packers that are legitimately used to reduce the file size of executables. However, malware developers take advantage of them to evade signature-based detection. Packers can also drastically slow down manual malware analysis, which may allow the malware to remain active for longer. Other popular packers are VMProtect, ASPack, Themida, Exe Packer, and Morphine.

...

Adversaries also employ customized versions of packers in an effort to reduce the detection rate. As an illustration, Ares malware used a modified UPX that changed the default UPX section names (UPX0, UPX1, ...) to conventional section names such as .text, .data, and .rdata.
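Both padding and packing show up in a file's byte entropy, but they pull in opposite directions: a packed or encrypted payload is close to 8 bits per byte, while a large zero-padding tail drags the whole-file figure down and can mask that signal. The Python below is an added example (not code from this post or from Picus Labs) that measures entropy over the whole file, over the body with trailing padding stripped, and per chunk; the samples are constructed in the script, and the 4096-byte chunk size, 4096-byte minimum padding run and 7.2-bit threshold are assumed values.

```python
import math
import random
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 for one repeated value, ~8.0 for random data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def trailing_padding(data: bytes, min_run: int = 4096) -> int:
    """Length of a trailing run of one repeated byte value, or 0 if shorter than min_run."""
    i = len(data)
    while i > 0 and data[i - 1] == data[-1]:
        i -= 1
    run = len(data) - i
    return run if run >= min_run else 0

def assess(data: bytes, chunk: int = 4096, high: float = 7.2) -> dict:
    """Score a file for padding and packing: whole-file entropy, entropy of the body
    with trailing padding stripped, and the share of body chunks that look packed/encrypted."""
    pad = trailing_padding(data)
    body = data[: len(data) - pad] if pad else data
    # Ignore a short tail chunk: too few bytes to estimate entropy reliably.
    chunks = [c for c in (body[i:i + chunk] for i in range(0, len(body), chunk)) if len(c) >= 256]
    high_count = sum(1 for c in chunks if shannon_entropy(c) >= high)
    return {
        "size": len(data),
        "entropy_whole": round(shannon_entropy(data), 3),
        "entropy_body": round(shannon_entropy(body), 3),
        "trailing_padding": pad,
        "high_entropy_chunks": high_count,
        "total_chunks": len(chunks),
        "likely_packed": bool(chunks) and high_count / len(chunks) > 0.5,
    }

# Constructed samples (not real files): a 32 KiB pseudo-random "packed" body padded
# with 512 KiB of zero bytes, and a plain, low-entropy text blob with no padding.
_rng = random.Random(1)
PACKED_PADDED = bytes(_rng.getrandbits(8) for _ in range(32 * 1024)) + b"\x00" * (512 * 1024)
PLAIN = b"Hello from an unpacked text section. " * 2000

if __name__ == "__main__":
    for name, sample in (("packed+padded", PACKED_PADDED), ("plain", PLAIN)):
        print(name, assess(sample))
```

On the padded sample the whole-file entropy falls below 1 bit per byte while the body stays near 8, which is why a scanner that scores only the whole file misses the packed payload.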

Steganography is a method for hiding secret information inside a non-secret file or message so that it goes unnoticed; as a result, it is usually difficult even to establish that a hidden message exists. Steganography can conceal image, video, audio, or text files by embedding them inside another digital file.

Always keep an eye out and be safe :) · Robert Pearce