Demystifying Malware Analysis: A Guide for Incident Responders

Malware analysis is a critical technique used by incident responders and security analysts to detect and mitigate potential threats. By understanding the behaviour and purpose of suspicious files or URLs, analysts can effectively triage incidents based on their severity and develop appropriate responses.

Malware analysis can also uncover hidden indicators of compromise (IOCs) and remnants of malware infections, providing valuable insights into the capabilities and intentions of attackers. In short, malware analysis is an essential tool for understanding and defending against the ever-evolving landscape of cyber threats. In this article, we will demystify malware analysis, explore its benefits, and review the different tools used by malware analysts in their work.

The Goals of Malware Analysis

By examining the behaviour and intentions of malicious software, security professionals can better understand and counteract it and adjust defensive security controls to give higher assurance of protection. Let's quickly cover the most common goals of malware analysis, including classification, attribution, and improved detection and response.

• Classification: Malware can have various nefarious goals, and understanding these goals is key to developing appropriate countermeasures. Malware classification is an important tool for building adversary profiles and attributing malware to specific threat actors or groups. Malware classification can take several approaches, including classifying a particular sample as a known or novel strain of malware, or categorizing it based on its core capabilities. Some common capability-based malware classifications include droppers, loaders, stealers, ransomware, remote-access trojans (RAT), and wipers. Malware may also be classified as "first-stage" malware, which is designed to gain initial access to a target system, or "second-stage" malware, which seeks to achieve the attacker's secondary objectives. By understanding these different types of malware and their goals, defenders can better prepare for and respond to attacks.

• Attribution: Attributing cyber attacks to specific threat actors or groups can help organizations identify their adversaries and develop more effective threat intelligence. This, in turn, contributes to a greater understanding of the threat landscape and a more accurate risk assessment. Attribution can also help classify attackers into one or more broad categories, such as Advanced Persistent Threat (APT), nation-state, cybercriminal, business competitor, terrorist, hacktivist, or novice hacker (aka script-kiddie). By correlating attribution with ultimate goals, such as geopolitical disruption, theft of valuable information, financial gain, or reputational damage, organizations can better understand the motivations behind the attacks and develop more targeted defenses.

• Improved Detection And Response: Analysis is a critical tool for detecting and responding to malware. By identifying new tactics and techniques and uncovering indicators of compromise (IOCs), such as filenames, process names, file hashes, and command and control domains, defenders can better understand the behaviour of the malware and develop more effective countermeasures. Once a malware's tactics, techniques, and procedures (TTPs) and IOCs have been identified, defenders can implement mitigation strategies, such as blocking access to known malicious domains and IP addresses and implementing new security controls. TTPs and IOCs can also be used to develop detection modules, such as YARA rules, for anti-malware and EDR/XDR products, enabling more proactive and effective threat detection.

The Tools Of Malware Analysis

There are multiple malware analysis tools.

These include:

Static Analysis Tools

Static analysis tools are used to examine the structure and contents of malware without executing it. Examples of static analysis tools include integrated development environments (IDE), disassemblers, decompilers, and hex editors. These tools can help analysts determine the malware's source code structures and instructions. This helps uncover any remote connections, API calls, and shared libraries such as DLLs used by malware for gaining persistence, stealing or encrypting sensitive data, and obfuscating code to avoid detection by anti-virus and other endpoint security products.

A disassembler takes machine code, which is a low-level representation of a program, and converts it into assembly code; a more human-readable format. On the other hand, a decompiler is a tool that takes a compiled software binary and converts it back into a high-level programming language, such as C or Java. Both disassemblers and compilers are used for reverse engineering malware into a human-readable format so analysts can understand how it works and what its objectives are. 

Other tools are also useful in static code analysis. For example, string extraction tools can find plain-text strings within a compiled binary which may expedite the discovery of an attacker's API endpoint, IP addresses, or URLs. Also, entropy analysis tools such as binwalk can identify parts of a malware file that have a high degree of randomness or unpredictability, which can indicate the presence of encrypted or obfuscated code. Another broad category of tools used for static malware analysis is decoders which will convert between various data formats. For example, hex editors convert binary data to hexadecimal digits and a base64 decoder can decode base64 encoded data segments.

Dynamic Analysis Tools

Dynamic analysis tools execute malware in a controlled environment and observe its behaviour. Some dynamic analysis tools include memory analysis programs, debugging tools, virtual machines, and network sniffers. The key benefit of dynamic analysis is that it can quickly reveal what a particular malware is doing such as identifying remote connections that the malware is trying to establish, as well as files it's trying to access or impact.

Memory analysis tools allow analysts to examine the contents of a system's memory as it is used by legitimate programs and malware alike. This can help identify how malware utilizes memory instead of regular files for loading and executing commands.  "Fileless malware" is a type of malware that avoid storing data as files on the victim's hard-disk, and malware also uses techniques such as process hollowing to hijack a legitimate process and inject malicious code to avoid detection. In these cases, memory analysis helps determine what the malware is doing. 

Network analysis tools such as Wireshark, tshark, or tcpdump monitor a device's network adapters (ethernet or wireless interfaces) to see if the malware connects to remote command and control (C2) servers to exfiltrate data or importing additional payloads. Network analysis can also be accomplished with Security Information and Event Management (SIEM) hardware appliances.

Debuggers allow analysts to follow how malware interacts with the underlying system by monitoring its process behaviour in real time. Debugging tools can help analysts identify important system calls, API function calls, and other indicators that may help in understanding the behavior of the malware.

Virtualization tools are used to create isolated protected environments for executing malware. This protects the research analyst's system and network from the malware by "sandboxing" it; preventing it from communicating with other devices on the network. Virtual machines also allow analysts to test the malware against different operating systems and configurations. This can help identify any behaviour or payloads that may be specific to certain environments or configurations, which can be helpful in developing effective mitigation strategies.

Conclusion

Malware analysis is vital to incident responders who need to know the potential impact of a compromise and to security analysts to help build defensive detection and response tactics that can protect organizations.

Analyzing malware depends on a wide array of essential tools to decompile malware payloads to understand its source code and dynamic analysis tools to observe how it behaves in an environment. Specific tools are crucial such as virtualization to allow the safe execution of malware in a controlled environment.

Finally, for a high degree of assurance, it's essential to put IT security products such as anti-malware and EDR/XDR products to the ultimate test by pitting them head to head against malware to verify they can mitigate cyber threats effectively.

Ready to take the next step in ransomware protection? Learn more about our ransomware penetration services or download our Buyer's Guide below.