Orchestration of APT malware evasive manoeuvers employed for eluding anti-virus and sandbox defense

Abstract

The modern day cyber attacks are highly targeted and incorporate advanced tactics, techniques and procedures for greater stealth, impact and success. These attacks are also known as Advanced Persistent Threats(APT) because of their evasive and stealth nature along with longer foothold on the victim’s digital infrastructure. The malware involved in APT attacks are sophisticated and developed with the intention of sabotaging the victim’s digital infrastructure or performing espionage. They are capable of targeting multiple operating environments starting from desktop and server operating systems (Windows, Linux and MacOS), Mobile platforms (Android, iOS), Embedded platforms (IoT Devices), to Industrial control systems (ICS/SCADA Devices). The evolution of evasive tactics and techniques employed in such advanced malware leads to extensive research efforts to develop mechanisms that can counter these evasion techniques. The research primarily aims to demonstrate that evasive manoeuvers are currently over-weighing the security countermeasures deployed by the prevalent security solutions. This paper will first explain the evasion mechanism in a systematic manner employed in modern APT malware and aims to implement a novel Evasive Manoeuvers Re-Engineering Framework(EMRF).EMRF aims to establish and demonstrate combinations of evasive manoeuvers with much known APT malware samples to elude security solutions. The payload variants, i.e., executable, dynamic link library, and shell-code, were experimented through a research-based framework EMRF to demonstrate 36% to 96% of evasive behavior countering the majority of defender engines. The EMRF system with its dynamic user defined evasion manoeuvers is able to transform non-zero-day payloads more potent by evading majority of the modern security solutions. This research clearly demonstrates the attacker’s ability to deliver non-zero-day payloads easily rather than investing resources and time in discovering zero-day exploits and developing zero-day payloads. This important observation can potentially disrupt the Advanced Persistent Threat Defenses incorporated in modern day security solution where focus is mainly on to detect zero-day payloads and exploits. Exhibiting the threat landscape poised due to APT, the paper utilizes a dataset of 4403 APT malware samples to extract and orchestrate the prevalence of evasive manoeuvers like stealth, covert communication, and anti-analysis mechanisms. This paper will contribute towards advanced malware analysis as an avenue to analyzing intrusion, evasion, and deception to prevent detection and verification, an association of responsibility, and determination of intent.