Malicious Payloads Research Articles

Yara-Based Emotet Malware Scanner – A Factual Analysis

Malware is malicious software which has the ability to compromise sensitive data and disrupt systems. At present malicious software is the most efficient tool used in compromising the security of computers or any other electronic devices connected to the internet. This has become a menace owing to the rapid progress in technologies such as encryption and data hiding techniques. A highly adaptable and persistent type of malware, Emotet is well-known for its capacity to propagate via phishing emails and send out further malicious payloads, by impairing network and data security. Emotet poses a special risk since it serves as a gateway for other viruses, such as ransomware and data thieves, which can cause serious data breaches, monetary losses, and interruptions to business operations. It poses a serious danger to both individual users and big enterprises due to its advanced evasion techniques and quick network spread. In this project, distinct file signatures and byte patterns that are distinctive of the malware are identified by YARA rules in order to detect Emotet. These patterns include specific sequences used in Emotet’s payload and obfuscation techniques, allowing for precise detection within scanned files.

CADefender: Detection of unknown malicious AutoLISP computer-aided design files using designated feature extraction and machine learning methods

Computer-aided design (CAD) files are used to create digital designs for various structures – from the smallest chips in the high-tech industry to large-scale buildings and bridges in the civil engineering space. We found that most exploits and malicious payloads are deployed through Auto List Processing (AutoLISP) source code (LSP) or Fast Load AutoLISP (FAS) files, which are non-executable files (NEFs) containing scripts in the AutoLISP language that are native to AutoCAD; While antivirus software is capable of detecting many malicious CAD files, the potential to improve protection by using a dedicated machine learning (ML) based detection solution remains, especially against unknown and sophisticated CAD malware. In this study, we are the first to propose designated feature extraction methods and a robust framework aimed at the detection of known and unknown AutoLISP malware using ML algorithms. To accomplish this, we examined the structure, functionality, and ecosystems of AutoLISP files and collected the largest known representative collection of LSP files consisting of 6418 malicious and benign files (labeled and verified). We then explored the use of two novel static-analysis-based feature extraction methods (knowledge-based and structural) designated for LSP files to extract a discriminative set of informative features, which can subsequently be used by ML models to detect malicious LSP files. These two feature extraction methods serve as the basis of the proposed detection framework, whose performance we comprehensively compare to both widely used antiviruses and baseline ML models based on existing feature extraction methods, including MinHash, Bidirectional Encoder Representations from Transformers (BERT), and n-gram. Our results highlight our methods' contributions to the detection of unknown AutoLISP malware and demonstrate their ability to outperform existing methods. The best performance in the task of unknown malicious LSP file detection was obtained by the Artificial Neural Networks (ANN) model trained on 100 knowledge-based features, which obtained a true positive rate (TPR) of 99.49% with a false positive rate (FPR) of 0.57%. Our framework's role in explainability is also highlighted, as we also present the prominent features that contribute most to the model's detection capabilities; this information can be used for explainability purposes. We conclude by evaluating the proposed framework's ability to detect a malicious file from an unknown AutoLISP malware family and by evaluating our framework on an additional independent test set that originated from another source, scenarios that are often faced by malware detection solutions.

Oblivion: an open-source system for large-scale analysis of macro-based office malware

AbstractMacro-based Office files have been extensively used as infection vectors to embed malware. In particular, VBA macros allow leveraging kernel functions and system routines to execute or remotely drop malicious payloads, and they are typically heavily obfuscated to make static analysis unfeasible. Current state-of-the-art approaches focus on discriminating between malicious and benign Office files by performing static and dynamic analysis directly on obfuscated macros, focusing mainly on detection rather than reversing. Namely, the proposed methods lack an in-depth analysis of the embedded macros, thus losing valuable information about the attack families, the embedded scripts, and the contacted external resources. In this paper, we propose Oblivion, an open-source framework for large-scale analysis of Office macros, to fill in this gap. Oblivion performs instrumentation of macros and executes them in a virtualized environment to de-obfuscate and reconstruct their behavior. Moreover, it can automatically and quickly interact with macros by extracting the embedded PowerShell and non-PowerShell attacks and reconstructing the whole macro behavior. This is the main scope of our analysis: we are more interested in retrieving specific behavioural patterns than detecting maliciousness per se. We performed a large-scale analysis of more than 30,000 files that constitute a representative corpus of attacks. Results show that Oblivion could efficiently de-obfuscate malicious macros by revealing a large corpus of PowerShell and non-PowerShell attacks. We measured that this efficiency can be quantified in an analysis time of less than 1 min per sample, on average. Moreover, we characterize such attacks by pointing out frequent attack patterns and employed obfuscation strategies. We finally release the information obtained from our dataset with our tool.

DoubleR: Effective XSS attacking reality detection

Cross-site scripting (XSS) attack has been one of the most dangerous attacks in cyberspace security. Traditional methods essentially discover XSS attack by detecting malicious payloads in requests, which is unable to distinguish blind&random scanning with the attacking reality. Moreover, it also brings tens of thousands of worthless security alerts to administrators, as well as unfriendly experience to users. In this paper, we propose DoubleR, a bi-directional framework which detects both Requests and Responses to discover XSS attacking reality. On the basis of conventional detection of malicious requests, DoubleR collects responses from web server and trains a bagging based PU learning model to determine whether the vulnerability is truly triggered. To validate our proposed framework, experiments are performed on 5 popular Web applications with 11 specified CVE recorded vulnerabilities. Results show that DoubleR effectively distinguishes attacking reality from attacking attempts, reduce the worthless security alarms, and at the same time works well on other web attacks of the same type.

TLS fingerprint for encrypted malicious traffic detection with attributed graph kernel

Recently, more and more applications have adopted security protocols like Transport Layer Security (TLS) for data encryption. However, these privacy-enhancing approaches have also been abused by the attackers to deliver malicious payloads. Many existing encrypted network classification methods suffer from the imbalanced volume of normal and malicious traffic, which leads to bad model robustness. In this paper, we propose a novel TLS fingerprinting approach to capture the characteristics of encrypted network traffic. The fingerprints are attributed graphs obtained from TLS sessions, which can simultaneously take into consideration the sequential and statistical features of these sessions. As the communication patterns of different applications differ considerably, the graphs representing TLS connections could be used to characterize the network with the help of the graph kernel method, which results in a model with high accuracy in malicious TLS session detection and application discrimination. Moreover, we adopt Locality-Sensitive Hashing (LSH) and filtering techniques to reduce the time cost of our model. Model evaluation on real-world datasets shows that our model is more robust than existing methods presented in this work when the malicious traffic takes up an extremely small portion of the whole traffic.

PellucidAttachment: Protecting Users From Attacks via E-Mail Attachments

Malicious email attachments are a common and successful attack vector on today's Internet. Sophisticated at- tackers can craft highly-targeted attachments, using publicly available information about potential victims to create convincing documents that contain hidden malicious payloads. Users who open these attachments using vulnerable applications are at a high risk of infection. Unfortunately, current mitigations are unreliable, relying either on fallible malware detection techniques or user education. In this work, we propose adopting a default policy of isolated attachment rendering. Emails bearing attachments are transpar- ently rewritten (in a sandboxed virtual machine environment) to contain static renderings of the attachments. Users who wish to obtain the original attachment are explicitly warned of the dan- gers of doing so – akin to TLS warnings as used in web browsers before being allowed to access the requested documents. We implement this technique in a system we call PellucidAttachment. We further report on an extensive user study that measures the usability and effectiveness of PellucidAttachment in shielding users from attacks. Our evaluation shows that adopting email attachment security indicators and an isolation-by-default policy results in a significant increase in user security, while maintaining the usability of email attachments.

A PU‐learning based approach for cross‐site scripting attacking reality detection

AbstractCross‐site scripting (XSS) attack has been one of the most dangerous attacks in cyberspace security. Traditional methods essentially discover XSS attack by detecting malicious payloads in requests, which is unable to distinguish attacking attempts with the attacking reality. The authors collect responses from a web server and train a bagging‐based PU learning model to determine whether the XSS vulnerability is truly triggered. To validate the authors’ proposed framework, experiments are performed on 5 popular web applications with 11 specified CVE recorded vulnerabilities and 32 vulnerable inputs. Results show that the authors’ approach outperforms existing research studies, effectively identifies the attacking reality from attacking attempts, and meanwhile reduces the number of worthless security alarms.

WAFBOOSTER: Automatic Boosting of WAF Security Against Mutated Malicious Payloads

WAFBOOSTER: Automatic Boosting of WAF Security Against Mutated Malicious Payloads

TNN-IDS: Transformer neural network-based intrusion detection system for MQTT-enabled IoT Networks

The Internet of Things (IoT) is a global network that connects a large number of smart devices. MQTT is a de facto standard, lightweight, and reliable protocol for machine-to-machine communication, widely adopted in IoT networks. Various smart devices within these networks are employed to handle sensitive information. However, the scale and openness of IoT networks make them highly vulnerable to security breaches and attacks, such as eavesdropping, weak authentication, and malicious payloads. Hence, there is a need for advanced machine learning (ML) and deep learning (DL)-based intrusion detection systems (IDS). Existing ML-based IoT-IDSs face several limitations in effectively detecting malicious activities, mainly due to imbalanced training data. To address this, this study introduces a transformer neural network-based intrusion detection system (TNN-IDS) specifically designed for MQTT-enabled IoT networks. The proposed approach aims to enhance the detection of malicious activities within these networks. The TNN-IDS leverages the parallel processing capability of the Transformer Neural Network, which accelerates the learning process and results in improved detection of malicious attacks. To evaluate the performance of the proposed system, it was compared with various IDSs based on ML and DL approaches. The experimental results demonstrate that the proposed TNN-IDS outperforms other systems in terms of detecting malicious activity. The TNN-IDS achieved optimum accuracies reaching 99.9% in detecting malicious activities.

A Long-Term Perspective of the Internet Susceptibility to Covert Channels

Modern malware now takes advantage of information hiding to avoid detection and implement various offensive and elusive mechanisms. The creation of covert channels, i.e., parasitic communication paths nested within legitimate traffic, is becoming a prime tool to exfiltrate sensitive information or retrieve additional malicious payloads. Despite their impact on the security of the Internet, a precise evaluation of the susceptibility of network traffic to covert channels is missing. Moreover, since the hiding capacity is driven by the targeted protocol and its diffusion, understanding their evolution is vital to engineering countermeasures. To fill such a research gap, this paper discusses how the susceptibility to information hiding mechanisms of major Internet protocols evolved from 1999 to 2021. Results suggest that a periodic quantification of the phenomena should be part of the continuous cyber security monitoring.

Analysis of Various Malicious Payload Deployment Cables

Cybercriminals and hackers are always thinking of clever, new ways to exploit your devices and you must be perpetually vigilant. A malicious cable is any cable (electrical or optical) which performs an unexpected, and unwanted function. The most common malicious capabilities are found in USB cables. Data exfiltration, GPS tracking, and audio eavesdropping are the primary malicious functions. The worst malicious cables take control of a user’s cell phone, laptop, or desktop. Usernames and passwords are the first bits to go. Next, the connected device’s storage is emptied. Attacks through various computer ports such as Ethernet Port, if the targeted network contains faulty Ethernet (networking) cables on the attacker's path to their victim. This project gives a broad overview and a comparative study of the list of vulnerabilities in the hardware ports of a computer that can be exploited by the attackers using various malicious cables and payloads. Keywords— malicious, payloads, data infiltration, USB cables, ethernet cables, HDMI cables

Analysis and Correlation of Visual Evidence in Campaigns of Malicious Office Documents

Many malware campaigns use Microsoft (MS) Office documents as droppers to download and execute their malicious payload. Such campaigns often use these documents because MS Office is installed on billions of devices and that these files allow the execution of arbitrary VBA code. Recent versions of MS Office prevent the automatic execution of VBA macros, so malware authors try to convince users into enabling the content via images that, e.g., forge system or technical errors. In this article, we propose a mechanism to extract and analyse the different components of the files, including these visual elements, and construct lightweight signatures based on them. These visual elements are used as input for a text extraction pipeline which, in combination with the signatures, is able to capture the intent of MS Office files and the campaign they belong to. We test and validate our approach using an extensive database of malware samples, obtaining an accuracy above 99% in the task of distinguishing between benign and malicious files. Furthermore, our signature-based scheme allowed us to identify correlations between different campaigns, illustrating that some campaigns are either using the same tools or collaborating between them.

A New Data-Balancing Approach Based on Generative Adversarial Network for Network Intrusion Detection System

An intrusion detection system (IDS) plays a critical role in maintaining network security by continuously monitoring network traffic and host systems to detect any potential security breaches or suspicious activities. With the recent surge in cyberattacks, there is a growing need for automated and intelligent IDSs. Many of these systems are designed to learn the normal patterns of network traffic, enabling them to identify any deviations from the norm, which can be indicative of anomalous or malicious behavior. Machine learning methods have proven to be effective in detecting malicious payloads in network traffic. However, the increasing volume of data generated by IDSs poses significant security risks and emphasizes the need for stronger network security measures. The performance of traditional machine learning methods heavily relies on the dataset and its balanced distribution. Unfortunately, many IDS datasets suffer from imbalanced class distributions, which hampers the effectiveness of machine learning techniques and leads to missed detection and false alarms in conventional IDSs. To address this challenge, this paper proposes a novel model-based generative adversarial network (GAN) called TDCGAN, which aims to improve the detection rate of the minority class in imbalanced datasets while maintaining efficiency. The TDCGAN model comprises a generator and three discriminators, with an election layer incorporated at the end of the architecture. This allows for the selection of the optimal outcome from the discriminators’ outputs. The UGR’16 dataset is employed for evaluation and benchmarking purposes. Various machine learning algorithms are used for comparison to demonstrate the efficacy of the proposed TDCGAN model. Experimental results reveal that TDCGAN offers an effective solution for addressing imbalanced intrusion detection and outperforms other traditionally used oversampling techniques. By leveraging the power of GANs and incorporating an election layer, TDCGAN demonstrates superior performance in detecting security threats in imbalanced IDS datasets.

Security Analysis of Web Open-Source Projects Based on Java and PHP

During website development, the selection of suitable computer language and reasonable use of relevant open-source projects is imperative. Although the two languages, PHP and Java, have been extensively investigated in this context, there are not many security test reports based on their open-source projects. In this article, we conducted separate security analyses on web-related open-source projects based on PHP and Java. To this end, different open-source frameworks and services are used to design websites used to test experimental attacks on 12 popular open-source filters available on GitHub, as well as investigate the use of Lightweight Directory Access Protocol (LDAP) in the Firefox browser environment. Using malicious payloads published by Open Web Application Security Project (OWASP) and others, Cross-site Scripting (XSS), Local File Inclusion (LFI), SQL injection, and LDAP injection are performed on the test targets. The experimental results reveal that although PHP-based open-source projects are more vulnerable to attacks than Java-based ones, there is significant room for improvement. Finally, a whitelist-based filtering scheme is proposed. This scheme filters the inline attributes of label elements so that the filter has an excellent detection rate of malicious payloads while having an excellent pass rate of benign payloads. Effective references and suggestions for web developers are also included to aid the selection of open-source web projects, and feasible solutions to improve filter performance are proposed.

Generative Adversarial Networks for Cyber Threat Hunting in Ethereum Blockchain

Ethereum blockchain has shown great potential in providing the next generation of the decentralized platform beyond crypto payments. Recently, it has attracted researchers and industry players to experiment with developing various Web3 applications for the Internet of Things (IoT), Defi, Metaverse, and many more. Although Ethereum provides a secure platform for developing decentralized applications, it is not immune to security risks and has been a victim of numerous cyber attacks. Adversarial attacks are a new cyber threat to systems that have been rising. Adversarial attacks can disrupt and exploit decentralized applications running on the Ethereum platform by creating fake accounts and transactions. Detecting adversarial attacks is challenging because the fake materials (e.g., accounts and transactions) as malicious payloads are similar to benign data. This article proposes a model using Generative Adversarial Networks (GAN) and Deep Recurrent Neural Networks (RNN) for cyber threat hunting in the Ethereum blockchain. Firstly, we employ GAN to generate fake transactions using genuine Ethereum transactions as the first phase of the proposed model. Then in the second phase, we utilize bi-directional Long Short-Term Memory (LSTM) to identify adversarial transactions in a hunting exercise. The results of the first phase evaluation show that the GAN can generate transactions identical to the actual Ethereum transactions with an accuracy of 82.51%. Also, the results of the second phase show 99.98% accuracy in identifying adversarial transactions.

A Cloud-Based AI Way to deal with Phishing URL Location

Abstract: Phishing is constantly growing to be one of the most adopted tools for conducting cyber-attacks. Recent statistics indicated that 97% of users could not recognize a sophisticated phishing email. With over 1.5 million new phishing websites being created every month, legacy black lists and rule-based filters can no longer mitigate the increasing risks and sophistication level of phishing. Phishing can deploy various malicious payloads that compromise the network’s security. In this context, machine learning can play a crucial role in adapting the capabilities of computer networks to recognize current and evolving phishing patterns. In this paper, we present PhishNot, a phishing URL detection system based on machine learning. Hence, our work uses a primarily ”learning from data” driven approach, validated with a representative scenario and dataset. The input features were reduced to 14 to assure the system’s practical applicability. Experiments showed that Random Forest presented the best performance with a very high accuracy of 97.5%. Furthermore, the design of our system also lends itself to being more adoptable in practice through a combination of high phishing detection rate and high speed (an average of 11.5 per URL) when deployed on the cloud

PhishNot: A Cloud-Based Machine-Learning Approach to Phishing URL Detection

Phishing is constantly growing to be one of the most adopted tools for conducting cyber-attacks. Recent statistics indicated that 97% of users could not recognize a sophisticated phishing email. With over 1.5 million new phishing websites being created every month, legacy black lists and rule-based filters can no longer mitigate the increasing risks and sophistication level of phishing. Phishing can deploy various malicious payloads that compromise the network’s security. In this context, machine learning can play a crucial role in adapting the capabilities of computer networks to recognize current and evolving phishing patterns. In this paper, we present PhishNot, a phishing URL detection system based on machine learning. Hence, our work uses a primarily ”learning from data” driven approach, validated with a representative scenario and dataset. The input features were reduced to 14 to assure the system’s practical applicability. Experiments showed that Random Forest presented the best performance with a very high accuracy of 97.5%. Furthermore, the design of our system also lends itself to being more adoptable in practice through a combination of high phishing detection rate and high speed (an average of 11.5μs per URL) when deployed on the cloud.

Dwarf Mongoose Optimization with Machine-Learning-Driven Ransomware Detection in Internet of Things Environment

The internet of things (ransomware refers to a type of malware) is the concept of connecting devices and objects of all types on the internet. IoT cybersecurity is the task of protecting ecosystems and IoT gadgets from cyber threats. Currently, ransomware is a serious threat challenging the computing environment, which needs instant attention to avoid moral and financial blackmail. Thus, there comes a real need for a novel technique that can identify and stop this kind of attack. Several earlier detection techniques followed a dynamic analysis method including a complex process. However, this analysis takes a long period of time for processing and analysis, during which the malicious payload is often sent. This study presents a new model of dwarf mongoose optimization with machine-learning-driven ransomware detection (DWOML-RWD). The presented DWOML-RWD model was mainly developed for the recognition and classification of goodware/ransomware. In the presented DWOML-RWD technique, the feature selection process is initially carried out using an enhanced krill herd optimization (EKHO) algorithm by the use of dynamic oppositional-based learning (QOBL). For ransomware detection, DWO with an extreme learning machine (ELM) classifier can be utilized. The design of the DWO algorithm aids in the optimal parameter selection of the ELM model. The experimental validation of the DWOML-RWD method can be examined on a benchmark dataset. The experimental results highlight the superiority of the DWOML-RWD model over other approaches.

Defeat Magic with Magic: A Novel Ransomware Attack Method to Dynamically Generate Malicious Payloads Based on PLC Control Logic

The Industrial Control System (ICS) is a public facility that provides services to lots of users; thus, its security has always been a critical factor in measuring its availability. Recently, a new type of attack on ICS has occurred frequently, which realizes the extortion of users by invading the information domain and destroying the physical domain. However, due to the diversity and unavailability of an ICS control logic, the targets of such attacks are usually limited to PCs and servers, leaving more disruptive attack methods unexplored. To contribute more possible attack methods to strengthen the immunity of ICS, in this paper, we propose a novel ransomware attack method named Industrial Control System Automatic Ransomware Constructor (ICS-ARC). Compared to existing ICS ransomware, ICS-ARC can automatically generate an International Electrotechnical Commission (IEC) compliant payload to compromise the Programmable Logic Controller (PLC) without a pre-known control logic, dramatically reducing adversary requirements and leaving room for error. To evaluate the attack capability of ICS-ARC, we built a tap water treatment system as the simulation experiment target for verification. The experimental results determine that ICS-ARC can automatically generate malicious code without the control logic and complete the attack against target PLCs. In addition, to assist the related research on future attacks and defenses, we present the statistical results and corresponding analysis of PLC based on Shodan.

GeneMiner: A Classification Approach for Detection of XSS Attacks on Web Services.

According to OWASP 2021, cross-site scripting (XSS) attacks are increasing through specially crafted XML documents. The attacker injects a malicious payload with a new pattern and combination of scripts, functions, and tags that deceits the existing security mechanisms in web services. This paper proposes an approach, GeneMiner, encompassing GeneMiner-E to extract new features and GeneMiner-C for classification of input payloads as malicious and nonmalicious. The proposed approach evolves itself to the changing patterns of attack payloads and identifies adversarial XSS attacks. The experiments have been conducted by collecting data from open source and generating various combinations of scripts, functions, and tags using an incremental genetic algorithm. The experimental results show that the proposed approach effectively detects newly crafted malicious XSS payloads with an accuracy of 98.5%, which is better than the existing classification techniques. The approach learns variations in the existing attack sample space and identifies the new attack payloads with reduced efforts.