June 27, 2018

Detecting the illicit use of cryptographic tools and activity in a network and especially on an endpoint (server, cloud, desktop, mobile) has become an Indicator of Compromise (IOC) and telltale sign of malware, as of 2017. The research presented here introduces a taxonomy related to the use of cryptography in malware, and supports newly released findings from Cisco.

In 2014 Cisco observed that about 10% to 12% of malware was using encryption in the form of SSL/TLS, which the rest was plaintext (HTTP). However, in Cisco's new research published in February of 2018 the number has been revised 50% of malware using SSL/TLS, and that 70% of malware was using some form of encryption. (The research below puts this number closer to 90%).

"Encryption is meant to enhance security, but it also provides malicious actors with a powerful tool to conceal command-and- control (C2) activity, affording them more time to operate and inflict damage.... Security teams need effective tools to prevent or detect the use of encryption for concealing malicious activity" [1]

Cryptography is used by malware developers to make it harder to detect, and subsequently prevent, block and reverse (assess and respond) to the damage it inflicts on systems.

BUT - there is more to this story and the details are important if we want to consider cryptography to be a useful IOC: so I systematically reviewed a series of closed-source and a couple open-source malware tear-down reports, looking for details associated with the use of cryptography.

Samples and sources

The following observations represent secondary research resulting from the review of 13 malware tear-downs from newly discovered and sophisticated variants from late 2017.

The tear-downs were mostly closed source but included some open source information from CIRC and 1 from Bromium. The reports were detailed explanations of how the malware worked, right down to the code level, and outlined how malware operated "mechanically" including how and where encryption was being applied.

These tear-downs were NOT specifically focused on the use of cryptography. They document the use of cryptography as a by-product of the overall tear-down. So it is possible that there were salient details about the use of cryptography in the malware samples that were over looked, left undocumented or possibly understated.

These observations are offered "as-is" for the benefit of the community and to inspire a deeper and more rigorous investigation. (If you know of other related sources, please include them in the comment section.)

How is malware using cryptography?

The sampled tear-downs revealed 6 different ways in which cryptography was being used in modern and sophisticated malware. (Cryptography also includes other capabilities such as authentication, but the reviewed works only mentioned encryption functions. It is possible that in the course of establishing the various communications paths noted in the table below, the malware may also be using underlying authentication services available within protocols like SSL/TLS.)

Of these 6 different means of applying cryptography (encryption primarily), the obfuscation of the malware payloads (their executable) was the most comment application. The encryption of malware configuration files (often registry entries) and the command and control channel was the second most common application of cryptography in the samples reviewed malware.

It should be noted that only one of the tear-downs reviewed was ransomware, which is why the incidence for using cryptography against "Victim Files" is so low in the metrics for this sample. [2] In our current reality, ransomware is a prolific type of malware and this usage of cryptography is much more common than this quick survey indicates.

Crypto is used by most malware

The observations from the sample-set indicate that 92% of modern, sophisticated malware is using cryptography in some form. Within the sample-set, 50% of the malware is using cryptography in at least 2 different ways in efforts to avoid detection and/or conceal operational tradecraft, and 8% of malware (1 of the samples in the review set) used cryptography in 5 different ways!

Conclusions:

Network cryptography

  • Monitoring and analyzing the specific characteristics of cryptography within a corporate or IoT network can provide useful information about the presence of illicit or compromised endpoints, when all other indicators are ambiguous. For instance, using deprecated or unusual algorithms or certificates to establish communications.

Endpoint (server, cloud, desktop) cryptography

  • Monitoring applications that access native cryptographic libraries can provide useful information about the presence of malware. For instance, why is an executable in ~/tempfile accessing the Microsoft CAPI?
  • Monitoring the filesystems for the presence of non-native cryptographic libraries can provide useful information about the presence of malware. For instance, why is there an isolated, novel instance of the OpenSSL crypto library installed?
  • Monitoring filesystems for data that appears encrypted in unexpected locations can provide useful information about the presence of malware. For instance, registry entries that appear encrypted?
  • Monitoring for the presence of symetric or asymmetric keys in unexpected places in the filesystems or within the payloads of files. For instance, why is there a self-signed certificate or private key-store in ~/tempfile? (Both required to establish authenticated C&C channels)
  • Monitoring open communications ports with unexpected, insecure or anomalous cryptographic features or configurations. For instance, why does port 1001 have an SSL service with a self-signed certificate?

Finally, there is more work required related to the specific means and methods of using cryptography in malware. Nonetheless, developers of network tools and end-point agents should consider improving cryptographic monitoring capabilities - where most are basic reporting functions about use of SSL/TLS and the HTTPS server configuration.

Epilogue - April 2018: A piece of ransomware has faulty crypto and is foiled. Even the bad buys get it wrong from time to time.

---

[1] Cisco 2018 Cyber Security Report

[2] The fact that encryption of "victim files" is low should not be taken to mean it is uncommon (because ransomware is VERY common): this result is an artifact of our small sample set. The important point for the purposes of this write-up is that encryption of victim files is one a several observed uses of cryptography is the taxonomy.

Tyson Macaulay, Chief Product Officer
June 27, 2018