Automating APT Hunting – Malware Analysis Tool 4 Years in the Making

Recently our lab’s team released a blog entitled “From Russia(?) With Code.” The conclusion of the blog was modest at best, yet the goal of the blog was not to garner attention for the Olympic Destroyer campaign, but instead to debut our new malware sequencing system. Our new system has been 4 years in the making, and at over 5 terabytes in size it is the largest malware phylogeny oracle on planet Earth. It is a machine learning system designed to solve the problem of expert resource scarcity by correctly triaging threats based on sophistication and risk.

An analyst in a box, essentially.

Over the past 4 years, the system has selectively studied the execution patterns of billions of malware submissions. It has been trained to select highly deterministic traits of maliciousness, capturing these malicious instructions, interactions, and behaviors as a simple sequence. These sequences have been stored and indexed and now allow fresh samples to be sequenced in the same way, highlighting the reuse of malicious building blocks and their evolutions and connections to malware strains.

Back to the Olympic Destroyer payload. After analyzing the payload, the system selected a sequence based on code reuse from a small DLL used to load one of the Olympic Destroyer payloads and then compared this sequence to the 5 terabytes of sequences stored in our oracle. That sequenced code was extremely rare, having been seen in only a handful of other samples that were connected to a few other strains, one of which connected Olympic Destroyer to a previously identified sophisticated threat group.

Developers do not throw away existing code but instead, iterate and improve with every new version.

The logic behind the system works on the basic assumption that developers do not throw away existing code but instead iterate and improve with every new version. Every time a new module is required, new code is written and added as a module to the existing code base. Even if a new strain of malware is required, it will contain discrete traits inherited from previous projects, and those traits contain sequences connecting it to its malicious ancestry.
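The sequencing, indexing and rare-code lookup described in the paragraphs above (trait extraction from execution patterns, and the Olympic Destroyer comparison against stored sequences) can be illustrated with a small inverted index. The following is an added example written for this article, not the lab's system or any of its code: the trait vocabulary, the four sample traces, the strain names and the fresh submission are all constructed, and the k-gram shingling is an assumed stand-in for whatever the real sequencer does.

```python
"""Toy version of the "malware sequencing" idea: reduce each sample's
execution trace to a sequence of malicious traits, split that sequence into
reusable building blocks, index the blocks, and report which prior samples
and strains a fresh sample shares blocks with, rarest block first.
This is an added illustration, not the lab's system; the trait vocabulary,
sample traces and strain names below are all constructed."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Block = Tuple[str, ...]

# Assumed vocabulary of behaviours the (hypothetical) sequencer treats as
# deterministic traits of maliciousness; other events in a trace are dropped.
TRAITS = {
    "OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
    "RegSetValue:Run", "CryptEncrypt", "DeleteShadowCopies", "NetShareEnum",
    "LsaRetrievePrivateData", "CreateService", "WinExec",
}

def sequence(trace: List[str]) -> List[str]:
    """Keep only trait events, in execution order."""
    return [ev for ev in trace if ev in TRAITS]

def shingles(seq: List[str], k: int) -> Set[Block]:
    """k consecutive traits form one reusable building block."""
    return {tuple(seq[i:i + k]) for i in range(len(seq) - k + 1)}

class SequenceOracle:
    """Inverted index from building block to the samples it was seen in."""

    def __init__(self, k: int = 3):
        self.k = k
        self.strain: Dict[str, str] = {}            # sample id -> strain label
        self.index: Dict[Block, Set[str]] = defaultdict(set)

    def add(self, sample_id: str, strain: str, trace: List[str]) -> None:
        self.strain[sample_id] = strain
        for block in shingles(sequence(trace), self.k):
            self.index[block].add(sample_id)

    def shared_blocks(self, trace: List[str]) -> List[Tuple[Block, int, List[str]]]:
        """Blocks of the fresh sample already in the index, rarest first:
        (block, number of prior samples containing it, strains they belong to)."""
        hits = []
        for block in shingles(sequence(trace), self.k):
            owners = self.index.get(block)
            if owners:
                hits.append((block, len(owners),
                             sorted({self.strain[s] for s in owners})))
        hits.sort(key=lambda h: (h[1], h[0]))
        return hits

    def rare_links(self, trace: List[str], max_prevalence: int = 2) -> List[str]:
        """Strains reached only through rarely seen code. Blocks that most
        families share (process injection, say) are exactly the ones that do
        not discriminate, so they are ignored here."""
        strains: Set[str] = set()
        for _, prevalence, owners in self.shared_blocks(trace):
            if prevalence <= max_prevalence:
                strains.update(owners)
        return sorted(strains)

# Constructed corpus: three commodity ransomware samples that all reuse the
# same injection block, and one rare loader attributed to a made-up group.
CORPUS = [
    ("s1", "RansomFamilyA", ["CreateFile", "OpenProcess", "VirtualAllocEx",
                             "WriteProcessMemory", "CreateRemoteThread",
                             "CryptEncrypt", "DeleteShadowCopies"]),
    ("s2", "RansomFamilyB", ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
                             "CreateRemoteThread", "RegSetValue:Run", "CryptEncrypt"]),
    ("s3", "RansomFamilyA", ["ReadFile", "OpenProcess", "VirtualAllocEx",
                             "WriteProcessMemory", "CreateRemoteThread",
                             "DeleteShadowCopies", "CryptEncrypt"]),
    ("s4", "GroupX_Loader", ["GetTickCount", "NetShareEnum",
                             "LsaRetrievePrivateData", "CreateService", "WinExec"]),
]

# Constructed fresh submission: commodity injection plus the loader's rare block.
FRESH_TRACE = ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
               "CreateRemoteThread", "NetShareEnum", "LsaRetrievePrivateData",
               "CreateService", "DeleteShadowCopies"]

def build_oracle() -> SequenceOracle:
    oracle = SequenceOracle(k=3)
    for sample_id, strain, trace in CORPUS:
        oracle.add(sample_id, strain, trace)
    return oracle

if __name__ == "__main__":
    oracle = build_oracle()
    for block, prevalence, strains in oracle.shared_blocks(FRESH_TRACE):
        print(f"{' > '.join(block):62} seen in {prevalence} prior sample(s): {strains}")
    print("strains linked by rare code:", oracle.rare_links(FRESH_TRACE))
```

Run as a script, the fresh sample's injection block turns up in all three ransomware samples and says nothing useful, while the one block inherited from the loader has a prevalence of 1 and is the only link `rare_links` reports. The `max_prevalence` threshold is the knob that separates "a handful of samples" from commodity code; in a real oracle it would be set relative to corpus size rather than to a constant.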

Internally, we have a couple of working names for our new capability: Knowledge Base Hunter and Agent Smith are what it is commonly called in-house. Maybe there is someone out there who could think of a better name (although Malicious McMalware Face is a non-starter).