Black Hat: Entropy – the solution to malvertising and malspam?
The difference between a solid and melted ice cube has spawned an interesting concept for fighting the rise of malvertising and malspam.
Malvertising is the term given to malicious adverts served via legitimate ad networks. Code may be directly injected into content served to website visitors, or adverts may link to fraudulent websites.
Previously, websites owned by brands with large audiences including The New York Times, BBC, Experian, and Yahoo have been targeted in malvertising campaigns.
In April this year, Confiant researchers discovered 60 Revive ad servers had been compromised by threat actors, which in turn meant that thousands of websites were unwittingly serving malicious adverts.
If a victim clicks through — believing that the advert is genuine due to the legitimate website it is being shown on — they may be served an exploit kit, malware disguised as a software update, or they may be lured into handing over their credentials for an online service.
Over time, advertising networks have become more alert to this threat and have established new security measures to try and stop malicious ads from slipping through the net.
However, cyberattackers, in turn, have not been complacent and the new methods have been developed not only to serve malicious ads, but also to hide similar content in fraudulent emails, in what is known as malspam.
Steganography, a means to hide code, files, messages, images, and video within other content and file formats — such as text within binary code — was first documented as an attack vector in 2018 and has risen in popularity ever since.
Steganography can be used to trigger a payload once an ad is called up on a victim’s desktop or phone, bypassing security checks and taking advantage of whitelists for particular file formats — or in order to hide malicious code within common file formats.
Invisible to the eye and therefore an effective attack vector to gain a foothold into a system, steganographic obfuscation has since been adopted by threat actors worldwide, who have also begun experimenting with the technique.
While the most commonly-used file formats to disguise malicious code are images — such as .JPG and .PNG — last year, researchers documented the Turla group experimenting with .WAV audio files to hide cryptocurrency mining software. The operators of Lokibot, too, now hides their source code in image files.
Speaking to attendees of Black Hat USA on Thursday, lead Cisco threat researcher Shyam Sundar Ramaswami revealed recent uses of steganography to hide malicious payloads in connection to the COVID-19 pandemic.
The Cisco researcher says that over the past six months, COVID-19 malspam has “topped the charts,” with old-school phishing using coronavirus-themed lures deploying Trojans and other malware.
Recent malspam samples contained links to domains with phrasing including “test-kits,” “test-reports,” “helplines” and “lab,” and upon further examination, Cisco found changes in primary payload delivery mechanisms, obfuscation, and data exfiltration methods.
In a Trickbot/chil58 botnet case documented by Ramaswami, malspam attachments in the form of Excel files using Macro 4.0, and image files were embedded in the documents to hide deobfuscation instructions for malware payloads.
“The user receives an email with COVID themed mail, opens the .xls sheet, deobfuscates and ends up downloading the actual malware from a domain,” the researcher says.
Cisco has tracked a parallel campaign focused on compromising WordPress websites belonging to small businesses in order to host malicious code.
Steganography then comes into play. Once a victim’s PC is infected, stolen data needs to be transferred to an attacker’s command-and-control (C2) server. Instead of using HTTP/HTTPS call outs, image files are being used to hide the transfer of configuration data, operating system information, and more.
“Attackers have used this technique specifically during this pandemic phase to exfiltrate data using steganography and is part of legitimate traffic,” Ramaswami added.
The challenge in dealing with steganography is simple: if ad networks or webmasters blocked commonly-used file formats, this would cause chaos online.
However, entropy could provide the answer.
Using the example of an ice cube in both a solid and melting state, Ramaswami explained how entropy — usually a measure of thermal dynamics — could be applied to common file formats to detect suspicious code or activity.
“[An] ice cube has low entropy as it is intact, whereas melted ice has high entropy as it has no order anymore,” the researcher says. “By using the same principle we could calculate the entropy for pictures and documents. If such code is inserted via steganography, then that would raise a suspicious indicator which could allow one to examine [it].”
Speaking to ZDNet, Ramaswami said entropy can be implemented with Python scripts, Shannon’s Entropy Theory, and logic tweaking, although there is no packaged software currently available to set to this task, to his knowledge.
Entropy solutions would fall under the “historic data concept,” the researcher explained, and would require an historic data base combined with machine learning to pull off. Data sets would include records such as system information, file URLs used to download malware, passwords, and so on.
“So we calculate normal images entropy value, embed such exfiltrated data and calculate the entropy score for malicious images,” Ramaswami explained. “The real vs. malicious score can be checked; anything beyond the legitimate threshold score would be marked as malicious and could be investigated.”
In the meantime, the researcher notes that email security solutions can help reduce malspam, but due to the business models the Internet operates on, malvertising is a “tough nut to crack.”
“Small scale vendors, pornography, and gambling sites rely heavily on ads and attackers target such players,” Ramaswami commented. “These ad contents could contain more sophisticated and highly obfuscated malware.”
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0