Aren’t tools like VirusTotal just matching against (partial) hashes of the files? Shouldn’t any rewrite temporarily evade them?
It seems more likely to me that this was a side benefit of something else (portability, development velocity, etc) than the goal, unless I’m misunderstanding.
They typically do a bit of fuzzy matching because malware is often run through obfuscators that do some random permutations. I presume that the Rust code is a sufficiently different shape that it evades this matching.
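Added illustration of the fuzzy matching mentioned above (not code from the thread or from any AV product): a simplified context-triggered piecewise hash in the spirit of ssdeep, run over constructed pseudo-random "binaries". It shows that a whole-file hash breaks on a three-byte patch while piecewise similarity stays high, and that a complete rewrite with unrelated bytes scores near zero, which is the static-detection gap the comment describes. Block size, window and trigger value are assumed parameters chosen for readability.

```python
import hashlib
from typing import List

# Simplified context-triggered piecewise hashing (CTPH). Added illustration,
# not an AV product's algorithm; BLOCK/WINDOW/TRIGGER are assumed values.
BLOCK = 64          # expected average chunk length in bytes
WINDOW = 7          # rolling-hash window length
TRIGGER = BLOCK - 1 # rolling sum value (mod BLOCK) that ends a chunk

def exact_hash(data: bytes) -> str:
    """Whole-file hash: any changed byte yields an unrelated digest."""
    return hashlib.sha256(data).hexdigest()

def chunk_digests(data: bytes) -> List[str]:
    """Split data at content-defined boundaries and hash each chunk.
    A boundary is placed where the sum of the last WINDOW bytes hits TRIGGER
    modulo BLOCK, so boundaries follow content rather than fixed offsets."""
    digests, start = [], 0
    for i in range(len(data)):
        rolling = sum(data[max(0, i - WINDOW + 1):i + 1])
        if rolling % BLOCK == TRIGGER and i + 1 - start >= WINDOW:
            digests.append(hashlib.blake2b(data[start:i + 1], digest_size=4).hexdigest())
            start = i + 1
    if start < len(data):
        digests.append(hashlib.blake2b(data[start:], digest_size=4).hexdigest())
    return digests

def similarity(a: bytes, b: bytes) -> float:
    """Jaccard similarity of the two chunk-digest sets, in [0, 1]."""
    da, db = set(chunk_digests(a)), set(chunk_digests(b))
    return len(da & db) / len(da | db) if da | db else 1.0

def sample(seed: int, n: int = 4096) -> bytes:
    """Constructed pseudo-random 'binary' from an LCG; deterministic for the demo."""
    out, x = bytearray(), seed
    for _ in range(n):
        x = (1103515245 * x + 12345) & 0x7FFFFFFF
        out.append((x >> 16) & 0xFF)
    return bytes(out)

def demo() -> dict:
    original = sample(1)
    patched = original[:2000] + b"\x90\x90\x90" + original[2000:]  # small obfuscator-style edit
    rewrite = sample(2)                                             # entirely different bytes
    return {
        "exact_hash_survives_patch": exact_hash(original) == exact_hash(patched),
        "similarity_patch": similarity(original, patched),
        "similarity_rewrite": similarity(original, rewrite),
    }

if __name__ == "__main__":
    print(demo())
```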
while every AV engine matches based on hash and byte signatures, some of the more advanced ones will use emulation to guess how a program will act within the first N instructions. there are still heuristics used to match the “shape” of a program but they’re less dependent upon the physical representation of the executable.
VT (and other online services) also run executables in sandboxes to extract runtime behaviors. then they can find malware based on things like network connections to known bad infrastructure or destructive encryption of system files.
ransomware is usually really obvious to identify, especially dynamically, because it just encrypts everything. but sandbox evasion is also pretty easy (is end user software installed? is the system running for more than five minutes? correct command line argument present? etc).
so, i’d guess that the rust aspect bypassed static and emulation heuristics because the “shape” is still unusual. and there’s probably a couple trivially novel anti-sandbox checks or other guardrails to evade VT. if i get a chance i’ll poke at the sample today and update here.
It requires a list of target directories to encrypt to be passed as command line parameters and then encrypts files using AES-256, with RSA used to protect the encryption keys.
so in a sandbox the default behavior is to do nothing unless the appropriate command line arguments are supplied. the automated system probably doesn’t know about them, so the executable appears benign unless the right code path is triggered.
there’s research on program analysis to figure out what CLI arguments to provide to maximize the code coverage, but i don’t think they’re widely deployed.