
Thursday, 26 March 2020

AI and Cybersecurity. Part 4 - Clustering URLs


In Part 3, we applied feature scaling and dimensionality reduction to the dataset of phishing and benign URLs. As a result, we could clearly see how the URLs of the two classes are distributed based on four attributes: registrar, country, lifetime, and protocol.

But what if we have no labels (phishing or benign) for the links to begin with? Will ML still detect phishing attacks? In this case we turn to unsupervised learning, in particular clustering. Clustering groups objects of unknown class according to their common features, so no labeled training set is needed.
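The two steps the series describes, scaling the four attributes (Part 3) and then clustering the URLs without their labels (Part 4), as an added example in plain Python that is not the post's own notebook code. The records are constructed by hand for illustration; the last field of each record is a hidden label that is used only to score the clusters afterwards, never to form them.

```python
# Added example: min-max scaling of the four URL attributes (registrar, country,
# lifetime, protocol) followed by k-means with k=2. Records are constructed;
# the hidden label in position 4 is only used to measure cluster purity.

# (registrar, country, lifetime_days, protocol, hidden_label) -- constructed sample
RECORDS = [
    ("NameCheap",   "RU", 3,    "http",  "phishing"),
    ("NameCheap",   "CN", 7,    "http",  "phishing"),
    ("PDR",         "RU", 12,   "http",  "phishing"),
    ("PDR",         "CN", 5,    "http",  "phishing"),
    ("PDR",         "RU", 20,   "https", "phishing"),   # borderline: https phishing site
    ("MarkMonitor", "US", 6500, "https", "benign"),
    ("CSC",         "US", 4200, "https", "benign"),
    ("MarkMonitor", "US", 5100, "https", "benign"),
    ("CSC",         "US", 7300, "https", "benign"),
    ("CSC",         "DE", 3800, "https", "benign"),      # borderline: non-US benign site
]

def encode(records):
    """One-hot the categorical columns; keep lifetime numeric, protocol as 0/1."""
    registrars = sorted({r[0] for r in records})
    countries = sorted({r[1] for r in records})
    rows = []
    for reg, cc, life, proto, _ in records:
        row = [1.0 if reg == x else 0.0 for x in registrars]
        row += [1.0 if cc == x else 0.0 for x in countries]
        row += [float(life), 1.0 if proto == "https" else 0.0]
        rows.append(row)
    return rows

def min_max_scale(rows):
    """Scale each column into [0, 1] so lifetime in days cannot dominate the distances."""
    cols = list(zip(*rows))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    return [[(v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(r, lo, hi)] for r in rows]

def _sq_dist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))

def kmeans(rows, k=2, iters=100):
    """Lloyd's k-means with deterministic farthest-point initialisation; returns a cluster id per row."""
    centroids = [list(rows[0])]
    while len(centroids) < k:
        far = max(rows, key=lambda r: min(_sq_dist(r, c) for c in centroids))
        centroids.append(list(far))
    assign = None
    for _ in range(iters):
        new_assign = [min(range(k), key=lambda c: _sq_dist(r, centroids[c])) for r in rows]
        if new_assign == assign:          # converged: no point changed cluster
            break
        assign = new_assign
        for c in range(k):
            members = [r for r, a in zip(rows, assign) if a == c]
            if members:
                centroids[c] = [sum(col) / len(members) for col in zip(*members)]
    return assign

def purity(assign, labels):
    """Share of records whose cluster's majority label equals their own hidden label."""
    hits = 0
    for c in set(assign):
        in_c = [l for a, l in zip(assign, labels) if a == c]
        hits += max(in_c.count(l) for l in set(in_c))
    return hits / len(labels)

def cluster_urls(records=RECORDS, k=2):
    """Full pipeline: encode -> scale -> cluster; returns (assignments, purity)."""
    assign = kmeans(min_max_scale(encode(records)), k=k)
    return assign, purity(assign, [r[4] for r in records])

if __name__ == "__main__":
    assign, p = cluster_urls()
    for rec, a in zip(RECORDS, assign):
        print(a, rec[:4])
    print("purity:", p)
```

Without scaling, the lifetime column (values in the thousands) would swamp the one-hot columns (0 or 1) and k-means would split the set by age alone; with scaling, registrar, country and protocol contribute equally, and the two borderline records still land with their own class.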

Wednesday, 18 March 2020

AI and Cybersecurity. Part 3 - Dimensionality Reduction and Feature Scaling

In the previous post, we created a binary classifier for detecting phishing URLs. Here, we're going to continue exploring the data with visualization techniques.

Monday, 16 March 2020

AI and Cybersecurity. Part 2 - Detecting Phishing URLs with ML


In Part 1, we got acquainted with the AI paradigms and the main ML approaches: supervised, unsupervised, and reinforcement learning. Even though unsupervised learning looks more attractive because you do not need to label the training data, supervised learning is the more precise instrument for detecting malicious objects such as phishing URLs once enough labeled data is available.
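A supervised phishing-URL classifier of the kind this paragraph contrasts with clustering, as an added example that is not the post's own code. The post's own classifier used attributes such as registrar and country that require WHOIS lookups; the example below substitutes lexical features that can be computed offline from the URL string (scheme, IP-literal host, '@' in the authority, dots and hyphens in the host, suspicious path words, length), trains a logistic regression by gradient descent on a constructed labeled set, and classifies new URLs. The feature set, keyword list and sample URLs are assumptions for illustration.

```python
# Added example: logistic regression on lexical URL features, trained with labels.
# Feature set and training URLs are constructed for illustration.
import math
import re
from urllib.parse import urlsplit

KEYWORDS = ("login", "signin", "verify", "secure", "account", "update")   # assumed lure words
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed labeled sample: 1 = phishing, 0 = benign (all hosts are examples).
TRAIN = [
    ("http://paypal.com.verify-account.example.ru/login/index.php", 1),
    ("http://192.168.13.7/secure/update.html", 1),
    ("http://appleid-apple.com-signin.example.tk/verify", 1),
    ("https://login.microsoftonline.com.example-secure.net/account", 1),
    ("http://bankofamerica.com@malicious.example.org/login", 1),
    ("http://secure-chase-login.example.biz/update/", 1),
    ("http://10.0.0.5/~user/paypal/verify.php", 1),
    ("http://www.amaz0n-account-verify.example.top/", 1),
    ("https://www.google.com/", 0),
    ("https://github.com/python/cpython", 0),
    ("https://en.wikipedia.org/wiki/Phishing", 0),
    ("https://docs.python.org/3/library/urllib.parse.html", 0),
    ("https://www.microsoft.com/en-us/security", 0),
    ("https://developer.mozilla.org/en-US/docs/Web/HTTP", 0),
    ("https://www.virusbulletin.com/conference/vb2018", 0),
    ("https://stackoverflow.com/questions/tagged/python", 0),
]

def features(url):
    """Seven lexical indicators, each scaled to [0, 1]."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    low = url.lower()
    return [
        1.0 if parts.scheme != "https" else 0.0,          # plain http
        1.0 if IPV4.match(host) else 0.0,                 # raw IP instead of a domain
        1.0 if "@" in parts.netloc else 0.0,              # userinfo trick: real host after '@'
        min(host.count("."), 5) / 5.0,                    # deep subdomain chains
        min(host.count("-"), 5) / 5.0,                    # hyphenated look-alike hosts
        1.0 if any(k in low for k in KEYWORDS) else 0.0,  # credential-themed words
        min(len(url), 100) / 100.0,                       # overall length
    ]

def _sigmoid(z):
    z = max(-30.0, min(30.0, z))
    return 1.0 / (1.0 + math.exp(-z))

def train(samples, lr=0.5, epochs=2000):
    """Batch gradient descent on logistic loss; returns (weights, bias)."""
    xs = [features(u) for u, _ in samples]
    ys = [float(y) for _, y in samples]
    n, d = len(xs), len(xs[0])
    w, b = [0.0] * d, 0.0
    for _ in range(epochs):
        grad_w, grad_b = [0.0] * d, 0.0
        for x, y in zip(xs, ys):
            err = _sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - y
            for j in range(d):
                grad_w[j] += err * x[j]
            grad_b += err
        w = [wj - lr * g / n for wj, g in zip(w, grad_w)]
        b -= lr * grad_b / n
    return w, b

def predict_proba(model, url):
    w, b = model
    return _sigmoid(sum(wi * xi for wi, xi in zip(w, features(url))) + b)

def predict(model, url):
    """1 = phishing, 0 = benign, at the 0.5 threshold."""
    return 1 if predict_proba(model, url) >= 0.5 else 0

def accuracy(model, samples):
    return sum(predict(model, u) == y for u, y in samples) / len(samples)

if __name__ == "__main__":
    model = train(TRAIN)
    print("training accuracy:", accuracy(model, TRAIN))
    for u in ("http://secure-login.example.com/verify", "https://www.python.org/downloads/"):
        print(predict(model, u), round(predict_proba(model, u), 3), u)
```

The point of the contrast with clustering is visible in `train`: the labels enter the gradient directly, so the model learns which features matter for phishing rather than just which URLs look alike. The price is the labeled set; with sixteen hand-made samples the model only learns the cues that were put into them, so a real deployment needs a large, current feed of confirmed phishing and benign URLs.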

Saturday, 14 March 2020

AI and Cybersecurity. Part 1 - Intro

Image via www.vpnsrus.com
[Author: Alexander Adamov]

Foreword
I have spent almost all my professional life working in the antivirus industry detecting and analyzing malware. Around ten years ago, when the malware flow had grown so much that my colleagues and I no longer had the resources to analyze it all, we started thinking about automating our efforts. How do you build a machine that autonomously detects and analyzes malware and phishing URLs day and night, and writes and publishes reports? As a result, we managed to create a robot (what we now call a 'malware sandbox') from scratch to automate most of the processes in the malware laboratory with the help of His Majesty Artificial Intelligence (AI). Since then, we have accumulated a number of use cases for cyberattack detection, malware analysis, and security testing with ML that can be useful for cybersecurity professionals who have decided to leverage ML for cyberdefense. I'm going to share this knowledge in a series of blog posts that will eventually become part of a new university course, 'ML in Cybersecurity', which I plan to make open-source. I also welcome cybersecurity experts and data scientists to contribute and help universities adopt the course.

Monday, 9 December 2019

Analysis of Ryuk Ransomware

[Authors: Viktoria Taran, Alexander Adamov]

The Ryuk ransomware, first seen in August 2018, has been successfully used in targeted attacks that encrypt data and demand a ransom ranging from 10 to 50 BTC. The most recent attack was executed against DCH hospitals in Alabama on October 1st, 2019; as a result, DCH paid the ransom to recover the data stored on its servers. In this report, we analyze one of the recent versions of Ryuk, covering its installation process, networking details, and encryption model.

Sunday, 29 September 2019

GermanWiper: One More Wiper Pretending to Be Ransomware


[Authors: Viktoria Taran, Alexander Adamov]

GermanWiper was first seen on the BleepingComputer forum on July 30, 2019. After analysis, it turned out that the malware is a wiper rather than ransomware. Interestingly, GermanWiper managed to raise $9,000, almost matching the $10,500 (4.13528947 BTC) earned by another wiper, NotPetya, in June 2017. Let us take a close look at the malware to find out its installation process, communication details, and wiping routine.

Tuesday, 27 August 2019

Anti-Cryptojacking Test - July 2019



Cryptojacking, or malicious cryptomining, is a new type of threat that can be described as the unsolicited use of a user's computing device to mine cryptocurrency. There are two types of cryptojacking attacks: general-purpose and targeted.

Tuesday, 31 July 2018

VB2018: Artificial intelligence to assist with ransomware cryptanalysis



It's always very exciting for me to attend and, moreover, speak at the Virus Bulletin Conference, because it is the oldest and most respected antivirus conference, running since 1991, where cybersecurity experts from academia and industry gather to share their ideas, research, and forecasts. You can meet the researchers who helped to build the antivirus industry decades ago and are now the core of the antivirus community.

This year in Montreal, we'll present academic research conducted by my master's student Kateryna Vitiuk under my supervision, devoted to cryptanalysis of ransomware with the help of Artificial Intelligence.

When analyzing ransomware, we often see hardcoded implementations of the AES, RC4, and Salsa20 algorithms, for example in the TeslaCrypt, Locky, GlobeImposter, and MoneroPay ransomware. The ciphers' code is poorly detected in the ransomware's memory dumps by the signature-based approach, whether with the Krypto ANALyzer (KANAL) plugin for PEiD or with publicly available Yara rules. Therefore, we assumed that it is possible to use a smart pattern-matching method to find the known crypto primitives in the ransomware's disassembled code.
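To make the limitation concrete, here is the signature-based approach in its simplest form, as an added example that is neither KANAL nor the paper's method: a scanner for well-known cipher constants run over a constructed buffer that imitates a memory dump. The second buffer shows why such signatures miss: the same AES table stored XOR-encoded and decoded at run time no longer matches, which is the gap that matching on the disassembled code is meant to close. The buffers and the 0x5A XOR mask are assumptions for illustration.

```python
# Added example: constant-based crypto signature scan (the KANAL / Yara approach)
# over constructed buffers. Not the VB2018 paper's code.
import sys

AES_SBOX_HEAD = bytes.fromhex("637c777bf26b6fc53001672bfed7ab76")      # first 16 bytes of the AES S-box
AES_INV_SBOX_HEAD = bytes.fromhex("52096ad53036a538bf40a39e81f3d7fb")  # first 16 bytes of the inverse S-box
SALSA20_SIGMA = b"expand 32-byte k"   # Salsa20/ChaCha constant for 256-bit keys
SALSA20_TAU = b"expand 16-byte k"     # Salsa20/ChaCha constant for 128-bit keys
RC4_IDENTITY = bytes(range(256))      # RC4 state as the KSA initialises it before keying

SIGNATURES = {
    "AES forward S-box": AES_SBOX_HEAD,
    "AES inverse S-box": AES_INV_SBOX_HEAD,
    "Salsa20/ChaCha sigma": SALSA20_SIGMA,
    "Salsa20/ChaCha tau": SALSA20_TAU,
    "RC4 identity S-box": RC4_IDENTITY,
}

def scan(buf):
    """Return {signature name: [offsets]} for every signature found in buf."""
    hits = {}
    for name, sig in SIGNATURES.items():
        offsets, pos = [], buf.find(sig)
        while pos != -1:
            offsets.append(pos)
            pos = buf.find(sig, pos + 1)
        if offsets:
            hits[name] = offsets
    return hits

def build_sample_dump():
    """Constructed buffer: AES S-box, Salsa20 sigma and an RC4 state in plain form."""
    filler = b"\x90" * 64
    return (filler + AES_SBOX_HEAD + bytes(range(0x10, 0x40)) + filler
            + SALSA20_SIGMA + filler + RC4_IDENTITY + filler)

def build_evasive_dump():
    """Same S-box, but stored XOR 0x5A (assumed mask) and decoded only at run time:
    the constant signature no longer fires although the cipher is still AES."""
    obf = bytes(b ^ 0x5A for b in AES_SBOX_HEAD)
    return b"\x90" * 64 + obf + b"\x90" * 64

if __name__ == "__main__":
    if len(sys.argv) > 1:                      # scan a real dump file if one is given
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
        print(scan(data))
    else:
        print("plain:  ", scan(build_sample_dump()))
        print("evasive:", scan(build_evasive_dump()))
```

Two further gaps are worth keeping in mind when reading KANAL or Yara output on a dump: an AES implementation built on the AES-NI instructions or on T-tables has no 256-byte S-box to find, and RC4 has no constant at all, only the identity-initialised state, which is present in memory only between the KSA and the first keystream byte.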

See also:
https://www.virusbulletin.com/conference/vb2018/abstracts/artificial-intelligence-assist-ransomware-cryptanalysis

Wednesday, 21 March 2018

Corporate Backup Solutions Self-Defense Test - March 2018


In light of the growing number of ransomware attacks in which cryptolockers terminate database processes to unlock the database files for encryption (Cerber, GlobeImposter, Rapid, Serpent) and encrypt local and network backups to demand a ransom (Rapid, Spora), we decided to test the self-defense capabilities of the top backup solutions used in business environments that are available for trial.

The test assesses the resilience of the product's processes and services against the typical attacks on security software described below, as well as the self-protection of local backups and the product's own files. Ransomware can encrypt local backup files and the configuration files that belong to a backup program, thereby disabling recovery of the files. Moreover, once access to the agent's or server's processes is gained, an attacker can delete backup copies of the files not only locally but also in the cloud, acting on behalf of the backup solution.

See the full report via the link.

Sunday, 4 February 2018

Thursday, 14 September 2017

Facebook video scam continues spreading undetected


Facebook and Google Docs continue to be used by scammers as a delivery channel for malware and adware.


In October 2016, Facebook users were sent links to supposedly adult videos [1] that could be played from a fake YouTube portal only after the target downloaded and installed the malicious Video Plugin.

In August 2017, the same attack vector was used to spread adware [2].

And today, I saw the following message on my Facebook, sent from the hacked Facebook mobile app of a former student of mine. In addition to the message, I and the victim's other friends were tagged in a comment on a post with a fake video.

Thursday, 2 February 2017

Decrypting DeriaLock



Recently, our laboratory analyzed the new version of DeriaLock (MD5: 0a7b70efba0aa93d4bc0857b87ac2fcb).

This version of DeriaLock is unique for two reasons. First, it demands a 30 USD/EUR ransom to be paid via a Skype account. Second, DeriaLock combines three types of functionality in a single attack: SystemLocker, CryptoLocker, and FileKiller.

If you managed to remove the DeriaLock infection and kept your encrypted files, you can now decrypt your documents using the encryption key and initialization vector that our script calculated from the password string extracted from the analyzed version of DeriaLock:

AES-256 key: 9c9e1ba2ee5b86494b7e1ebba6420ee6ab64ce6d678604eb5b5049b210693743
IV: 9fa4ed4d89b04ee7f3b74c9b46588e18

To decrypt '.deria' files, you can use the OpenSSL tool with the discovered key and initialization vector. For example:
openssl aes-256-cbc -d -in photo.png.deria -K 9c9e1ba2ee5b86494b7e1ebba6420ee6ab64ce6d678604eb5b5049b210693743 -iv 9fa4ed4d89b04ee7f3b74c9b46588e18 -out photo.png
Or use our Python script or executable to decrypt all '.deria' files that can be found on your computer.
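As an added example that is not NioGuard's published decryptor, the following Python driver walks a directory, runs the same openssl command as above on every '.deria' file, and checks the first bytes of the result against known file signatures before the encrypted copy is discarded. It assumes the files were produced by this sample (AES-256-CBC with the key and IV above, PKCS#7 padding as openssl expects) and that openssl is on PATH; the magic-byte table is an assumption covering a few common document types.

```python
# Added example: bulk '.deria' decryption driver around the openssl command from the post.
# Assumes AES-256-CBC with the published key/IV and an openssl binary on PATH.
import os
import subprocess

KEY_HEX = "9c9e1ba2ee5b86494b7e1ebba6420ee6ab64ce6d678604eb5b5049b210693743"
IV_HEX = "9fa4ed4d89b04ee7f3b74c9b46588e18"
SUFFIX = ".deria"

# Assumed plausibility table: first bytes of a few common file types.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/docx/xlsx",
    b"\xd0\xcf\x11\xe0": "ole/doc/xls",
}

def find_encrypted(root):
    """Yield every path under root whose name ends in .deria."""
    for dirpath, _, names in os.walk(root):
        for n in names:
            if n.endswith(SUFFIX):
                yield os.path.join(dirpath, n)

def plaintext_path(path):
    """'photo.png.deria' -> 'photo.png'; the original extension is kept by the malware."""
    if not path.endswith(SUFFIX):
        raise ValueError("not a .deria file: " + path)
    return path[:-len(SUFFIX)]

def looks_plausible(head):
    """True if the first bytes match a known signature; a wrong key yields random bytes."""
    return any(head.startswith(m) for m in MAGIC)

def decrypt_file(src, dst, key_hex=KEY_HEX, iv_hex=IV_HEX):
    """Run openssl exactly as in the post; raises CalledProcessError on bad padding."""
    subprocess.run(
        ["openssl", "aes-256-cbc", "-d", "-in", src, "-K", key_hex, "-iv", iv_hex, "-out", dst],
        check=True, capture_output=True,
    )

def decrypt_tree(root, delete_encrypted=False):
    """Decrypt all .deria files under root; returns (decrypted, suspicious) path lists."""
    done, suspicious = [], []
    for src in find_encrypted(root):
        dst = plaintext_path(src)
        if os.path.exists(dst):
            continue                      # never overwrite a file that already exists
        decrypt_file(src, dst)
        with open(dst, "rb") as fh:
            head = fh.read(8)
        if looks_plausible(head):
            done.append(dst)
            if delete_encrypted:
                os.remove(src)
        else:
            suspicious.append(dst)        # keep both copies for manual inspection
    return done, suspicious

if __name__ == "__main__":
    import sys
    ok, odd = decrypt_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("decrypted:", len(ok), "needs a look:", len(odd))
```

Note the uppercase `-K`: it passes the raw hex key, whereas lowercase `-k` would treat the argument as a password and derive a different key. With a wrong key, openssl usually reports a padding error and the driver stops; roughly one time in 256 the padding happens to look valid and garbage is written, which is what the magic-byte check catches before anything is deleted.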

Thursday, 12 January 2012

List of Services

We are a security research team of skilled malware analysts, located in Ukraine, with 10+ years' experience in the antivirus industry.

We deliver:
  • Threat intelligence data (Yara rules, Network IoCs, IDS/IPS rules, C&C links, others)
  • Malware analysis reports
  • Machine learning algorithms to detect 0-day threats
We provide the security services and solutions:
  • Malware analysis 24/7 including APT and ransomware
  • Security testing of security products
We teach:
  • Advanced Malware Analysis course (the 7.5 ECTS university course within the EU master's program in cybersecurity)
  • Reverse engineering (x86, ARM)
  • Threat hunting
  • Threat modeling
  • Cloud security
  • Incident response
  • Machine learning in cybersecurity
We were acknowledged by:
  • Microsoft for the analysis of:
    • MS10-061 Print Spooler Service (Stuxnet 0-day) Vulnerability  (CVE-2010-2729)
    • MS10-073 Win32k Keyboard Layout Vulnerability (CVE-2010-2743)
    • MS10-092 Task Scheduler Vulnerability (CVE-2010-3338)
Publications:
  1. A security model of individual cyberspace / A. Adamov, V. Hahanov // Proc. of IEEE EWDTS, September 19–20, 2011. – Sevastopol, 2011. – P. 169–172.
  2. Analysis and Detection of Polymorphic Spyware / Adamov A, Saprykin A // Hakin9 Magazine, Vol.8 № 01, Issue 01/2013 (61), ISSN: 1733-7186 –  P. 6-11.
  3. Discovering New Indicators for Botnet Traffic Detection / A. Adamov, V. Hahanov, A. Carlsson // Proc. of IEEE EWDTS, September 26–29, 2014, Kiev, Ukraine. – Kiev, 2014. – P. 281–285.
  4. Method of attribute-based URL recognition using frequency patterns / A.S. Adamov, V.I. Hahanov // Bulletin of the State Engineering University of Armenia, Yerevan, 2014, Issue 17, No. 2, P. 59-66 (UDC 681.326: 519.713).
  5. Structures for information retrieval in big data / Hahanov V, Chumachenko S, Litvinova E, Adamov A et al // Proc. of 13th International Conference Experience of Designing and Application of CADSM (CADSM'2015), Lviv, Ukraine, 2015 – P. 70-75.
  6. A Sandboxing Method to Protect Cloud Cyberspace / Adamov A, Carlsson A // Proceedings of IEEE EWDTS, September 27-30, 2015, Batumi, Georgia – P. 180–183.
  7. Android Ransomware: Turning CryptoLocker into CryptoUnlocker / Adamov A // Proc. of the 25th Virus Bulletin International Conference, Prague, Czech Republic, 30 Sep-2 Oct 2015 – P. 220-223.
  8. Detecting targeted attacks in the cloud / Adamov A // OpenStack Summit, Vancouver, Canada, 18-22 May 2015.
  9. Using Open Source Security Architecture to Defend against Targeted Attacks / Alexander Adamov, Dan Lambright // OpenStack Summit, Austin, TX, US, April 25-29, 2016.
  10. Cloud incident response model / Alexander Adamov, Anders Carlsson // IEEE EWDTS, October 14–17, 2016, Yerevan, Armenia. – P. 250–253
  11. The State of Ransomware. Trends and Mitigation Techniques / Alexander Adamov, Anders Carlsson // Proc. of IEEE East-West Design & Test Symposium (EWDTS’2017), Sep 29 – Oct 2, 2017, Belgrade, Serbia. – P. 121–128.
  12. Adamov A, Carlsson A, Battlefield Ukraine: finding patterns behind summer cyber attacks, // Proc. of the 27th Virus Bulletin International Conference, Madrid, Spain, 4-6 Oct 2017 – Appendix Last-minute presentations P. 4-5.
etc.

Find more in Google Scholar, Scopus, and IEEE Xplore.



Contact us: ada@nioguard.com