Monday, July 22, 2024

Hackers Using Polyglot Files In the Wild, Here Comes PolyConv For Detection

Polyglot files have to fit in several file format specifications and respond differently depending on the calling program.

This poses a significant risk to endpoint detection and response (EDR) systems and file uploaders, which mainly rely on format identification for analysis.

By evading correct classification, polyglots can leap over feature extraction routines or signature comparisons found in malware detection systems.

Research by the following researchers from Oak Ridge National Laboratory and Assured Information Security indicates that polyglots are threats to commercial EDR tools, with 0% detection of malicious polyglots recorded during tests by some vendors:-

  • Luke Koch
  • Sean Oesch
  • Amul Chaulagain
  • Jared Dixon
  • Matthew Dixon
  • Mike Huettal
  • Amir Sadovnik
  • Cory Watson
  • Brian Weber
  • Jacob Hartman
  • Richard Patulski

The dependence on standard formats for efficient malware detection makes it vulnerable to this kind of attack whereby files can be created that are valid in multiple formats.

"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo

Polyglot Files Used In Wild

There is a critical gap in computer security research because no one has done an extensive study on how threat actors use these artifacts and how they are detected.

Polyglot files in malware campaigns were found to play a significant role in the tactics of APT groups.

To carry out an analysis, they developed Fazah, a tool imitating real-life polyglot creation methods.

Researchers trained PolyConv, a deep learning model that attained over 99% F1 score for both binary and multi-label classifications of polyglots.

These were not very effective compared to already existing tools used to identify files.

Functionality of a polyglot (Source – Arxiv)

For image-based polyglots, the most popular means was via custom CDR tool (ImSan) which is more efficient than YARA rules in sanitizing it with 100% efficacy.

This research fills essential gaps within cybersecurity defenses against this advanced threat by providing useful information on techniques of detecting and mitigating them as well as awareness of polyglot format detection strategies.

Malware detector (Source – Arxiv)

Threat actors often use polyglots to avoid detection and bypass commercial security tools.

Out of the 30 different polyglot samples found in these cyber-attack chains 15 instances were detected.

Common combinations are JAR+JPG and HTA+CHM, which are used by groups such as Lazarus and IcedID.

MalConv Architecture (Source – Arxiv)

PolyConv based on MalConv and PolyCat using CatBoost machine learning models demonstrate encouraging results in the detection of polyglots through byte-level features and format-agnostic approaches.

PolyConv Architecture (Source – Arxiv)

With mime-type and n-gram features added, the performance of PolyCat improved.

For this reason, detecting polyglots becomes an important way of increasing our cybersecurity defenses against advancing dangers.


Here below we have mentioned all the recommendations:-

  • Polyglot Detection
  • Existing Signature-based Tools
  • File-format Specifications

Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files


Latest articles

SonicOS IPSec VPN Vulnerability Let Attackers Cause Dos Condition

SonicWall has disclosed a critical heap-based buffer overflow vulnerability in its SonicOS IPSec VPN....

Hackers Registered 500k+ Domains Using Algorithms For Extensive Cyber Attack

Hackers often register new domains for phishing attacks, spreading malware, and other deceitful activities. Such...

Hackers Claim Breach of Daikin: 40 GB of Confidential Data Exposed

Daikin, the world's largest air conditioner manufacturer, has become the latest target of the...

Emojis Are To Express Emotions, But CyberCriminals For Attacks

There are 3,664 emojis that can be used to express emotions, ideas, or objects...

Beware Of Fake Browser Updates That Installs Malicious BOINC Infrastructre

SocGholish malware, also known as FakeUpdates, has exhibited new behavior since July 4th, 2024,...

Data Breach Increases by Over 1,000% Annually

The Identity Theft Resource Center® (ITRC), a nationally recognized nonprofit organization established to support...

UK Police Arrested 17-year-old Boy Responsible for MGM Resorts Hack

UK police have arrested a 17-year-old boy from Walsall in connection with a notorious...
Tushar Subhra Dutta
Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles