Friday, January 24, 2025

How Malware Analysis Helps You Detect Reused Malware code


Malware authors reuse code, and that habit can be turned against them: detecting reused code has become an established way to identify and attribute malware. In this post, we look at why attackers reuse code and how genetic malware analysis automates the detection of that reuse.

Why Do Hackers Reuse Code? 

Cybercriminals aim for maximum impact with minimum effort. Like any other developer, they reuse code. When conducting malware analysis, security analysts tend to think of malware in terms of families and strains, but in reality malware authors are not unlike other developers: most current malware recycles pieces of code from earlier malware, adding to it and modifying it slightly (and the modifications are often themselves lifted from public repositories).

Malware creators aim to work efficiently. Instead of writing a new program of thousands of lines from scratch, they look for working segments and drop them into their own code. This is, in a way, counterproductive for attackers, because shared code gives defenders a way to track malware across campaigns. It does not stop them, though: more often than not, the time saved goes into social engineering and phishing, and into making the final product more damaging.

Examples of hackers’ code reuse

Shadow Brokers

This group released exploit code stolen from the U.S. National Security Agency (NSA). The leak included exploits for vulnerabilities in Microsoft's SMB file-sharing protocol, notably EternalBlue. Attackers repurposed this code in the WannaCry and NotPetya ransomware outbreaks.

EDA2 and Hidden Tear

In another case, a security researcher from Turkey published two ransomware projects, EDA2 and Hidden Tear, as open source for educational purposes. Attackers quickly seized the opportunity and used that source code to build their own ransomware variants.

They reuse attack methods too

Hackers not only reuse code; they reuse attack techniques, methods, and practices. After all, if a particular line of attack has worked in the past, why not use it again? This is most common among script kiddies (beginner attackers), who reuse established attack methods to fill gaps in their own skills, often with the same tools penetration testers use.

Seasoned attackers also reuse methods that remain effective, for example malicious Office macros, and recycle social engineering and spear-phishing tactics. Attackers build on the success of others, whether to inflict more damage or to exploit reused code.

How Genetic Malware Analysis detects reused code

Malware analysis is critical to responding to security incidents effectively. Genetic Malware Analysis is an automated approach that aims to give detailed insight into any file suspected of being malicious. Let's dive into it.

What is genetic malware analysis?

Software is in constant evolution, and developers reuse code written by others. Searching for recognizable pieces of reused code is one of the tactics security researchers use, and looking for such similarities has proven successful for threat analysis. For example, the WannaCry ransomware mentioned above contains code fragments linked to the Lazarus threat actor group.

The problem with this approach is that doing it manually is time-consuming and requires a high level of expertise, so it can be applied only to a limited number of files.

Genetic malware analysis addresses these issues by automating and scaling the process: it compares a file's code against a database of both trusted and malicious software. Because the process is automated, an analysis takes seconds rather than hours.

How it works

First, the system parses and disassembles the file, then transforms the code into searchable tokens, the "genes". Much like the tokenization used by search engines, the algorithm breaks the code into small fragments while ignoring variable names and other non-essential details, so the same logic is recognized even after renaming or recompilation.

After the genes are extracted, the tool compares them against a code genome database to find which have been seen before. The database is continually updated with catalogued malware; once a new family enters it, any later file that reuses its code is flagged, so attackers gain nothing by recycling it. Security teams can also use genetic malware analysis to explore other similarities between suspicious files, such as metadata, strings, and resources.

The capabilities of genetic malware analysis are not limited to detection. Once the system identifies the reused code, it can create YARA signatures based on that code. These signatures improve protection by also identifying future variants of the malware, which makes them more durable than hash-based signatures: a hash changes with any single-byte modification, whereas a code-based signature survives changed keys, strings, or recompilation as long as the reused logic remains.
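As an added, self-contained example (not Intezer's code or any product's implementation), the following Python script models the pipeline described in the "How it works" paragraphs and the YARA step above: it normalizes constructed x86 disassembly into "genes" (sliding windows of instruction shapes with register names and immediates removed), labels each gene of an unknown file as trusted, reused from a known family, or unique, and then derives a YARA hex pattern for the reused run in which bytes that differ between the two variants are wildcarded. The listings, the hand-assembled bytes, the three-instruction gene size, the family name FamilyX and the database contents are all constructed assumptions for illustration.

```python
"""Toy gene-based code-reuse analysis. Added example, not Intezer's implementation:
listings are constructed x86 fragments with hand-assembled bytes, databases are tiny assumptions."""
import re
from collections import Counter

GENE_LEN = 3                      # instructions per gene (assumed window size)
REGS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}
SIZES = {"byte", "word", "dword", "ptr", "short"}
NUM = re.compile(r"^(0x[0-9a-f]+|\d+)$", re.I)

def normalize(asm):
    """Keep an instruction's shape, drop names/values: 'mov ecx, [ebp+0xC]' -> 'mov reg mem'."""
    head, _, ops = asm.strip().partition(" ")
    mnem = head.lower()
    if mnem in ("rep", "repe", "repne") and ops:          # fold string-op prefix into mnemonic
        first, _, ops = ops.partition(" ")
        mnem += " " + first.lower()
    out = [mnem]
    for op in (o.strip() for o in ops.split(",") if o.strip()):
        if "[" in op:                                       # memory operand: keep size word only
            out += [t.lower() for t in op[:op.index("[")].split() if t.lower() in SIZES] + ["mem"]
        else:
            for t in (x.lower() for x in op.split()):
                out.append("reg" if t in REGS else "imm" if NUM.match(t)
                           else t if t in SIZES else "sym")  # sym: label or other symbol
    return " ".join(out)

def genes(listing):
    """Sliding window of GENE_LEN normalized instructions; each window is one gene."""
    norm = [normalize(asm) for _, asm in listing]
    return [" | ".join(norm[i:i + GENE_LEN]) for i in range(len(norm) - GENE_LEN + 1)]

def analyze(listing, trusted_db, malware_db):
    """Label each gene 'trusted' (clean code, discounted even if malware shares it), a family, or 'unique'."""
    trusted = set().union(*(genes(l) for l in trusted_db.values()))
    families = {fam: set(genes(l)) for fam, l in malware_db.items()}
    labels = ["trusted" if g in trusted else
              next((f for f, s in families.items() if g in s), "unique")
              for g in genes(listing)]
    counts = Counter(labels)
    fams = [f for f in counts if f not in ("trusted", "unique")]
    return labels, counts, (max(fams, key=counts.get) if fams else None)

def longest_run(labels, family):
    """Half-open gene index range of the longest stretch attributed to `family`."""
    runs, start = [], None
    for i, lab in enumerate(labels + [None]):              # sentinel closes a final run
        if lab == family and start is None:
            start = i
        elif lab != family and start is not None:
            runs.append((start, i)); start = None
    return max(runs, key=lambda r: r[1] - r[0], default=(0, 0))

def yara_rule(name, unknown, known, labels, family):
    """YARA hex pattern over the reused run; bytes differing between the variants (renamed
    register, new XOR key) become '??'. Assumes the reused genes are contiguous in `known` too."""
    g0, g1 = longest_run(labels, family)
    span = g1 - g0 + GENE_LEN - 1                           # instructions the run covers
    k0 = genes(known).index(genes(unknown)[g0])             # where the run starts in `known`
    parts = []
    for (hu, _), (hk, _) in zip(unknown[g0:g0 + span], known[k0:k0 + span]):
        bu, bk = hu.split(), hk.split()
        if len(bu) != len(bk):                              # encodings of different length
            parts.append("[%d-%d]" % (min(len(bu), len(bk)), max(len(bu), len(bk))))
        else:
            parts += [a if a == b else "??" for a, b in zip(bu, bk)]
    pattern = " ".join(parts)
    return pattern, "rule %s {\n  strings:\n    $code = { %s }\n  condition:\n    $code\n}" % (name, pattern)

# Constructed listings as (hex bytes, assembly); not taken from any real sample.
TRUSTED_DB = {"libc_like_memcpy": [
    ("55", "push ebp"), ("8B EC", "mov ebp, esp"),
    ("8B 7D 08", "mov edi, [ebp+8]"), ("8B 75 0C", "mov esi, [ebp+0xC]"),
    ("8B 4D 10", "mov ecx, [ebp+0x10]"), ("F3 A4", "rep movsb"),
    ("8B 45 08", "mov eax, [ebp+8]"), ("5D", "pop ebp"), ("C3", "ret")]}
MALWARE_DB = {"FamilyX": [                                   # single-byte XOR decode loop
    ("55", "push ebp"), ("8B EC", "mov ebp, esp"),
    ("8B 45 08", "mov eax, [ebp+8]"), ("8B 4D 0C", "mov ecx, [ebp+0xC]"),
    ("33 D2", "xor edx, edx"), ("80 34 10 5A", "xor byte [eax+edx], 0x5A"),
    ("42", "inc edx"), ("3B D1", "cmp edx, ecx"), ("7C F7", "jl loop"),
    ("5D", "pop ebp"), ("C3", "ret")]}
UNKNOWN = [                                                  # same loop: ebx for edx, new key, extra xor
    ("55", "push ebp"), ("8B EC", "mov ebp, esp"),
    ("8B 45 08", "mov eax, [ebp+8]"), ("8B 4D 0C", "mov ecx, [ebp+0xC]"),
    ("33 DB", "xor ebx, ebx"), ("80 34 18 37", "xor byte [eax+ebx], 0x37"),
    ("43", "inc ebx"), ("3B D9", "cmp ebx, ecx"), ("7C F7", "jl loop"),
    ("33 C0", "xor eax, eax"), ("5D", "pop ebp"), ("C3", "ret")]

def run_demo():
    labels, counts, verdict = analyze(UNKNOWN, TRUSTED_DB, MALWARE_DB)
    pattern, rule = yara_rule(verdict + "_reused_xor_loop", UNKNOWN, MALWARE_DB[verdict], labels, verdict)
    print("gene labels:", labels, "\ncounts:", dict(counts), "-> verdict:", verdict, "\n" + rule)
    return labels, dict(counts), verdict, pattern, rule

if __name__ == "__main__":
    run_demo()
```

Running it attributes the unknown file to FamilyX on five of its eight non-trusted genes, while the two prologue genes it shares with the clean memcpy-like routine are discounted even though FamilyX contains them as well; that trusted-first ordering is what keeps common library code from producing false family matches. The derived rule's pattern, `8B 45 08 8B 4D 0C 33 ?? 80 34 ?? ?? ?? 3B ?? 7C F7`, matches both the catalogued sample and the variant with a different XOR key and register, whereas a hash of either file would match only itself.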

Summary

Detecting malware has become harder as malware tactics grow more complex. Identifying malware by the code it reuses is a clever approach, but done manually it was very time-consuming and therefore limited in reach. By automating and scaling this process, technologies like genetic malware analysis offer an improved approach to malware analysis.
