Malware analysis: a successful cooperation between Cyber-Detect and Lorraine University

The Europol annual Internet Organised Crime Threat Assessment (IOCTA) [1] states that known malware threats remain active and that new threats keep appearing. Ransomware is still one of the major causes of cyber-attacks, but more targeted attacks seem to be more profitable for cyber-criminals. This is why collaboration between all actors, public and private sector, law enforcement and academia, is essential in order to respond to malware attacks.

The start-up Cyber-Detect (CYD) was created in 2017 and provides an innovative malware analysis solution based on fundamental research from Loria [2], the computer science laboratory of Lorraine University (UL). Loria has a rather unique research platform called the High Security Lab (HSL), whose objectives are (i) to collect data and malware samples by running honeypots and (ii) to allow malware to be studied safely and solutions to be benchmarked. Thanks to the HSL, Loria's researchers designed an original method dubbed morphological analysis, which is the core of the anti-malware solution Gorille developed by Cyber-Detect.

The LockerGoga attacks give a good illustration of the collaboration between Cyber-Detect and Lorraine University. In January 2019, the French company Altran [3] was compromised by the LockerGoga ransomware. Two months later, the Norwegian company Norsk Hydro [4] was also compromised, at an estimated cost of around 35 million euros. For us, the question was whether Gorille is able to detect, or at least to correlate, the different LockerGoga samples without having any prior signature for this specific attack.

In a nutshell, Gorille identifies malicious threats embedded in binary files. To do so, Gorille relies on a collection of known malicious behaviours. Each binary file submitted to Gorille is scanned, and as soon as a sequence of inter-linked malicious behaviours is detected, Gorille raises an alert. The core heuristic is the morphological analysis of binary executables devised at Loria. The idea is that each behaviour is represented by an abstraction of the control flow graph of its implementation, called a site, so that the search is performed on the structure of the code rather than on a byte-level signature.
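To make the notion of a site concrete, here is a toy illustration added for this page. It is not Gorille's code and not Loria's published algorithm: it abstracts a linear disassembly into a control-flow skeleton (sequential instructions collapsed, only jumps, calls and returns kept), fingerprints the neighbourhood of every control node as a canonical tuple, and then counts how many fingerprints of a sample are already present in a small base built from a reference routine. The listings, addresses and function names are constructed, and the radius-based fingerprint is my simplification of what a site can be.

```python
"""Toy morphological matching: abstract control flow graphs to 'sites' and
count how many sites of a sample are already known as malicious.
Constructed illustration only: not Gorille's code, not Loria's algorithm."""
from collections import deque

# Mnemonics that become control-flow nodes; anything else is a plain
# sequential instruction and is collapsed away during abstraction.
CONTROL = {"jmp": "jmp", "je": "jcc", "jne": "jcc", "jz": "jcc",
           "call": "call", "ret": "ret"}

def build_cfg(listing):
    """listing: [(addr, mnemonic, operand)] in address order; jump operands
    are target addresses. Returns {addr: (kind, ordered successors)},
    taken branch first for conditional jumps."""
    cfg = {}
    for i, (addr, mnem, opnd) in enumerate(listing):
        kind = CONTROL.get(mnem, "inst")
        fall = listing[i + 1][0] if i + 1 < len(listing) else None
        if kind == "jmp":
            succ = [opnd]
        elif kind == "jcc":
            succ = [opnd, fall]
        elif kind == "ret":
            succ = []
        else:  # plain instructions and calls fall through
            succ = [fall]
        cfg[addr] = (kind, [s for s in succ if s is not None])
    return cfg

def reduce_cfg(cfg):
    """Keep only control-flow nodes and rewire edges past sequential ones.
    Junk instructions, register renaming and relocation then leave the
    shape untouched, which is the point of the abstraction."""
    def skip(a):
        seen = set()
        while a in cfg and cfg[a][0] == "inst" and a not in seen:
            seen.add(a)
            if not cfg[a][1]:
                return None
            a = cfg[a][1][0]
        return a if a in cfg else None
    return {addr: (kind, [skip(s) for s in succs])
            for addr, (kind, succs) in cfg.items() if kind != "inst"}

def site(reduced, root, radius=2):
    """Canonical fingerprint of the neighbourhood of `root` within `radius`
    hops. Nodes are numbered in BFS order and successors are ordered, so
    isomorphic neighbourhoods yield identical tuples without any graph
    isomorphism search. Edges to unknown targets are recorded as None."""
    order, index, depth = [root], {root: 0}, {root: 0}
    edges, queue = [], deque([root])
    while queue:
        a = queue.popleft()
        if depth[a] >= radius:
            continue
        for slot, s in enumerate(reduced[a][1]):
            if s is None or s not in reduced:
                edges.append((index[a], slot, None))
                continue
            if s not in index:
                index[s], depth[s] = len(order), depth[a] + 1
                order.append(s)
                queue.append(s)
            edges.append((index[a], slot, index[s]))
    return tuple(reduced[a][0] for a in order), tuple(edges)

def sites_of(listing, radius=2):
    """Set of all sites of a listing, one per control-flow node."""
    reduced = reduce_cfg(build_cfg(listing))
    return {site(reduced, a, radius) for a in reduced}

def scan(listing, known, radius=2):
    """Gorille-style question: how many of the sample's sites are known?"""
    return len(sites_of(listing, radius) & known)

# Constructed reference routine: loop over a file list, encrypt each file,
# then drop a ransom note. Its sites form the tiny 'known malicious' base.
REFERENCE = [
    (0x1000, "mov", "ecx, [files]"), (0x1003, "test", "ecx, ecx"),
    (0x1005, "jz", 0x1020), (0x1007, "push", "ecx"),
    (0x1008, "call", "encrypt_file"), (0x100d, "mov", "ecx, [ecx+4]"),
    (0x1010, "test", "ecx, ecx"), (0x1012, "jne", 0x1007),
    (0x1014, "call", "drop_ransom_note"), (0x1019, "ret", ""),
    (0x1020, "ret", ""),
]
# Constructed variant: relocated, other register, junk instructions added.
VARIANT = [
    (0x4000, "nop", ""), (0x4001, "mov", "esi, [files]"),
    (0x4004, "xchg", "eax, eax"), (0x4006, "test", "esi, esi"),
    (0x4008, "jz", 0x4030), (0x400a, "push", "esi"), (0x400b, "nop", ""),
    (0x400c, "call", "encrypt_file"), (0x4011, "mov", "esi, [esi+4]"),
    (0x4014, "test", "esi, esi"), (0x4016, "jne", 0x400a),
    (0x4018, "call", "drop_ransom_note"), (0x401d, "ret", ""),
    (0x4030, "ret", ""),
]
# Constructed benign routine with a different shape.
BENIGN = [
    (0x2000, "push", "ebp"), (0x2001, "mov", "ebp, esp"),
    (0x2003, "call", "printf"), (0x2008, "pop", "ebp"), (0x2009, "ret", ""),
]
KNOWN = sites_of(REFERENCE)

if __name__ == "__main__":
    for name, sample in (("variant", VARIANT), ("benign", BENIGN)):
        print(f"{name}: {scan(sample, KNOWN)} of {len(KNOWN)} known sites match")
```

The relocated, padded variant matches every one of the five reference sites, which is the correlation effect the rest of this page relies on. The benign routine already shares two of them ("call followed by ret" and a bare "ret"): very small sites are generic, which is why a tool of this kind alerts on a run of many inter-linked sites rather than on any single match, and why real sites are larger than this radius-2 toy. The toy also assumes it is given a disassembly, so a packed sample would have to be unpacked first.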

Since Gorille's search is based on a collection of malicious behaviours, the first question that comes to mind is whether Gorille is able to detect LockerGoga at all. Gorille knows about 100,000 malicious behaviours, but none of them was extracted from LockerGoga. As the output below shows, Gorille identifies 55 malicious behaviours in the submitted LockerGoga sample.

> gorille -d LockerGogaAltran.bin
info : Start processing files
DIST: “LockerGogaAltran.bin”: 55 matching sites
54 from Hmir.tpz

The sample named LockerGogaAltran.bin corresponds to the malware used in the attack on Altran on January 25th, 2019. On March 8th, 2019, that is two months later, MalwareHunter [5] discovered a variant of LockerGoga, which we call no-detected_LockerGoga.bin below.

Again, Gorille detects 55 malicious behaviours in this second LockerGoga sample, and they are identical to the malicious behaviours identified in the first one.

> gorille -d LockerGoga/no-detected_LockerGoga.bin
info : Start processing files
DIST: “no-detected_LockerGoga.bin”: 55 matching sites
54 from Hmir.tpz

As a result, Gorille could have detected the LockerGoga ransomware without any LockerGoga-specific signature. Even setting detection aside, the result shows that this approach is able to correlate ransomware attacks: both samples match the same 55 sites, 54 of them attributed to the same reference Hmir.tpz, so the two binaries share a large amount of code structure even though they surfaced two months apart. Another use case of Gorille is attribution in the aftermath of an attack, that is, identifying which kinds of malware have been used to compromise a system. To conclude, this story demonstrates the effectiveness of cooperation between academia and the private sector through the exchange of innovation and shared experiments.

(By Jean-Yves Marion (UL))