Malware analysis: a successful cooperation between Cyber-Detect and Lorraine University

The Europol annual the Internet Organised Crime Threat Assessment (IOCTA) [1] states that known malware threats are always active and that new threats are appearing. Ransomware are still one of the major causes of cyber-attacks, but more targeted attacks seems to more profitable for cyber-criminals. That is the collaboration between all actors, public and private sector, law enforcement and academia is essential in order to response to malware cyber-attacks.

The start-up Cyber-Detect (CYD) was created in 2017 and provides an innovative malware analysis solution, which is based on fundamental researches coming from Loria [2], the computer science laboratory of Lorraine University (UL). Loria has a quite unique research platform called High Security Lab (HSL), whose objectives are (i) to collect data and malware samples by running honey pots and (ii) to safely enable studying malware and to benchmark solutions. Thanks to HSL, Loria’s researchers designed an original method dubbed morphological analysis, which is the core of the anti-malware solution Gorille, developed by Cyber-Detect.

LockerGoga’s attacks give a good illustration of the collaboration between Cyber-Detect and Lorraine University. In January 2019, French company Altran [2] has been compromised by the LockerGoga ransomware. Two months later, Norvegian company Norks Hydro [4] has also been compromised resulting to an approximate cost of 35 millions of euros. For us, the question was to know whether or not Gorille is able to detect or at least to correlate the different LockerGoga ransomware, without having an initial signature of this kind of specific attack.

In a nutshell, Gorille identifies malicious threats embedded in binary files. For this, Gorille knows a collection of malicious behaviours. Each binary file submitted to Gorille is then scanned and as soon as a sequence of malicious inter-link behaviours is detected, Gorille raises an alert. The core heuristics is based on morphological analysis of binary executable, which has been devised at Loria’s Computer Science Lab. The idea is that each behaviour is an abstraction of the control flow graph, called site, of its implementation.

Since Gorille search process is based on a collection of malicious behaviours, the first question which comes in mind is whether or not Gorille is able to detect LockerGoga. Gorille knows about 100,000 malicious behaviours, but Gorille has no knowledge of LockerGoga. As we see below, Gorille identifies 55 malicious behaviours in the submitted sample of LockerGoga.

> gorille -d LockerGogaAltran.bin
info : Start processing files
DIST: “LockerGogaAltran.bin”: 55 matching sites
54 from Hmir.tpz

The sample named LockerGogaAltran.bin corresponds to the malware that attacks Altran in January 25th, 2019. On March 8th, 2019 that is two months later, MalwareHunter [5] discovered that a variant of LockerGoga, that we name below no-detected_LockerGoga.bin.

Again, Gorille detects 55 malicious behaviours in this other sample of LockerGoga ransomware, which are identical to the previous malicious behaviors identified.

> gorille -d LockerGoga/no-detected_LockerGoga.bin
info : Start processing files
DIST: “no-detected_LockerGoga.bin”: 55 matching sites
54 from Hmir.tpz

As a result Gorille could have been detected LockerGoga ransomware. That said, it certainly shows that this approach is able to corollate ransomware attacks. Another use case of Gorille is the attribution management the aftermath of an attack, that is to identify what kinds of malware has been used to compromised a system. And to conclude, this story demonstrates the effectiveness of academia-private cooperation through innovation exchanges and share experiments.

References

https://twitter.com/malwrhunterteam/status/1104082562216062978

(By Jean-Yves Marion (UL))

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Malware analysis: a successful cooperation between Cyber-Detect and Lorraine University

Our site saves cookies on your device in order to deliver better content. By browsing our website you grant us the permission to store that information on your device.