How does XDR help defend against polymorphic malware?

Companies need all the help they can get to address the constantly evolving and increasingly dangerous cyberthreat landscape. Increasingly, they are finding that traditional cybersecurity measures like firewalls and antivirus software offer insufficient defenses against the sophisticated and stealthy techniques being employed by threat actors. Additional protection is necessary to effectively secure a company’s valuable IT environment from advanced threats such as those posed by polymorphic malware.

Threat actors are incentivized to find methods with which to exploit security vulnerabilities and remain hidden once they have gained access to a computing environment. Traditional security tools often rely on pattern matching and malware reputation to detect the presence of malware. These detection methods are increasingly being circumvented by a motivated hacker or cybercriminal.

Extended detection and response (XDR) is a cybersecurity solution that offers companies a complementary method of protecting themselves from stealthy and hidden threats. XDR works on top of an organization’s existing security stack to provide visibility into the entire digital estate.

An XDR platform collects and consolidates data from across the environment to uncover threats that have escaped detection with traditional security tools. XDR performs behavioral analysis that can identify threats with no known signature or reputation. An XDR solution provides security incident automation to minimize the strain on security personnel and prioritizes threats for more efficient resource utilization.

What is Polymorphic Malware?

Polymorphic malware is malicious software with the ability to change its identifiable characteristics as it traverses an IT environment or system. Typically this involves techniques such as changing encryption keys or file names to modify its signature.

The speed with which polymorphic malware evolves makes it extremely hard to detect using signature-based techniques. Threat actors make use of multiple obfuscation techniques that add to the difficulty of identifying polymorphic malware.

• Dead-code insertion inserts non-executable code randomly throughout a program to change its appearance.
• Subroutine reordering randomizes the position of subroutines to disguise the malware from antivirus tools.
• Instruction substitution replaces portions of code with equivalent instructions to deceive security tools and escape detection.
• Code integration integrates the malware with a target program to produce a new and malicious version of the target.

Polymorphism can be found in many types of malware including viruses, bots, Trojans, keyloggers, and worms.

Examples of polymorphic malware include:

• Storm Worm - This worm was launched by email in 2007 and contained an attachment that installed the wincom32 service and turned the infected machine into a bot. It changed its signature every 30 minutes as it attempted to remain hidden.

• CryptoWall - This polymorphic ransomware variant takes full control over an infected device so does not need to remain hidden. It uses polymorphism to create new variants of the malware for every potential victim.

• VirLock - Building on CryptoWall’s foundation, this malware delivers ransomware, replicates itself, and changes file formats to make it more difficult to detect and remove from an infected computer.

• Black Mamba - This malware variant was created as a proof of concept using the AI tool ChatGPT. We will look at Black Mamba more closely in the next section of this article.

• WannaCry - A ransomware cryptoworm that spreads by leveraging exploits of vulnerabilities in the Microsoft Windows operating system

How Malware Developers are Leveraging AI such as ChatGPT

Artificial intelligence and machine learning are technologies responsible for many innovative tools and solutions throughout all areas of the computing world. The release of the generative AI tool ChatGPT provided interested parties across the world with a powerful and versatile tool that can perform a wide variety of tasks.

ChatGPT is built using a large language model (LLM) which employs machine learning and training by processing enormous volumes of unstructured data.

Researchers at HYAS Labs used ChatGPT in a Proof of Concept (PoC) experiment named Black Mamba that demonstrates the ability of AI to generate polymorphic malware. Black Mamba is a polymorphic keylogger that has three distinct characteristics that make it hard to detect and eliminate.

• Each time BlackMamba executes, it displays polymorphism by re-synthesizing its keylogging capability, defeating signature-based and pattern-matching cybersecurity solutions.
• Black Mamba eliminates the need for a dedicated C2 (command and control) channel so reputation checks will not discover communication with known malicious C2 servers.
• The malware uses Microsoft Teams, a trusted collaboration platform to exfiltrate data. The use of a trusted and popular software package is a perfect disguise for Black Mamba’s malicious intentions.

This is not good news for those responsible for an organization’s cybersecurity, as the power of ChatGPT allows any motivated hacker to develop sophisticated malware without any level of technical expertise. It should be noted that ChatGPT does have safeguards which are designed to prevent its use to develop malware. Considerable effort is required in order to sidestep these safeguards.

Why Traditional Antivirus and EDR Solutions are Ineffective Against AI-powered Malware

Traditional antivirus (AV) tools and endpoint detection and response (EDR) solutions are often ineffective against AI-powered malware. Several reasons are behind the inability of these staple components of cybersecurity to detect malware developed and powered by AI engines.

• They are not designed to handle the fluctuating “shapes” and signatures of constantly evolving malware. By continuously generating unique code at runtime, malware can escape detection even when detection tools are updated regularly. There is no way these tools can keep up with the changing signatures of unique malware variants.

• These signature-based tools are also insufficient to identify the weak signals that may be the only indication of the presence of AI-controlled malware. In many cases it is necessary to correlate telemetry from sources beyond the endpoint itself in order to detect the activity of some of these malware variants.

• The use of trusted software such as Microsoft Teams as a central component of a malware infection defeats reputation-based security solutions that can identify outbound attempts to access known malicious C2 servers.

How XDR Addresses the Weaknesses of Traditional Cybersecurity

XDR provides additional cybersecurity functionality that addresses the weaknesses of traditional methods.

• The threat detection capabilities of XDR can identify stealthy intruders through the synthesis of threat intelligence (TI) and the telemetry provided by visibility into the entire environment.
• XDR employs behavioral analysis and monitoring to identify sophisticated threats that escape detection by traditional security measures.
• XDR prioritizes alerts to security personnel so they can address the serious and uncategorized threats that may indicate polymorphic malware.

Samurai XDR is a cloud-based solution for organizations of all sizes. It provides the threat hunting and detection functionality required to address the sophisticated risks posed by AI-powered malware.

You can see XDR in action by signing up for a 30 day free trial. The cybersecurity experts at Samurai will show you how XDR fills the gaps in your existing security controls for more effective threat detection and enhanced protection for your IT environment.