Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Save more on your purchases! discount-offer-chevron-icon
Savings automatically calculated. No voucher code required.
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Mastering Malware Analysis

You're reading from   Mastering Malware Analysis A malware analyst's practical guide to combating malicious software, APT, cybercrime, and IoT attacks

Arrow left icon
Product type Paperback
Published in Sep 2022
Publisher Packt
ISBN-13 9781803240244
Length 572 pages
Edition 2nd Edition
Arrow right icon
Authors (2):
Arrow left icon
Amr Thabet Amr Thabet
Author Profile Icon Amr Thabet
Amr Thabet
Alexey Kleymenov Alexey Kleymenov
Author Profile Icon Alexey Kleymenov
Alexey Kleymenov
Arrow right icon
View More author details
Toc

Table of Contents (20) Chapters Close

Preface 1. Part 1 Fundamental Theory
2. Chapter 1: Cybercrime, APT Attacks, and Research Strategies FREE CHAPTER 3. Chapter 2: A Crash Course in Assembly and Programming Basics 4. Part 2 Diving Deep into Windows Malware
5. Chapter 3: Basic Static and Dynamic Analysis for x86/x64 6. Chapter 4: Unpacking, Decryption, and Deobfuscation 7. Chapter 5: Inspecting Process Injection and API Hooking 8. Chapter 6: Bypassing Anti-Reverse Engineering Techniques 9. Chapter 7: Understanding Kernel-Mode Rootkits 10. Part 3 Examining Cross-Platform and Bytecode-Based Malware
11. Chapter 8: Handling Exploits and Shellcode 12. Chapter 9: Reversing Bytecode Languages – .NET, Java, and More 13. Chapter 10: Scripts and Macros – Reversing, Deobfuscation, and Debugging 14. Part 4 Looking into IoT and Other Platforms
15. Chapter 11: Dissecting Linux and IoT Malware 16. Chapter 12: Introduction to macOS and iOS Threats 17. Chapter 13: Analyzing Android Malware Samples 18. Index 19. Other Books You May Enjoy

APT and zero-day attacks and fileless malware

Here, we are going to explain the meaning of some terms commonly found in whitepapers and news articles related to malware.

APT attack

APT stands for Advanced Persistent Threat. Generally, malware receives such a title if the actors tailored it to target a particular entity, whether it was an organization or a particular individual. This means that the attackers chose a specific victim and won’t simply give up and go away if one approach doesn’t work. In addition, the threat should be relatively advanced – for example, it should have a complex structure, use non-standard techniques or zero-day exploits, and so on.

Re-using IoCs for detection purposes in many cases is useless for APT malware as attackers register new network infrastructures and re-compile samples for each victim.

In reality, there are no strict objective criteria to evaluate how advanced a particular threat is. As a result, news outlets and affected organizations often tend to overuse this term to make attacks look more sophisticated than they actually are. This way, pretty much anything that is either relatively new or has led to a successful breach can be called an APT.

Zero-day attack

Many attacks involve the use of exploits targeting certain vulnerabilities to achieve particular goals, such as gaining initial access or performing privilege escalation. Usually, once the vulnerability becomes known to the public, the software vendor addresses the issue and releases a patch so that end users can update their systems and be protected against it. Zero-day attacks involve the use of zero-day exploits, which target vulnerabilities that were not previously known, thus defining a “day zero” upon which it happened. What that means for end users is that there is no solution for them to update the vulnerable systems and thereby address the threat. In this case, users are usually offered some partial workarounds to temporarily minimize the potential impact until the patch is ready, but they commonly have various drawbacks that affect the performance of the systems used.

Fileless malware

There are many reasons for malware to stay below the radar. First, it assures that malware will successfully land in the victim environment and perform all the necessary attack stages. Second, it will complicate the detection and remediation process, prolonging the infection and increasing the chances of success.

Incident Response (IR) engineers use all possible places where malicious activity may be recorded to build up a full picture, efficiently eliminate the threat, and prevent the incident from happening again. The data science that this comprises is called digital forensics. As part of this, the analysts will collect various indicators throughout the system, including file artifacts.

So-called fileless malware has emerged to prevent malicious activity and to bypass traditional antivirus products strongly focused on detecting malicious samples in the form of files. The idea here is that malicious code has no independent sample to detect and delete. Instead, the shell and inline script commands are used. An example of such a threat is Poweliks, which stores a malicious command in the registry key that provides autorun capabilities.

With all the important terminology now clear, it is time to talk about how to approach new reverse-engineering tasks.

You have been reading a chapter from
Mastering Malware Analysis - Second Edition
Published in: Sep 2022
Publisher: Packt
ISBN-13: 9781803240244
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image