DeepSec 2021 Talk: I Will Hide, You Come And Seek – Discovering The Unknown in Known Malwares using Memory Forensics – Shyam Sundar Ramaswami

Sanna/ September 27, 2021/ Conference

Malware analysis is a key phase to extract IOCs like domains, ip, mutex and other signatures. What if malware knows what online sandboxes look for and what tools look for, decides to “showcase only 90%” and hide the rest? Well, Memory forensics comes to our rescue. This was tried and tested with a lot of samples during the pandemic phase and was aided in extracting a lot of hidden process, domains, urls and even ip. This is what the talk covers:

1. Talk about the traditional malware analysis process
2. Introduction to memory forensics and why
3. Introducing tools like Volatility and Rekall
4. Running Orcus RAT, Agent Tesla and Sodinobki Ransomware malwares usingt traditional methods like Any.run online sandbox and malware runs
5. Playing a game by capturing memory of the infected machine by invoking WMI module and suspending the machine
6. Tracking malware, bypassing malware hooks and executing wmic command to hibernate the machine
7. Obtaining the hyb.sys file and performing memory forensics
8. Extracting hidden process, spotting dll injection, dumping process memory and extracting IOCs like ip and urls
9. Voilá, we win !

We asked Shyam a few more questions about his talk.

Please tell us the top 5 facts about your talk.

• Memory forensics explained very simple. Even a 5 year old can understand what memory forensics is.
• We are going to see traditional analysis vs memory forensics analysis for some of the top threat actors/families like Remcos Rat, Emotet, Hancitor, Shathakh and lots more.
• Discussion about malwares that have no visible IOC in traditional malware analysis vs digging out IOC via memory forensics.
• Lots of Super hero stuff and forensics concepts explained using simple and super hero themes!
• I am batman,sssssh!

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

Well, I was analysing malware samples and I saw a strange string of samples that went undetected in some top online sandboxes like Any.run. Performed manual analysis and memory forensics on the same to spot some surprising sneaky tactics and new IOC. Well, that made me apply for this talk.

Why do you think this is an important topic?

Memory forensics is a real asset when it comes to malware analysis. It helps to dig out unknowns in known samples. These could be real good attributes for ML, attributes for evasion and malware tagging. Also, it shows how deep threat actors go when they infect machines and it’s not just the registry and call backs.

Is there something you want everybody to know – some good advice for our readers maybe?

Never shy away from the complex topics. Complex topics are nothing but small simple topics knit together. It takes some initial understanding and determination to research or read about it. Memory forensics is an absolute art and there are so many amazing souls who are building tools to make this simple. Come, let’s discuss memory forensics and have fun learning it.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

Memory forensics has come a long way and it will rise in the future too. This is such a niche field and there is so much innovation happening already. Remember, this is a game of cat & mouse. You never know who wins but you know how rapidly both parties progress.

Shyam Sundar Ramaswami is a Lead Threat Researcher with the Cisco Umbrella Threat Intelligence team. Shyam is a two-time TEDx speaker and a teacher of cybersecurity. He held talks at several conferences such as Black Hat (Las Vegas), Qubit Forensics (Serbia), Nullcon 2020 (Goa), Cisco Live (Barcelona), HackFest (Canada), DeepSec (Vienna) several universities, and IEEE forums in India. Shyam has also taught an “Advanced malware attacks and defenses” class at Stanford University’s cybersecurity program and runs a mentoring program called “Being Robin” where he mentors students all over the globe on cybersecurity. Interviews with him have been published on leading websites like ZDNet and CISO MAG. His twitter tag is @hackerbat.