My script engines know what you did in the dark

Toshinori, Usui; Otsuki, Yuto; Kawakoya, Yuhei; Miyoshi, Jun; Matsuura, Keiichi

doi:10.1145/3359789.3359849

Cited by 3 publications

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

Oblivion: an open-source system for large-scale analysis of macro-based office malware

Sanna,

Cara,

Maiorca

et al. 2024

J Comput Virol Hack Tech

View full text Add to dashboard Cite

Macro-based Office files have been extensively used as infection vectors to embed malware. In particular, VBA macros allow leveraging kernel functions and system routines to execute or remotely drop malicious payloads, and they are typically heavily obfuscated to make static analysis unfeasible. Current state-of-the-art approaches focus on discriminating between malicious and benign Office files by performing static and dynamic analysis directly on obfuscated macros, focusing mainly on detection rather than reversing. Namely, the proposed methods lack an in-depth analysis of the embedded macros, thus losing valuable information about the attack families, the embedded scripts, and the contacted external resources. In this paper, we propose Oblivion, an open-source framework for large-scale analysis of Office macros, to fill in this gap. Oblivion performs instrumentation of macros and executes them in a virtualized environment to de-obfuscate and reconstruct their behavior. Moreover, it can automatically and quickly interact with macros by extracting the embedded PowerShell and non-PowerShell attacks and reconstructing the whole macro behavior. This is the main scope of our analysis: we are more interested in retrieving specific behavioural patterns than detecting maliciousness per se. We performed a large-scale analysis of more than 30,000 files that constitute a representative corpus of attacks. Results show that Oblivion could efficiently de-obfuscate malicious macros by revealing a large corpus of PowerShell and non-PowerShell attacks. We measured that this efficiency can be quantified in an analysis time of less than 1 min per sample, on average. Moreover, we characterize such attacks by pointing out frequent attack patterns and employed obfuscation strategies. We finally release the information obtained from our dataset with our tool.

show abstract

Oblivion: an open-source system for large-scale analysis of macro-based office malware

Sanna,

Cara,

Maiorca

et al. 2024

J Comput Virol Hack Tech

View full text Add to dashboard Cite

show abstract

Automatic Reverse Engineering of Script Engine Binaries for Building Script API Tracers

et al. 2021

View full text Add to dashboard Cite

Script languages are designed to be easy-to-use and require low learning costs. These features provide attackers options to choose a script language for developing their malicious scripts. This diversity of choice in the attacker side unexpectedly imposes a significant cost on the preparation for analysis tools in the defense side. That is, we have to prepare for multiple script languages to analyze malicious scripts written in them. We call this unbalanced cost for script languages asymmetry problem . To solve this problem, we propose a method for automatically detecting the hook and tap points in a script engine binary that is essential for building a script Application Programming Interface (API) tracer. Our method allows us to reduce the cost of reverse engineering of a script engine binary, which is the largest portion of the development of a script API tracer, and build a script API tracer for a script language with minimum manual intervention. This advantage results in solving the asymmetry problem. The experimental results showed that our method generated the script API tracers for the three script languages popular among attackers (Visual Basic for Applications (VBA), Microsoft Visual Basic Scripting Edition (VBScript), and PowerShell). The results also demonstrated that these script API tracers successfully analyzed real-world malicious scripts.

show abstract

Script Tainting Was Doomed From The Start (By Type Conversion): Converting Script Engines into Dynamic Taint Analysis Frameworks

Toshinori¹,

Otsuki

Kawakoya³

et al. 2022

Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses

View full text Add to dashboard Cite

My script engines know what you did in the dark

Cited by 3 publications

References 16 publications

Oblivion: an open-source system for large-scale analysis of macro-based office malware

Oblivion: an open-source system for large-scale analysis of macro-based office malware

Automatic Reverse Engineering of Script Engine Binaries for Building Script API Tracers

Script Tainting Was Doomed From The Start (By Type Conversion): Converting Script Engines into Dynamic Taint Analysis Frameworks

Contact Info

Product

Resources

About