Malware Development for Ethical Hackers - Zhassulan Zhussupov - E-Book

Malware Development for Ethical Hackers E-Book

Zhassulan Zhussupov

Description

Malware Development for Ethical Hackers is a comprehensive guide to the dark side of cybersecurity within an ethical context.
This book takes you on a journey through the intricate world of malware development, shedding light on the techniques and strategies employed by cybercriminals. As you progress, you’ll focus on the ethical considerations that ethical hackers must uphold. You’ll also gain practical experience in creating and implementing popular techniques encountered in real-world malicious applications, such as Carbanak, Carberp, Stuxnet, Conti, Babuk, and BlackCat ransomware. This book will also equip you with the knowledge and skills you need to understand and effectively combat malicious software.
By the end of this book, you'll know the secrets behind malware development, having explored the intricate details of programming, evasion techniques, persistence mechanisms, and more.

You can read the e-book in Legimi apps or in any app that supports the following formats:

EPUB
MOBI

Page count: 331

Year of publication: 2024




Malware Development for Ethical Hackers

Learn how to develop various types of malware to strengthen cybersecurity

Zhassulan Zhussupov

Malware Development for Ethical Hackers

Copyright © 2024 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Pavan Ramchandani

Publishing Product Manager: Neha Sharma

Book Project Manager: Ashwini Gowda

Senior Editor: Runcil Rebello

Technical Editor: Irfa Ansari

Copy Editor: Safis Editing

Proofreader: Runcil Rebello

Indexer: Rekha Nair

Production Designer: Prafulla Nikalje

DevRel Marketing Coordinator: Marylou De Mello

First published: June 2024

Production reference: 2030725

Published by Packt Publishing Ltd.

Grosvenor House, 11 St Paul’s Square, Birmingham B3 1RB, UK

ISBN 978-1-80181-017-3

www.packtpub.com

I dedicate this book to my beloved wife, Laura, my hero son, Yerzhan, and my little princess, Munira, and I thank them for their inspiration, support, and patience.

– Zhassulan Zhussupov

Contributors

About the author

Zhassulan Zhussupov is a professional who wears many hats: software developer, cybersecurity enthusiast, and mathematician. He has been developing products for law enforcement for over 10 years. Professionally, Zhassulan shares his experience as a malware analyst and threat hunter at the MSSP Research Lab in Kazakhstan, a cybersecurity researcher at Websec B.V. in the Netherlands, and Cyber5W in the US. He has also actively contributed to the Malpedia project. Zhassulan’s literary achievements include writing the popular e-books MD MZ Malware Development and Malwild: Malware in the Wild, details of which can be found on his personal GitHub page. He is the author and co-author of numerous articles on cybersecurity blogs and has also spoken at various international conferences, such as Black Hat, DEFCON, BSides, Standoff, and many others. His love for his family is reflected in his role as a loving husband and caring father.

First of all, special thanks to my parents; my fascination with computers began with them.

I want to thank the entire cybersecurity community, readers who were looking forward to the publication of this book, and all my colleagues—true professionals.

I also want to thank all the employees of the Kazdream Technologies IT holding; there are so many of them that it is impossible to list them all, so I express special gratitude to my friend and founder Dauren Tulebaev, the ideological inspirer of the +1 charity foundation, Anya Tsyganova, as well as Kakhar Kashimov, Arman Shaykhina, Madiyar Tuleuov, Gulmira Kupesheva, Uaiss Yerekesh, Alexey and Artem Rychko, Dauren Salipov, Saken Tleuberdin, Timur Omarov, Marlen Muslimov, Alisher Bektash, Kanat Zikenov, and Ayan Satybaldy.

Thanks also to my friends Olzhas Satiyev and Yenlik Satiyeva.

I also thank the entire team at Packt Publishing without whom this book would look different, in particular Ashwini Gowda, Neha Sharma, and Runcil Rebello.

About the reviewers

Marc Messer is a reverse engineer from Knoxville, TN. His professional background is primarily in incident response and malware analysis. When not staring at debuggers, he enjoys playing music, running, and creating ASCII art.

Terrence Williams’s cybersecurity journey began unexpectedly as a Marine. He thrived in the ever-evolving field, driven by growth and learning. Teaching DFIR and cloud security at SANS, he aims to transform lives and impart a growth mindset. Terrence’s expertise shines through mentorship and work at big tech companies. His practical approach and in-depth knowledge of malware and cyber threats equip aspiring ethical hackers with the skills to excel in their cybersecurity careers.

Disclaimer

The information within this book is intended to be used only in an ethical manner. Do not use any information from the book if you do not have written permission from the owner of the equipment. If you perform illegal actions, you are likely to be arrested and prosecuted to the full extent of the law. Packt Publishing does not take any responsibility if you misuse any of the information contained within the book. The information herein must only be used while testing environments with properly written authorizations from the appropriate persons responsible.

Table of Contents

Preface

Part 1: Malware Behavior: Injection, Persistence, and Privilege Escalation Techniques

1

A Quick Introduction to Malware Development

Getting the most out of this book – get to know your free benefits

Technical requirements

What is malware development?

A simple example

Unpacking malware functionality and behavior

Types of malware

Reverse shells

Practical example: reverse shell

Practical example: reverse shell for Windows

Demo

Leveraging Windows internals for malware development

Practical example

Exploring PE-file (EXE and DLL)

Practical example

The art of deceiving a victim’s systems

Summary

2

Exploring Various Malware Injection Attacks

Technical requirements

Traditional injection approaches – code and DLL

A simple example

Code injection example

DLL injection

DLL injection example

Exploring hijacking techniques

DLL hijacking

Practical example

Understanding APC injection

A practical example of APC injection

A practical example of APC injection via NtTestAlert

Mastering API hooking techniques

What is API hooking?

Practical example

Summary

3

Mastering Malware Persistence Mechanisms

Technical requirements

Classic path: registry Run Keys

A simple example

Leveraging registry keys utilized by Winlogon process

A practical example

Implementing DLL search order hijacking for persistence

Exploiting Windows services for persistence

A practical example

Hunting for persistence: exploring non-trivial loopholes

A practical example

How to find new persistence tricks

Summary

4

Mastering Privilege Escalation on Compromised Systems

Technical requirements

Manipulating access tokens

Windows tokens

Local administrator

SeDebugPrivilege

A simple example

Impersonate

Password stealing

Practical example

Leveraging DLL search order hijacking and supply chain attacks

Practical example

Circumventing UAC

fodhelper.exe

Practical example

Summary

Part 2: Evasion Techniques

5

Anti-Debugging Tricks

Technical requirements

Detecting debugger presence

Practical example 1

Practical example 2

Spotting breakpoints

Practical example

Identifying flags and artifacts

Practical example

ProcessDebugFlags

Practical example

Summary

6

Navigating Anti-Virtual Machine Strategies

Technical requirements

Filesystem detection techniques

VirtualBox machine detection

A practical example

Demo

Approaches to hardware detection

Checking the HDD

Demo

Time-based sandbox evasion techniques

A simple example

Identifying VMs through the registry

A practical example

Demo

Summary

7

Strategies for Anti-Disassembly

Popular anti-disassembly techniques

Practical example

Exploring the function control problem and its benefits

Practical example

Obfuscation of the API and assembly code

Practical example

Crashing malware analysis tools

Practical example

Summary

8

Navigating the Antivirus Labyrinth – a Game of Cat and Mouse

Technical requirements

Understanding the mechanics of antivirus engines

Static detection

Heuristic detection

Dynamic heuristic analysis

Behavior analysis

Evasion static detection

Practical example

Evasion dynamic analysis

Practical example

Circumventing the Antimalware Scan Interface (AMSI)

Practical example

Advanced evasion techniques

Syscalls

Syscall ID

Practical example

Userland hooking

Direct syscalls

Practical example

Bypassing EDR

Practical example

Summary

Part 3: Math and Cryptography in Malware

9

Exploring Hash Algorithms

Technical requirements

Understanding the role of hash algorithms in malware

Cryptographic hash functions

Applying hashing in malware analysis

A deep dive into common hash algorithms

MD5

SHA-1

Bcrypt

Practical use of hash algorithms in malware

Hashing WINAPI calls

MurmurHash

Summary

10

Simple Ciphers

Technical requirements

Introduction to simple ciphers

Caesar cipher

ROT13 cipher

ROT47 cipher

Decrypting malware – a practical implementation of simple ciphers

Caesar cipher

ROT13

ROT47

The power of the Base64 algorithm

Base64 in practice

Summary

11

Unveiling Common Cryptography in Malware

Technical requirements

Overview of common cryptographic techniques in malware

Encryption resources such as configuration files

Practical example

Cryptography for secure communication

Practical example

Payload protection – cryptography for obfuscation

Practical example

Summary

12

Advanced Math Algorithms and Custom Encoding

Technical requirements

Exploring advanced math algorithms in malware

Tiny encryption algorithm (TEA)

A5/1

Madryga algorithm

Practical example

The use of prime numbers and modular arithmetic in malware

Practical example

Implementing custom encoding techniques

Practical example

Elliptic curve cryptography (ECC) and malware

Practical example

Summary

Part 4: Real-World Malware Examples

13

Classic Malware Examples

Historical overview of classic malware

Early malware

The 1980s-2000s – the era of worms and mass propagation

Malware of the 21st century

Modern banking Trojans

The evolution of ransomware

Analysis of the techniques used by classic malware

Evolution and impact of classic malware

Lessons learned from classic malware

Practical example

Summary

14

APT and Cybercrime

Introduction to APTs

The birth of APTs – early 2000s

Operation Aurora (2009)

Stuxnet and the dawn of cyber-physical attacks (2010)

The rise of nation-state APTs – mid-2010s onward

What about the current landscape and future challenges?

Characteristics of APTs

Infamous examples of APTs

APT28 (Fancy Bear) – the Russian cyber espionage

APT29 (Cozy Bear) – the persistent intruder

Lazarus Group – the multifaceted threat

Equation Group – the cyber-espionage arm of the NSA

Tailored Access Operations – the cyber arsenal of the NSA

TTPs used by APTs

Persistence via AppInit_DLLs

Persistence by accessibility features

Persistence by alternate data streams

Summary

15

Malware Source Code Leaks

Understanding malware source code leaks

The Zeus banking Trojan

Carberp

Carbanak

Other famous malware source code leaks

The impact of source code leaks on the malware development landscape

Zeus

Carberp

Carbanak

Practical example

Significant examples of malware source code leaks

Summary

16

Ransomware and Modern Threats

Introduction to ransomware and modern threats

Analysis of ransomware techniques

Conti

Hello Kitty

Case studies of notorious ransomware and modern threats

Case study one: WannaCry ransomware attack

Case study two: NotPetya ransomware attack

Case study three: GandCrab ransomware

Case study four: Ryuk ransomware

Modern threats

Practical example

Mitigation and recovery strategies

Summary

17

Unlock Your Book’s Exclusive Benefits

Index

Other Books You May Enjoy

Part 1: Malware Behavior: Injection, Persistence, and Privilege Escalation Techniques

In this part, we explore the fundamental behaviors of malware, examining how it operates within systems, maintains persistence, and gains elevated privileges to carry out its malicious objectives. With a deep explanation of malware development and coverage of advanced techniques such as injection attacks and privilege escalation, this section provides a solid foundation for you to explore the complex realm of offensive programming and cybersecurity.

This part contains the following chapters:

Chapter 1, A Quick Introduction to Malware Development

Chapter 2, Exploring Various Malware Injection Attacks

Chapter 3, Mastering Malware Persistence Mechanisms

Chapter 4, Mastering Privilege Escalation on Compromised Systems