What are the challenges of attributing malware to an attacker?
Learn from the community’s knowledge. Experts are adding insights into this AI-powered collaborative article, and you could too.
This is a new type of article that we started with the help of AI, and experts are taking it forward by sharing their thoughts directly into each section.
— The LinkedIn Team
Malware, or malicious software, is a term that covers various types of programs that can harm, disrupt, or compromise a computer system or network. Malware can be used for various purposes, such as stealing data, spying, extorting, sabotaging, or conducting cyberattacks. However, identifying and tracing the source of malware is not an easy task, as malware authors often use various techniques to hide their identity and evade detection. In this article, we will explore some of the challenges of attributing malware to an attacker, and how network security professionals can overcome them.
One of the first steps in malware attribution is to classify the malware based on its characteristics, such as its functionality, behavior, code structure, and signatures. Malware classification can help to narrow down the possible suspects, as different groups or individuals may have different preferences, styles, or motives for creating and using malware. For example, some malware may be designed for financial gain, while others may be used for political or ideological reasons. However, malware classification is not always straightforward, as malware authors may use various techniques to obfuscate, encrypt, or mutate their code, making it harder to analyze and compare. Moreover, some malware may borrow or reuse code from other sources, creating confusion or false leads.
-
Dave Cason
VP, Head of Global Cyber Defense at News Corp
There is no honor among thieves: a good idea in any malware package is likely to be borrowed or stolen if it is deemed valuable. There is also the idea of day job vs night job. A day worker for a government may use a good idea for their night job with a criminal faction. Consider APT 40 and 41 as an example (they might be the same people with two different sets of goals). The last perspective is intrusion for hire: some people just get embedded on a digital asset and then resell that intrusion to another actor.
-
Wilklins Nyatteng
Cyber Security | Security Solutions Architect | AWS Community Builder | CEH Master
Malware authors are good at covering their tracks, the malware landscape is constantly evolving, and there is a lack of standardization in malware attribution. Despite these challenges, malware attribution is important for identifying the perpetrators of cyberattacks, holding them accountable, and deterring future attacks.
-
Semi Yulianto
Practitioner | Educator | Researcher - InfoSec/Cybersecurity
Attributing malware to an attacker is challenging due to factors like anonymity, misdirection, shared infrastructure, nation-state involvement, malware reuse, false flags, lack of direct evidence, resource constraints, legal and political considerations, rapid threat evolution, and incomplete information. Nevertheless, it is a crucial process in cybersecurity to identify and respond to cyber threats effectively.
Another step in malware attribution is to analyze the malware in depth, using various tools and methods, such as static analysis, dynamic analysis, reverse engineering, and forensics. Malware analysis can help to reveal more information about the malware, such as its origin, purpose, target, functionality, and communication. Malware analysis can also help to identify the indicators of compromise (IOCs), such as the IP addresses, domain names, file names, or registry keys that the malware uses or affects. However, malware analysis is also challenging, as malware authors may use various techniques to evade analysis, such as anti-debugging, anti-VM, anti-emulation, or anti-forensics. Moreover, some malware may use sophisticated encryption, compression, or polymorphism to hide their code or data, making it harder to decipher and understand.
-
Jon Good 👈
2x LinkedIn Top Voice | Leading Cybersecurity YouTuber | CEO @ Cyber Training Pro | Trainer, Career Coach, and Mentor 🚀 | Developing Information Security Beginners Into Experts
Malware analysis, while crucial in attributing attacks, faces hurdles due to authors' evasion tactics. Techniques like anti-debugging and encryption conceal malware's code and purpose. Analyzing malware provides insights into its origins and targets. Still, the complexity of evasion methods and sophisticated obfuscation can obscure key details, making understanding and tracing the malware's source a formidable task.
-
Kristofer Todaro, CISSP, MSCIA
Cyber Threat Hunter/DFIR | Air Force Veteran | MSCIA | CISSP | GCFA | GNFA | CEH | CHFI | TS/SCI+CI poly
The dynamic discipline of malware analysis resembles a high-stakes game of chess, requiring foresight and adaptability. Analysts must navigate through layers of anti-analysis measures, leveraging a mix of static and dynamic toolsets. The key lies in the agility of our forensic techniques and the depth of our threat intelligence to effectively decode the attacker's playbook.
-
Michael Stewart
Systems Engineer | Microsoft 365 Certified: Enterprise Administrator Expert, Security Administrator Associate, Azure Security Engineer Associate
1. Collect suspected malware.
2. Set up a secure environment for analysis.
3. Perform static analysis using tools to examine malware without executing it.
4. Conduct dynamic analysis by running malware in a controlled environment to observe behavior.
5. Use reverse engineering tools to decompile malware and analyze source code.
6. Apply digital forensics tools to examine the infected system.
7. Document and cross-reference findings with known malware signatures.
8. Update security measures based on findings.
9. Share information with the security community.
The final step in malware attribution is to link the malware to a specific actor or group, based on the evidence and clues gathered from the previous steps. Malware attribution can help to determine the responsibility, motive, and intent of the attacker, as well as to provide legal or political grounds for response or retaliation. However, malware attribution is also the most difficult and controversial step, as malware authors may use various techniques to mislead, deceive, or impersonate others, such as spoofing, proxying, or false flagging. Moreover, some malware may be shared, sold, or modified by multiple actors or groups, creating ambiguity or uncertainty about the original or current owner or user. Furthermore, some malware may be state-sponsored or affiliated with complex networks or organizations, making it harder to pinpoint or prove the exact identity or role of the attacker.
-
Mark Fidel
Working with some very talented companies in New Mexico and Beyond!
For an SMB, malware attribution is a fool’s errand. Let’s say you or your insurance company do find out who unleashed hell on your network. Then what? Spend the money on figuring out how the malware did what it did. Strengthen defenses. Improve training.
-
≡Brandy 🔶 Gordon≡B.S.B.A.
SOC Analyst📈Network Security Engineer⛓Malware and Reverse Engineering Analyst🧩PenTester📕Researcher♨️DFIR Handler ≡ M.S. Candidate || Threat Hunter || 𝐀𝐝𝐞𝐩𝐭 𝐚𝐧𝐝 #𝟏 || 𝙇𝙚𝙩'𝙨 𝙏𝙖𝙡𝙠 𝙎𝙚𝙘𝙪𝙧𝙞𝙩𝙮🔐
Cryptographic hashing (and sometimes C2 server associations) is used to detect identical and similar samples that can be attributed to particular groups or threat actors. For example, "fuzzy hashing" can compare malware files and determine the percentage of similarity in the code. This can be done with an "ssdeep" installation on Ubuntu Linux. Moreover, "import hashing" can find similarities based on library/imported functions (API). If malware files are compiled in the same order and from the same source, they will have the same import hash (also called imphash). Finally, a "section hash" can identify related malware based on MD5 section hashes of the malware file. This can be found using tools such as PEstudio.
-
Vidura Supun
Senior SOC Analyst at EHDF | OSCP
The malware economy has also shifted heavily in the past few years. Examples are RaaS (Ransomware as a Service) and malware loaders, where the business model is pay-per-install. As a single compromise involves multiple threat actors, this makes malware attribution complicated for analysts.
Malware attribution is a complex and challenging process, involving multiple steps and techniques. It is hindered by the lack of standardization or consensus on the methods, criteria, or evidence for malware classification, analysis, and attribution. Additionally, the dynamic and evolving nature of malware requires updating and adaptation of tools, skills, and knowledge for malware classification, analysis, and attribution. There are also legal and ethical issues of malware attribution to consider; these involve the balance between the rights, privacy, and sovereignty of the actors or groups involved. Furthermore, there are implications and consequences of the actions or decisions based on the malware attribution results.
-
Beatrice Ghorra
Cybersecurity Specialist, Instructor and Speaker | CISSP
Attackers leverage multiple tactics to escape attribution and avoid being identified. Attacks may use deceptive techniques that could throw researchers onto the wrong track. Ephemeral infrastructures such as lambda functions give the attackers the ability to set up and tear down infrastructures, making it very hard to retrace IOCs and permanent infrastructures. Obfuscation techniques in the malware code also help them evade being recognised. Some attackers even use the methodologies of someone else and throw the researchers onto the wrong track again.
-
Porya Nazari
Penetration Tester - Cyber security researcher - Ethical Hacker
The best malware is the most legitimate. Imagine malware using the usual processes in Windows to achieve its goals. Or a Trojan that sends HTTP requests to one of Google's services, just like Chrome browser requests with the same headers; how would you identify them?
-
Jon Good 👈
2x LinkedIn Top Voice | Leading Cybersecurity YouTuber | CEO @ Cyber Training Pro | Trainer, Career Coach, and Mentor 🚀 | Developing Information Security Beginners Into Experts
Malware attribution is a multifaceted challenge, impeded by non-standard methods and the dynamic evolution of malware, demanding constant updates in tools and expertise. Complicating matters are legal and ethical considerations, balancing privacy and sovereignty rights against investigative needs. Actions taken on attribution findings carry significant consequences, adding complexity to this already intricate process.
Despite the challenges of malware attribution, there are some possible solutions or strategies that can help to improve or facilitate the process. Collaboration and cooperation among network security professionals, researchers, and organizations in the public and private sectors can enable the sharing of information, resources, and expertise, as well as the establishment of common standards, protocols, or frameworks for malware classification, analysis, and attribution. Utilizing multiple sources, methods, and perspectives for malware classification, analysis, and attribution can also increase the reliability of the evidence and clues. Finally, critical thinking, logic, and reasoning should be used to evaluate the quality of the evidence and clues while considering alternatives, assumptions, and implications of the results or interpretations.
-
Baskar Angappan
Cisco | Technical Leader | Email Security | Web Security | DevOps
The best way to tackle this is to have security starting from the entry of the internet to the endpoint system. Let's say, firewalls, routers, web proxies, email gateways, and endpoint systems. The important thing here is to have correlatable and stitchable data from all these devices to produce a holistic picture of an attack. In our company, we do have such solutions, where an attack can be visualized in the entire organization's network, and this would usually give crucial data about the entry point of the attack and its variants in the systems. Then take that initial attack source and dissect it to find the signatures around it, to see where else similar signatures were used.
-
Jon Good 👈
2x LinkedIn Top Voice | Leading Cybersecurity YouTuber | CEO @ Cyber Training Pro | Trainer, Career Coach, and Mentor 🚀 | Developing Information Security Beginners Into Experts
Addressing the complexities of malware attribution can be aided by collaborative efforts among cybersecurity experts across various sectors, fostering information and resource sharing. Establishing unified standards and protocols enhances the consistency of classification, analysis, and attribution. Leveraging diverse sources and analytical methods improves evidence reliability. Employing critical evaluation of evidence ensures thorough consideration of alternatives and implications, bolstering the attribution process's integrity.
-
Michael Lemm, Information Technology
Design & Source Network Connectivity, Cybersecurity, Unified Communications, Cloud, IoT/IIoT, Digital Transformation, & Industry 4.0 Solutions, 2022 & 2023 Who's Who In Industry 4.0
Private companies and government agencies both have a part to play in information sharing, though their approaches to attribution are very different, both in their processes and end goals. Private companies carry out attribution as an ongoing process that is part of their analysis, with the purpose of clustering specific malicious activity. Government entities meanwhile have the ability to pin attributions on sponsoring organizations or intelligence services - and they’re doing it in some cases to shape indictments and sanctions. The government’s public sharing of attributions and data supporting those attributions is significant to the security community because government entities have the ability to “get more granular".
-
≡Brandy 🔶 Gordon≡B.S.B.A.
SOC Analyst📈Network Security Engineer⛓Malware and Reverse Engineering Analyst🧩PenTester📕Researcher♨️DFIR Handler ≡ M.S. Candidate || Threat Hunter || 𝐀𝐝𝐞𝐩𝐭 𝐚𝐧𝐝 #𝟏 || 𝙇𝙚𝙩'𝙨 𝙏𝙖𝙡𝙠 𝙎𝙚𝙘𝙪𝙧𝙞𝙩𝙮🔐
In addition to my malware attribution discussion above, when performing cryptographic hashing, whether import hashing or section hashing, store your generated hashes in a repository so that when you find a new malware sample, you can compare it to your stored hashes and determine similarities. Overall, this will help organize your workflow and make it easier to attribute malware to specific groups and threat actors.
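The import-hash and section-hash comparison described in both of Brandy Gordon's comments, as an added example that is not part of any contributor's comment: it computes an imphash using the common pefile convention (ordered, lower-cased "dll.func" list with .dll/.ocx/.sys stripped, MD5 over the comma-joined string), MD5 per section, and a small repository that reports which stored sample a new one matches on. The import tables, section bytes, sample ids and cluster labels are constructed for illustration; real values would come from parsing the PE file with a tool such as pefile or PEstudio.

```python
import hashlib
# Constructed sample data for illustration only; real import tables and section
# bytes would come from parsing the PE file (e.g. with pefile or PEstudio).
KNOWN_IMPORTS = [("KERNEL32.DLL", "CreateFileA"), ("KERNEL32.DLL", "WriteFile"),
                 ("WS2_32.dll", "connect")]
KNOWN_SECTIONS = {".text": b"\x55\x8b\xec\x83\xec\x10", ".data": b"cfg=1\x00"}
# New sample: same build (identical import order and .text), repacked config.
NEW_IMPORTS = [("kernel32.dll", "createfilea"), ("kernel32.dll", "writefile"),
               ("ws2_32.dll", "connect")]
NEW_SECTIONS = {".text": b"\x55\x8b\xec\x83\xec\x10", ".data": b"cfg=2\x00"}

def imphash(imports):
    """Import hash: MD5 over the ordered, lower-cased 'dll.func' list with
    .dll/.ocx/.sys stripped from the library name (the pefile convention)."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[:-len(ext)]
                break
        parts.append(f"{lib}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()

def section_hashes(sections):
    """MD5 of each section's raw bytes, keyed by section name."""
    return {name: hashlib.md5(data).hexdigest() for name, data in sections.items()}

class HashRepository:
    """Per-sample hashes stored with the cluster/actor label an analyst assigned."""
    def __init__(self):
        self.samples = []  # (sample_id, label, imphash, {section: md5})
    def add(self, sample_id, label, imports, sections):
        self.samples.append((sample_id, label, imphash(imports), section_hashes(sections)))
    def match(self, imports, sections):
        """Related stored samples as (sample_id, label, reason) tuples."""
        new_imp, new_sec = imphash(imports), section_hashes(sections)
        hits = []
        for sid, label, imp, secs in self.samples:
            if imp == new_imp:
                hits.append((sid, label, "imphash"))
            shared = sorted(n for n, h in new_sec.items() if secs.get(n) == h)
            if shared:  # identical section bytes, e.g. an unchanged .text
                hits.append((sid, label, "section:" + ",".join(shared)))
        return hits

def demo():
    repo = HashRepository()
    repo.add("sample-001", "cluster-A", KNOWN_IMPORTS, KNOWN_SECTIONS)
    return repo.match(NEW_IMPORTS, NEW_SECTIONS)
```

Note that an imphash match only says the two samples import the same functions in the same order, which is a build-chain fingerprint and not proof of the same author; it is one clue to weigh alongside the others the article lists.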
(edited)
-
Michael Lemm, Information Technology
Design & Source Network Connectivity, Cybersecurity, Unified Communications, Cloud, IoT/IIoT, Digital Transformation, & Industry 4.0 Solutions, 2022 & 2023 Who's Who In Industry 4.0
Threat actors are getting better at hiding evidence in and around their operations. Pieces of data that are used as clues in attribution, such as language strings in malware or registration details in the domain registration, can easily be faked. For example, attackers associated with the Iran-linked MuddyWater APT have attempted to throw researchers off by incorporating different languages into their coding, such as including Chinese strings in some payloads and a series of Russian words in another PowerShell RAT sample. In another infamous example, the Russia-linked cyberespionage group Turla in 2019 masqueraded as an Iranian hacking group by literally hijacking the other group’s infrastructure and using it to deliver malware.