by Bouhnine, Ayoub
Supervisor Mees, Wim
Co-supervisor Nikolov, Georgi
Publication Unpublished, 2024-06-18

Thesis
Abstract:

Malware remains one of the foremost cyber threats, with cybercriminals continually developing techniques to bypass security solutions. Open-source antivirus evasion tools now allow even individuals with limited technical knowledge to pose an increased risk to systems with active antivirus protection.

Despite ongoing improvements in antivirus solutions, these systems are not infallible. Hackers constantly create new methods to bypass defenses, resulting in a continuous battle between malware authors and antivirus developers. Popular evasion tools are eventually detected as antivirus vendors develop countermeasures, so they need constant updates and a limited user base to remain effective.

While many studies have assessed the effectiveness of open-source evasion tools, there is a lack of research on customizing them for enhanced evasion, specifically on the ways in which hackers can create and refine malware to bypass security defenses.

This thesis explores the mechanisms of malware detection and evasion. We investigate various methods of customizing malware so that it remains undetected by modern protections. To allow internal testing, we built a lab environment comprising antivirus software for static and dynamic analysis, alongside sandbox analysis using CAPEv2. This approach avoids bias in our analysis: uploading newly developed malware samples to public platforms such as VirusTotal would share them with other vendors, potentially distorting results and increasing the likelihood of early detection as development continues.

Our experimental methodology first assessed samples generated with the AVET framework against the CAPEv2 sandbox. We then created a custom sample based on the underlying logic of AVET to test its stealthiness. Subsequently, we applied further evasion techniques: dynamic loading of APIs, dynamic loading of NTAPIs, and direct syscalls. All of these versions were tested against CAPEv2. Additionally, we integrated these methods into AVET and assessed the samples generated with them. Finally, a comprehensive assessment was conducted against the Windows Defender antivirus to evaluate overall effectiveness.

Our findings reveal that shellcode injection effectively bypasses CAPEv2's monitoring, concealing the further activity performed by the payload. Advanced evasion techniques that target API hooking are effective at reducing the dropper's Indicators of Compromise (IoCs); in particular, the use of direct syscalls significantly reduces the IoCs generated by CAPEv2. Regarding detection by Windows Defender, we discovered a discrepancy depending on the compiler used with the direct-syscall stubs generated by SysWhispers: samples compiled with Visual Studio 2022 were not detected, whereas those compiled with MinGW were.
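The abstract's central finding is that direct syscalls hide IoCs from a sandbox because the sandbox observes calls by hooking the user-mode wrappers (on Windows, the Nt* stubs in ntdll); a call that executes the syscall instruction itself never passes through the hook. The following is an added example, not code from the thesis or from the AVET or SysWhispers projects, and it uses a Linux analogue rather than the Windows ntdll case so that it runs stand-alone: the libc `getpid()` wrapper stands in for the hookable stub, a hypothetical counter named `hooked_calls` stands in for the sandbox's hook, and `direct_syscall0` issues the trap instruction directly (x86-64 and AArch64 inline assembly are assumed; other architectures fall back to libc's generic `syscall()`, which no longer demonstrates the bypass).

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Linux analogue of the direct-syscall technique: instead of calling the
 * libc wrapper (the counterpart of an ntdll Nt* stub that a user-mode
 * monitor can hook), load the syscall number into the register the kernel
 * ABI expects and execute the trap instruction ourselves. Zero-argument
 * form only; it is enough to show the bypass. */
static long direct_syscall0(long nr)
{
    long ret;
#if defined(__x86_64__)
    /* x86-64 ABI: number in rax, result in rax; rcx and r11 are clobbered
     * by the syscall instruction. */
    __asm__ volatile ("syscall"
                      : "=a"(ret)
                      : "a"(nr)
                      : "rcx", "r11", "memory");
#elif defined(__aarch64__)
    /* AArch64 ABI: number in x8, result in x0. */
    register long x8 __asm__("x8") = nr;
    register long x0 __asm__("x0");
    __asm__ volatile ("svc #0"
                      : "=r"(x0)
                      : "r"(x8)
                      : "memory");
    ret = x0;
#else
    /* Assumed fallback for other architectures: still skips the getpid()
     * wrapper, but goes through libc's generic syscall(), which a hook on
     * libc could also intercept. */
    ret = syscall(nr);
#endif
    return ret;
}

/* Hypothetical user-mode monitor (assumed for illustration): the hook a
 * sandbox would install on the wrapper simply counts the calls it sees. */
static int hooked_calls = 0;

/* The "hooked" path: every call through the wrapper is observed. */
static pid_t monitored_getpid(void)
{
    hooked_calls++;
    return getpid();
}

/* The direct path: same kernel result, but the hook never runs. */
static pid_t direct_getpid(void)
{
    return (pid_t)direct_syscall0(SYS_getpid);
}

int hooked_call_count(void)
{
    return hooked_calls;
}

int main(void)
{
    pid_t via_wrapper = monitored_getpid();
    pid_t via_syscall = direct_getpid();
    printf("wrapper: %d  direct: %d  hook observed %d call(s)\n",
           (int)via_wrapper, (int)via_syscall, hooked_call_count());
    return via_wrapper == via_syscall ? 0 : 1;
}
```

The two paths return the same PID, which is exactly why the technique is attractive to an evader and inconvenient for a hook-based monitor: the behaviour is unchanged, only the observation point is skipped. The same mechanism is also why the abstract's compiler discrepancy matters in practice: once a tool such as SysWhispers emits the stub, what an antivirus engine can still match is the byte pattern of the emitted instructions, which differs between toolchains.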