The Naked Sun: Malicious Cooperation Between Benign-Looking Processes

TL;DR

This paper reveals how benign-looking processes can collaborate maliciously to evade behavioral malware detection, significantly reducing detection accuracy through novel evasion techniques, even against commercial solutions.

Contribution

It introduces novel attack strategies that exploit process cooperation to evade behavioral malware detectors, highlighting vulnerabilities in current dynamic analysis methods.

Findings

Attacks reduce detection accuracy from 98.6% to 0%.

Cooperative processes can effectively evade behavioral detection.

Attacks are effective even in black-box scenarios.

Abstract

Recent progress in machine learning has generated promising results in behavioral malware detection. Behavioral modeling identifies malicious processes via features derived by their runtime behavior. Behavioral features hold great promise as they are intrinsically related to the functioning of each malware, and are therefore considered difficult to evade. Indeed, while a significant amount of results exists on evasion of static malware features, evasion of dynamic features has seen limited work. This paper thoroughly examines the robustness of behavioral malware detectors to evasion, focusing particularly on anti-ransomware evasion. We choose ransomware as its behavior tends to differ significantly from that of benign processes, making it a low-hanging fruit for behavioral detection (and a difficult candidate for evasion). Our analysis identifies a set of novel attacks that distribute the overall malware workload across a small set of cooperating processes to avoid the generation of significant behavioral features. Our most effective attack decreases the accuracy of a state-of-the-art classifier from 98.6% to 0% using only 18 cooperating processes. Furthermore, we show our attacks to be effective against commercial ransomware detectors even in a black-box setting.