Target Attack Backdoor Malware Analysis and Attribution
Anthony Cheuk Tung Lai, Vitaly Kamluk, Alan Ho, Ping Fan Ke, Byron Wai

TL;DR
This paper presents a novel analysis framework, TABMAX, for detecting sophisticated targeted-attack backdoor malware in web servers; such backdoors evade traditional antivirus detection through obfuscation and custom APIs.
Contribution
The paper introduces TABMAX, a new analytical matrix combining static and dynamic features to identify targeted persistent backdoors undetectable by standard antivirus tools.
Findings
Backdoor malware can use diverse APIs, commands, and obfuscation techniques.
TABMAX effectively detects targeted backdoors that evade traditional antivirus.
Analysis revealed persistent backdoors in real-world web servers.
Abstract
Backdoor malware is installed by an attacker on the victim's server(s) for authorized access. A customized backdoor is weaponized to execute unauthorized system, database and application commands to access user credentials and confidential digital assets. Recently, we discovered and analyzed a targeted persistent module backdoor in the web server of an online business company that had gone undetected by their deployed antivirus software for a year. This led us to carry out research to detect this specific type of persistent module backdoor installed in web servers. Beyond typical malware static analysis, we analyze the backdoor's binary similarity, strings, and command obfuscation, resulting in the Target Attack Backdoor Malware Analysis Matrix (TABMAX), which organizations can use to detect this sophisticated targeted-attack backdoor rather than a general one which can be…
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection · Information and Cyber Security
