Discovering Encrypted Bot and Ransomware Payloads Through Memory Inspection Without A Priori Knowledge

Abstract

Malware writers frequently try to hide the activities of their agents within tunnelled traffic. Within the Kill Chain model the infection time is often measured in seconds, and if the infection is not detected and blocked, the malware agent, such as a bot, will often then set up a secret channel to communicate with its controller. In the case of ransomware the communicated payload may include the encryption key used for the infected host to register its infection. As a malware infection can spread across a network in seconds, it is often important to detect its activities on the air, in memory and at-rest. Malware increasingly uses encrypted channels for communicating with their controllers. This paper presents a new approach to discovering the cryptographic artefacts of real malware clients that use cryptographic libraries of the Microsoft Windows operating system. This enables malware secret communications to be discovered without any prior malware knowledge.