Author : Jean-Yves Marion

Co-writer: Fabrice Sabatier

Today, we start our blog. Our goal is to illustrate the uses of the software we develop at CYBER-DETECT. The recent LockerGoga attacks against Altran in France [1] and Norsk Hydro in Norway [2] illustrate the need for advanced anti-malware defenses. The attack in France took place in January and the one in Norway in March. These attacks should have been stopped. That is why we start with this post today. Indeed, the GORILLE behavior engine designed by CYBER-DETECT allows detecting LockerGoga and its variants without signature.

In a nutshell, GORILLE identifies malicious threats embedded in Linux, MacOS and Windows binaries. To do this, GORILLE knows a collection of malicious behaviors. Each binary file submitted to GORILLE is then analyzed and as soon as a set of malicious behaviors between links is detected, GORILLE issues an alert. There’s no magic behind it, just several years of hard work in the Loria computer lab. But I think we’ll come back to how GORILLE works in a future post, and for now, let’s get back to LockerGoga.
Since GORILLE’s search process is based on a collection of malicious behaviors, the first question that comes to mind is whether GORILLE is capable of detecting LockerGoga. GORILLE knows about 100,000 malicious behaviors. And GORILLE identifies 55 malicious behaviors in the submitted LockerGoga sample.

The sample named LockerGogaAltran.bin [3] matches the malware that attacks Altran on January 25, 2019. On March 8, 2019, two months later, MalwareHunter [4] discovered that a variant of LockerGoga, which we name here no-detected_LockerGoga.bin, was not detected by all Virus Total antivirus products [5].

As seen below, GORILLE detects 55 malicious behaviors in the yet undetected LockerGoga sample, which are identical to the ones previously identified! GORILLE’s technological advancement makes it possible to stop unknown threat variants.

In fact, we can play with GORILLE a bit more. In fact, GORILLE is able to learn the specific malicious features of LockerGoga by itself.

GORILLE finds 24632 sites in LockerGoga, which represent 24632 seen behaviors, and not only bad ones. This is because LockerGoga incorporates, like all software, third-party libraries from Microsoft and open source libraries. Collectively, the third-party libraries also indicate behaviors. That said, we can compare all the behaviors of LockerGogaAltran.bin, which was involved in the Altran incident, and LockerGoga.bin not detected by MalwareHunter.

There are 17951 common behaviors, about half, that are common to both samples. Then, using our binsim tool from the GORILLE expert suite, we can synchronize the two codes, i.e. find the correspondence between the functions of LockerGogaAltran.bin and no-detected_LockerGoga.bin. Here is an excerpt from the output of binsim:

It shows that the code of no-detected_LockerGoga.bin at address 0x4c6a9ah is very similar to the one at address 0x4caec8h. And this is confirmed by IDA as shown in the figure below:

Similarly, GORILLE shows that the LockerGoga_Norsk-Hydro.exe sample involved in the March 2019 Norsk Hydro attack again exhibits 50% similar behavior.

The conclusion is that GORILLE would have detected LockerGoga_Norsk-Hydro and stopped the attack, just as it could have detected the Altran attack. When we know that the most serious attacks come from unknown threats or freshly repackaged legacy malware, which mostly go unnoticed, we need applications that think outside the box and GORILLE is one of them!