Scan the Memory of Entire Endpoints using Genetic Malware Analysis

Written by Or Fridman


    Update January 2023: For the most recent information about our solutions for endpoint forensics and memory analysis, check out this blog.

    I am excited to announce the launch of a new Endpoint Analysis solution, located within the Intezer Analyze™ platform. The Endpoint Analysis solution consists of a zero-installation scanner that analyzes every single piece of code running in a device’s memory, enabling users to quickly detect advanced in-memory threats such as malicious code injections, packed and fileless malware.

    The Endpoint Analysis solution enables organizations to automate the complex process of performing a memory analysis on every single alert. As I will present in this blog, modern endpoint protection products have their challenges. Blocking malware is not sufficient, because malicious code can still be running in a machine’s memory. Organizations must be able to detect advanced in-memory threats such as fileless malware, and the only real alternative up until now was to perform a manual memory analysis on every single alert.

    Current Endpoint Security Challenges
    According to a recent endpoint security report published by Cybersecurity Insiders, organizations are faced with the challenges of defending against new and increasingly sophisticated threats, such as fileless malware, advanced attacks and evasive threats. Organizations are reporting an increase in endpoint security risk, while feeling insufficiently prepared to combat new threats with existing endpoint security platforms.

    • 49% of respondents, ranging from technical executives to managers and IT security practitioners spanning more than 10 industry verticals, stated they have insufficient visibility into what is happening on their endpoints.
    • 42% of respondents believe they do not have the capacity or expertise to build the solutions needed to respond to increasingly sophisticated threats.
    • 36% of participants feel they have good tools and processes in place but are concerned that threats are still slipping through their endpoints.
    • 57% of respondents stated that their existing endpoint security products are failing to stop an increasing number of threats.

    Filling in the Detection Gaps within your Endpoint
    Many next-gen endpoint protection solutions are focused on guarding the “doors” of a device. These solutions are effective at preventing infected files or scripts from entering and running within an endpoint, searching for patterns such as remote access to memory or specific keys in the registry that will alert on anomalies or suspicious activity.

    However, even the most advanced antivirus and endpoint protection solutions can be bypassed, since they are based on anomaly detection, and there can still be malicious code running in memory. Removing a malicious file or terminating its running process is not sufficient to ensure that a machine is entirely clean.

    Even further, malware detection techniques that are solely based on identifying specific behaviors in memory can unintentionally block legitimate software running on the machine. This can have an adverse effect on business continuity, particularly if machines are completely re-formatted, which happens often in these scenarios.

    Memory Analysis is Crucial for Detecting Advanced Threats
    Memory analysis is critical for detecting in-memory threats such as fileless malware. The Intezer Analyze Endpoint Analysis solution scans the inside of the device, rather than just the “doors”. Scanning every single piece of binary code running in a machine’s memory can detect sophisticated threats like malicious code injections, packed and multi-stage malware.

    The point is not that endpoint protection solutions are ineffective. Guarding the “doors” has many advantages, including preventing suspicious files or scripts from running. However, there are ways around this. If an attacker wants to inject malware into memory he or she can find a way to do so. Intezer’s Endpoint Analysis solution should not replace current endpoint protection products, but it should be used to analyze suspicious endpoints and leverage the value of being able to identify malicious code in memory.

    Automation and Lowering the Skills Barrier for Memory Analysis
    Conducting a memory analysis is a manual process. It is incredibly complex, requiring time and advanced skills that almost no organization has available.

    What makes Intezer’s Endpoint Analysis solution so unique is that it automates the memory analysis process, quickly (five to ten minutes) identifying all malicious code running in memory, on every single alert. This is valuable for security operations center (SOC) and incident response (IR) functions dealing with a large volume of daily alerts. Automation can save these teams precious time, helping them to prioritize alerts and quickly respond to a greater number of potential threats.

    How Does the Endpoint Analysis Solution Work?

    • Scan: Upon an alert triggered by your SIEM or proactive decision, the agent-less scanner (currently Windows-based) will automatically scan the suspicious endpoint to collect running code from memory.
      Please note: The scanner collects only executable code, not documents or other data that is not binary code.
    • Analyze: The collected modules are analyzed using Genetic Malware Analysis technology, sifting through every single piece of binary code running in memory.
    • View the Results: Intezer Analyze provides the endpoint analysis report, including:
      • The verdict (whether the endpoint is infected or not)
      • Classification (if infected, what is the threat?)
      • Code and string reuse
      • Process tree of the relevant findings
    • Respond: Intezer Analyze provides IOCs and information for responding to the incident, including YARA rules and for every infected module, a file hash and path for remediation.
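    As an added illustration of the Scan, Analyze, View and Respond steps above (this is not Intezer’s code; the "gene" model, the reuse threshold, the reference sets and the sample memory regions are all constructed for the example), the snippet models how executable regions read from memory can be classified by origin (injected, file-backed, or a replaced module) and by code reuse against known families, then summarized as a verdict with a hash and path per finding:

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

def genes(code: bytes, n: int = 8) -> set:
    """Toy 'gene' extraction: hash every overlapping n-byte code fragment."""
    return {hashlib.sha256(code[i:i + n]).hexdigest()[:16] for i in range(len(code) - n + 1)}

# Constructed reference gene sets: one trusted library and one malware family.
TRUSTED = b"push ebp; mov ebp, esp; sub esp, 0x40; call init; leave; ret;"
MALWARE_FAMILY = b"xor eax, eax; call decrypt_stage; jmp [eax]; call inject_into_explorer;"
REFERENCE = {"trusted:constructed-lib": genes(TRUSTED),
             "malicious:constructed-family": genes(MALWARE_FAMILY)}

@dataclass
class Region:
    pid: int
    process: str
    code: bytes                          # executable bytes read from process memory
    backing_path: Optional[str] = None   # mapped file on disk; None = private memory
    disk_code: Optional[bytes] = None    # same section as stored on disk, if file-backed

def origin(r: Region) -> str:
    """Injected (no backing file), replaced module (disk differs from memory), or file."""
    if r.backing_path is None:
        return "injected"
    if r.disk_code is not None and r.disk_code != r.code:
        return "replaced module"
    return "file"

def analyze(regions, min_reuse: float = 0.5) -> dict:
    """Report: verdict, classification, and per-finding reuse, origin, hash and path."""
    findings = []
    for r in regions:
        g = genes(r.code)
        reuse = {name: len(g & ref) / len(g) for name, ref in REFERENCE.items()} if g else {}
        best = max(reuse, key=reuse.get, default=None)
        if best and best.startswith("malicious:") and reuse[best] >= min_reuse:
            findings.append({"pid": r.pid, "process": r.process, "origin": origin(r),
                             "family": best.split(":", 1)[1], "reuse": round(reuse[best], 2),
                             "path": r.backing_path,
                             "sha256": hashlib.sha256(r.code).hexdigest()})
    return {"verdict": "infected" if findings else "clean",
            "classification": sorted({f["family"] for f in findings}), "findings": findings}

# Constructed scan of three regions: a clean DLL, an injected private region, and a
# file-backed module whose in-memory code no longer matches the bytes on disk.
SAMPLE = [Region(412, "svchost.exe", TRUSTED, r"C:\example\clean.dll", TRUSTED),
          Region(1337, "explorer.exe", MALWARE_FAMILY[:40]),
          Region(880, "winword.exe", MALWARE_FAMILY, r"C:\example\legit.dll", TRUSTED)]
```

Running `analyze(SAMPLE)` yields an "infected" verdict with two findings, one "injected" and one "replaced module", while `analyze(SAMPLE[:1])` is "clean".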

    How Can I Get Started?
    Not an Intezer Analyze member? First, you will need to sign up for the free community here. In addition to file analysis (users can upload 10 samples per day to detect code reuse in trusted and malicious software), community users now have the ability to scan one endpoint per day.

    • Once logged in to the platform, browse to the Endpoint Scan page: https://analyze.intezer.com/#/endpoint-analyses
    • Download the Endpoint Scanner to the endpoint you wish to scan.
    • Scan the machine:
      • Double-click Scanner.exe and enter your API key, or run the scan from the Command Prompt.
    • View the results in the history page.

    These instructions can also be found in the platform at https://analyze.intezer.com/#/endpoint-analyses.

    Examples
    From January through March, Intezer launched a beta program, enabling users to access the Endpoint Analysis solution and to provide their feedback. In this section I will highlight a few of the malicious examples users detected on their endpoints using Genetic Malware Analysis.

    Emotet
    Emotet is a common banking trojan. In one instance a user detected an injected Emotet module on his or her endpoint. The analysis is shown below:


    • Verdict: After running the scan Intezer Analyze detected the endpoint was infected with Emotet.
    • Key findings: Located on the left-hand side, the analysis report includes a list of key findings identified from scanning the code in the endpoint’s memory.

    • Code Reuse and Process Tree: The analysis report identifies code reuse with previously seen malware and a process tree that provides context, such as where the malicious code was identified. For example, was the code injected, located within a file, or introduced through a replaced module?


    Cobalt Strike
    The example below demonstrates how a user detected an injected Cobalt Strike module in their endpoint. Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent on the victim’s machine.

    In the example below, the Endpoint Analysis scanner detected more than one malicious module injected into memory, further supporting the claim that it is not sufficient to only remove the malicious process.

    Learn More
    For more information about the Intezer Endpoint Analysis solution please contact programs@intezer.com and join us for a webinar on Wednesday, April 17 at 2:00 pm ET.

    Or Fridman

    Or has 10 years of experience working in technology development and product management. As director of product at Intezer he oversees the development and execution of the company's product roadmap. Or began his career in cybersecurity through a programming course in the Israeli Defense Force (IDF) and later served as a developer and product manager for the unit. Prior to joining Intezer, Or was a product manager at CyberArk.
