Nirmal Singh
Last known affiliation: Zscaler Inc.
Bio: Nirmal Singh is Director of the security research team at Zscaler ThreatLabZ, located in Chandigarh, India. Nirmal has a Ph.D. in computer science and has been working in the threat research and analysis field for the past 14 years. He oversees malware research, detection and innovation at Zscaler. Prior to Zscaler, he worked at Norman as manager of the threat response team.
Nirmal Singh 🗣 | Avinash Kumar 🗣 | Niraj Shivtarkar
Abstract
In the last few years we have seen substantial growth in the Malware-as-a-Service (MaaS) market. This revenue model generates a high income stream for malware developers and also makes it easier for malicious actors with limited technical capability to carry out sophisticated attacks and earn millions of dollars by targeting large enterprises and government entities. During the last few years, we have observed a MaaS group selling a sophisticated modular Remote Access Trojan with various features and pricing plans. The most distinctive feature of this RAT is a ransomware module, which encrypts files and demands a ransom payment in order to decrypt them. The presence of this feature in the RAT leads us to believe that the threat actors involved are attempting to increase their financial gain by using ransomware.
Nirmal Singh 🗣 | Deepen Desai 🗣 | Tarun Dewan 🗣
Abstract
Malicious Office documents have become a favourite malware delivery tool for malware authors. We have observed an increase in the use of malicious documents over the past 4 years: 30% of the malware blocked by the Zscaler Cloud Sandbox since 2017 has been malicious Office documents. Malicious Office documents are used for the delivery of crimeware payloads and are also often involved in Advanced Persistent Threat (APT) attacks. Over time, these malicious Office documents have used various obfuscation, encryption and evasion techniques to prevent detection. In this paper, we provide a detailed analysis of the different obfuscation, encryption, exploit and evasion techniques used in these malicious documents. We analysed over one thousand malicious documents from fifty different campaigns for this study. This research paper also lists the different malware samples delivered by these malicious documents and their use of PowerShell and other scripting languages.
Nirmal Singh 🗣 | Rajdeepsinh Dodia 🗣
Abstract
Malicious program authors often exploit vulnerabilities in popular software and employ various methods to circumvent security measures such as antivirus software, sandboxing and intrusion detection systems. In particular, threat actors have begun using vulnerable legitimate drivers as a means of infiltrating systems; this attack is known as BYOVD, short for Bring Your Own Vulnerable Driver. Drivers are responsible for facilitating communication between physical devices and the operating system, and they operate at a higher privilege level in kernel mode. In contrast, user mode is the less privileged mode in which ordinary applications run. By taking advantage of a vulnerable driver, an attacker can have it execute actions without it verifying the identity or privileges of the calling process. Numerous vulnerable drivers from different software and hardware vendors have already been identified and catalogued, for example by the LOLDrivers project [2].
Threat actors generally use malicious payloads, which are often detected by antivirus and anti-malware tools. Leveraging known, signed drivers from hardware and software vendors, on the other hand, raises less suspicion. Historical instances show ransomware groups [3] exploiting driver vulnerabilities to disable antivirus and EDR security tools, and APT groups such as Lazarus [4] have similarly leveraged these weaknesses.
Our objective is to uncover and examine vulnerable drivers designed to run on different Windows versions (x86-64 architecture) that may be susceptible to exploitation by malicious actors. During our investigation, we uncovered several digitally signed vulnerable drivers from reputable vendors, some of which lacked adequate measures to authenticate the calling process. Our research covers a range of techniques by which driver functionality can be manipulated through calls made from user mode.