Polyglot files have to fit in several file format specifications and respond differently depending on the calling program.
This poses a significant risk to endpoint detection and response (EDR) systems and file uploaders, which mainly rely on format identification for analysis.
By evading correct classification, polyglots can leap over feature extraction routines or signature comparisons found in malware detection systems.
Research by the following researchers from Oak Ridge National Laboratory and Assured Information Security indicates that polyglots are threats to commercial EDR tools, with 0% detection of malicious polyglots recorded during tests by some vendors:-
- Luke Koch
- Sean Oesch
- Amul Chaulagain
- Jared Dixon
- Matthew Dixon
- Mike Huettal
- Amir Sadovnik
- Cory Watson
- Brian Weber
- Jacob Hartman
- Richard Patulski
The dependence on standard formats for efficient malware detection makes it vulnerable to this kind of attack whereby files can be created that are valid in multiple formats.
"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo
Polyglot Files Used In Wild
There is a critical gap in computer security research because no one has done an extensive study on how threat actors use these artifacts and how they are detected.
Polyglot files in malware campaigns were found to play a significant role in the tactics of APT groups.
To carry out an analysis, they developed Fazah, a tool imitating real-life polyglot creation methods.
Researchers trained PolyConv, a deep learning model that attained over 99% F1 score for both binary and multi-label classifications of polyglots.
These were not very effective compared to already existing tools used to identify files.
For image-based polyglots, the most popular means was via custom CDR tool (ImSan) which is more efficient than YARA rules in sanitizing it with 100% efficacy.
This research fills essential gaps within cybersecurity defenses against this advanced threat by providing useful information on techniques of detecting and mitigating them as well as awareness of polyglot format detection strategies.
Threat actors often use polyglots to avoid detection and bypass commercial security tools.
Out of the 30 different polyglot samples found in these cyber-attack chains 15 instances were detected.
Common combinations are JAR+JPG and HTA+CHM, which are used by groups such as Lazarus and IcedID.
PolyConv based on MalConv and PolyCat using CatBoost machine learning models demonstrate encouraging results in the detection of polyglots through byte-level features and format-agnostic approaches.
With mime-type and n-gram features added, the performance of PolyCat improved.
For this reason, detecting polyglots becomes an important way of increasing our cybersecurity defenses against advancing dangers.
Recommendations
Here below we have mentioned all the recommendations:-
- Polyglot Detection
- Existing Signature-based Tools
- File-format Specifications
Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files