Research field: Safety
Venue: International Conference on Science of Cyber Security
One of the functions of malware used in cyber attacks is lateral movement, which plays an important role in the spread of an infection. However, existing dynamic analysis systems are often built around a single machine, making it difficult to observe behaviors that affect multiple machines, such as lateral movement. We therefore propose STARMAP, a dynamic malware analysis system that can observe behaviors affecting multiple machines. STARMAP launches multiple machines and observes not only the machine running the malware but also the communication to the lateral-movement target and the post-lateral-movement behavior. Because the post-lateral-movement process runs on a different machine from the one that executed the malware, it is not directly linked to the malware process. STARMAP therefore identifies post-lateral-movement behavior by extracting processes that are not normally used on the post-lateral-movement machine. In this paper, we present the design of STARMAP and its implementation based on the CAPE sandbox. We also analyze real malware on the STARMAP prototype and show that both the lateral movement and the post-lateral-movement behavior can be observed.
| Year of publication | 2025 |
|---|---|
| Citations | 0 |
| Country of publication | Japan |
| Site | Springer |
| Likes | 0 |