Inside view: How DeepRay detects Emotet campaigns early


With DeepRay, G DATA relies on artificial intelligence to detect malware campaigns at an early stage. Using Emotet as an example, we explain what this looks like on a typical day.

G DATA released its DeepRay technology in late 2018. The rationale behind DeepRay is that cyber criminals typically use the same malware cores over and over again. To shield these cores from detection, they are encased in a kind of outer shell called a crypter or packer. The actual malware core is only unpacked in the main memory of a victim's computer. DeepRay's approach is to use a neural network to detect the presence of such an outer shell. However, the presence of an outer shell alone is not sufficient to conclude that the file in question is actually harmful. Even legitimate software sometimes uses comparable methods, for example in the context of copy protection systems. Therefore, after detecting an outer shell, DeepRay performs a deep analysis of the memory to look for known malware cores.

The main aim is to disrupt the cyber criminals’ business model. Replacing the outer shell is relatively inexpensive from the attacker's point of view. With traditional signature-based detection methods, each shell must be detected individually – a costly and resource-intensive process from the vantage point of traditional AV providers. The attackers therefore have a clear advantage. With DeepRay, on the other hand, the attackers need to keep repeatedly changing their malware core to avoid detection - a complex and costly process for them. Advantage G DATA!
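To make the two-stage idea above concrete, here is an added toy example; it is not G DATA's code and says nothing about how DeepRay's neural network or memory scanner actually work. A constructed "core" is wrapped in two different shells built with a toy crypter; a static signature written for the first shell misses the second, while a Shannon-entropy heuristic (standing in for the shell classifier) flags both, and a scan of the unpacked in-memory copy finds the core in both. All names, keys and byte patterns are constructed for this illustration.

```python
import hashlib
import math
from collections import Counter
# Constructed stand-ins (not real Emotet data): a stable "core" that stays the same
# across campaigns, and a cheap-to-change "shell" that encrypts it with a per-build key.
CORE = b"EMOTET-CORE-STAND-IN: stable payload logic; " * 20
CORE_SIGNATURE = b"EMOTET-CORE-STAND-IN: stable payload"   # what the memory scan looks for
MAGIC = b"STUB"                                            # stub header of the packed file

def keystream(key: bytes, n: int) -> bytes:
    """Deterministic pseudo-random keystream (SHA-256 in counter mode) for the toy packer."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:n])

def pack(core: bytes, shell_key: bytes) -> bytes:
    """Toy crypter: same core, a completely different shell whenever shell_key changes."""
    return MAGIC + shell_key + bytes(a ^ b for a, b in zip(core, keystream(shell_key, len(core))))

def unpack_in_memory(packed: bytes) -> bytes:
    """What the stub does at run time: the core only ever appears decoded in memory."""
    shell_key, body = packed[4:12], packed[12:]
    return bytes(a ^ b for a, b in zip(body, keystream(shell_key, len(body))))

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted or compressed shells sit close to 8."""
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())

def looks_packed(blob: bytes, threshold: float = 7.0) -> bool:
    """Stage 1 stand-in: a plain entropy heuristic instead of a trained classifier."""
    return entropy(blob[12:]) > threshold

def triage(blob: bytes, shell_signature: bytes) -> dict:
    """Compare a shell signature on the file with a core signature on unpacked memory."""
    return {
        "shell_signature_hit": shell_signature in blob,               # traditional static signature
        "looks_packed": looks_packed(blob),                           # stage 1: outer shell present?
        "core_in_memory": CORE_SIGNATURE in unpack_in_memory(blob),   # stage 2: known core found?
    }

if __name__ == "__main__":
    variant_a = pack(CORE, b"build-01")
    variant_b = pack(CORE, b"build-02")                     # only the shell changed
    shell_sig = variant_a[12:44]                            # signature written for variant A
    print("variant A:", triage(variant_a, shell_sig))
    print("variant B:", triage(variant_b, shell_sig))
```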

After more than six months it is time to take stock: has DeepRay proven itself in practice?

We would like to answer this question in a three-part blog series.

Emotet: a day in the life of...

One of the most complex malware families of recent years is Emotet (see also: "Emotet - the all-purpose cyber crime weapon"). Emotet stands out especially because its authors produce new variants at a high frequency. On a typical day, G DATA identified 16 different variants of the malware via DeepRay. We then immediately tested these variants against the conventional signature engines of other providers.

The first provider we tested immediately detected eight of the 16 variants distributed - just half. Apparently a signature was rolled out at around 11am that held up until the afternoon - after that, Emotet was ahead again. The next two providers did not detect a single variant at first. If a signature was ever created, it would already have been too late. One provider identified a single variant, which doesn't put a dent in the numbers either.
The last provider first detected an Emotet variant via signature at 11:09. However, this signature only held for three variants. The following two variants were not detected, the one after that was. Then came another detection hole, with two variants going undiscovered, whereupon the next five variants were detected. Protection failed again with the last variant. This is an example of the cat-and-mouse game typical of the AV industry. In the end, only 56 percent of the samples were detected on first appearance.

Changing the rules of the game - DeepRay

DeepRay puts an end to exactly this kind of cat-and-mouse game, and with it the days of missed detections. Where other providers sometimes had lengthy gaps in detection, G DATA was able to offer immediate protection with DeepRay.

The malware is identified by DeepRay directly in main memory, where the malicious code has to show its true colors and has no way to hide. Consequently, DeepRay's Emotet detection has only had to be modified once in the past six months. For traditional providers, on the other hand, modifying the signature detection several times a day is the norm - or the attempt is abandoned straight away, or the signature is released far too late.

Comparison of reaction times

Detection by DeepRay    Provider 1   Provider 2   Provider 3   Provider 4   Provider 5
Detection rate in %     50%          0%           0%           6%           56%

Thomas Siebert
Software Engineer