Advanced Encryption Standard (AES) is a symmetric block cipher used for malware traffic encryption. Compared to the previously covered stream cipher XOR, AES operates on fixed 128-bit data blocks (with 128-, 192-, or 256-bit keys), making decryption dependent on the block structure.
The article dives into the technical distinctions between these cipher types and demonstrates AES identification and decryption using CyberChef, a security analyst’s toolkit.
AES, a symmetric block cipher chosen by NIST for the U.S. government in 2001, supports key lengths of 128, 192, or 256 bits. The article emphasizes AES's strength, stating it would take billions of years to crack with current technology.
The focus then shifts from AES’s inner workings to its application in malware traffic analysis, suggesting a more practical approach in subsequent content.
AES encrypts data in 128-bit blocks, which means the algorithm operates on fixed chunks of the message, similar to a machine that encrypts 16-byte segments individually.
Stream ciphers, in contrast, process data continuously, one bit or byte at a time, like a conveyor belt feeding data into an encryption function.
This difference in how data is processed has a big effect on cryptanalysis because certain block patterns can make block ciphers vulnerable, but stream ciphers depend on the statistical properties of the generated keystream to keep data safe.
During AES decryption, the key must be exactly one of the supported lengths (128, 192, or 256 bits), and the ciphertext must be processed on the same 128-bit block boundaries that were used for encryption.
However, any alteration to the encrypted data, even a single bit, disrupts the decryption process due to the block cipher structure.
This makes decrypting malware-encrypted data significantly more complex, because retrieving the key alone isn't sufficient: extra or missing bytes around the ciphertext shift the block boundaries. Understanding the encrypted data's structure becomes crucial for successful decryption.
To achieve unpredictable encryption and prevent identical plaintexts from resulting in the same ciphertext with the same key, block ciphers like AES utilize modes (e.g., CBC, CTR) and initialization vectors (IV). Modes dictate how data blocks are processed and linked during encryption.
The IV, a unique random value, is incorporated into the encryption process to ensure distinct ciphertexts even for identical plaintexts. Decrypting AES traffic requires not only the secret key but also the corresponding IV and the correct mode selection.
This analysis focuses on decrypting AES-encrypted traffic from Lu0Bot malware. To confirm AES encryption, researchers reverse engineered the Lu0Bot code and identified a key.
They then used a Node.js debugger within an ANY.RUN virtual machine to step through the code and verify the encryption method, which demonstrates the capability of ANY.RUN to perform script debugging directly in its analysis environment.
Lu0Bot encrypts traffic with a dynamically generated IV for each transmission, and after analyzing traffic samples, it was discovered that Lu0Bot prepends a single byte, followed by a 16-byte IV, to the traffic data.
Two bytes are then skipped, and the encrypted message is appended, which was identified by examining the UDP connection. By isolating the IV and encrypted message, it was further discovered that Lu0Bot uses AES-CBC encryption.
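The payload layout described above, as an added example that is not part of the original article or of ANY.RUN's tooling: a Node.js parser that splits a captured UDP payload into the leading byte, the 16-byte IV, the two skipped bytes and the ciphertext, then decrypts it with AES-CBC. The key, the sample payload, the PKCS#7 padding and all function names are assumptions constructed for illustration.

```javascript
const crypto = require('crypto');

// Field sizes taken from the layout described in the text.
const PREFIX_LEN = 1;   // single leading byte
const IV_LEN = 16;      // per-transmission IV
const SKIP_LEN = 2;     // two bytes skipped before the ciphertext
const HEADER_LEN = PREFIX_LEN + IV_LEN + SKIP_LEN;
const BLOCK = 16;       // AES block size in bytes

// Split a raw UDP payload into its fields and check block alignment.
function parsePayload(payload) {
  if (payload.length < HEADER_LEN + BLOCK) {
    throw new RangeError('payload too short for header plus one AES block');
  }
  const ciphertext = payload.subarray(HEADER_LEN);
  if (ciphertext.length % BLOCK !== 0) {
    // A wrong offset or trailing bytes shows up here before any decryption.
    throw new RangeError('ciphertext is not a multiple of 16 bytes; check offsets');
  }
  return {
    prefix: payload[0],
    iv: payload.subarray(PREFIX_LEN, PREFIX_LEN + IV_LEN),
    skipped: payload.subarray(PREFIX_LEN + IV_LEN, HEADER_LEN),
    ciphertext,
  };
}

// Decrypt with AES-CBC; the variant is chosen from the key length (16/24/32 bytes).
// Assumption: PKCS#7 padding, which is Node's default for CBC.
function decryptPayload(payload, key) {
  const { iv, ciphertext } = parsePayload(payload);
  const decipher = crypto.createDecipheriv(`aes-${key.length * 8}-cbc`, key, iv);
  return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
}

// Build a constructed payload in the same layout so the parser can be exercised offline.
function buildSample(key, plaintext) {
  const iv = crypto.randomBytes(IV_LEN);
  const cipher = crypto.createCipheriv(`aes-${key.length * 8}-cbc`, key, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([Buffer.from([0x01]), iv, Buffer.from([0x00, 0x00]), ct]);
}

// Constructed key and message, not values recovered from any sample.
const DEMO_KEY = Buffer.from('000102030405060708090a0b0c0d0e0f', 'hex');
const demo = buildSample(DEMO_KEY, Buffer.from('constructed beacon body'));
console.log(decryptPayload(demo, DEMO_KEY).toString());
```

The alignment check catches a mis-sliced capture early: if the ciphertext length is not a multiple of 16, the offsets or the captured payload length are wrong.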