FLAIR (Fuzzy simiLArIty fRamework): A comprehensive study on APT analysis using Fuzzy hash similarity algorithms by providing a framework comprises of more than 25 Fuzzy hashing algorithms
Finding similar files has been a long recognized and ever-increasing need in malware research and forensic investigation. Cryptographic hash functions such as MD5, SHA1 and SHA256 are the primary methods that has been used to find the similarities between files. However, they can be easily bypassed by small changes in a file since these methods are designed to be sensitive to altering an input. To circumvent this problem, researchers have developed approximate matching (fuzzy hashing or similarity hashing) methods that stand robust against small and sometimes even large changes.
In this talk we propose FLAIR, a new open source framework which includes 25 state of the art fuzzy hashing algorithms that provides the functionality to find similarity between samples from binary level, function level, section level as well as providing fuzzy algorithm on import function calls.
We also provide the result of our experiment on detecting similarities between samples from well-known APT groups such as Fancy Bear, Deep Panda, Dark Hydrus and Lazarus group. At the end, we describe how hybrid models can lead to better results to find similarities between malware samples from an APT group.