Quick, Easy, Malware Investigations and Threat Hunting
Bsides Austin 2024
This is my talk for BSIDES Austin 2024
Malware Investigations
Why do internal malware analysis?
- Existing tools Virustotal, JoeSandbox, etc.
- Protect sensitive information from 3rd parties.
- Freedom from reliance on one tool or platform.
Malware is scary and dangerous, put in a box (container).
Malware is scary. Malware is dangerous. So it’s best to analyze in a “contained” environment.
- Virtual Machines
- Containers (Docker, Podman, etc)
Working with Malware Samples
Safely moving malware around to later analyze can be daunting. Here are some pointers.
Defang
Take a normal hyperlink or file extention and defang it so it’s not active.
- Normal
https://eduardorobles.com or superbadmalware.exe
- Defanged
hxxps://eduardorobles[.]com or superbadmalware.malz
Encrypted Archive with a Password (7zip)
Use 7zip to password encrypt an archive. This add an extra layer of protection by not allowing someone to accidently open the archive.
Disable network access
- You can disable network access to your malware analysis station.
- This stops malware from communicating to a C2 infrastruture.
- Or you can also simulate network traffic if you want to analyze what the malware might be trying to communicate with.
REMnux
If you want easy button for malware analysis use REMnux as a VM or a container! https://remnux.org
“REMnux: A Linux Toolkit for Malware Analysis”
Setup REMnux in a Container
REMnux offers several container images as well the full REMnux distro in a container.
- They chose Docker in their documentation but I have chosen to use Podman.
- Podman was easier to install and use in Windows as well as Linux.
- So I can have Podman running in both the Malware Analysis station and on my Windows machine. This gives me the flexibility to test on either machine or platform.
Install REMnux container
podman pull docker.io/remnux/remnux-distro:focal
Run REMnux as a Transient container
podman run \
--rm \
-it \
--name malContainer \
-v /var/home/core/SAMPLES:/home/remnux/files \
--privileged \
--network none \
remnux/remnux-distro:focal bash
What the previous command did
--rm
Remove the container after it exists (not the image)-it
Connect the container to the terminal--name
Name the container-u remnux
Logged in user (optional)--privileged
Runs container with Root privileges (optional)--network none
Disables any network from the container (optional)remnux/remnux-distro:focal
Container image to use, in this case use the local imagebash
Login shell
Digital Forensics
Phishing Email Analysis
ClamAV
ClamAV is great to scan for malware but also can scan eml
files including email attachments. Use the --debug
flag for more info on the scan.
clamscan sample.eml
Continued
You can also use ClamAV to scan any suspicious file.
clamscan sample.zip
Investigating a malicious link
To investigate a link REMnux offers so many awesome tools. I will cover THUG and Automater.
THUG
THUG is a “honeyclient”. A honeyclient is a tool that mimicks the behavior of a web browser. Useful for analyzing what a link does when a user clicks on it.
thug -u win7chrome49 "https://eduardorobles.com"
Continued…
Once it begins to “load” the suspicious site it executes any code that may be on the site. Once it is done running/loading the page it dumps a report. The report contains a summary of what occured plus you get any malicious artifacts that the page may have downloaded.
In one exercise a suspicous page downloaded an executable and I was able to analyze the executable from the container and it was indeed a malicous executable. Yikes!
Automater
“Automater is a URL/Domain, IP Address, and Md5 Hash OSINT tool aimed at making the analysis process easier for intrusion Analysts. Given a target (URL, IP, or HASH) or a file full of targets Automater will return relevant results from sources like the following: IPvoid.com, Robtex.com, Fortiguard.com, unshorten.me, Urlvoid.com, Labs.alienvault.com, ThreatExpert, VxVault, and VirusTotal.”
Continued…
Automater is a python tool found in /usr/local/automater
./Automater.py https://eduardorobles.com
Investigating a suspicious PDF
Malicious content will be embedded. It’s best to extract the content in order to inspect it.
Strings
You can use the command strings
to view all the different system call a file contains.
strings sus_invoice.pdf | grep http
You can also pipe grep to single out things like http
links or hashes.
Magika
pip install magika
Threat Hunting
Velociraptor
“Velociraptor is an advanced digital forensic and incident response tool that enhances your visibility into your endpoints.” https://docs.velociraptor.app/
Velociraptor.exe gui
Setup REMnux container for Analysis
This container will run in priviledged mode and will have no network attached to it
podman run --rm -it \
--name malContainer \
--privileged \
--network none \
remnux/remnux-distro:focal bash
Yara
https://github.com/airbnb/binaryalert/blob/master/rules/public/eicar.yara
rule eicar_av_test {
/*
Per standard, match only if entire file is EICAR string plus optional trailing whitespace.
The raw EICAR string to be matched is:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
*/
meta:
description = "This is a standard AV test, intended to verify that BinaryAlert is working correctly."
author = "Austin Byers | Airbnb CSIRT"
reference = "http://www.eicar.org/86-0-Intended-use.html"
strings:
$eicar_regex = /^X5O!P%@AP\[4\\PZX54\(P\^\)7CC\)7\}\$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!\$H\+H\*\s*$/
condition:
all of them
}
rule eicar_substring_test {
/*
More generic - match just the embedded EICAR string (e.g. in packed executables, PDFs, etc)
*/
meta:
description = "Standard AV test, checking for an EICAR substring"
author = "Austin Byers | Airbnb CSIRT"
strings:
$eicar_substring = "$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!"
condition:
all of them
}
Tools
Cyberchef
A great tool!
GCHQ CyberChef in a container. CyberChef is the Cyber Swiss Army Knife web app for encryption, encoding, compression and data analysis.
Let’s run it in a container!
podman run \
-d \
--name cyberchef \
-p 8000:8000 \
mpepping/cyberchef
Conclusion
- Hope you learned some quick tools to add to your daily workflow.
- Automation?? A.I?? ¯\_(ツ)_/¯
- Analyzing malware can be tricky but it shouldn’t be intimidating.