[Malware analysis]Analyze HTTP malware using signatures and behavior-based rule

Overview

You’ll investigate network traffic from a host that has been infected with the Trickbot malware. In particular, you’ll dive into Trickbot’s HTTP traffic and investigate HTTP Header IoCs. You’ll also analyze a Trickbot HTTP response to uncover a hidden executable. Towards the end of the lab, you’ll leverage Suricata to uncover Trickbot by using Signature-based (and Behavior-based) rules.

DEMO

Importing the Packet Capture

you’ll import a packet capture (pcap) into Arkime. The pcap is from Trickbot: a piece of malware that exfiltrates highly sensitive data (e.g., banking information, account credentials, etc.)

  • open MATE terminal and login into the server
  • move to the directory which the docker-compose.yml file is located. You can see the docker-compose file below.
version: '3'
networks:
internal:
driver: bridge
external:
driver: bridge
services:
victim:
image: zachroofsec/ps-trickbot-lab-suricata-arkime
privileged: true
cap_add:
- NET_ADMIN
- SYS_NICE
elasticsearch:
image: docker.elastic.co/elasticsearch/elasticsearch:7.13.3
hostname: elasticsearch
environment:
- discovery.type=single-node
networks:
- internal
viewer:
image: zachroofsec/ps-trickbot-lab-suricata-arkime
hostname: viewer
privileged: true
cap_add:
- NET_ADMIN
- SYS_NICE
environment:
- ARKIME_USER=arkime
- ARKIME_PSWD=arkime
depends_on:
- elasticsearch
volumes:
- ./log:/arkime/log
- ./import:/import
- ./arkime:/arkime/etc
# - ./scripts:/arkime/bin
- suricata:/suricata/logs
- ./suricata:/suricata/configs
networks:
- internal
- external
entrypoint: /arkime/bin/viewer.sh
ports:
- 8005:8005
  • start docker environment that has Arkime and Suricate installed.
  • open the Chrome browser and navigate you to the correct page. (Please don’t open the Chrome browser directly). It might take 60 seconds for Chrome to open. Once the browser opened, sign in.
  • At this point, you should see the following message in the Arkime viewer: Oh no, Arkime is empty! There is no data to search.
  • switch back to the terminal and type this to enter the container
docker exec -it trickbot_viewer_1 bash
  • unzip the file ( -P infected because the Trickbot pcap has a password of infected.)
unzip -P infected trickbot.pcap.zip
  • you can see it is unziped
root@viewer:/import# ls -la
total 28504
drwxrwxr-x 2 1000 1000 92 Jan 12 21:22 .
drwxr-xr-x 1 root root 84 Jan 12 21:12 ..
-rw-r--r-- 1 root root 15209036 Sep 25 2019 2019-09-25-Trickbot-gtag-ono19-infection-traffic.pcap
-rw-rw-r-- 1 1000 1000 13973406 Jan 12 21:02 trickbot.pcap.zip
  • we import the Trickbot pcap into Arkime.
/data/moloch/bin/moloch-capture --config /arkime/etc/config.ini --pcapfile /import/2019-09-25-Trickbot-gtag-ono19-infection-traffic.pcap

Investigating HTTP Header IoCs

Scenario

you’re a Security Analyst and you’re investigating an Endpoint Detection Response (EDR) alert. In particular, this alert flagged a suspicious scheduled task on a Windows host. This is a major alert because scheduled tasks are often leveraged by malware to establish a persistent foothold. (Scheduled tasks can allow malware to be relaunched into the future.) you can view network traffic in Arkime.

The ?date=-1 query string parameter makes sure you view the pcap’s entire date range.

  • sort by Bytes of network traffic (in descending order).
  • Notice the multiple requests for 185.98.87.185/samerton.png.

In typical network traffic, you’ll often see .png files being downloaded via a browser. Usually, browsers have an image caching mechanism. In other words, images are cached (on disk) so that subsequent requests (for a particular image) don’t need to be made.

  • you’ll analyze the source HTTP request. In the request, notice the simplicity of the HTTP headers that are leveraged.
  • To compare, normal traffic is usually more nuanced/complicated.
  • In the Destination section, notice the Content-Type: image/png HTTP header within the response. On the surface, this seems to make sense because samerton.png is being requested.
  • However, notice the MZ within the response body. Usually, the first 2 ASCII bytes of an EXE (or DLL) start with MZ. Also, notice that This program cannot be run in DOS mode within the response body. This is usually indicative of an EXE (or DLL). Clearly, this response warrants additional attention.
  • Note the value of the Body SHA256s field.
  • Go to
https://www.virustotal.com/gui/file/4a5bdf328d682efaec55979b3e0723db5bb79775c7c133936c779e3bdc03201d

At this point in the investigation, you have proof the host is compromised

In this phase, we might need to do …..

  • Perform a network quarantine of the host to prevent data exfiltration.
  • Create a forensic image of the host to prevent the malware from destroying evidence.
  • Search the network logs for signs of literal movement. The compromised host might have infected other machines on the network.
  • Create behavioral-based alerts. For example, an alert that would trigger when the Content-Type header doesn’t match the data within the payload body.
  • Create signature-based alerts. For example, an alert that would trigger whenever the Trickbot file hash is transmitted on the network.

Suricata: Signature-based Rule

you’ll explore alerting mechanisms for Trickbot. In particular, you’ll investigate Trickbot through a Signature-based Suricata rule. You’ll also use an Suricata/Arkime integration to see the Suricata alerts within Arkime!

you will leverage Suricata to alert on Trickbot IoCs. To create an alert, you must create a rule. As far as rules go, there are signature-based rules and behavior-based rules.

  • exit from docker container and restart the environemnt
  • enter the container
docker exec -it trickbot_viewer_1 bash

Lets review the types of rules here.

Signature-based rules are static in nature. For example, create an alert when a malicious file hash is observed within network traffic. Advantages of this approach include a relatively low false positive rate. Can you think of any cons? What occurs when malware changes? Unfortunately, a new signature must be created.

Behavior-based rules are more dynamic in nature (due to the rule being based on behavior/s). For example, create an alert when the HTTP Content-Type header doesn’t match the data type of the HTTP body. The advantages of this approach include a wider range of malicious activity that can be discovered. Disadvantages include a higher false positive rate.

  • ensure that Suricata is logging file hashes (in general).
  • create a Suricata alert whenever any file is transmitted over http
echo 'alert http any any -> any any (msg:"a malicious sha256 was found"; filesha256:/suricata/configs/malicious.sha256; sid:30; rev:1;)' >> /suricata/configs/custom.rules
  • This signature-based rule will generate an alert whenever a file (transmitted over http) matches a sha256 within /suricata/configs/malicious.sha256.
echo "4a5bdf328d682efaec55979b3e0723db5bb79775c7c133936c779e3bdc03201d" > /suricata/configs/malicious.sha256

Arkime has the ability to import Suricata events. In this step, you’ll witness the configurations related to the Suricata plugin.

  • plugins=suricata.so: Enables the Suricata plugin
  • suricataAlertFile= /suricata/logs/eve.json: Defines the path to the Suricata event file. (You will generate this file in the next step.)
  • suricataExpireMinutes=1525600: This ensures Suricata alerts won’t expire (within Arkime).

The configuration flags are explained below.

suricata -c /suricata/configs/suricata.yaml -r /import/2019-09-25-Trickbot-gtag-ono19-infection-traffic.pcap -S /suricata/configs/custom.rules
  • c: path to the Suricata configuration file.
  • -r: Path of the pcap file to run through Suricata
  • -S: Path to the Suricata rules file

You can verify the alert by executing the following command

cat /suricata/logs/eve.json | grep "a malicious sha256 was found"

In the command output, you see that Suricata found two files that matched the malicious hash.

  • Scroll down to Suricata and click Load All.
  • Click a malicious sha256 was found and select the first option.
  • we see the original malicious file

At this point, you’ve created a Signature-based rule.

Suricata: Behavior-based Rules

Behavior-based rules are more dynamic in nature (due to the rule being based on behavior/s). For example, create an alert when the HTTP Content-Type header doesn’t match the data type of the HTTP body. The advantages of this approach include a wider range of malicious activity that can be discovered. Disadvantages include a higher false positive rate.

restart the docker container environement and enter it

exitdocker-compose down && docker-compose up -d

docker exec -it trickbot_viewer_1 bash

  • leverage Suricata default ruleset (i.e., /suricata/configs/suricata.rules). The default ruleset has an emphasis on behavior-based rules.
suricata -c /suricata/configs/suricata.yaml -r /import/2019-09-25-Trickbot-gtag-ono19-infection-traffic.pcap -S /suricata/configs/suricata.rules
  • load the pcap into Arkime.
/data/moloch/bin/moloch-capture --config /arkime/etc/config.ini --pcapfile /import/2019-09-25-Trickbot-gtag-ono19-infection-traffic.pcap
  • Scroll down to Suricata and click Load All.
  • Scroll down to Signature and review the various Suricata alerts that were generated from the Trickbot pcap and Click ET HUNTING Suspicious POST with Common Windows Process Names — Possible Process List Exfiltration. Within the dropdown, select the first option.
  • Click on the Sessions tab.
  • Click on the + to expand the session.
  • Scroll down until you see the Source (i.e., an HTTP request that was created from the infected machine).
  • you’ll see the process list that is being sent to the attacker! This gives the attacker valuable information as to what system they have compromised.

The Suricata rule (ET HUNTING Suspicious POST with Common Windows Process Names — Possible Process List Exfiltration) that flagged this request is an example of a Behavior-based rule.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store