Pattern-matching tools for chasing down malicious software
Public Enemy
I found an intriguing GitHub repository with a seemingly endless number of rules. I decided to clone it, having spotted a file [10] mentioning Advanced Persistent Threats (APT) and a rule called Dropper_DeploysMalwareViaSideLoading. I started with this command:
$ git clone https://github.com/Yara-Rules/rules.git
And, once inside the resulting rules/ directory, I could see the directory listing shown in Figure 5.

Figure 5 shows some of the available rules, such as rules for email, crypto, and web shells. In the exploit_kits directory, the following files are intriguing:
EK_Angler.yar EK_BleedingLife.yar EK_Eleonore.yar EK_Phoenix.yar EK_ZeroAcces.yar EK_Zeus.yar EK_Blackhole.yar EK_Crimepack.yar EK_Fragus.yar EK_Sakura.yar EK_Zerox88.yar
Note that you'll need YARA version 3 or later to run these rules. Figure 6 shows what happens when you use the capabilities/ directory rules against the poisoned mimikatz/ directory (I have left off the -s output as it was very noisy).

According to the documentation for the ruleset, the capabilities/ directory rules are "…to detect capabilities that do not fit into any of the other categories. They are useful to know for analysis but might not be malicious indicators on their own." You'll find a long list of curated rule repositories, as well as a useful YARA tutorial, on GitHub [11] [12].
Other Resources
I would be remiss not to mention that makers of YARA also provide a commercial tool [13] that permits malware analysis directly in a browser (Figure 7).

I used VirusTotal to analyze a few files. I tried the online option (not the local file-upload option) against an infected mimikatz executable that is available online [14]. As you can see in Figure 8, the online service successfully identified the file as a threat.

If you want to automate your own checks against the latest threat intelligence feeds, you can also hook into VirusTotal's API [15]. The API is extensive and is now at version 3. Table 1 shows some of the features.
Table 1
VirusTotal Features

Feature | Description
---|---
Upload a file to scan | Scan a file with over 70 antivirus products and multiple other security tools.
Check by hash | Pass an MD5, SHA-1, or SHA-256 hash to identify precisely the file you are scanning.
Scan by URL | Scan a URL's contents with over 70 antivirus products and multiple other security tools.
Generate URL report | Create a useful report against a URL's scan.
Create a report by domain name | Generate analysis in a report by domain name.
Check by IP address | Create a useful report against an IP address.
See the VirusTotal website for more information on the difference between the public API and the premium API [16].
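As an added example, not code from the article or from VirusTotal, here are small helpers for the lookups in Table 1 against API v3, written so that request construction and report parsing can be exercised without network access. The endpoint paths, the x-apikey header, and the base64url URL identifier are the documented v3 conventions; the sample JSON body is constructed, and the VT_API_KEY environment variable name is my own choice. The practical caveat is built into the flow: hash the file locally and look the hash up first, because anything you upload is shared with VirusTotal's other customers, which is rarely what you want for an internal document or a customer's sample.

```python
"""VirusTotal API v3 lookups for the features in Table 1, testable offline.

Assumptions: VT_API_KEY holds your key (name chosen here, not VT's); the
endpoint paths and x-apikey header follow VT's published v3 API; the
SAMPLE_BODY below is a constructed response, not a real VT report.
"""
import base64
import hashlib
import json
import os
import urllib.error
import urllib.request

VT_API = "https://www.virustotal.com/api/v3"


def sha256_of_file(path):
    """Hash locally so an existing report can be fetched without uploading."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def url_id(url):
    """VT identifies a URL object by its unpadded base64url encoding."""
    return base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


def object_path(kind, value):
    """Map Table 1's lookup kinds to their v3 object endpoints."""
    routes = {
        "file": "files/{}",         # MD5, SHA-1 or SHA-256 hex digest
        "url": "urls/{}",           # base64url id, see url_id()
        "domain": "domains/{}",
        "ip": "ip_addresses/{}",
    }
    ident = url_id(value) if kind == "url" else value
    return f"{VT_API}/{routes[kind].format(ident)}"


def build_request(kind, value, api_key):
    return urllib.request.Request(object_path(kind, value), headers={"x-apikey": api_key})


def parse_report(body):
    """Reduce a v3 object to the engine verdict counts a triage script needs."""
    attrs = json.loads(body)["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    buckets = ("malicious", "suspicious", "harmless", "undetected")
    out = {k: stats.get(k, 0) for k in buckets}
    out["engines"] = sum(out.values())
    return out


def lookup(kind, value, api_key=None):
    """Fetch one object; None means VT has never seen it (HTTP 404).

    The public API is rate limited, so a 429 is surfaced as an error rather
    than retried blindly here.
    """
    api_key = api_key or os.environ["VT_API_KEY"]
    try:
        with urllib.request.urlopen(build_request(kind, value, api_key), timeout=30) as resp:
            return parse_report(resp.read())
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return None  # not known to VT; decide separately whether uploading is acceptable
        raise


# Constructed v3-shaped response used for the offline demo and tests.
SAMPLE_BODY = json.dumps({"data": {"type": "file", "id": "a" * 64, "attributes": {
    "last_analysis_stats": {"malicious": 61, "suspicious": 0, "harmless": 0,
                            "undetected": 9, "timeout": 0}}}})

if __name__ == "__main__":
    print(object_path("url", "http://example.com/"))
    print(parse_report(SAMPLE_BODY))
    # Live use: lookup("file", sha256_of_file("mimikatz.exe")) with VT_API_KEY set.
```

A file that returns None from lookup("file", ...) has not been seen by VirusTotal; treat that as a prompt to decide, with the owner of the data, whether an upload is acceptable, not as a clean verdict.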
More, More, More
One commercial offering that incorporates YARA is called Thor, from Nextron Systems [17]. The community edition (known as Thor Lite [18]) is available for free (for noncommercial use) and comes with an extensive open source set of signatures (the same set that shipped with Thor's predecessor, Loki [19]).
Both products scan files for Indicators of Compromise (IoCs): precise artifacts, such as file names and hashes, left behind by attempted or successful intrusions. These IoC checks are coupled with the pattern matching that the inimitable YARA provides for spotting suspicious files.
The signature set used by Thor is touted as top quality [20]. For a fee, you can significantly increase the number of signatures by opting for the commercial Valhalla ruleset [21], run by Florian Roth, Head of R&D at Nextron Systems. That page is worth a read; if you are part of an organization, it makes sense to sign up.
That said, the open source feed with Thor Lite (which requires registration) apparently contains over 4,000 YARA rules. Valhalla boasts over 17,000, plus 10,000 IoC patterns, plus the open source rules.
Thor is much faster than Loki because it is written in Go rather than Python, and it supports CPU throttling to limit its load on the scanned host. Thor can also send its logs to a number of destinations, including syslog and even JSON over UDP/TCP.
Once you have subscribed to the newsletter and registered your details, you are promised "… an email with a THOR-Lite-generated personal license file (*.lic) and a download link for the THOR Lite ZIP package."
It is then a case of downloading your license, followed by the Zip file containing Thor Lite. The license lasts for a year, and then you will receive a new license. Unsubscribing from the newsletter will also end the download subscription.
As promised, the license file has a file extension of .lic. The Download for Linux button requires an EULA acceptance, and then a 36MB Zip file is downloaded. To get started, I decompress the file and then run the following command:
$ ./thor-lite-linux-64
Some welcome ASCII art appears (Figure 9), followed by lots of interesting output.

Figure 10 shows the continued output by the formidable Thor after it has run for five minutes or so.

I didn't expect Thor to be quite as thorough in the way it scrutinized my laptop's filesystem. It went off like a rocket, but surprisingly, the system load didn't increase massively.
Thor's output is multicolored and reveals intriguing information about the criteria that certain rules are using. I ran Thor as the chris user, as opposed to the root user, and it still managed to dig very deeply into my laptop's filesystem. Most striking was a large chunk of alarming red text:
Alert Malware file found SCORE: 91
Clearly, this wasn't a welcome sign; however, I remembered that I was running Thor on the laptop that I use for Ethical Hacking, where the powerful Metasploit penetration testing framework [22] was installed. Upon closer inspection, I determined that the alarming output was relating to Metasploit payloads of varying descriptions.
The Metasploit payload that first showed up as a malware alert in Thor was a PowerShell version of our old friend mimikatz (Listing 4).
Listing 4
Thor Finds mimikatz
FILE: /opt/metasploit-framework/embedded/lib/ruby/gems/3.0.0/gems/metasploit-payloads-2.0.148/data/meterpreter/ext_server_kiwi.x64.debug.dll
EXT: .dll
TYPE: EXE
SIZE: 1498112
[...snip...]
REASON_1: YARA rule Powerkatz_DLL_Generic / Detects Powerkatz - a Mimikatz version prepared to run in memory via Powershell (overlap with other Mimikatz versions is possible)
SUBSCORE_1: 80
REF_1: PowerKatz Analysis
SIGTYPE_1: internal
SIGCLASS_1: YARA Rule
MATCHED_1:
Examples of the other malware or IoC hits, which were mostly found either in Metasploit files or in backup files for the laptop, appear in Listing 5.
Listing 5
Thor Hits
REASON_1: Filename IOC \RottenPotato
SUBSCORE_1: 85
REF_1: Relay Attack Tool Names
SIGTYPE_1: internal
SIGCLASS_1: Filename IOC
MATCHED_1: /rottenpotato

REASON_1: Filename IOC \JuicyPotato
SUBSCORE_1: 85
REF_1: Relay Attack Tool Names
SIGTYPE_1: internal
SIGCLASS_1: Filename IOC
MATCHED_1: /juicypotato

REASON_1: Filename IOC \PetitPotam
SUBSCORE_1: 90
REF_1: PetitPotam Names https://github.com/topotam/PetitPotam
SIGTYPE_1: internal
SIGCLASS_1: Filename IOC
MATCHED_1: /petitpotam
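The alerts above all turned out to be expected tooling, which is the normal outcome of a first Thor run on a tester's machine. As an added example (not code from the article or from Nextron Systems), the following parser turns Thor's KEY: value text lines into records, folds the numbered REASON_n/SUBSCORE_n/REF_n/SIGTYPE_n/SIGCLASS_n/MATCHED_n groups into a list, and splits hits into "review" and "expected" by score and path prefix. The sample log lines are constructed from the values in Listings 4 and 5, with a Warning line and paths of my own invention; the field layout is modelled on those listings, not on a Thor specification.

```python
"""Parse Thor's text alert lines and triage them by score and location.

Assumptions: each alert is one line of the form
  "<Level>: <message> KEY: value KEY: value ...", with numbered reason
fields (REASON_1, SUBSCORE_1, ...), as in Listings 4 and 5. SAMPLE_LOG is
constructed from those listings plus invented paths; it is not real output.
"""
import re

# A key is an all-caps token at the start of the line or after whitespace,
# followed by ": ".  "Alert:" has lowercase letters and so is not a key.
KEY_RE = re.compile(r"(?<![^\s])([A-Z][A-Z0-9_]*): ")
NUMBERED_RE = re.compile(r"^(REASON|SUBSCORE|REF|SIGTYPE|SIGCLASS|MATCHED)_(\d+)$")


def parse_thor_line(line):
    """Return a dict for an alert/warning line, or None for banner/progress text."""
    keys = list(KEY_RE.finditer(line))
    if not keys:
        return None
    prefix = line[:keys[0].start()].strip()          # e.g. "Alert: Malware file found"
    level = (prefix.split(":")[0].split() or ["Unknown"])[0]
    rec, numbered = {"level": level}, {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(line)
        key, value = m.group(1), line[m.end():end].strip()
        nm = NUMBERED_RE.match(key)
        if nm:  # REASON_2 etc. belong to reason group 2
            numbered.setdefault(int(nm.group(2)), {})[nm.group(1).lower()] = value
        else:
            rec[key.lower()] = value
    rec["score"] = int(rec.get("score", 0))
    rec["reasons"] = [numbered[n] for n in sorted(numbered)]
    for r in rec["reasons"]:
        r["subscore"] = int(r.get("subscore", 0))
    return rec


def parse_thor_log(text):
    return [r for r in (parse_thor_line(l) for l in text.splitlines()) if r]


def triage(records, min_score=60, expected_paths=()):
    """Split hits at or above min_score into (review, expected).

    expected_paths are prefixes such as a Metasploit install or a tool backup
    directory.  Hits there still get returned: an attacker can drop a payload
    into a tools directory too, so "expected" means "check against the
    inventory", never "ignore".
    """
    review, expected = [], []
    for r in records:
        if r["score"] < min_score:
            continue
        path = r.get("file", "")
        bucket = expected if any(path.startswith(p) for p in expected_paths) else review
        bucket.append(r)
    return review, expected


# Constructed sample: first line from Listing 4, the others built from the
# Listing 5 reasons with invented file paths and an invented Warning message.
SAMPLE_LOG = "\n".join([
    "Alert: Malware file found FILE: /opt/metasploit-framework/embedded/lib/ruby/gems/3.0.0/"
    "gems/metasploit-payloads-2.0.148/data/meterpreter/ext_server_kiwi.x64.debug.dll "
    "EXT: .dll TYPE: EXE SIZE: 1498112 SCORE: 91 REASON_1: YARA rule Powerkatz_DLL_Generic / "
    "Detects Powerkatz - a Mimikatz version prepared to run in memory via Powershell "
    "(overlap with other Mimikatz versions is possible) SUBSCORE_1: 80 REF_1: PowerKatz Analysis "
    "SIGTYPE_1: internal SIGCLASS_1: YARA Rule",
    "Warning: Suspicious file name FILE: /home/chris/backup/tools/juicypotato.exe SCORE: 85 "
    "REASON_1: Filename IOC \\JuicyPotato SUBSCORE_1: 85 REF_1: Relay Attack Tool Names "
    "SIGTYPE_1: internal SIGCLASS_1: Filename IOC MATCHED_1: /juicypotato",
    "Alert: Malware file found FILE: /tmp/.x/petitpotam.py SCORE: 90 REASON_1: Filename IOC "
    "\\PetitPotam SUBSCORE_1: 90 REF_1: PetitPotam Names https://github.com/topotam/PetitPotam "
    "SIGTYPE_1: internal SIGCLASS_1: Filename IOC MATCHED_1: /petitpotam",
])

if __name__ == "__main__":
    review, expected = triage(parse_thor_log(SAMPLE_LOG), 60, ("/opt/metasploit-framework/",))
    for r in review:
        print(f"REVIEW   {r['score']:3d} {r['file']}  ({r['reasons'][0]['sigclass']})")
    for r in expected:
        print(f"EXPECTED {r['score']:3d} {r['file']}")
```

Run against a saved Thor text log, the "review" bucket is the short list worth opening the HTML report for; the file under /tmp/.x/ in the sample is the kind of hit that should never be explained away by a path allowlist.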
To keep things simple, Thor creates a helpful HTML file summarizing the analysis report (Figure 11).

As you can see from Figure 11, my laptop had a staggering 237 IoC or malware hits found by the excellent Thor.
The report contains a detailed information box for each alert that helps identify which match caused the alert, as shown in Listing 6.
Listing 6
Thor Report
MATCHED_1
- WS2_32.dll at 0x48b66 in "mIStorage\x00ole32.dll\x00\xa4\x00freeaddrinfo\x00\x00\xa5\x00getaddrinfo\x00WS2_32.dll\x00\x00)\x01EnterCriticalSection\x00\x00\xa5\x03LeaveCriticalSection\x00\x00"
- ReflectiveLoader at 0x484d4 in "@CAKPEAX@Z\x00?triggerDCOM@CMSFRottenPotato@@QEAAHXZ\x00ReflectiveLoader\x00\x00\x00\x00\xe0\x9c\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x9e\x04\x00\x80S\x03\x00\x88\x99\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00@\x9e\x04\x00(P\x03\x00`\x99\x04\x00\x00\x00"
To say that Thor (even the Lite version) is impressive, is an understatement. I plan on continuing my subscription for personal use and will recommend the full-fat version to any interested clients.