MADLIRA – Malware detection using learning and information retrieval for Android

MADLIRA is a tool for Android malware detection. It consists of two components: a TFIDF component and an SVM learning component. In general, it takes as input a set of malwares and benwares (benign applications) and then either extracts the malicious behaviors (TFIDF component) or computes a training model (SVM classifier). It then uses this knowledge to detect malicious behaviors in an Android application.

Installing

Download the file MADLIRA.7z and decompress it.

Installed data:
    MADLIRA.jar is the main application.
    noAPI.txt declares the prefix of APIs.
    family.txt lists malwares by family.
    Folder TrainData contains the training configuration and training model.
    Folder Samples contains sample data.
    Folder TempData contains data for kernel computation.

Functionality

This tool has two main components: the TFIDF component and the SVM component.

TFIDF component

Command: MADLIRA TFIDF

For this component, there are two functions: the training function (malicious behavior extraction) and the test function (malicious behavior detection).

Malicious behavior extraction:
    Collect benign applications and malicious applications and put them in folders named benignApkFolder and maliciousApkFolder, respectively.
    Prepare training data and pack them into two files named benignPack and maliciousPack by using the command:
        MADLIRA TFIDF packAPK -PB benignApkFolder -B benignPack -PM maliciousApkFolder -M maliciousPack
    Extract malicious behaviors from the two packed files (benignPack and maliciousPack) by using the command:
        MADLIRA TFIDF train -B benignPack -M maliciousPack

Malicious behavior detection:
    Collect new applications and put them in a folder named checkApk.
    Detect malicious behaviors of the applications in the folder checkApk by using the command:
        MADLIRA TFIDF check -S checkApk

Commands:

MADLIRA TFIDF train
    Compute the malicious specifications for the given training data.
    -B <filename>: the archive file containing all graphs of the training benwares.
    -M <filename>: the archive file containing all categories of the training malwares.

MADLIRA TFIDF check <Options>
    Check for malicious behaviors in the applications in a folder.
    -S <folder>: the folder containing all applications (apk files).

MADLIRA TFIDF test <Options>
    Test the classifier on given test data.
    -S <folder>: the folder containing all graphs for testing.

MADLIRA TFIDF clear
    Clean all training data.

MADLIRA TFIDF install
    Clean old training data and install new data for training.
    -B <filename>: the archive file containing all graphs of the training benwares.
    -M <filename>: the archive file containing all categories of the training malwares.

Examples:

Training new data:
    First collect training applications (APK files) and store them in folders named MalApkFolder and BenApkFolder.
    Pack the training applications into archive files named MalPack and BenPack by using this command:
        MADLIRA TFIDF packAPK -PB BenApkFolder -B BenPack -PM MalApkFolder -M MalPack
    Clean old training data:
        MADLIRA TFIDF clear
    Compute the malicious graphs from the training packs (BenPack and MalPack):
        MADLIRA TFIDF train -B BenPack -M MalPack

Checking new applications:
    Put these applications in a folder named checkApk and use this command:
        MADLIRA TFIDF check -S checkApk

SVM component

Command: MADLIRA SVM

For this component, there are two functions: the training function and the test function.

Training phase:
    Collect benign applications in a folder named benignApkFolder and malicious applications in a folder named maliciousApkFolder.
    Prepare training data by using the command:
        MADLIRA SVM packAPK -PB benignApkFolder -B benignPack -PM maliciousApkFolder -M maliciousPack
    Compute the training model with this command:
        MADLIRA SVM train -B benignPack -M maliciousPack

Malicious behavior detection:
    Collect new applications and put them in a folder named checkApk.
    Detect malicious behaviors of the applications in the folder checkApk by using the command:
        MADLIRA SVM check -S checkApk

Commands:

MADLIRA SVM train <Options>
    Compute the classifier for the given training data.
    -T <T>: maximum length of the common walks (default value = 3).
    -l <lambda>: lambda value controlling the importance of the length of walks (default value = 0.4).
    -B <filename>: the archive file containing all graphs of the training benwares.
    -M <filename>: the archive file containing all graphs of the training malwares.

MADLIRA SVM check <Options>
    Check for malicious behaviors in the applications in a folder.
    -S <foldername>: the folder containing all apk files.

MADLIRA SVM test <Options>
    Test the classifier on given graph data.
    -S <foldername>: the folder containing all graphs of the test data.
    -n <n>: the number of test samples.

MADLIRA SVM clear
    Clean all training data.

Packages:

This tool uses the following packages:
    apktool-2.2.1 (https://ibotpeaches.github.io/Apktool/)
    ojalgo-41.0.0 (https://github.com/optimatika/ojAlgo)
    libsvm (http://www.csie.ntu.edu.tw/~cjlin/libsvm/)

References

Khanh Huu The Dam and Tayssir Touili. Extracting Android Malicious Behaviors. In Proceedings of ForSE 2017.
Khanh Huu The Dam and Tayssir Touili. Learn Android malware. In Proceedings of IWSMA@ARES 2017.

Link: http://feedproxy.google.com/~r/PentestTools/~3/067FoTnPUjg/madlira-malware-detection-using.html

Malicious RTF document leading to NetwiredRC and Quasar RAT

Malware authors use a variety of clever methods to lure users into executing malicious documents, but the ThreatLabZ team recently observed a social engineering campaign with a unique approach. In these cases, malicious RTF documents essentially force users to execute an embedded VBA macro, which starts the infection cycle by dropping Quasar RAT and NetWiredRC payloads.

The malicious RTF documents contain embedded Excel sheets that include a macro, which downloads the additional payload on execution. The RTF document carries the .doc extension; when it is opened in Microsoft Word, a macro warning popup (Fig. 1) is shown, in which the user can enable or disable the macro. With this malicious RTF document, however, Word shows repeated macro warning popups even if the user clicked the "Disable Macros" button at the first warning.

Fig. 1: Macro warning popup

There is no way to stop these popups except to click through all of them or to force-quit Word. The current malicious RTF shows the macro warning popup 10 times, since the document has 10 embedded Excel sheets (see Fig. 2; the yellow dots highlight the embedded Excel sheets).

Fig. 2: RTF document content

To achieve this effect, the malware author used the "\objupdate" control word [1] on the embedded Excel sheet objects (OLE objects) (see Fig. 3). This control word triggers the macro code inside the embedded Excel sheet to execute while the RTF document is being loaded in the MS Word application, and it is what causes the multiple macro warning popups to appear.

Fig. 3: \objupdate control in RTF

The same "\objupdate" control was used in CVE-2017-0199 [2]. However, the current malicious document does not use this or any other vulnerability.

Fig. 4: Infection flow

Malicious macro analysis

We observed two variations of the malicious macro in this campaign (see Fig. 5). Although the macro code is identical in both, they execute the PowerShell command that downloads the intermediate payload using Schtasks and cmd.exe (see Fig. 6).

Fig. 5: Macro code

Fig. 6: PowerShell commands

The malware also permanently enables macros for Word, PowerPoint, and Excel through registry modification.

Intermediate payload

The code in the macro uses PowerShell to download a malicious VBS file and saves it in the %PUBLIC% folder under the name svchost32.vbs. This malicious VBS code (Fig. 7) performs the following actions:

Step 1: Terminate all running instances of the Microsoft Word and Excel processes. Download the final payload (over HTTPS) and save it in the %PUBLIC% folder under the name svchost.exe. Execute the downloaded payload.

Fig. 7: Deobfuscated code of malicious VBS

Step 2: Enable macros and disable Protected View settings for Microsoft Word, PowerPoint and Excel (versions 11-16 except 13) through registry modification.

Step 3: Create a scheduled task named "WindowsUpdates" to run this payload (svchost32.vbs) after 200 minutes.

Step 4: Delete the "WindowsUpdate" scheduled task created by the macro code.

Step 5: Download an additional payload and save it in the %PUBLIC% folder under the name svchosts.exe. We did not see this payload download at the time of analysis, and we also noticed that this functionality was removed in the recent variants.

Final payloads

We observed NetwiredRC and Quasar RAT malware as the final payloads in this campaign. Both are Remote Administration Tools (RATs). Quasar RAT is an open source tool [3] with features such as remote webcam, remote shell and keylogging. Similarly, NetwiredRC has features such as file search, remote shell, keylogging, screen capture and password stealing [4].
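Because the trick relies on a documented RTF control word rather than an exploit, it can be checked for statically. The following Python scanner is an added example, not code from the Zscaler post: it walks the RTF's brace-delimited groups, records the \objclass of every {\object ...} group, and flags those carrying \objupdate, so a document with many auto-updating Excel objects (the post's sample had 10) stands out; the embedded sample document is constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample (not from the campaign): two embedded OLE objects, the first
# an Excel sheet carrying \objupdate, the second a plain embedded Word document.
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0 "
    r"{\object\objemb\objupdate{\*\objclass Excel.Sheet.8}{\*\objdata 0105000002000000}}"
    r"{\object\objemb{\*\objclass Word.Document.8}{\*\objdata 0105000002000000}}"
    r"\par Invoice attached.}"
)
OBJECT_START_RE = re.compile(r"\{\\object\b")
OBJCLASS_RE = re.compile(r"\\objclass\s*([^{}\\;]+)")
OBJUPDATE_RE = re.compile(r"\\objupdate\b")

@dataclass
class EmbeddedObject:
    cls: str           # value of \objclass, e.g. "Excel.Sheet.8"
    auto_update: bool  # True if the object's group contains \objupdate

def rtf_group_at(text: str, start: int) -> str:
    """Return the brace-balanced RTF group that begins at text[start] == '{'."""
    depth, i = 0, start
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text) and text[i + 1] in "{}\\":
            i += 2  # escaped brace or backslash, not a group delimiter
            continue
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return text[start:i + 1]
        i += 1
    return text[start:]  # unterminated group: take the remainder

def find_embedded_objects(rtf: str) -> list:
    """List every {\\object ...} group with its class and \\objupdate status."""
    found = []
    for m in OBJECT_START_RE.finditer(rtf):
        group = rtf_group_at(rtf, m.start())
        cls = OBJCLASS_RE.search(group)
        found.append(EmbeddedObject(cls.group(1).strip() if cls else "unknown",
                                    OBJUPDATE_RE.search(group) is not None))
    return found

def auto_updating_objects(rtf: str) -> list:
    """Objects Word will update (and so activate) while loading the document."""
    return [o for o in find_embedded_objects(rtf) if o.auto_update]
```

To scan a real file, read it with encoding="latin-1" (RTF is 7-bit ASCII) and pass the text to auto_updating_objects; any hit on a .doc-named file deserves a closer look.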
Conclusion

The Zscaler ThreatLabZ team is actively tracking and reviewing these payloads to ensure that our customers are protected from malicious RTF documents and other campaigns that rely on social engineering tactics to spread malware.

Link: https://www.zscaler.com/blogs/research/malicious-rtf-document-leading-netwiredrc-and-quasar-rat

APTSimulator – A toolset to make a system look as if it was the victim of an APT attack

APT Simulator is a Windows Batch script that uses a set of tools and output files to make a system look as if it was compromised.

Use Cases
    POCs: Endpoint detection agents / compromise assessment tools
    Test your security monitoring's detection capabilities
    Test your SOC's response to a threat that isn't EICAR or a port scan
    Prepare an environment for digital forensics classes

Motives

Customers tested our scanners in a POC and sent us a complaint that our scanners didn't report on programs that they had installed on their test systems. They had installed Nmap, dropped a PsExec.exe in the Downloads folder and placed an EICAR test virus on the user's Desktop. That was the moment when I decided to build a tool that simulates a real threat in a more appropriate way.

Why Batch?

Because it's simple:
    Everyone can read, modify or extend it
    It runs on every Windows system without any prerequisites
    It is closest to a real attacker working on the command line

Focus

The focus of this tool is to simulate adversary activity, not malware.

Getting Started
    Download the latest release from the "release" section
    Extract the package on a demo system (Password: apt)
    Start a cmd.exe as Administrator
    Navigate to the extracted program folder and run APTSimulator.bat

Avoiding Early Detection

The batch script extracts the tools and shells from an encrypted 7z archive at runtime. Do not download the master repo using the "download as ZIP" button. Instead use the official release from the release section.

Extending the Test Set

Since version 0.4 it is pretty easy to extend the test sets by adding a single .bat file to one of the test-set category folders. E.g. if you want to write a simple use case for "privilege escalation" that uses a tool named "privesc.exe", clone the repo and do the following:
    Add your tool to the toolset folder
    Write a new batch script privesc-1.bat and add it to the ./test-sets/privilege-escalation folder
    Run build_pack.bat
    Add your test to the table and action list in the README.md
    Create a pull request

Tool and File Extraction

If your script includes a tool, web shell, auxiliary or output file, place them in the folders ./toolset or ./workfiles. Running the build script build_pack.bat will include them in the encrypted archives enc-toolset.7z and enc-files.7z.

Extract a Tool
    %ZIP% e -p%PASS% %TOOLARCH% -aoa -o%APTDIR% toolset\tool.exe > NUL

Extract a File
    %ZIP% e -p%PASS% %FILEARCH% -aoa -o%APTDIR% workfile\tool-output.txt > NUL

Detection

The following table shows the different test cases and the expected detection results.
    AV = Antivirus
    NIDS = Network Intrusion Detection System
    EDR = Endpoint Detection and Response
    SM = Security Monitoring
    CA = Compromise Assessment

Test Case (columns: AV, NIDS, EDR, SM, CA)
    Dumps (Pwdump, Dir Listing): X
    Recon Activity (Typical Commands): X X X
    DNS (Cache Injection): (X) X X X
    Eventlog (WCE entries): X X X
    Hosts File (AV/Win Update blocks): (X) X X
    Backdoor (StickyKey file/debugger): X X
    Obfuscation (RAR with JPG ext): (X)
    Web Shells (a good selection): X (X) X
    Ncat Alternative (Drop & Exec): X X X X
    Remote Execution Tool (Drop): (X) X
    Mimikatz (Drop & Exec): X X X X
    PsExec (Drop & Exec): X X X
    At Job Creation: X X X
    RUN Key Entry Creation: X X X
    System File in Susp Loc (Drop & Exec): X X X
    Guest User (Activation & Admin): X X X
    LSASS Dump (with Procdump): X X X
    C2 Requests: (X) X X X
    Malicious User Agent (Malware, RATs): X X X
    Scheduled Task Creation: X X X
    Nbtscan Discovery (Scan & Output): X X (X) X

Test Cases

1. Dumps
    Drops pwdump output to the working dir
    Drops a directory listing to the working dir
2. Recon
    Executes commands used by attackers to get information about a target system
3. DNS
    Looks up several well-known C2 addresses to cause DNS requests and get the addresses into the local DNS cache
4. Eventlog
    Creates Windows Eventlog entries that look as if WCE had been executed
5. Hosts
    Adds entries to the local hosts file (update blocker, entries caused by malware)
6. Sticky Key Backdoor
    Tries to replace sethc.exe with cmd.exe (a backup file is created)
    Tries to register cmd.exe as debugger for sethc.exe
7. Obfuscation
    Drops a cloaked RAR file with JPG extension
8. Web Shells
    Creates a standard web root directory
    Drops standard web shells to that directory
    Drops a GIF-obfuscated web shell to that directory
9. Ncat Alternative
    Drops a PowerShell Ncat alternative to the working directory
10. Remote Execution Tool
    Drops a remote execution tool to the working directory
11. Mimikatz
    Dumps mimikatz output to the working directory (fallback if other executions fail)
    Runs a special version of mimikatz and dumps output to the working directory
    Runs Invoke-Mimikatz in memory (github download, reflection)
12. PsExec
    Dumps a renamed version of PsExec to the working directory
    Runs PsExec to start a command line in LOCAL_SYSTEM context
13. At Job
    Creates an at job that runs mimikatz and dumps credentials to a file
14. RUN Key
    Creates a suspicious new RUN key entry that dumps "net user" output to a file
15. System File in Suspicious Location
    Drops a suspicious executable with a system file name (svchost.exe) in the %PUBLIC% folder
    Runs that suspicious program from the %PUBLIC% folder
16. Guest User
    Activates the Guest user
    Adds the Guest user to the local administrators
17. LSASS Dump
    Dumps LSASS process memory to a suspicious folder
18. C2 Requests
    Uses Curl to access well-known C2 servers
19. Malicious User Agents
    Uses malicious user agents to access web sites
20. Scheduled Task Creation
    Creates a scheduled task that runs mimikatz and dumps the output to a file
21. Nbtscan Discovery
    Scans 3 private class-C IP subnets and dumps the output to the working directory

Warning

This repo contains tools and executables that can harm your system's integrity and stability. Only use them on non-productive test or demo systems.

Advanced Solutions
    The CALDERA automated adversary emulation system https://github.com/mitre/caldera
    Infection Monkey – An automated pentest tool https://github.com/guardicore/monkey
    Flightsim – A utility to generate malicious network traffic and evaluate controls https://github.com/alphasoc/flightsim

Integrated Projects / Software
    Mimikatz
    PowerSploit
    PowerCat
    PsExec
    ProcDump
    7Zip
    curl

Link: http://feedproxy.google.com/~r/PentestTools/~3/rAND2a8X3zQ/aptsimulator-toolset-to-make-system.html