Suricata for Malware Classification - 2020 SuriCon
Suricata for Malware Classification
Tatyana Shishkova Malware Analyst @ Kaspersky Twitter: @sh1shk0va
Who Am I
Kaspersky | Suricata for Malware Classification
• Malware Analyst @ Android Threat Research team
• Previously: Malware Analyst @ Shift Malware Analysts team
• Writing Snort/Suricata rules since 2015
Overview
• Why use Suricata for malware classification?
• Examples for different cases
• Summary
Common ways of using Suricata
• Scanning passing traffic on your network
• Scanning traffic dumps (e.g. generated by a suspicious executable in a sandbox environment)
What to do if...
• Different malware families are detected by one AV rule
• Samples from one campaign are detected by different AV rules
• Samples from one campaign are targeting different platforms
• Sample is classified as malicious, no info about family
Formbook (Noon) bot
• Powerful stealer
• Widespread, Malware-as-a-Service model
• A lot of anti-analysis tricks
• …Hasn’t changed its communication with C&C significantly in years
One rule to catch them all!
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Trojan-Spy.Win32.Noon Checkin"; flow:to_server,established; content:"GET"; http_method; pcre:"/^(\/[a-zA-Z0-9]{2,})+\/\?[a-zA-Z0-9\-_]{2,}\=[a-zA-Z0-9\/.&+=_-]+$/U"; pcre:"/^(www\.)?[a-z0-9\-]{2,}\.[a-z]{2,}$/W"; http_connection; content:"close"; http_header_names; content:"|0D 0A|Host|0D 0A|Connection|0D 0A 0D 0A|"; startswith; classtype:trojan-activity; sid:XXXXXX; rev:1;)
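As an added example (not part of the talk), a small Python checker that applies the same conditions as the rule above to raw HTTP requests, so the URI and Host patterns can be tested offline against constructed samples; the layout of Suricata's http_header_names buffer is assumed from the Suricata documentation.

```python
import re

# Patterns copied from the rule above. In Suricata, the /U modifier applies the
# PCRE to the normalized URI buffer and /W to the (lower-cased) Host buffer.
URI_RE = re.compile(r"^(/[a-zA-Z0-9]{2,})+/\?[a-zA-Z0-9_-]{2,}=[a-zA-Z0-9/.&+=_-]+$")
HOST_RE = re.compile(r"^(www\.)?[a-z0-9-]{2,}\.[a-z]{2,}$")
# Layout of the http_header_names buffer assumed from the Suricata docs:
# "\r\n" before every header name and "\r\n\r\n" after the last one. Because
# the rule uses startswith, the request must carry exactly Host then Connection.
HEADER_NAMES_PREFIX = "\r\nHost\r\nConnection\r\n\r\n"


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into method, URI and an ordered header list."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, uri, headers


def matches_noon_checkin(raw: str) -> bool:
    """Apply the rule's conditions in order; every check must pass."""
    method, uri, headers = parse_request(raw)
    if method != "GET" or not URI_RE.match(uri):
        return False
    values = {name.lower(): value for name, value in headers}
    if not HOST_RE.match(values.get("host", "").lower()):
        return False
    # content:"close" without nocase is a case-sensitive match
    if values.get("connection") != "close":
        return False
    names_buf = "".join("\r\n" + name for name, _ in headers) + "\r\n\r\n"
    return names_buf.startswith(HEADER_NAMES_PREFIX)


# Constructed sample requests (not real captures): a check-in with the minimal
# header set the rule expects, the same request with an extra header, and an
# ordinary page fetch whose URI does not fit the pattern.
CHECKIN = ("GET /ab12/?xy-z=QWERTY123/abc+def=&zz HTTP/1.1\r\n"
           "Host: example-host.test\r\nConnection: close\r\n\r\n")
EXTRA_HEADER = ("GET /ab12/?xy-z=QWERTY123/abc+def=&zz HTTP/1.1\r\n"
                "User-Agent: Mozilla/5.0\r\nHost: example-host.test\r\n"
                "Connection: close\r\n\r\n")
PAGE_FETCH = ("GET /index.html HTTP/1.1\r\n"
              "Host: www.example.test\r\nConnection: close\r\n\r\n")

if __name__ == "__main__":
    for label, req in [("checkin", CHECKIN), ("extra header", EXTRA_HEADER),
                       ("page fetch", PAGE_FETCH)]:
        print(label, matches_noon_checkin(req))
```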
HQWar Android dropper
• Malware-as-a-Service
• Used mostly by banking Trojans and ransomware
• Doesn’t drop the encrypted APK but loads the code
HQWar Android dropper
Most popular payloads:
• Faketoken
• Anubis
• Asacub
• Marcher
• Svpeng
• Gustuff
• Ginp (new!)
HQWar APK (image slides): Anubis, Faketoken, Ginp, Gustuff
Communication (image slides): Anubis, Faketoken, Ginp, Gustuff
Clipper Android stealer
• Tracks clipboard content
• If a digital wallet number (payment systems, cryptocurrencies) is found, replaces it with the attacker’s wallet number
• Targets Bitcoin, Litecoin, Ethereum, Dogecoin, QIWI wallet, …
Clipper Android stealer
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Trojan-Banker.AndroidOS.Clipper GET Request"; flow:established,to_server; content:"GET"; http_method; content:"/gateway/attach.php?"; http_uri; content:"Apache-HttpClient"; http_user_agent; classtype:trojan-activity; sid:XXXXXX; rev:1;)
Clipper Android stealer?
Clipper Android stealer? Sauron locker
Sauron Android locker
• Encrypts files and contacts on the device
• Asks for ransom in Bitcoin, Litecoin, Dogecoin, QIWI wallet, …
Clipper stealer vs. Sauron locker (three side-by-side image slides: Clipper vs. Sauron)
Clipper stealer vs. Sauron locker
• First found: Clipper – Aug 2018, Sauron – Jun 2018
• Contain strings in Russian
• Use the beget.tech and jino.ru hosting providers
• Target an overlapping set of cryptocurrencies
Slempo Android banker + Clipper?
Other cases
• Multi-platform malware: similar patterns in traffic generated by Win and Android malware (client-server, APT attack, …)
• Malware evolution: an old rule alerted on traffic from a new sample
Summary
• Scanning traffic from already detected malicious executables may lead to interesting discoveries
• Generic rules are the best, but don’t forget about false alarms
• For malware classification, rules matching requests from the client are better
• Sometimes you can find something interesting by scanning with a rule set written for another platform