Suricata for Malware Classification - 2020 SuriCon in ... (transcript)
Suricata for Malware Classification
Tatyana Shishkova Malware Analyst @ Kaspersky Twitter: @sh1shk0va
Who Am I
Kaspersky | Suricata for Malware Classification
• Malware Analyst @ Android Threat Research team
• Previously: Malware Analyst @ Shift Malware Analysts team
• Writing Snort/Suricata rules since 2015
Overview
• Why use Suricata for malware classification?
• Examples for different cases
• Summary
Common ways of using Suricata
• Scanning live traffic passing through your network
• Scanning traffic dumps (e.g. traffic generated by a suspicious executable in a sandbox environment)
What to do if...
• Different malware families are detected by one AV rule
• Samples from one campaign are detected by different AV rules
• Samples from one campaign target different platforms
• A sample is classified as malicious, but there is no information about its family
Formbook (Noon) bot
• Powerful stealer
• Widespread, Malware-as-a-Service model
• A lot of anti-analysis tricks
• ...but its communication with the C&C has not changed significantly in years
Formbook (Noon) bot
Formbook (Noon) bot
One rule to catch them all!
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Trojan-Spy.Win32.Noon Checkin"; flow:to_server,established; content:"GET"; http_method; pcre:"/^(\/[a-zA-Z0-9]{2,})+\/\?[a-zA-Z0-9\-_]{2,}\=[a-zA-Z0-9\/.&+=_-]+$/U"; pcre:"/^(www\.)?[a-z0-9\-]{2,}\.[a-z]{2,}$/W"; http_connection; content:"close"; http_header_names; content:"|0D 0A|Host|0D 0A|Connection|0D 0A 0D 0A|"; startswith; classtype:trojan-activity; sid:XXXXXX; rev:1;)
HQWar Android dropper
• Malware-as-a-Service
• Used mostly by banking Trojans and ransomware
• Doesn’t drop the encrypted APK but loads the code
HQWar Android dropper
Most popular payloads:
• Faketoken
• Anubis
• Asacub
• Marcher
• Svpeng
• Gustuff
• Ginp (new!)
HQWar APK
Anubis
HQWar APK
Faketoken
HQWar APK
Ginp
HQWar APK
Gustuff
Anubis communication
Faketoken communication
Ginp communication
Gustuff communication
Clipper Android stealer
• Tracks clipboard content
• If a digital wallet number (payment systems, cryptocurrencies) is found, replaces it with the attacker’s wallet number
• Targets Bitcoin, Litecoin, Ethereum, Dogecoin, QIWI wallet, …
Clipper Android stealer
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Trojan-Banker.AndroidOS.Clipper GET Request"; flow:established,to_server; content:"GET"; http_method; content:"/gateway/attach.php?"; http_uri; content:"Apache-HttpClient"; http_user_agent; classtype:trojan-activity; sid:XXXXXX; rev:1;)
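The two rules above (the Formbook/Noon check-in rule and the Clipper GET rule) are easier to reason about when the HTTP sticky buffers they reference are spelled out. The following is an added example, not code from the talk or from Kaspersky: it emulates the relevant Suricata buffers (`http_method`, `http_uri`, `http_host`, `http_connection`, `http_user_agent`, `http_header_names`) for a parsed request and applies each rule's conditions to constructed requests. Buffer layouts follow the Suricata documentation (in particular, `http.header_names` is a CRLF-wrapped list of header names that ends in an extra CRLF); `flow` keywords are not emulated, the host buffer is assumed to carry no port, and all requests and hostnames are constructed.

```python
# Added example (not from the talk): emulate the Suricata HTTP buffers used by
# the Formbook (Noon) and Clipper rules and test constructed requests against
# the rule conditions without running Suricata.
import re


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, target and ordered headers."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, target, _version = request_line.split(b" ", 2)
    headers = []
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return {"method": method, "target": target, "headers": headers}


def http_buffers(req: dict) -> dict:
    """Approximate the Suricata buffers referenced by the two rules."""
    by_name = {name.lower(): value for name, value in req["headers"]}
    # http.header_names: every header name wrapped in CRLF, with a leading CRLF
    # and a closing CRLF pair, e.g. b"\r\nHost\r\nConnection\r\n\r\n".
    names = b"\r\n" + b"".join(name + b"\r\n" for name, _ in req["headers"]) + b"\r\n"
    return {
        "http_method": req["method"],
        "http_uri": req["target"],  # /U: normalised URI including the query string
        "http_host": by_name.get(b"host", b"").lower(),  # /W: lowercased host (assumption: no :port)
        "http_connection": by_name.get(b"connection", b""),
        "http_user_agent": by_name.get(b"user-agent", b""),
        "http_header_names": names,
    }


# Patterns copied from the Formbook rule on the slide.
NOON_URI = re.compile(rb"^(/[a-zA-Z0-9]{2,})+/\?[a-zA-Z0-9\-_]{2,}=[a-zA-Z0-9/.&+=_-]+$")
NOON_HOST = re.compile(rb"^(www\.)?[a-z0-9\-]{2,}\.[a-z]{2,}$")


def formbook_noon_checkin(raw: bytes) -> bool:
    """Conditions of 'Trojan-Spy.Win32.Noon Checkin' (flow keywords not emulated)."""
    b = http_buffers(parse_request(raw))
    return (
        b["http_method"] == b"GET"
        and NOON_URI.search(b["http_uri"]) is not None
        and NOON_HOST.search(b["http_host"]) is not None
        and b"close" in b["http_connection"]
        # startswith plus a content that ends in CRLF CRLF means the request
        # carries exactly Host and Connection and nothing else: that minimal
        # header set is the generic fingerprint the rule keys on.
        and b["http_header_names"].startswith(b"\r\nHost\r\nConnection\r\n\r\n")
    )


def clipper_get_request(raw: bytes) -> bool:
    """Conditions of 'Trojan-Banker.AndroidOS.Clipper GET Request'."""
    b = http_buffers(parse_request(raw))
    return (
        b["http_method"] == b"GET"
        and b"/gateway/attach.php?" in b["http_uri"]
        and b"Apache-HttpClient" in b["http_user_agent"]
    )


def matching_rules(raw: bytes) -> list:
    """Names of the emulated rules that fire on one request."""
    hits = []
    if formbook_noon_checkin(raw):
        hits.append("Trojan-Spy.Win32.Noon Checkin")
    if clipper_get_request(raw):
        hits.append("Trojan-Banker.AndroidOS.Clipper GET Request")
    return hits


# Constructed requests (hostnames use the reserved .test TLD).
NOON_REQ = (b"GET /ab8d/?kd4=abcDEF123&sql=1 HTTP/1.1\r\n"
            b"Host: www.example-panel.test\r\n"
            b"Connection: close\r\n\r\n")
# Same URI shape, but a User-Agent header is present: header_names no longer
# matches, which is what keeps ordinary HTTP clients out of the Formbook rule.
NOON_WITH_UA = (b"GET /ab8d/?kd4=abcDEF123&sql=1 HTTP/1.1\r\n"
                b"Host: www.example-panel.test\r\n"
                b"User-Agent: Mozilla/5.0\r\n"
                b"Connection: close\r\n\r\n")
CLIPPER_REQ = (b"GET /gateway/attach.php?id=abc123 HTTP/1.1\r\n"
               b"Host: panel.example-host.test\r\n"
               b"User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)\r\n"
               b"Connection: Keep-Alive\r\n\r\n")

if __name__ == "__main__":
    for label, req in [("noon", NOON_REQ), ("noon+ua", NOON_WITH_UA), ("clipper", CLIPPER_REQ)]:
        print(label, matching_rules(req))
```

The point worth taking from the emulation is which condition does the generic work: for Formbook it is the exact header-name list, not any single string, which is why one rule has covered the family for years, and also why a rule this generic must be checked against benign minimal clients (scripts, monitoring probes) before it is trusted for classification.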
Clipper Android stealer
Clipper Android stealer?
Clipper Android stealer? Sauron locker
Sauron Android locker
• Encrypts files and contacts on the device
• Asks for ransom in Bitcoin, Litecoin, Dogecoin, QIWI wallet, …
Clipper stealer vs. Sauron locker
Clipper
Sauron
Clipper stealer vs. Sauron locker
Clipper
Sauron
Clipper stealer vs. Sauron locker
Clipper
Sauron
Clipper stealer vs. Sauron locker
• First found: Clipper – Aug 2018, Sauron – Jun 2018
• Both contain strings in Russian
• Both use the beget.tech and jino.ru hosting providers
• Both target an intersecting set of cryptocurrencies
Slempo Android banker + Clipper?
Other cases
• Multi-platform malware: similar patterns in the traffic generated by Windows and Android malware (client-server, APT attack, …)
• Malware evolution: an old rule alerted on traffic from a new sample
Summary
• Scanning traffic from already detected malicious executables may lead to interesting discoveries
• Generic rules are the best, but don’t forget about false alarms
• For malware classification, rules on requests from the client work better
• Sometimes you can find something interesting when scanning with a rule set written for another platform
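The workflow the talk describes (scan each detected sample's traffic dump, then compare what the network rules say with what the AV verdict says) can be reduced to a small classifier over Suricata's EVE output. The following is an added example, not code from the talk or from Kaspersky. It assumes each sample's dump was scanned separately, that the sample identifier is carried in the pcap file name (a constructed convention) and that the EVE alert records carry that file name in `pcap_filename`, as Suricata does when reading from pcap files; rule names follow the Kaspersky-style naming used on the slides, and every alert line and AV verdict below is constructed. It covers all four situations the summary lists: a generic AV verdict that a family rule resolves, a family mismatch worth reviewing (the Clipper/Sauron case), a rule for one platform firing on a sample for another, and a sample with no alerts at all.

```python
# Added example (not from the talk): derive classification verdicts from
# per-sample Suricata EVE alerts and the AV name each sample already has.
import json
import re
from collections import defaultdict

# Constructed EVE records, trimmed to the fields the classifier needs.
EVE_LINES = [
    '{"event_type":"alert","pcap_filename":"/scans/aaaa1111.pcap","alert":{"signature":"Trojan-Banker.AndroidOS.Clipper GET Request"}}',
    '{"event_type":"alert","pcap_filename":"/scans/bbbb2222.pcap","alert":{"signature":"Trojan-Banker.AndroidOS.Clipper GET Request"}}',
    '{"event_type":"alert","pcap_filename":"/scans/cccc3333.pcap","alert":{"signature":"Trojan-Spy.Win32.Noon Checkin"}}',
    '{"event_type":"flow","pcap_filename":"/scans/dddd4444.pcap"}',
]

# Constructed AV verdicts for the scanned samples.
AV_VERDICTS = {
    "aaaa1111": "HEUR:Trojan.AndroidOS.Generic",      # malicious, family unknown
    "bbbb2222": "Trojan-Ransom.AndroidOS.Sauron.a",   # AV family differs from the rule's
    "cccc3333": "Trojan-Dropper.AndroidOS.Hqwar.b",   # a Win32 rule fired on an Android sample
    "dddd4444": "HEUR:Trojan.AndroidOS.Generic",      # no alert at all
}

# Kaspersky-style name: [HEUR:]Behaviour.Platform.Family[.variant] [rule suffix]
NAME_RE = re.compile(r"^(?:HEUR:)?([A-Za-z-]+)\.([A-Za-z0-9]+)\.([A-Za-z0-9]+)")


def split_name(name: str):
    """'Trojan-Spy.Win32.Noon Checkin' -> ('Trojan-Spy', 'Win32', 'Noon')."""
    m = NAME_RE.match(name)
    return (m.group(1), m.group(2), m.group(3)) if m else None


def sample_id(pcap_filename: str) -> str:
    """Sample identifier embedded in the pcap file name (constructed convention)."""
    return pcap_filename.rsplit("/", 1)[-1].rsplit(".", 1)[0]


def alerts_by_sample(lines):
    """Map sample id -> set of signature names that fired on its traffic."""
    hits = defaultdict(set)
    for line in lines:
        ev = json.loads(line)
        if ev.get("event_type") == "alert":
            hits[sample_id(ev["pcap_filename"])].add(ev["alert"]["signature"])
    return hits


def classify(av_verdicts, eve_lines):
    """Return one verdict string per sample from its AV name plus rule hits."""
    hits = alerts_by_sample(eve_lines)
    result = {}
    for sid, av in av_verdicts.items():
        av_parts = split_name(av)
        families = {split_name(s) for s in hits.get(sid, ())}
        families.discard(None)
        if not families:
            result[sid] = "unclassified: no rule hit"
            continue
        verdicts = []
        for _behaviour, platform, family in sorted(families):
            if av_parts is None or av_parts[2] == "Generic":
                verdicts.append(f"assign family {family}")
            elif av_parts[1] != platform:
                verdicts.append(f"cross-platform: {platform} rule {family} on {av_parts[1]} sample")
            elif av_parts[2] != family:
                verdicts.append(f"review: AV says {av_parts[2]}, traffic looks like {family}")
            else:
                verdicts.append(f"confirmed {family}")
        result[sid] = "; ".join(verdicts)
    return result


if __name__ == "__main__":
    for sid, verdict in classify(AV_VERDICTS, EVE_LINES).items():
        print(sid, "->", verdict)
```

The "review" and "cross-platform" outcomes are the interesting discoveries the summary refers to; they are prompts for an analyst, not final labels, since a shared hosting provider or a reused client library can make two unrelated families look alike on the wire.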