Eric Partington

Malware Service - Custom Yara for the Doublekill

Blog Post created by Eric Partington Employee on May 17, 2018

A question came from a customer about a recent 0-day Doublekill (Byte Nibble Obfuscation) yara rule that they were trying to implement with RSA NetWitness. 

 

Challenge accepted !

 

First thing was to locate the yara signature in question:

c0d3inj3cT on Twitter: "Very interesting collection of Yara hunting rules to discover some of the latest techniques here… 

 

Specifically this signature:

yara-rules/RTF_Byte_Nibble_Obfuscation.rule at master · InQuest/yara-rules · GitHub 

 

Which looks like this

rule RTF_Byte_Nibble_Obfuscation_method1 {     strings:         $magic  = {7b 5c 72}         $update = "\\objupdate" nocase         $data   = "\\objdata"   nocase         $nibble = /([A-Fa-f0-9]\\'[A-Fa-f0-9]{4}){4}/     condition:         $magic in (0..30) and all of them and #nibble > 10 }  rule RTF_Byte_Nibble_Obfuscation_method2 {     strings:         $magic  = {7b 5c 72}         $nibble = /\\objupdate.{0,1024}\\objdata.{0,1024}([A-Fa-f0-9]\\'[A-Fa-f0-9]{4}){2}/     condition:         $magic in (0..30) and all of them }

How can this be applied to RSA NetWitness?
Malware service with 10.6.x or standalone with 11.x can leverage custom yara signatures following this configuration:
Investigation and Malware Analysis User Guide for Version 11.0 

Start with page 172 to start with custom yara content

current yara version on the MA service is 3.7 which is being updated in the Docs (reference to 1.7 is incorrect)
[root@nw11malware ~]# yara -v
3.7.0

Now we need to format the yara rule so that the MA service (Malware) loads the yara signature into the Yara library and runs it against files seen in the appliance.
These are the additional items to be added to each yara signature section (examples)
meta:
iocName = "FW.ecodedGenericCLSID"
fileType = "WINDOWS_PE"
score = 25
ceiling = 100
highConfidence = false

The end result of the rule is this ( The rules are doubled as i wasn't sure how the file would be presented to the engine (PE or MS Office)
rule RTF_Byte_Nibble_Obfuscation_method1
{
meta:
iocName = "RTF_Byte_Nibble_Obfuscation_method1"
fileType = "MS_OFFICE"
score = 85
ceiling = 100
highConfidence = true

strings:
$magic = {7b 5c 72}
$update = "\\objupdate" nocase
$data = "\\objdata" nocase
$nibble = /([A-Fa-f0-9]\\'[A-Fa-f0-9]{4}){4}/
condition:
$magic in (0..30) and all of them and #nibble > 10
}

rule RTF_Byte_Nibble_Obfuscation_method2
{
meta:
iocName = "RTF_Byte_Nibble_Obfuscation_method2"
fileType = "MS_OFFICE"
score = 85
ceiling = 100
highConfidence = true

strings:
$magic = {7b 5c 72}
$nibble = /\\objupdate.{0,1024}\\objdata.{0,1024}([A-Fa-f0-9]\\'[A-Fa-f0-9]{4}){2}/
condition:
$magic in (0..30) and all of them
}

rule RTF_Byte_Nibble_Obfuscation_method1_PE
{
meta:
iocName = "RTF_Byte_Nibble_Obfuscation_method1_PE"
fileType = "WINDOWS_PE"
score = 80
ceiling = 100
highConfidence = true

strings:
$magic = {7b 5c 72}
$update = "\\objupdate" nocase
$data = "\\objdata" nocase
$nibble = /([A-Fa-f0-9]\\'[A-Fa-f0-9]{4}){4}/
condition:
$magic in (0..30) and all of them and #nibble > 10
}

rule RTF_Byte_Nibble_Obfuscation_method2_PE
{
meta:
iocName = "RTF_Byte_Nibble_Obfuscation_method2_PE"
fileType = "WINDOWS_PE"
score = 80
ceiling = 100
highConfidence = true

strings:
$magic = {7b 5c 72}
$nibble = /\\objupdate.{0,1024}\\objdata.{0,1024}([A-Fa-f0-9]\\'[A-Fa-f0-9]{4}){2}/
condition:
$magic in (0..30) and all of them
}

Save that in a file like this RTF_Byte_NIbble_Obfuscation.yara

Follow the instructions in the doc to put the file in the correct directory to get it added to the yara section
(again path being updated for 11.x as it changed in from the 10.6 paths - doc update coming)

[root@TESTHOST yara]# pwd
/var/netwitness/malware-analytics-server/spectrum/yara/
[root@TESTHOST yara]# ls *.yara
rsa_mw_pdf_artifacts.yara rsa_mw_pe_artifacts.yara rsa_mw_pe_ packers.yara

This is where you can drop the yara signature to do any more work on it, then move it to the watch/ folder to import it

Once the import is successful the rule will show like this

[root@nw11malware yara]# ls
error rsa_mw_pdf_artifacts.yara rsa_mw_pe_packers.yara watch
processed rsa_mw_pe_artifacts.yara RTF_Byte_Nibble_Obfuscation.yara

If there are errors then the rule ends up in error/

The rules should be available in MA service UI (Admin > Service > MA > config > IOCs > Yara)


You can see your custom yara rules listed along with the score we assigned and the type of file it will match on


Find a sample to test ... like this one
https://www.hybrid-analysis.com/sample/10ceb5916cd90e75f8789881af40287c655831c5086ae1575b327556b63cdb24 

After a sign up and vetting process you can download the sample as bin.gz

Which I transferred as is to the MA service location so that i can uncompress it, change the name to .rtf , zip and add password of infected so that it can be picked up for analysis

scp over to the MA service (if you dont have the file upload dir exposed by NFS)

move the file to this directory
cd /var/netwitness/malware-analytics-server/spectrum/infectedZipWatch

Install zip
yum install zip

Ungzip the sample
gunzip 10ceb5916cd90e75f8789881af40287c655831c5086ae1575b327556b63cdb24.bin.gz

Rename from .bin to .rtf
mv 10ceb5916cd90e75f8789881af40287c655831c5086ae1575b327556b63cdb24.bin 10ceb5916cd90e75f8789881af40287c655831c5086ae1575b327556b63cdb24.rtf

zip -e 10ceb5916cd90e75f8789881af40287c655831c5086ae1575b327556b63cdb24.rtf 10ceb5916cd90e75f8789881af40287c655831c5086ae1575b327556b63cdb24.rtf.zip

Use password of 'infected'

Move to watch/

This will now get processed by the file watcher and show up in the MA UI when processed like this


The user is fileshare as that was where it was picked up from.

You can open up the report and see the details

Which looks like this


Opening that up looks like this

At the top are the sandbox related items from Threatgrid


The Yara results are shown in the static analysis section further down


Which shows us the signature fired on this sample ( the MS_OFFICE one not the PE_Executable version of the yara sig)

You can see the potential IOC listed in the IOC Summary tab


If this type of file came across the wire and matched the criteria to pull them into MA and you had the License to enable automatic analysis then files like this would be automatically analyzed in MA

Output:
If you had created the syslog output from MA to NetWitness logs or another SIEM then you would get an output like this

May 16 15:51:59 nw11malware CEF:0|RSA|Netwitness for Malware Audit logging|11.1.0.0-8295.5.0|Suspicious Event|Detected suspicious network event|2|static=100.0 community=0.0 sandbox=95.0 malware.nextgen.source=http://localhost event.type=FILE_SHARE event.id=36569 high.confidence.ioc.hit=com.netwitness.malware.rules.sandbox.autostart.registry.currentcontrolset.services USER=Unknown identity
May 16 15:51:59 nw11malware CEF:0|RSA|Netwitness for Malware Audit logging|11.1.0.0-8295.5.0|Suspicious File|Detected suspicious file|2|static=100.0 community=0.0 sandbox=95.0 fname=10ceb5916cd90e75f8789881af40287c655831c5086ae1575b327556b63cdb24.rtf fsize=85584 fileHash=b48ddad351dd16e4b24f3909c53c8901 file.sha1.hash=a3424a3593b6d7aaefa23f8076b141205cdbf5c0 file.sha256.hash=10ceb5916cd90e75f8789881af40287c655831c5086ae1575b327556b63cdb24 event.id=36569 high.confidence.ioc.hit=com.netwitness.malware.rules.sandbox.autostart.registry.currentcontrolset.services USER=Unknown identity

By default one of the three hashes are indexed but that is being changed to include all three versions of the hash so that we can match on any version of that hash if we have a known hash list in NetWitness that might match from endpoint logs or malware output. (internal change being made to add these)

 

cef-custom.xml

<DEVICEMESSAGES>
<VendorProducts>
<Vendor2Device vendor="RSA" product="rsa_netwitness_for_malware_audit_logging" device="rsa_netwitness_for_malware_audit_logging" group="Anti Virus"/>
</VendorProducts>
<ExtensionKeys>
<ExtensionKey cefName="file.sha1.hash" metaName="checksum"/>
<ExtensionKey cefName="file.sha256.hash" metaName="checksum"/>
<ExtensionKey cefName="USER" metaName="username"/>
</ExtensionKeys>
</DEVICEMESSAGES>

 

Devices look like this

 

device.type = 'rsa_netwitness_for_malware_audit_logging'

 

And in the Event analysis view you get this type of meta

 

We have the filename from the submission (matches up with filename.all and every other filename that the system might capture from logs/packets/endpoint/malware/netflow), the checksums from the submission and the threat.category.

 

Now you can hook into RE service to report on these occurrences or ESA for immediate correlation across sessions.

Outcomes