Join me in learning how to detect the STRRAT malware family with Zeek and Suricata.
Corelight Blog: https://corelight.com/blog/newsroom/news/strrat-malware
Source Code: https://github.com/corelight/zeek-strrat-detector
00:00:10:18 – 00:00:37:17
Dr. Keith Jones
Hey, welcome. We’re going to talk about how to detect STRRAT, which is a malware family. This malware is written in Java, and this malware family is a remote access Trojan, you know, it provides access to a victim computer once it’s executed on it. But it also steals information and it sends this information using a C2 protocol between the victim computer and this malware infrastructure.
00:00:37:20 – 00:01:01:25
Dr. Keith Jones
And we’re going to figure out a way to detect the STRRAT malware by looking at that connection. Okay. So you probably wonder, you see, why STRRAT? Why didn’t you pick something else? Well, STRRAT bubbled up to the top on this chart of one of my favorite malware sandbox providers, ANY.RUN. They have this handy chart.
00:01:01:28 – 00:01:25:02
Dr. Keith Jones
The malware trends chart, and when you go in there, they will aggregate the information that’s been submitted to their sandbox over time. And the most prevalent families will bubble up to the top. So what I do is I usually start at the top of that chart and start looking at the most prolific malware, and I start looking at the network traffic that they send
00:01:25:26 – 00:01:45:20
Dr. Keith Jones
when that ANY.RUN captures, when they execute the malware. Now if so, what I did is on that malware trends I noticed that STRRAT was at the top. And then I started looking at submissions and I found this submission here that when you click in there, there’s the network window pane at the bottom. And there’s a little spot down there.
00:01:45:20 – 00:01:54:11
Dr. Keith Jones
It says, I think it says pcap. And when you click on that you can actually download the network traffic that occurred when this malware sample was executed.
00:01:54:11 – 00:02:08:12
Dr. Keith Jones
You can put that into another free tool called Wireshark. And it looks like this. And there’s this TCP port 8219. There’s this connection that happens in that, in that pcap that I’m showing you on your screen.
00:02:08:12 – 00:02:28:11
Dr. Keith Jones
You can see every different, all the different packets that go across the wire at that time. Now you can actually right click on any of those lines and say follow TCP stream. And it takes the data, all that ugly stuff that you see at the bottom, and it basically puts it together in one session for you. Like this.
00:02:28:13 – 00:02:48:20
Dr. Keith Jones
So once we look at this session, you can start to see some patterns. You see like a number. You see a blank line. You see this really long line. And then you see a number again blank line and then a really long line. And then it just keeps going over and over and over. So to a trained eye you look at this and you say oh well this looks like messages.
00:02:48:20 – 00:03:08:17
Dr. Keith Jones
It’s a series of messages that are sent across the network. And just eyeballing this, I mean, this is the ping command, which I just know because I studied it. It’s kind of like a check in command to STRRAT. So the victim computer every now and then it’ll just check in with the malware infrastructure and say, hey, anything new?
00:03:08:17 – 00:03:29:16
Dr. Keith Jones
Should I be doing anything? And that’s the ping command that you see here. Now, just one of those messages. Like I said, it’s actually several lines here. We see, you know, the very first one I have, this number, this ASCII number, this isn’t actually a, it’s written in ASCII on the network. So it’s not the actual number on the network.
00:03:29:20 – 00:03:52:28
Dr. Keith Jones
And then it has a blank line, and then it has this big payload. And what we got to do is we got to take this number, which ends up being the length of this payload, in order to chop up this payload as well, you need that length in order to know when to stop chopping up that payload and when the next message starts.
00:03:53:01 – 00:04:14:25
Dr. Keith Jones
So now that we know that that’s the general format of these messages, we can write an analyzer in this language underneath Zeek called Spicy. Now Zeek will sit there and watch your network for different things that happen that you can, you know, you could say, hey, if the TCP connection is too big, alert me, or if I’m dropping packets, alert me, that type of thing.
00:04:14:27 – 00:04:35:05
Dr. Keith Jones
Well, what we’re going to do is we’re going to write a detector that looks for the STRRAT data that goes across the wire. But to do that, we got to write it in a lower level language underneath that Zeek called Spicy. That actually takes that low level data, chops it up into the fields. And that makes it available to Zeek.
00:04:35:07 – 00:04:59:07
Dr. Keith Jones
Sounds complicated, I know. But it’s actually, when I explain it to you, I hope it comes across that it’s not that complicated. So to get my point across, let’s talk about the Zeek, the Spicy analyzer itself. So here’s the Spicy code. And it’s only 11 lines. This is a really, really, I won’t say trivial, but a very simple protocol that we’ll be chopping up.
00:04:59:10 – 00:05:29:14
Dr. Keith Jones
So the real meat of it happens between lines seven and 11. And this chops up one message and you can see I’m saying, Len, Len, that’s shorthand for length. And it’s saying you should be looking for data that is an ASCII number, which is exactly what we saw. And this is the cool part. I take that info and I plug it into, or I use a function I call, to int, and I turn the ASCII representation of a number into a real representation of the number in an integer.
00:05:29:14 – 00:05:46:15
Dr. Keith Jones
It’s awesome. So now this becomes an integer and I can do stuff with it. And then this field here, I don’t really care. I’m not going to save it I don’t care. So I don’t name it anything. But I do know that it’s the blank line. So I have this series of new lines and carriage returns that are expected from this malware.
00:05:46:17 – 00:06:05:21
Dr. Keith Jones
And then the last line here says, hey, your payload is going to be a size of length. That’s it. I mean, that’s how simple it is. So this chops up one message. And then if we go up here, we see that one message gets turned into an array. And now we have a plural name of STRRAT messages.
00:06:05:23 – 00:06:25:19
Dr. Keith Jones
So now Spicy is going to look at a connection and pass an array of these messages. Now how do we do that? In Zeek there’s this thing called a dynamic protocol detection signature that you can write. And this is what it looks like for this guy. It’s only, you know, actually two lines of stuff that you need to search.
00:06:25:19 – 00:06:47:25
Dr. Keith Jones
It’s lines two and three. So really what the signature says on line four is when you hit these things, enable this STRRAT analyzer that I just showed you earlier. Okay. So when these two things are true, turn on the STRRAT analyzer. And those two things are: the protocol has to be TCP. So basically throw out everything else.
00:06:47:27 – 00:07:20:21
Dr. Keith Jones
And then this payload has to hit this regular expression. And it starts with an ASCII number. Has that new line. And then it’s got this command. And then you can see there’s the pipe symbol, the STRRAT, and the pipe symbol. And it looks at it case insensitively. Now when this hits, it triggers this Spicy program to be running on that connection, which then starts chopping up data and sending it to Zeek, so we can write now a Zeek program, which, don’t get discouraged.
00:07:20:21 – 00:07:41:20
Dr. Keith Jones
The first half of this is boilerplate. So we don’t really start until line 11. So here in the Zeek code we’re saying at line 11, when there’s a separate message parsed and this event fires, we’re going to take the data that it parsed. You see here there’s the payload and all that stuff and the connection. We’re going to put that into a nice little message.
00:07:41:23 – 00:08:03:25
Dr. Keith Jones
And then we’re going to take the payload. And we’re going to put it in a sub field of the notice log. So if you run Zeek with this logic and the pcap that I talked to you about earlier, you’re going to get a notice log that will look like this, which really those two lines are the important ones. And you can see over here that it said hey I found STRRAT.
00:08:03:28 – 00:08:26:11
Dr. Keith Jones
It says it in the human readable version. And then there is the payload where it starts with ping and all that. Pretty cool. So all that logic detected STRRAT on our network and then gave us the data so we could actually do something with it now. So some people, they don’t care what the payload is. To malware analysts,
00:08:26:11 – 00:08:44:23
Dr. Keith Jones
they probably will. There’s a lot of tools out there for malware analysts. You can try to decrypt things and, you know, do a complete separate analysis outside of Zeek that you would need this information that Zeek gives you. So, even if this does if you’re not a malware analyst, you look at this thing like why would I want that?
00:08:44:25 – 00:09:19:07
Dr. Keith Jones
There are people that would get this and go, oh, I got the payload. I know exactly what this malware did, and if it was encrypted, they could try to decrypt it and all that stuff. Now, I’m not going to try to pretend to be an expert in Suricata rules. We’ve got experts inside Corelight for that. Travis Green, he wrote these Suricata rules and he took my Zeek logic and basically put it on steroids for Suricata because he not only detected the ping command that we talked about earlier, but he looked for this up an exec command, which is a separate command as well, and wrote a signature for that.
00:09:19:09 – 00:09:43:15
Dr. Keith Jones
And then he also worked for distinct class names in a jar file, which a Jar file is a Java file. So because that’s got computer instructions in it, we can search it. And when he knew that this particular name shows up in there and he made a signature for it, he also went into the leaked source code for the malware itself.
00:09:43:15 – 00:10:13:12
Dr. Keith Jones
And notice that there’s a license that gets checked, because a lot of times, malware authors are not the same people that deploy the malware to the victims. So those people buy the malware from the malware authors and you got to license it. Well, he keyed in on that check and figured out a signature for that. And then he also keyed in on, I don’t want to say it’s a reconnaissance check, but when a malware infects a victim, a lot of times it’ll check what its IP address is and where it is in the world.
00:10:13:12 – 00:10:41:17
Dr. Keith Jones
It just gets its bearings straight. And it goes to this website called IP API. And humans could go there and pull their IP information. But this malware does it with something different that humans and other malware don’t use. It uses a specific user agent string. And once we see that user agent string going to that domain of IP API dot
00:10:41:17 – 00:11:08:22
Dr. Keith Jones
com, now we know that that’s a STRRAT candidate that we’re possibly looking at. So what Travis did, he wrote a rule that would actually detect that user agent string going to that website. So one of the very possible things that happens in the wild is malware is created on day one. Six months go by. Now the security world found out about it.
00:11:08:23 – 00:11:38:22
Dr. Keith Jones
We all went, oh God, we got to write a C2 analyzer for this thing, just like I just showed you. Right? So in that gap in that six months, people could have been infected. Right? And we don’t have a detector that’s actively watching the network before in that six months. But if you have Zeek running and there are Zeek logs historically for you, you can take some of that signature, some of those signature artifacts that Travis put into Suricata rules,
00:11:38:24 – 00:11:59:29
Dr. Keith Jones
and you can actually search your logs historically looking for some of those signatures. And another one of our researchers, Simeon, he went in and wrote a SIEM search. And specifically what you’re seeing on your screen is LogScale. But if you’re a Splunk user, you can translate this over to your platform of however you search logs.
00:12:00:01 – 00:12:24:10
Dr. Keith Jones
Me personally, I use the find command and I crawl a file system and I look for TSV logs and I search for these things. So whatever your flavor of your tool is, take this meat and plug it in appropriately. Okay. And let me put on a screen. This is our just internal LogScale example on this pcap that we’re showing you that hit.
00:12:24:13 – 00:12:37:09
Dr. Keith Jones
So if this is a real network and you’re running LogScale you’re dumping your Zeek logs into it, and you ran this query that we gave you, this is a high probability that this could be a STRRAT connection.
00:12:37:09 – 00:12:47:08
Dr. Keith Jones
All right. So with that, I hope you walk away from this and you say, you know what, my network is a little more secure against STRRAT.
00:12:47:13 – 00:13:08:26
Dr. Keith Jones
And I have more mechanisms now to detect if STRRAT was on my network, now, at least I can tell what it did, right. I got the log and I got the payloads. If there was anything, I try to keep these videos as short as possible because there’s a lot of details in here. I know I skipped some details, I know I did, so if there’s anything in here where you go, I totally didn’t understand that,
00:13:09:01 – 00:13:24:27
Dr. Keith Jones
just put it in the comments of the video and I’ll try to answer it. Anytime anybody asks me questions like this, I try to answer them the best that I can. So if there was anything that was unclear, please do feel free to put them down there and I’ll try to answer it, and then other people will catch it too.
00:13:25:00 – 00:13:39:04
Dr. Keith Jones
And with that, I hope you enjoyed this and I hope you come back. And I think Agent Tesla will probably be the next one that I produce for this video. So I hope you come back and check that one out. See you then.