Using Intezer Analyze to Reveal Malware Ancestry and Assist IR and Forensic Investigations
Updated: Jul 25
The Creeper was one of the first worms that ran on the Tenex operating system. It was identified running on ARPANET (Advanced Research Projects Agency Network) in 1971 and left the message “I’M THE CREEPER : CATCH ME IF YOU CAN” on the systems it infected. Since then, millions of worms, viruses, Trojans, ransomware, and other types of malware have been released across the Internet, affecting organizations all over the world.
Today, much malware still operates on the same concept of infecting machines and spreading through networks. Because of this, it makes sense to approach malware at its genetic level in order to find relationships, origins, and leads that aid investigations of malware and threat actors, and that add value for organizations defending against various types of threats. Polito has tested Intezer Analyze (https://analyze.intezer.com), a tool that approaches malware at its genetic level, identifying malware families, origins, source code, and strings using Intezer's Genetic Malware Analysis approach.
Intezer Analyze™ dissects binary code into thousands of small code fragments (genes), then compares them to a massive database that contains genes from malware and legitimate software, effectively providing a full DNA mapping of each executable. By detecting even the smallest fragments of shared code between files, security teams can identify malicious files, classify threats into their relevant malware families, and prioritize alerts according to risk and severity.
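To make the gene idea concrete, here is an added toy model of code-reuse scoring written for this post; it is not Intezer's algorithm, gene size, or database. It slices constructed byte patterns (stand-ins for compiled code) into overlapping fragments, hashes each fragment, and reports what share of a sample's malicious genes each family accounts for, ignoring genes that also occur in legitimate software.

```python
from collections import Counter
import hashlib

GENE_SIZE = 8  # bytes per fragment; an assumed toy value, not Intezer's

def genes(code: bytes, size: int = GENE_SIZE):
    """Slice a code blob into overlapping fragments and hash each one."""
    return {hashlib.sha1(code[i:i + size]).hexdigest()
            for i in range(max(len(code) - size + 1, 1))}

def build_gene_db(corpus):
    """Map gene hash -> set of labels (malware family or 'legit')."""
    db = {}
    for label, blob in corpus:
        for g in genes(blob):
            db.setdefault(g, set()).add(label)
    return db

def classify(sample: bytes, db):
    """Return (verdict, {family: share of the sample's shared malicious genes}).
    A gene also seen in legitimate software is skipped, so shared runtime or
    library code is not counted as malware reuse."""
    shared = Counter()
    for g in genes(sample):
        labels = db.get(g, set())
        if "legit" in labels:
            continue
        for label in labels:
            shared[label] += 1
    total = sum(shared.values())
    shares = {k: v / total for k, v in shared.items()} if total else {}
    return ("malicious" if total else "no known malicious code"), shares

# Constructed byte patterns standing in for each family's compiled code.
TRICKBOT = b"\x55\x8b\xec\x83\xec\x40\x53\x56\x57\x8b\x7d\x08"
COINMINER = b"\x48\x83\xec\x28\x48\x8b\x0d\x11\x22\x33\x44\x55"
LEGIT = b"\x4d\x5a\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00"
CORPUS = [("TrickBot", TRICKBOT * 4), ("CoinMiner", COINMINER * 4),
          ("legit", LEGIT * 4)]
GENE_DB = build_gene_db(CORPUS)

if __name__ == "__main__":
    # A sample made mostly of TrickBot code, some CoinMiner, plus library code.
    verdict, shares = classify(TRICKBOT * 4 + COINMINER + LEGIT * 2, GENE_DB)
    print(verdict, {k: round(v, 2) for k, v in shares.items()})
```

The sample in the demo scores 12 of 17 shared malicious genes as TrickBot and 5 as CoinMiner, mirroring the "predominantly TrickBot, plus CoinMiner" style of result discussed below.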
Process and Proof of Concept
Polito conducts numerous incident response, forensics, and threat hunting engagements. During a recent engagement, the team obtained suspected malicious files for analysis. Polito used Intezer Analyze as one of the tools for malware analysis and to help the affected organization understand what type of malware was targeting it. This supported effective remediation by containing the identified malware and limiting its spread.
The malware analysis process in Intezer Analyze starts with uploading the suspected file to the File Analysis module. The Enterprise edition ensures that any samples uploaded are private. Examples of file types that can be uploaded include .dll, .exe, and .sys. Files can be uploaded by dragging and dropping them into the box or by browsing the computer after clicking on the upload box.
After the engine analyzes the uploaded file, it outputs the results and the verdict. This specific uploaded executable has been classified as malicious, and the code has been analyzed to break it down by its genes. In this case, the file contains predominantly TrickBot malware code, in addition to CoinMiner, PhotoMiner, and JigsawLocker code or genes.
The analyst is then able to find out more about the type of malware identified through a short synopsis and numerous resources, as well as a link to VirusTotal to view any related samples available. Additionally, by clicking on Shared Code it is possible to view the code (and shared code) at the assembly level to further analyze the exact actions the malware will take, and to compare it with other malware and files uploaded during an incident or other malware analysis work.
In addition to code and malware analysis, Intezer Analyze can serve as a platform to assist in remediation, defensive cybersecurity, and tuning of Security Information and Event Management (SIEM) systems such as Splunk, ELK (Elastic), and others. The Intezer Analyze engine generates YARA, OpenIOC, STIX, and/or STIX2 signatures based on the strings identified within the code analyzed during the file upload. These signature-based rules can be downloaded by hovering over the injection icon and selecting the type of signature desired.
This can be extremely valuable for automating rule creation and integrating the rules into a SIEM and the other detection and protection tools an organization uses to harden its systems, networks, and overall security posture. The same rules can be used during incident response to stop malware execution and prevent further spread throughout the network.
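As an added illustration of what a string-based signature like the ones described above looks like and how it behaves, here is a small example written for this post; it is not the rule text Intezer Analyze generates. The strings, the allowlist of generic strings, and the rule name are all constructed. It drops strings that are short or common to legitimate software, renders a YARA rule whose condition requires several strings to match, and applies that same condition to raw file bytes.

```python
# Constructed: strings recovered from an analyzed sample; the values are made up.
SAMPLE_STRINGS = [
    "kernel32.dll",             # found in nearly every Windows PE: weak signal
    "GetProcAddress",           # same
    "/c1/%s/%s/%d/%s/%s/%s/",   # constructed C2 path format string
    "moduleconfig",             # constructed
    "Ctrl-Alt-Del to restart",  # generic crash text
]

# Constructed allowlist of strings that also appear in legitimate software.
COMMON_STRINGS = {"kernel32.dll", "GetProcAddress", "Ctrl-Alt-Del to restart"}

def select_strings(strings, common=COMMON_STRINGS, min_len=8):
    """Drop short or widely shared strings so the rule does not false-positive."""
    return [s for s in strings if len(s) >= min_len and s not in common]

def yara_escape(s: str) -> str:
    """Escape backslashes and double quotes for a YARA text string literal."""
    return s.replace("\\", "\\\\").replace('"', '\\"')

def render_rule(name, strings, required):
    """Render a YARA rule whose condition needs `required` of the strings."""
    lines = [f"rule {name}", "{", "    strings:"]
    lines += [f'        $s{i} = "{yara_escape(s)}"' for i, s in enumerate(strings)]
    lines += ["    condition:", f"        {required} of them", "}"]
    return "\n".join(lines) + "\n"

def evaluate(strings, required, data: bytes):
    """Apply the same 'N of them' condition to raw file bytes (no yara module)."""
    hits = [s for s in strings if s.encode() in data]
    return len(hits) >= required, hits

def build_and_check(sample_bytes: bytes, required: int = 2):
    """Build the rule from the sample's strings and report whether it fires."""
    chosen = select_strings(SAMPLE_STRINGS)
    rule = render_rule("Polito_sample_strings", chosen, required)
    matched, hits = evaluate(chosen, required, sample_bytes)
    return rule, matched, hits

if __name__ == "__main__":
    rule, matched, hits = build_and_check(
        b"\x00/c1/%s/%s/%d/%s/%s/%s/\x00moduleconfig\x00")  # constructed
    print(rule)
    print("matched:", matched, "hits:", hits)
```

Requiring more than one string keeps a single generic hit (for example a file that merely imports kernel32.dll) from triggering the rule once it is loaded into a SIEM or endpoint tool.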
IDA Pro Plug-in
In addition to Intezer Analyze, Polito was able to use Intezer's IDA Pro plug-in for the investigation and obtain additional results for the suspicious files. Analysis of the files showed that Emotet code was also present in the reused code and was affecting the organization.
Intezer Analyze (https://analyze.intezer.com) makes it possible to identify threat actors potentially responsible for an intrusion or attack by breaking code down by genes, families, relationships, origins, and functions, aiding the incident response and forensic investigation process.
Knowing where the malware came from, the make-up and origin of its code, and its similarities to other samples helps organizations focus their cybersecurity efforts on the types of attacks being detected, tailoring the risk management process to address repeated and targeted incidents.
Polito, Inc. offers a wide range of security consulting services including threat hunting, penetration testing, vulnerability assessments, incident response, digital forensics, and more. If your business or your clients have any cyber security needs, contact our experts and experience what Masterful Cyber Security is all about.