#100DaysofYara - day 13
Came across a low-detection malware sample which seems YARA-resistant. Currently in use by a ransomware actor.
I'll post some thoughts, but would love suggestions from others.

I'll explain the malware and show the best I could come up with.

Rule at bottom
1/7

I have two recent examples of the malware:
a252b2e2e1eb1423cb2781dd194fd5758817157847b3eb18bc86486c2f366643
164421af114cb376d86e8c28d1b3749a3dbfa12328e928c22735930ff200aa28

The code-signing signature was revoked, thanks to the CertGraveyard friends.
Both have 2/68 detections on VT.

2/7

The malware is an NSIS installer. With #malcat, we can click into the NSIS Installer's compressed object to expand it and see its contents. These contents are compressed, which is what makes a YARA rule practically impossible.

Video showing expanding the NSIS contents
3/7

Once unpacked, we can click into the Setup file and view it in the Disassembly view to see what the setup script does. It essentially unpacks its dependencies and then executes a base64 string.

In the video, I show inspecting the setup and decoding the base64 within malcat
4/7

For YARA, I investigated other options. One is being able to identify NSIS installers.
The classic way is looking for the Nullsoft magic bytes in the compressed data or other classic strings.

Malcat has some built-in YARA rules that do this.
5/7

While comparing the two binaries above, I also found that NSIS installers have a PE section ".ndata".
The .ndata PE section has a size of 0, but exists and helps us identify NSIS installers.

https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/
6/7

My rule just uses the pe module to check for the .ndata PE section.
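As an added illustration (my own rule, not the Day13.yara file linked in the thread), here is how the two NSIS signals discussed above look side by side in one YARA rule: the `.ndata` section check via the pe module, and the classic Nullsoft first-header magic. The rule name, meta fields and the exact magic bytes (0xDEADBEEF little-endian followed by the ASCII tag "NullsoftInst") are my additions taken from the NSIS file format, not values quoted in the thread.

```yara
import "pe"

// Added example rule; not the thread author's Day13.yara.
// Two independent ways to recognise an NSIS installer:
//   1. the empty ".ndata" PE section observed in the thread, and
//   2. the NSIS first-header magic, i.e. the "classic" Nullsoft bytes
//      the thread mentions (byte values are from the NSIS format itself).
// Either signal alone only says "this is an NSIS installer"; benign
// installers match too, so treat a hit as triage context, not a verdict.

rule nsis_installer_indicators
{
    meta:
        description = "PE carries NSIS installer structure (.ndata section or NSIS first-header magic)"
        reference   = "https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/"
        scope       = "Structural indicator only; pair with other context before alerting"

    strings:
        // 0xDEADBEEF stored little-endian, followed by "NullsoftInst"
        $nsis_magic = { EF BE AD DE 4E 75 6C 6C 73 6F 66 74 49 6E 73 74 }

    condition:
        uint16(0) == 0x5A4D and            // MZ header: only look at PE files
        (
            // Signal 1: an ".ndata" section exists (the thread notes its
            // raw size is 0, so the name, not the content, is the indicator)
            for any s in pe.sections : (
                s.name == ".ndata"
            )
            or
            // Signal 2: NSIS first header present somewhere in the file
            $nsis_magic
        )
}
```

To tighten the section check to the exact observation in the thread, add `and s.raw_data_size == 0` inside the `for any` body; leaving it off keeps the rule robust if a builder ever emits a non-empty `.ndata`. Because the compressed payload itself cannot be matched, this rule is best used to route NSIS installers to a sandbox or to an unpacking step (as done with Malcat above) rather than as a standalone malicious verdict.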

However, this gave us some opportunity to poke at and practice analyzing NSIS installers using Malcat.

Would love to see other methods for detecting this malware.

https://github.com/Squiblydoo/100DaysofYARA/blob/main/Squiblydoo/Day13.yara
7/7