“Streamlining Critical Analysis”

This post describes how security professionals streamline malware analysis by automatically extracting configurations from multiple samples to quickly triage them and identify IoCs. It showcases Malware Configuration Extraction (MCE) to map samples to families, uncover shared IoCs, and speed up protections for customers. #QuasarRAT #LummaStealer

Key points

  • Automated extraction of configurations from multiple malware families greatly speeds analysis and IoC identification.
  • A Bitbucket repository containing second-stage payloads can reveal numerous related samples when pivoted from an initial sample.
  • Obfuscated code and encrypted configurations (e.g., AES with Base64) hinder manual reverse engineering but can be parsed by MCE from memory.
  • Sandbox/memory-based analysis enables memory extraction of C2 addresses and other IoCs, accelerating triage.
  • IoCs include C2 domains/IPs and sample artifacts across multiple families (Lumma Stealer, Remcos RAT, Quasar RAT, Redline Stealer, Vidar Stealer).
  • Sharing accelerated analysis results helps protect customers and supports broader defense via CTA collaboration and Palo Alto Networks products.

MITRE Techniques

  • [T1203] Malware Analysis – Automated extraction of configurations from multiple malware families to speed analysis. ‘Using MCE, we automated the extraction of configurations from multiple malware families to speed our analysis.’
  • [T1071] Command and Control – Extraction of command and control (C2) addresses from malware samples. ‘Extraction of command and control (C2) addresses from malware samples.’ and ‘Identification of shared C2 server IP addresses among different malware samples.’
  • [T1027] Obfuscated Files or Information – Analysis of obfuscated code in malware samples to extract configurations and IoCs. ‘The samples not only have obfuscated code, but their configurations that contain the IoCs are also encrypted. For instance, in the case of Quasar RAT, its configurations are encrypted using AES and then encoded with Base64 as shown below in Figure 3.’
  • [T1213] Data from Information Repositories – Pivoting on known malware samples to discover additional related samples in repositories. ‘Pivoting on this information revealed a Bitbucket repository hosting the second stage payloads. Further investigation revealed 10 additional samples hosted and deployed from the same repository.’

Indicators of Compromise

  • [SHA-256 Hash] 50351b1ff64cd2e8d799f5153ff853a650e8782c49f241a123c8779ff3fa2a3d, 5b8e99a46d7c077152ef954e74a2ff1ad3de0adb34aa0b96f6f02fa60426d12f, and 8 more hashes
  • [Domain] assaultseekwoodywod.pw, cakecoldsplurgrewe.pw, and 16 more domains
  • [IP] 104.21.32.12, 142.132.232.235, and 6 more IPs
  • [File name] gbrem.exe, gbquas.exe
  • [URL] https://steamcommunity.com/profiles/76561199588685141, http://128.140.69.37:80, and 1 more URL
  • [Domain] neighborhoodfeelsa.fun, opposesicknessopw.pw

Read more: https://unit42.paloaltonetworks.com/accelerating-malware-analysis/