This article describes how Sekoia TDR uses the Assemblyline analysis pipeline and its ConfigExtractor service (backed by MACO) to automate extraction of malware configuration data, demonstrated with a Kaiji IoT botnet sample. The workflow covers staged services, YARA-based detection, a Python extractor that decodes Base64-embedded configuration strings to retrieve C2:Port tuples, and ingestion of results into threat intelligence. #Kaiji #Assemblyline
Keypoints
- Assemblyline is a staged, service-based open-source malware analysis platform developed by CCCS that processes submitted files through ordered services to produce analyzable artifacts.
- The ConfigExtractor service in Assemblyline uses the ConfigExtractor Python library and integrates MACO parsers to extract structured configuration fields (C2 domains, IPs, URLs, cryptographic material).
- Extractors are implemented as modules with YARA rules, extraction logic, and mapping to the MACO model; the service can dynamically update extractors from repositories and install dependencies.
- Kaiji, a Go-based IoT botnet, spreads via SSH brute-force and vulnerability exploitation (notably CVE-2024-7954 and CVE-2023-1389) and newer Chaos variants add built-in exploitation and cryptomining.
- Static analysis of a Kaiji sample showed main_connect decodes a Base64 string preceded by the marker “use ParseCertificate” and splits it with the delimiter “|(odk)/*-” to obtain a C2:Port tuple.
- A Python extractor runs FLOSS to recover strings, uses a regex to locate the marker-prefixed Base64 value, Base64-decodes it, splits on the delimiter, validates that the result is an IP address or domain plus a port, maps the result into the MACO model and exports the IOCs into TDR's threat intelligence pipeline.
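The extraction steps listed above, implemented end to end as an added example (this is not Sekoia's extractor, the ConfigExtractor service code or the MACO library). It assumes the decoded string is ordered host, delimiter, port, substitutes a printable-ASCII scan for FLOSS, and returns a plain dict whose keys mirror a MACO tcp connection entry instead of importing maco. The binary it runs on is constructed inline, not a real Kaiji sample; the marker and delimiter are the ones from the analysis.

```python
import base64
import binascii
import ipaddress
import re
from typing import Optional

# Marker that precedes the Base64-encoded config in the analysed sample, and the
# delimiter that separates host from port once the blob is decoded.
MARKER = b"use ParseCertificate"
DELIMITER = "|(odk)/*-"

# Stand-in for FLOSS static strings: printable ASCII runs, as `strings` reports them.
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{6,}")
# Base64 run that directly follows the marker. Go packs string literals back to back,
# so the run can spill into the next literal; decode_candidate trims for that.
B64_AFTER_MARKER_RE = re.compile(re.escape(MARKER) + rb"(?P<b64>[A-Za-z0-9+/=]{8,})")
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$"
)


def static_strings(data: bytes) -> list:
    """Printable ASCII strings, the static part of what FLOSS would produce."""
    return [m.group(0) for m in PRINTABLE_RE.finditer(data)]


def validate_c2(host: str, port_text: str) -> Optional[tuple]:
    """Return (host, port, 'ip'|'domain') if host is an IP or plausible domain and port is valid."""
    if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
        return None
    try:
        ipaddress.ip_address(host)
        return host, int(port_text), "ip"
    except ValueError:
        pass
    if HOSTNAME_RE.match(host):
        return host, int(port_text), "domain"
    return None


def decode_candidate(run: bytes) -> Optional[tuple]:
    """Decode the Base64 run the way Go's StdEncoding.DecodeString would accept it.

    Only lengths that are a multiple of 4 are tried, longest first. A padded blob
    followed by a packed literal fails validation until the slice ends at the '==',
    so the first slice that decodes to text containing the delimiter is the config.
    """
    for end in range(len(run) - len(run) % 4, 7, -4):
        try:
            text = base64.b64decode(run[:end], validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if DELIMITER not in text:
            continue
        host, _, port = text.partition(DELIMITER)  # host-then-port order is an assumption
        # Trailing non-digits belong to the next packed literal, not to the port.
        port = re.match(r"\d*", port).group(0)
        return validate_c2(host, port)
    return None


def extract_config(data: bytes) -> Optional[dict]:
    """Strings -> regex -> Base64 decode -> split -> validate -> MACO-shaped record."""
    for s in static_strings(data):
        for m in B64_AFTER_MARKER_RE.finditer(s):
            hit = decode_candidate(m.group("b64"))
            if hit is None:
                continue
            host, port, kind = hit
            # Keys mirror a MACO tcp connection entry (assumed; maco is not imported here).
            conn = {"server_port": port, "usage": "c2"}
            conn["server_ip" if kind == "ip" else "server_domain"] = host
            return {"family": "Kaiji", "tcp": [conn]}
    return None


def build_sample(host: bytes = b"1.2.3.4", port: bytes = b"443") -> bytes:
    """Constructed stand-in for a Kaiji binary (not a real sample): a decoy Base64
    literal without the marker, then the marker, the config and the next literal
    packed back to back as a Go binary lays them out."""
    config = base64.b64encode(host + DELIMITER.encode() + port)
    return (
        b"\x7fELF" + b"\x00" * 24
        + base64.b64encode(b"unrelated literal") + b"\x00" * 8
        + MARKER + config + b"main.connect" + b"\x00" * 8
    )


if __name__ == "__main__":
    print(extract_config(build_sample()))
```

The longest-first trimming in decode_candidate matters for Go binaries: string literals are stored without terminators, so a greedy Base64 match picks up the start of whatever literal follows. With a padded blob the stray characters after `==` make every longer slice invalid, which pins the correct length; with an unpadded blob whose neighbour happens to be Base64 alphabet and decodes to ASCII digits, the port cannot be recovered unambiguously and the value should be checked by hand.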
MITRE Techniques
- [T1110] Brute Force – Kaiji attempted credential guessing via SSH to gain access to exposed root accounts (‘it spread via SSH brute‑force attacks, trying to guess credentials on exposed root accounts.’)
- [T1190] Exploit Public-Facing Application – Kaiji and its Chaos variant propagated through vulnerability exploitation, specifically targeting known CVEs (‘spreading through vulnerability exploitation, notably targeting CVE‑2024‑7954 and CVE‑2023‑1389.’)
- [T1071] Application Layer Protocol – The sample’s main_connect function is responsible for establishing connections to the command-and-control infrastructure (‘main_connect … responsible for establishing the connection with the command‑and‑control (C2) infrastructure.’)
- [T1498] Network Denial of Service – Kaiji retains DDoS capabilities used for network-based denial-of-service operations (‘retains Kaiji’s DDoS capabilities’).
- [T1059.004] Command and Scripting Interpreter: Unix Shell – Kaiji includes reverse-shell modules providing interactive remote shells (‘reverse‑shell modules’).
- [T1140] Deobfuscate/Decode Files or Information – The sample decodes its Base64-encoded configuration string at runtime to obtain the C2:Port tuple, a routine the extractor reproduces statically (‘loads a Base64‑encoded string and decodes it using the Go runtime’s (*Encoding).DecodeString method.’)
- [T1496] Resource Hijacking – The Chaos variant incorporates cryptocurrency mining functionality indicative of resource hijacking (‘additional functionalities such as cryptocurrency mining’).
Indicators of Compromise
- [File hash] analyzed sample – 695909032488e34315857ef6da0c23eb1f6bba491c3c467a75e78228e0f289e4
- [Vulnerabilities/CVEs] exploited targets – CVE-2024-7954, CVE-2023-1389
- [Embedded strings] config marker and delimiter found in binaries – ‘use ParseCertificate’, ‘|(odk)/*-’
- [Encoded configuration] Base64-encoded config blob – Base64-encoded string embedded in the binary that decodes to a C2:Port tuple (the decoded value is what the extractor splits into C2 and port)
- [YARA rules] detection signatures – YARA rules to identify Ares and Chaos variants (used by the extractor module to trigger parsing)