Unveiling Cyber Threats: Harnessing YARA and Veeam for Malware Detection! - Part 2

  • 26 February 2024
  • 5 comments
  • 166 views

Userlevel 4
Badge

Hello everyone. Last time we explored how to identify basic file Indicators of Compromise (IoCs), develop YARA rules to detect malicious actors, and incorporate these rules into Veeam Backup & Replication to identify potential malware in our backups.

Taking it a step further, today we will explore how to automatically generate YARA rules using YarGen.

 

YarGen

YarGen is a tool that generates YARA rules from a specified malware file. It identifies unique strings within the malware and excludes those prevalent in non-malicious files. This is achieved using YarGen's comprehensive database of strings and opcodes typically found in non-malicious files. Essentially, it creates YARA rules from strings in malware files while discarding those also present in goodware files.

There are many variable and options that can be set in YarGen, today we are going to look at how it can create a YARA rule based off of a potential malware file.

 

Back to basics - IoCS

A user has noticed a folder called “freestuffhere” on their system. Inside there is a file called freeiphones.txt. Much like in Part 1, we can analyze the file to identify any indicators of compromise (IoCs).

  • File name: freeiphones.txt
  • File path: /home/veeam/tools/yarGen/freestuffhere/freeipones.txt
  • Size: 90 bytes
  • Strings: “VGhpcyBpcyBub3QgdGhlIGRyb2lkIHlvdSBhcmUgbG9va2luZyBmb3Iu O66. DV. LS. #%%%^apple##promax”
  • MD5 Hash: bc869ef7b6d284cd066c35842d3a3742

YarGen Setup

Now that we have the information as reference, let’s take a look at YarGen in action and let it create the YARA rule.

First thing we need to do is install YaraGen and its dependencies. I am running my demo in ubuntu, so YMMV.

Repo for yarGen: github.com/Neo23x0/yargen

git clone https://github.com/Neo23x0/yarGen.git

Now we need to install some additional components.

sudo apt install python3-pip

pip install lief

pip install lxml

Then let’s update yarGen’s database.

python yarGen.py -u

Now we can run yarGen against the suspicious directory to create the YARA rule:

python yarGen.py -m ./freestuffhere/ -o veeamGen.yara --score

(-m path to scan for malware, -o output rule file name, —score shows string scores from yarGen database)

yarGen analyzes the files/strings against its database and looks for items identified as malware, while also remove the strings of goodware.

Now let’s take a look at the YARA rule yarGen has created:

You can see that it created the needed variables including meta, stings and conditions.

The string in the freeiphones.txt file is identified with a score of 4. If this was something else like an actual piece of malware, it may have a higher score. As previously mentioned, yarGen has many configurable options to configure, including setting minimum and maximum scores.

Now to validate this YARA rule let’s run it:

You can see it properly returned the conditions based on the strings.

Well that was just an example of whats possible on creating YARA rules with yaraGen. For more information on yarGen and how deep the rabbit hole can go, check out their Github page - https://github.com/Neo23x0/yarGenhttps://github.com/Neo23x0/yarGen

 


5 comments

Userlevel 7
Badge +17

Nice YARA series @andy.sturniolo . I may spin up a test Linux VM and test this myself. Thanks!

Userlevel 4
Badge

Nice YARA series @andy.sturniolo . I may spin up a test Linux VM and test this myself. Thanks!

Thanks @coolsport00. Such a simple cool tool and yet so many things you can do with it.  Let me know how it goes in the lab. 

Userlevel 3
Badge

Well done @andy.sturniolo !!   

Userlevel 7
Badge +21

I am loving all YARA series in the community.  Thanks for sharing @andy.sturniolo 

Userlevel 7
Badge +9

I am finding these series very insightful. Thank you for sharing @andy.sturniolo

Comment