Close your ransomware case with Open NDR
Corelight now powers CrowdStrike solutions and services
Alerts, meet evidence.
5 Ways Corelight Data Helps Investigators Win
10 Considerations for Implementing an XDR Strategy
Don't trust. Verify with evidence
The Power of Open-Source Tools for Network Detection and Response
The Evolving Role of NDR
Detecting 5 Current APTs without heavy lifting
Network Detection and Response
Introduction
In this edition of Corelight’s Hunt of the Month blog, we bring you a STRRAT malware detector. In recent months STRRAT has become one of the top malware families submitted to Any.Run’s malware sandbox:
https://any.run/malware-trends/
STRRAT is a Java-based remote access tool (RAT) that uses a plugin architecture to provide full remote access to an attacker, as well as credential stealing, key logging, and additional plugins. The first version of the RAT focused on stealing browser cryptocurrency wallets and other stored credentials, but in version 1.5 it gained ransomware capabilities.
We picked a sample submitted to Any.Run with an example PCAP you can download and follow along with this blog:
https://app.any.run/tasks/4423258f-59bc-4a88-bfec-d8ac08c88538/
Opening this PCAP in Wireshark and searching for TCP port 8219, you will see the plain text and pipe delimited C2, such as in the screenshot below:
If we follow this TCP stream, we see the following obvious plain-text STRRAT C2 records:
Specifically, we see:
144
ping|STRRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional|32-bit|nan-av|V2luZG93cyBQb3dlclNoZWxs|1.6|DE:Germany|Not Installed|Not IdleNotice how the communication starts with an ASCII version of the record size, followed by two line breaks and a record. We also see the record is delimited by a pipe symbol, and the second field has the name of the malware family in plain text: STRRAT. Each record follows this format throughout the lifetime of the TCP connection. We can use all these details to detect STRRAT’s C2 communications.
A Zeek Spicy analyzer
There are a few ways we can detect the STRRAT malware family. We could write a simple Zeek script-only signature to detect the “|STRRAT|” plain text string. However, there are limitations to the Zeek signature framework that make this approach less attractive than others. Notably, we’re only able to search the first 1,000 bytes and, therefore, there’s an inherent inability to dump every command in the connection. We can record much more data about the malware C2 session if we write a Zeek protocol analyzer using the (relatively) new Spicy language.
A Zeek Spicy analyzer allows us to write arbitrary protocol analyzers fairly quickly. In the case of this simple protocol, the Spicy analyzer will also be simple:
The Spicy code above will read a series of records (defined in lines 7-11) in lines 3-5. Next, the analyzer will read the record’s length in ASCII but then translate it to an unsigned integer on line 8. Line 9 looks for the double new line between the record size and the payload. Finally, the payload is parsed in line 10.
Next, we need a dynamic protocol detection (DPD) signature to activate our new Spicy analyzer:
The signature above looks for TCP sessions that will match the regular expression defined on line 3. When this occurs, the STRRAT Spicy analyzer is activated on line 5 (or line 4 for older versions of Zeek).
Once we’ve married this code with the Zeek code in lines 11-14 below, any time a STRRAT record is parsed, a notice will be generated:
Putting this logic together in a fully working Zeek Spicy analyzer (https://github.com/corelight/zeek-strrat-detector) and the file downloaded from Any.run (which has the unwieldy name of 4423258f-59bc-4a88-bfec-d8ac08c88538.pcap) will generate output such as the following in your notice logs:
% zeek -Cr strrat-4423258f-59bc-4a88-bfec-d8ac08c88538.pcap zeek-strrat-detector
% cat notice.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2024-03-07-10-42-56
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double
1709664364.822047 Cgemrk320YLbiOonOd 192.168.100.11 49227 185.255.114.40 8219 - - - tcp STRRAT::C2_Traffic_Observed Potential STRRAT C2 between source 192.168.100.11 and dest 185.255.114.40 with is_orig T and payload in the sub field. ping|STRRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional|32-bit|nan-av|V2luZG93cyBQb3dlclNoZWxs|1.6|DE:Germany|Not Installed|Not Idle 192.168.100.11 185.255.114.40 8219 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1709664371.522546 Cgemrk320YLbiOonOd 192.168.100.11 49227 185.255.114.40 8219 - - - tcp STRRAT::C2_Traffic_Observed Potential STRRAT C2 between source 192.168.100.11 and dest 185.255.114.40 with is_orig T and payload in the sub field. ping|STRRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional|32-bit|nan-av|V2luZG93cyBQb3dlclNoZWxs|1.6|DE:Germany|Not Installed|2 Sec 192.168.100.11 185.255.114.40 8219 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
…
#close 2024-03-07-10-42-56
The full output is available at https://github.com/corelight/zeek-strrat-detector. You can also install this Spicy analyzer using Zeek’s package manager (zkg) or by visiting the same link.
Suricata rules
We can also detect this malware family using Suricata rules. By leveraging Suricata to highlight certain network traffic observed when analyzing the STRRAT sample, we complement the Spicy protocol analyzer's detection.
First, we create 2 simple rules to detect the pipe-delimited C2 commands illustrated above:
The first signature will detect the malware check-in via STRRAT’s ping command:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CORELIGHT MALWARE STRRAT C2 Request"; flow:established,to_server; content:"ping|7c|STRRAT|7c|"; depth:12; classtype:trojan-activity; sid:3000075; rev:1;)
The first command from the C2 was often “up-n-exec”, a command to update the JAR file used by the RAT. The following signature will detect this command:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CORELIGHT MALWARE STRRAT C2 Response"; flow:established,to_client; content:"|0d 0a 0d 0a|up-n-exec|7c|"; offset:2; depth:14; classtype:trojan-activity; sid:3000076; rev:1;)
When up-n-exec succeeds, we see a JAR file downloaded with a distinct class name “carLambo”, so we can build an additional detection for this:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CORELIGHT MALWARE STRRAT JAR File Inbound"; flow:established,to_client; content:"|0d 0a 0d 0a|PK"; content:"carLambo"; fast_pattern; distance:0; content:".class"; distance:0; within:16; classtype:trojan-activity; sid:3000079; rev:1; metadata:mitre_tactic_id TA0011, mitre_technique_id T1105;)
When reviewing the leaked source code, we noticed twoother potential connections STRRAT malware could make. First, STRRAT checks to make sure it is being operated by a paid subscriber via a license check:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"CORELIGHT MALWARE STRRAT C2 Infected Computer License Check"; flow:established,to_server; http.uri; content:"/ping.php?lid="; fast_pattern; http.host; content:"str-master."; http.user_agent; content:"Java/"; startswith; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:trojan-activity; sid:3000077; rev:1;)
Also, STRRAT sends an HTTP request to ip-api.com to discover the infected computer’s external IP address:
Which we can detect with:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"CORELIGHT MALWARE STRRAT C2 External IP Check Via ip-api.com"; flow:established,to_server; http.uri; content:"/json/"; bsize:6; http.host; content:"ip-api.com"; fast_pattern; startswith; http.user_agent; content:"Mozilla/5.0 (Windows NT 10.0|3b 20|Win64|3b 20|x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"; startswith; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Connection|0d 0a 0d 0a|"; startswith; classtype:trojan-activity; sid:3000078; rev:1;)
Note that we’re relying on the hard-coded User-Agent string and HTTP request header order to prevent false positive alerts for regular users’ requests to ip-api.com. This can be a risky strategy as it can be difficult to determine how common any particular user agent is. In this example, we’re relying on a lack of Accept- headers that a normal browser would send by using the following logic, which requires only these headers and in this order:
http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Connection|0d 0a 0d 0a|";
When we put that all together, we get:
Zeek log search
Finally, the license check HTTP request would appear in ordinary Zeek http.log output, enabling a log search similar to the Suricata rule (minus the check for the lack of a Referrer header). Here is a LogScale query:
uri="*/ping.php?lid=*" AND host="str-master.*" AND user_agent="Java/*"
Having loaded Zeek logs generated from the PCAP into a LogScale instance, we can test this query:
Conclusion
In this Hunt of the Month blog, we’ve demonstrated several methods for detecting STRRAT C2 communications, even though this C2 is a custom protocol. We showed that writing your own custom protocol analyzer to detect this C2 with Spicy is quite simple. And if you don’t use Zeek, we’ve got you covered with Suricata rules too!
Be sure to head to https://github.com/corelight/zeek-strrat-detector to get the detection code we released with this blog!
We also recommend checking out Corelight’s C2 Collection, which covers known C2 toolkits and MITRE ATT&CK® C2 techniques and is based on Zeek metadata, for more than 50 unique insights and detections that illuminate command and control activity and help defenders find novel attacks.