
Detecting the STRRAT Malware Family

Introduction

In this edition of Corelight’s Hunt of the Month blog, we bring you a STRRAT malware detector. In recent months STRRAT has become one of the top malware families submitted to Any.Run’s malware sandbox:

https://any.run/malware-trends/

STRRAT is a Java-based remote access tool (RAT) that uses a plugin architecture to provide full remote access to an attacker, as well as credential stealing, key logging, and additional plugins. The first version of the RAT focused on stealing browser cryptocurrency wallets and other stored credentials, but in version 1.5 it gained ransomware capabilities.

We picked a sample submitted to Any.Run with an example PCAP you can download and follow along with this blog:

https://app.any.run/tasks/4423258f-59bc-4a88-bfec-d8ac08c88538/

If you open this PCAP in Wireshark and search for TCP port 8219, you will see the plain-text, pipe-delimited C2 traffic, as in the screenshot below:

[Image: Wireshark PCAP view]

If we follow this TCP stream, we see the following obvious plain-text STRRAT C2 records:

[Image: TCP stream showing STRRAT C2 records]

Specifically, we see:

144

ping|STRRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional|32-bit|nan-av|V2luZG93cyBQb3dlclNoZWxs|1.6|DE:Germany|Not Installed|Not Idle

Notice how the communication starts with an ASCII version of the record size, followed by two line breaks and a record. We also see the record is delimited by a pipe symbol, and the second field has the name of the malware family in plain text: STRRAT. Each record follows this format throughout the lifetime of the TCP connection. We can use all these details to detect STRRAT’s C2 communications.

A Zeek Spicy analyzer

There are a few ways we can detect the STRRAT malware family. We could write a simple Zeek script-only signature to detect the “|STRRAT|” plain-text string. However, the Zeek signature framework has limitations that make this approach less attractive than others. Notably, we’re only able to search the first 1,000 bytes, so a signature cannot dump every command in the connection. We can record much more data about the malware C2 session if we write a Zeek protocol analyzer using the (relatively) new Spicy language.

A Zeek Spicy analyzer allows us to write arbitrary protocol analyzers fairly quickly. In the case of this simple protocol, the Spicy analyzer will also be simple:

[Image: Zeek Spicy analyzer code]

The Spicy code above will read a series of records (defined in lines 7-11) in lines 3-5. Next, the analyzer will read the record’s length in ASCII but then translate it to an unsigned integer on line 8. Line 9 looks for the double new line between the record size and the payload. Finally, the payload is parsed in line 10.
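The same parse steps (ASCII length, double line break, pipe-delimited payload) can be written as a small Python stream parser. This is an added example, not the Spicy code from the post or the corelight/zeek-strrat-detector repository; the function names are hypothetical, the CRLF CRLF byte form of the line breaks is taken from the Suricata rules in this post, and the framed sample stream is constructed from the record shown above.

```python
import re

# Framing as described in the post: ASCII decimal length, two line breaks,
# then a pipe-delimited record. The CRLF CRLF byte form is taken from the
# |0d 0a 0d 0a| content matches in the post's Suricata rules.
HEADER = re.compile(rb"(\d{1,7})\r\n\r\n")

def frame(record: bytes) -> bytes:
    """Build one framed record (used here only to construct sample input)."""
    return str(len(record)).encode() + b"\r\n\r\n" + record

def parse_records(stream: bytes):
    """Return (records, leftover): records are lists of fields, leftover is
    the unparsed tail (an incomplete record or non-matching bytes)."""
    records, pos = [], 0
    while pos < len(stream):
        m = HEADER.match(stream, pos)
        if m is None:
            break                      # no valid length header at this offset
        size, start = int(m.group(1)), m.end()
        if start + size > len(stream):
            break                      # payload truncated: wait for more data
        payload = stream[start:start + size]
        records.append(payload.decode("latin-1").split("|"))
        pos = start + size
    return records, stream[pos:]

def is_strrat_record(fields) -> bool:
    """The post's indicator: the second field names the family in plain text."""
    return len(fields) >= 2 and fields[1] == "STRRAT"

# Record text copied from the post; the framed stream below is constructed.
PING = (b"ping|STRRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional|"
        b"32-bit|nan-av|V2luZG93cyBQb3dlclNoZWxs|1.6|DE:Germany|Not Installed|Not Idle")
SAMPLE = (frame(PING) + frame(PING.replace(b"Not Idle", b"2 Sec"))
          + b"144\r\n\r\nping|STR")   # third record deliberately cut short

if __name__ == "__main__":
    recs, rest = parse_records(SAMPLE)
    for r in recs:
        print(is_strrat_record(r), r[0], r[-1])
    print("unparsed tail:", rest)
```

The record from the post is exactly 144 bytes long, which matches the ASCII length that precedes it in the stream.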

Next, we need a dynamic protocol detection (DPD) signature to activate our new Spicy analyzer:

[Image: DPD signature]

The signature above looks for TCP sessions that will match the regular expression defined on line 3. When this occurs, the STRRAT Spicy analyzer is activated on line 5 (or line 4 for older versions of Zeek).

Once we’ve married this code with the Zeek code in lines 11-14 below, any time a STRRAT record is parsed, a notice will be generated:

[Image: DPD married to Zeek code]

Putting this logic together in a fully working Zeek Spicy analyzer (https://github.com/corelight/zeek-strrat-detector) and running it against the file downloaded from Any.Run (which has the unwieldy name of 4423258f-59bc-4a88-bfec-d8ac08c88538.pcap) will generate output such as the following in your notice logs:

 % zeek -Cr strrat-4423258f-59bc-4a88-bfec-d8ac08c88538.pcap zeek-strrat-detector

% cat notice.log
#separator \x09
#set_separator	,
#empty_field	(empty)
#unset_field	-
#path	notice
#open	2024-03-07-10-42-56
#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	email_dest	suppress_for	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	set[string]	interval	string	string	string	double	double
1709664364.822047	Cgemrk320YLbiOonOd	192.168.100.11	49227	185.255.114.40	8219	-	-	-	tcp	STRRAT::C2_Traffic_Observed	Potential STRRAT C2 between source 192.168.100.11 and dest 185.255.114.40 with is_orig T and payload in the sub field.	ping|STRRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional|32-bit|nan-av|V2luZG93cyBQb3dlclNoZWxs|1.6|DE:Germany|Not Installed|Not Idle	192.168.100.11	185.255.114.40	8219	-	-	Notice::ACTION_LOG	(empty)	3600.000000	-	-	-	-	-
1709664371.522546	Cgemrk320YLbiOonOd	192.168.100.11	49227	185.255.114.40	8219	-	-	-	tcp	STRRAT::C2_Traffic_Observed	Potential STRRAT C2 between source 192.168.100.11 and dest 185.255.114.40 with is_orig T and payload in the sub field.	ping|STRRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional|32-bit|nan-av|V2luZG93cyBQb3dlclNoZWxs|1.6|DE:Germany|Not Installed|2 Sec	192.168.100.11	185.255.114.40	8219	-	-	Notice::ACTION_LOG	(empty)	3600.000000	-	-	-	-	-

…

#close	2024-03-07-10-42-56

The full output is available at https://github.com/corelight/zeek-strrat-detector. You can also install this Spicy analyzer using Zeek’s package manager (zkg) or by visiting the same link.

Suricata rules

We can also detect this malware family using Suricata rules. By leveraging Suricata to highlight certain network traffic observed when analyzing the STRRAT sample, we complement the Spicy protocol analyzer's detection.

First, we create two simple rules to detect the pipe-delimited C2 commands illustrated above.

The first signature will detect the malware check-in via STRRAT’s ping command:


alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CORELIGHT MALWARE STRRAT C2 Request"; flow:established,to_server; content:"ping|7c|STRRAT|7c|"; depth:12; classtype:trojan-activity; sid:3000075; rev:1;)

The first command from the C2 was often “up-n-exec”, a command to update the JAR file used by the RAT. The following signature will detect this command:


alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CORELIGHT MALWARE STRRAT C2 Response"; flow:established,to_client; content:"|0d 0a 0d 0a|up-n-exec|7c|"; offset:2; depth:14; classtype:trojan-activity; sid:3000076; rev:1;)

When up-n-exec succeeds, we see a JAR file downloaded with a distinct class name “carLambo”, so we can build an additional detection for this:


alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CORELIGHT MALWARE STRRAT JAR File Inbound"; flow:established,to_client; content:"|0d 0a 0d 0a|PK"; content:"carLambo"; fast_pattern; distance:0; content:".class"; distance:0; within:16; classtype:trojan-activity; sid:3000079; rev:1; metadata:mitre_tactic_id TA0011, mitre_technique_id T1105;)

When reviewing the leaked source code, we noticed two other potential connections STRRAT malware could make. First, STRRAT checks to make sure it is being operated by a paid subscriber via a license check:


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"CORELIGHT MALWARE STRRAT C2 Infected Computer License Check"; flow:established,to_server; http.uri; content:"/ping.php?lid="; fast_pattern; http.host; content:"str-master."; http.user_agent; content:"Java/"; startswith; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:trojan-activity; sid:3000077; rev:1;)

Also, STRRAT sends an HTTP request to ip-api.com to discover the infected computer’s external IP address:

[Image: HTTP request to ip-api.com]

Which we can detect with:


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"CORELIGHT MALWARE STRRAT C2 External IP Check Via ip-api.com"; flow:established,to_server; http.uri; content:"/json/"; bsize:6; http.host; content:"ip-api.com"; fast_pattern; startswith; http.user_agent; content:"Mozilla/5.0 (Windows NT 10.0|3b 20|Win64|3b 20|x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"; startswith; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Connection|0d 0a 0d 0a|"; startswith; classtype:trojan-activity; sid:3000078; rev:1;)

Note that we’re relying on the hard-coded User-Agent string and HTTP request header order to prevent false positive alerts for regular users’ requests to ip-api.com. This can be a risky strategy, as it can be difficult to determine how common any particular user agent is. In this example, we’re relying on the lack of the Accept- headers that a normal browser would send, using the following logic, which requires only these headers and in this order:


http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Connection|0d 0a 0d 0a|";

When we put that all together, we get:

[Image: HTTP request lacking Accept- headers]

Zeek log search

Finally, the license check HTTP request would appear in ordinary Zeek http.log output, enabling a log search similar to the Suricata rule (minus the check for the lack of a Referer header). Here is a LogScale query:


uri="*/ping.php?lid=*" AND host="str-master.*" AND user_agent="Java/*"

Having loaded Zeek logs generated from the PCAP into a LogScale instance, we can test this query:

[Image: LogScale query test]
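For readers without a LogScale instance, the same three conditions can be applied directly to a tab-separated Zeek http.log. This is an added example, not code from the post or the Corelight repository; the function names and the log excerpt (hosts, addresses, URIs, user agents) are constructed. It goes one step beyond the query above by optionally requiring Zeek's `referrer` column to be unset, which mirrors the Referer check in the Suricata rule.

```python
# Constructed Zeek http.log excerpt with a reduced column set; every host,
# address and value below is invented for the example.
SAMPLE_HTTP_LOG = "\n".join([
    "#separator \\x09",
    "#path\thttp",
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\thost\turi\treferrer\tuser_agent",
    "1.0\tC1\t192.0.2.10\t203.0.113.5\tstr-master.example\t/ping.php?lid=CONSTRUCTED\t-\tJava/1.8.0",
    "2.0\tC2\t192.0.2.10\t203.0.113.6\tip-api.com\t/json/\t-\tJava/1.8.0",
    "3.0\tC3\t192.0.2.11\t203.0.113.7\twww.example.org\t/ping.php?lid=1\t-\tMozilla/5.0",
    "4.0\tC4\t192.0.2.12\t203.0.113.5\tstr-master.example\t/ping.php?lid=X"
    "\thttp://www.example.org/\tJava/1.8.0",
])

def read_zeek_tsv(text):
    """Parse a Zeek TSV log into dicts keyed by the names on the #fields line."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def license_check_hits(rows, require_no_referrer=True):
    """Apply the post's query: uri=*/ping.php?lid=*, host=str-master.*,
    user_agent=Java/*. Optionally also require an unset referrer ("-")."""
    hits = []
    for r in rows:
        matches = ("/ping.php?lid=" in r.get("uri", "")
                   and r.get("host", "").startswith("str-master.")
                   and r.get("user_agent", "").startswith("Java/"))
        if not matches:
            continue
        if require_no_referrer and r.get("referrer", "-") != "-":
            continue   # a Referer header was present, unlike the rule's match
        hits.append(r)
    return hits

if __name__ == "__main__":
    for hit in license_check_hits(read_zeek_tsv(SAMPLE_HTTP_LOG)):
        print(hit["ts"], hit["id.orig_h"], hit["host"], hit["uri"])
```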

Conclusion

In this Hunt of the Month blog, we’ve demonstrated several methods for detecting STRRAT C2 communications, even though this C2 is a custom protocol. We showed that writing your own custom protocol analyzer to detect this C2 with Spicy is quite simple. And if you don’t use Zeek, we’ve got you covered with Suricata rules too!

Be sure to head to https://github.com/corelight/zeek-strrat-detector to get the detection code we released with this blog!

We also recommend checking out Corelight’s C2 Collection, which covers known C2 toolkits and MITRE ATT&CK® C2 techniques and is based on Zeek metadata, for more than 50 unique insights and detections that illuminate command and control activity and help defenders find novel attacks.
