Identification and Classification of Crypto-Malware Using ThreatMapper


Authors: Devi Prasad and Shyam Krishnaswamy

ThreatMapper, our open source Cloud Native Application Protection Platform (CNAPP), now integrates natively with YaraHunter, a powerful malware scanner for containers, images, and cloud-native hosts. In a previous post, we discussed scanning cloud-native assets for malware using YaraHunter to identify and report potential indicators of malware across cloud resources, pods, virtual machines, file systems, image registries, and build artifacts. In this post, we'll discuss using ThreatMapper to classify cloud-native malware, extending the Yara rule sets to identify crypto-malware risks, and prioritizing those risks using runtime context to build a better security posture.

Crypto malware attacks are becoming increasingly popular among cybercriminals because of the rising value and widespread adoption of cryptocurrencies. Once running on a victim's device, cryptomalware can usually run independently and indefinitely. According to Google's estimate, the vast majority (around 86%) of compromised instances in Google Cloud are used for cryptomining. While it does not reach the devastating proportions of ransomware, cryptomalware still causes severe losses in computing resources, leading to direct and indirect damage.

ThreatMapper supports a wide variety of Yara rule sets to classify malware. Yara rules describe malware families in terms of textual or binary patterns. ThreatMapper ships hundreds of rules covering a wide range of classifications: Crypto Mining, DDoS, Information Stealing, Spam Bot, Rootkit, Keylogger, among others. Additionally, host-based indicators such as filenames, registry keys, exposed passwords, and secret keys form an important part of the rule set.

In our effort to keep ThreatMapper constantly abreast of current threats, we have recently included rules for Cobalt Strike malware. A brief overview of Cobalt Strike: malicious actors are exploiting CVE-2019-18935, a critical-severity vulnerability in the Telerik UI library that leads to remote code execution, and installing Cobalt Strike beacons. Once the beacons are installed, the attackers use them to mine Monero by hijacking system resources.

ThreatMapper, in addition to hundreds of existing rules that detect cryptominers, now also includes the rules recently published by Google for detecting Cobalt Strike malware. This helps detect malware at every stage of the development and deployment lifecycle: in CI/CD scans, in image repositories, and at runtime in containers, pods, and hosts across the infrastructure.

The following is sample output when scanning images that contain Cobalt Strike malware:

[Image: scan output showing Cobalt Strike malware]

Furthermore, when the XMRig crypto miner is present in an image, scanning that image produces results of the form:

[Image: scan output showing XMRig crypto mining malware]

ThreatMapper can also classify various types of malware:

[Image: ThreatMapper classifying various types of malware]

In addition to classifying malware, the sensors that are part of ThreatMapper provide useful runtime context, which is used to automatically prioritize malware that needs immediate attention. In the coming days, we will add further malware analysis controls, rules, and information derived from the various malware classifications. If you're interested in going deeper into the technical integration, take a look at our ThreatMapper repository. We welcome contributions in all forms, including documentation, feature requests, bug reports, and source code patches.
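To make the two ideas above concrete, the Yara-style classification by textual or binary patterns and the prioritization of hits using runtime context, here is an added example written for this post; it is not ThreatMapper's, YaraHunter's or Yara's own code. The rules, the sample bytes, and the runtime-context fields (running, internet_exposed, cpu_pct) are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# A minimal Yara-style rule: named patterns (text or raw bytes) plus a
# condition ("at least N of the patterns must match") and a classification.
@dataclass
class Rule:
    name: str
    category: str            # e.g. "Crypto Mining", "Information Stealing"
    strings: Dict[str, bytes]  # identifier -> byte pattern (text or binary)
    min_matches: int = 1     # condition: this many identifiers must hit

# Constructed rules for illustration only (not ThreatMapper's real rule set).
RULES: List[Rule] = [
    Rule("constructed_xmrig_like", "Crypto Mining",
         {"$pool": b"stratum+tcp://", "$name": b"xmrig", "$algo": b"randomx"}, 2),
    Rule("constructed_stealer_like", "Information Stealing",
         {"$wallet": b"wallet.dat", "$browser": b"Login Data"}, 2),
]

def classify(blob: bytes) -> List[Tuple[str, str]]:
    """Return (rule name, category) for every rule whose condition holds."""
    hits = []
    for rule in RULES:
        matched = [ident for ident, pat in rule.strings.items() if pat in blob]
        if len(matched) >= rule.min_matches:
            hits.append((rule.name, rule.category))
    return hits

def prioritize(hits, *, running: bool, internet_exposed: bool, cpu_pct: float) -> str:
    """Rank a finding using runtime context (field names are assumptions)."""
    if not hits:
        return "none"
    categories = {cat for _, cat in hits}
    if running and "Crypto Mining" in categories and cpu_pct > 80:
        return "critical"   # an active miner is burning resources right now
    if running and internet_exposed:
        return "high"       # running and reachable from the internet
    if running:
        return "medium"     # running but not exposed
    return "low"            # only found at rest, e.g. in a registry image

# Constructed sample imitating strings embedded in a miner binary.
SAMPLE = b"\x7fELF...config: stratum+tcp://pool.example:3333 algo=randomx ... xmrig"

if __name__ == "__main__":
    found = classify(SAMPLE)
    print(found, prioritize(found, running=True, internet_exposed=False, cpu_pct=95.0))
```

The same bytes found only in a registry image come back as "low", while the same hit on a running, CPU-saturated container comes back as "critical", which is the kind of runtime-driven ranking the sensors enable.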

The post Identification and Classification of Cryptomalware Using ThreatMapper first appeared on Deepfence.

*** This is a syndicated blog from the Security Bloggers Network of Deepfence written by Shyam Krishnaswamy. Read the original post at: