FLARE VM: The Windows Malware Analysis Distribution You’ve Always Needed!

As a reverse engineer on the FLARE Team I rely on a customized
Virtual Machine (VM) to perform malware analysis. The VM is a Windows
installation with numerous tweaks and tools to aid my analysis.
Unfortunately, maintaining a custom VM like this is very laborious:
tools frequently get out of date and it is hard to change or add new
things. There is also a constant fear that if the VM gets corrupted it
would be very tedious to replicate all of the settings and tools that
I have built up over the years. To address this and many related
challenges, I have developed a standardized (but easily customizable)
Windows-based security distribution called FLARE VM.

FLARE VM is a freely available, open-source Windows-based security
distribution designed for reverse engineers, malware analysts,
incident responders, forensicators, and penetration testers. Inspired
by open-source Linux-based security distributions like Kali Linux,
REMnux and others, FLARE VM delivers a fully configured platform with
a comprehensive collection of Windows security tools: debuggers,
disassemblers, decompilers, static and dynamic analysis utilities,
network analysis and manipulation tools, web assessment, exploitation
and vulnerability assessment applications, and many others.

The distribution also includes the FLARE team’s public malware
analysis tools such as FLOSS and FakeNet-NG.

How To Get It

You are expected to have an existing installation of Windows 7 or
above. This lets you choose the exact Windows version, patch level,
architecture and virtualization environment yourself.

Once you have that available, you can quickly deploy the FLARE VM
environment by visiting the following URL in Internet Explorer
(other browsers will not work, because the Boxstarter WebLauncher is
a ClickOnce application that only Internet Explorer can launch):



After you navigate to the above URL in Internet Explorer, you will be
presented with a Boxstarter WebLauncher dialog. Select Run to continue
the installation, as illustrated in Figure 1.

Figure 1: FLARE VM Installation

Following successful installation of the Boxstarter WebLauncher, you
will see a console window and one more prompt asking for your Windows
password, as shown in Figure 2. The password is needed so that
Boxstarter can restart the machine several times during the
installation and log back in without prompting you every time.

Figure 2: Boxstarter Password Prompt

The rest of the process is fully automated, so make yourself a cup of
coffee or tea. Depending on your connection speed, the initial
installation takes about 30-40 minutes. The machine will also reboot
several times, because many of the packages require a reboot to
finish installing. During deployment you will see the installation
logs of the individual packages.

Once the installation is complete, switch the VM's network adapter to
Host-Only mode so that malware samples cannot reach the Internet or
your local network, and take a fresh snapshot so this clean state is
saved. The final FLARE VM installation should look like Figure 3.

Figure 3: FLARE VM installation

NOTE: If you encounter a large number of error messages, simply
restart the installation. Packages that already installed are
preserved and only the missing ones are installed.

Getting Started

The VM configuration and the included tools were either developed or
carefully selected by the members of the FLARE team who have been
reverse engineering malware, analyzing exploits and vulnerabilities,
and teaching malware analysis classes for over a decade. All of the
tools are organized in the directory structure shown in Figure 4.

Figure 4: FLARE VM Tools

While we try to expose every tool as a shortcut in the FLARE folder,
several are available from the command line only. See the online
documentation at http://flarevm.info for the most up-to-date list.

Sample Analysis

In order to best illustrate how FLARE VM can assist in malware
analysis tasks let’s perform a basic analysis on one of the samples we
use in our Malware Analysis Crash Course.

First, let's obtain some basic indicators by looking at the strings in
the binary. For this exercise we are going to run FLARE's own FLOSS
tool, a strings utility on steroids that also recovers stack strings
and strings obfuscated by the sample's own decoding routines. Visit
http://flosseveryday.info for additional information about the tool.
You can launch it by clicking on the FLOSS icon in the taskbar and
running it against the sample, as illustrated in Figure 5.

Figure 5: Running FLOSS

Unfortunately, looking over the resulting strings in Figure 6, only
one string really stands out, and it is not clear how it is used.

Figure 6: Strings Analysis

Let's dig a bit deeper into the binary by opening it in CFF Explorer
to analyze the sample's imports, resources, and PE header structure.
CFF Explorer and a number of other utilities are available in the
FLARE folder, which can be accessed from the Desktop or the Start
menu, as illustrated in Figure 7.

Figure 7: Opening Utilities

Analyzing the PE header turns up several indicators that the binary
carries an additional payload as a resource object: the import table
lists the relevant Windows API calls FindResource and LoadResource,
and finally WinExec to run something. Unfortunately, as Figure 8
shows, the embedded resource "BIN" looks like junk, so it is most
likely encrypted or otherwise encoded.

Figure 8: PE Resource
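A "junk" resource deserves two quick checks before you give up on static analysis: how random the bytes are, and whether a trivial encoding hides a recognizable structure. The script below is an added example, not FLARE VM or FLARE-team code and not the crash-course solution: it measures the Shannon entropy of a blob and scans for a single-byte XOR key under which a valid MZ/PE header appears. Whether this particular sample uses XOR at all is not something the post says; the technique is shown because it is the cheapest one to rule in or out. It assumes the resource was dumped to a file with a resource editor (the `C:\samples\BIN.bin` path is an assumption); for an offline run it instead builds a constructed stand-in blob inline.

```powershell
# Added example, not code from the FLARE VM project or the FLARE team.
# Triages a resource that looks like "junk": measures its Shannon entropy and
# scans for a single-byte XOR key under which a valid MZ/PE header appears.
# Assumes the resource was dumped to disk with a resource editor; for an
# offline run a constructed stand-in blob is built below instead.

function Get-ShannonEntropy {
    param([byte[]]$Bytes)
    # Bits per byte: close to 8.0 for encrypted or compressed data, well below
    # for code or text. Short blobs read low regardless, so treat as a hint.
    if ($Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object int[] 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $entropy = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $Bytes.Length
            $entropy -= $p * [Math]::Log($p, 2)
        }
    }
    return $entropy
}

function Find-SingleByteXorKeys {
    param([byte[]]$Bytes)
    # Single-byte XOR is a bijection on byte values, so it leaves the entropy
    # unchanged; look for structure instead: "MZ" at offset 0 and "PE\0\0" at
    # the offset stored in e_lfanew (the DOS header field at 0x3C).
    $hits = @()
    if ($Bytes.Length -lt 0x40) { return $hits }
    for ($key = 0; $key -lt 256; $key++) {
        if ((($Bytes[0] -bxor $key) -ne 0x4D) -or (($Bytes[1] -bxor $key) -ne 0x5A)) { continue }
        $lfanew = 0
        for ($i = 0; $i -lt 4; $i++) {
            $lfanew = $lfanew -bor (($Bytes[0x3C + $i] -bxor $key) -shl (8 * $i))
        }
        # Reject offsets inside the DOS header, past the end, or wrapped negative.
        if ($lfanew -lt 0x40 -or ($lfanew + 4) -gt $Bytes.Length) { continue }
        $pe = 0..3 | ForEach-Object { $Bytes[$lfanew + $_] -bxor $key }
        if ($pe[0] -eq 0x50 -and $pe[1] -eq 0x45 -and $pe[2] -eq 0 -and $pe[3] -eq 0) {
            $hits += $key
        }
    }
    return $hits
}

# Constructed stand-in for the dumped resource: a minimal MZ/PE header stub
# plus a marker string, XOR-encoded with key 0x5A. For a real resource use
#   [byte[]]$blob = [IO.File]::ReadAllBytes('C:\samples\BIN.bin')   # path is an assumption
$plain = New-Object byte[] 0x60
$plain[0] = 0x4D; $plain[1] = 0x5A         # "MZ"
$plain[0x3C] = 0x40                        # e_lfanew = 0x40 (little-endian)
$plain[0x40] = 0x50; $plain[0x41] = 0x45   # "PE\0\0"
$marker = [Text.Encoding]::ASCII.GetBytes('constructed payload stub')
[Array]::Copy($marker, 0, $plain, 0x48, $marker.Length)
[byte[]]$blob = $plain | ForEach-Object { [byte]($_ -bxor 0x5A) }

'Entropy of resource: {0:N2} bits/byte' -f (Get-ShannonEntropy $blob)
foreach ($key in (Find-SingleByteXorKeys $blob)) {
    [byte[]]$decoded = $blob | ForEach-Object { [byte]($_ -bxor $key) }
    'Candidate key 0x{0:X2}: decoded blob starts with {1}' -f $key,
        ([Text.Encoding]::ASCII.GetString($decoded, 0, 2))
    # [IO.File]::WriteAllBytes('C:\samples\BIN_decoded.bin', $decoded)   # path is an assumption
}
```

On the constructed blob the scan reports key 0x5A and a decoded prefix of "MZ". On a real resource, a high entropy reading with no XOR hit is the signal that the payload is compressed or encrypted with something stronger, at which point the dynamic approach the post takes next is the faster route; a hit, on the other hand, gives you a second PE to analyze without ever running the first one.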

At this point, we could continue the static analysis or we could
“cheat” a bit by switching over to basic dynamic analysis techniques.
Let’s attempt to quickly gather basic indicators by using another
FLARE tool called FakeNet-NG. FakeNet-NG is a dynamic network
emulation tool which tricks malware into revealing its network
functionality by presenting it with fake services such as DNS, HTTP,
FTP, IRC and many others. Please visit http://fakenet.info for additional
information about the tool.

Also, let's launch Procmon from the Sysinternals Suite to monitor the
sample's file system, registry, process and network activity. Both of
these frequently used tools are pinned to the taskbar, as illustrated
in Figure 9.

Figure 9: Dynamic Analysis

After executing the sample with Administrator privileges, we quickly
find excellent network- and host-based indicators. Figure 10 shows
FakeNet-NG responding to the malware's attempt to reach
evil.mandiant.com over HTTP. Here we capture useful indicators such as
the complete HTTP request header, the URL and a potentially unique
User-Agent string. Notice also that FakeNet-NG identifies the exact
process making the connection: level1_payload.exe. This process name
matches the unique string we found during static analysis but could
not explain.

Figure 10: FakeNet-NG

Comparing these findings with the Procmon output in Figure 11, we can
confirm that the malware is indeed responsible for creating the
level1_payload.exe executable in the system32 folder.

Figure 11: Procmon

As part of the malware analysis process, we could continue digging
deeper by loading the sample in a disassembler and performing further
analysis inside a debugger. However, I would not want to spoil the fun
for our Malware Analysis Crash Course students by sharing all the
answers here. That said, all of the relevant tools to perform such
analysis are already included in the distribution: the IDA Pro and
Binary Ninja disassemblers, a nice collection of debuggers and several
plugins, and many others to make your reverse engineering tasks as
convenient as possible.

Have It Your Way

FLARE VM is a constantly growing and changing project. While we try
to cover as many use cases as possible, no single distribution can
cover them all. Luckily, FLARE VM is extremely easy to customize
because it is built on top of the Chocolatey project, a Windows
package management system with thousands of packages (listed at
https://chocolatey.org/packages). In addition to the public Chocolatey
repository, FLARE VM uses our own FLARE repository, which is
constantly growing and currently contains about 40 packages.

This means that if you want to add a package, say Firefox, you no
longer have to navigate to the software developer's website. Simply
open a console and type the command shown in Figure 12 to download
and install the package automatically:

Figure 12: Installing packages

In a few moments a Firefox icon appears on your Desktop, with no user
interaction necessary.

Staying up to date

As I mentioned at the beginning, one of the hardest challenges with an
unmanaged VM is keeping all of the tools up to date. FLARE VM solves
this problem: you can update the entire system by running the command
shown in Figure 13.

Figure 13: Staying up to date

If any of the installed packages have newer versions, they will be
automatically downloaded and installed.
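The install and update steps above are each a single Chocolatey command, but a practitioner usually wants a few checks around them: that the console is elevated, that the package source is actually reachable (it will not be from a Host-Only VM), and that a package which asked for a reboot gets one before the clean snapshot is taken. The script below is an added example, not FLARE VM's own tooling; `firefox` is the package named in the text, and the exit codes it warns on are the Windows Installer reboot codes that Chocolatey passes through (1641 and 3010).

```powershell
# Added example, not FLARE VM's own tooling: the install and update steps
# from this section wrapped in the checks a practitioner wants around them.
# "firefox" is the package used in the text; any other name is an assumption
# to be looked up on chocolatey.org/packages first.

function Test-IsAdministrator {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $id
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-TcpReachable {
    # Plain TCP connect with a timeout. Package installs need the Chocolatey
    # source to be reachable; from a VM still in Host-Only mode this returns
    # $false, which is also the answer you want before detonating a sample.
    param([string]$HostName, [int]$Port = 443, [int]$TimeoutMs = 5000)
    $client = New-Object Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        $finished = $async.AsyncWaitHandle.WaitOne($TimeoutMs)
        return ($finished -and $client.Connected)
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

if (-not (Get-Command choco -ErrorAction SilentlyContinue)) { throw 'choco is not on PATH; is this a FLARE VM?' }
if (-not (Test-IsAdministrator)) { throw 'Run this from an elevated console.' }
if (-not (Test-TcpReachable 'chocolatey.org')) { throw 'chocolatey.org unreachable: move the VM off Host-Only for the update.' }

# Install a single package by name without prompts (cinst is the short alias).
choco install firefox -y

# Upgrade every installed package, including those from the FLARE repository.
choco upgrade all -y
if ($LASTEXITCODE -in 1641, 3010) { Write-Warning 'A package requested a reboot; reboot before snapshotting.' }

# Anything still listed here did not upgrade cleanly and needs a manual look.
choco outdated
```

Run it from an elevated PowerShell console inside the VM with networking temporarily switched away from Host-Only. `Test-TcpReachable` doubles as the pre-detonation check: once networking is back on Host-Only, the same call against any Internet host should return `$false`, and the only thing answering the sample's connections should be FakeNet-NG.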

NOTE: Updating requires network access. When the update is done, take
another clean snapshot of the updated system and set networking back
to Host-Only.


I hope you enjoy this new free tool and will adopt it as another
trusted resource to perform reverse engineering and malware analysis
tasks. Next time you need to set up a new malware analysis
environment, try out FLARE VM!

In these few pages we could only scratch the surface of everything
that FLARE VM is capable of; feel free to leave your comments, tool
requests, and bug reports on our GitHub issues page at
https://github.com/fireeye/flare-vm or at http://flarevm.info/.


Wikileaks: CIA tasked Raytheon for analyzing TTPs used by threat actors in the wild


Wikileaks revealed that CIA contractor Raytheon Blackbird Technologies was tasked with analyzing advanced malware and the TTPs used by threat actors in the wild.

Wikileaks continues to publish documents from the Vault 7 leak; today the organization shed light on the collaboration between the US intelligence agency and tech firms on malware development.

The latest batch of documents shows that the CIA contractor Raytheon Blackbird Technologies was tasked with analyzing advanced malware and TTPs used by threat actors in the wild as part of the UMBRAGE project.

A previous Vault 7 leak reported that the UMBRAGE team was tasked by the Central Intelligence Agency with false-flag hacking operations.

According to the documents leaked by WikiLeaks, Raytheon Blackbird Technologies delivered at least five reports to the CIA as part of the UMBRAGE Component Library (UCL) project between November 2014 and September 2015.

“Today, July 19th 2017, WikiLeaks publishes documents from the CIA contractor Raytheon Blackbird Technologies for the “UMBRAGE Component Library” (UCL) project. The documents were submitted to the CIA between November 21st 2014 (just two weeks after Raytheon acquired Blackbird Technologies to build a Cyber Powerhouse) and September, 11th 2015. They mostly contain Proof-of-Concept ideas and assessments for malware attack vectors – partly based on public documents from security researchers and private enterprises in the computer security field.” states Wikileaks.

“Raytheon Blackbird Technologies acted as a kind of “technology scout” for the Remote Development Branch (RDB) of the CIA by analysing malware attacks in the wild and giving recommendations to the CIA development teams for further investigation and PoC development for their own malware projects.”

The firm also provided proof-of-concept ideas and malware attack vectors to the agency.

Experts speculate that the reports were commissioned by the CIA's Remote Development Branch (RDB) to collect ideas for developing its own advanced malware.

Below is a summary of the five reports delivered by Raytheon Blackbird Technologies.

Report 1 — Raytheon researchers detailed a variant of the HTTPBrowser Remote Access Tool (RAT) used by EMISSARY PANDA. The variant was built in March 2015 and is deployed through an unknown initial attack vector.

The RAT has been used in cyber-espionage campaigns by the Chinese APT group Emissary Panda.

Report 2 — The report details a new variant of the NfLog Remote Access Tool (RAT), also known as IsSpace, used by the SAMURAI PANDA APT group. The variant analyzed in the report is deployed using a repurposed version of the leaked Hacking Team Adobe Flash exploit for CVE-2015-5122. The variant also uses Google App Engine (GAE) hosting to proxy communications to its C2 server.

Report 3 — This report is a high-level analysis of the “Regin” espionage platform, which was first detected in 2014. Regin is widely believed to have been developed by the NSA.

“This report is a fairly high-level overview of Regin, a very sophisticated malware sample that has been observed in operation since 2013. There are some indications that the malware has been in use since as early as 2008, but most agree that the current iteration of Regin dates to about 2013.” states the report. “Regin appears to be focused on target surveillance and data collection. The most striking aspect of Regin is its modular architecture, which affords a high degree of flexibility and tailoring of attack capabilities to specific targets. Another impressive aspect of Regin is its stealthiness, its ability to hide itself from discovery and portions of the attack are memory-resident only.”

Report 4 — The report details the “HammerToss” malware, which was discovered in early 2015. HammerToss is believed to be malware developed by Russian state-sponsored hackers and operational since late 2014.
“HammerToss is an interesting piece of malware because of its architecture, which leverages Twitter accounts, GitHub or compromised websites, basic steganography, and Cloud-storage to orchestrate command and control (C2) functions of the attack.” states the report.

Report 5 — This document details the code injection and API hooking methods of an information-stealing Trojan called “Gamker.”

“This report details the code injection and API hooking methods of an information stealing Trojan known as Gamker. This August 2015 three-page report from Virus Bulletin contains more technical detail than many 30+ page reports from other sources. We recommend continued review of Virus Bulletin reports going forward.” states the report.

Below is the list of releases published by Wikileaks since March:

Pierluigi Paganini

(Security Affairs – Wikileaks, UCL RAYTHEON)

The post Wikileaks: CIA tasked Raytheon for analyzing TTPs used by threat actors in the wild appeared first on Security Affairs.