BSIDES RGV 2025
Quick, Easy, Malware Investigations and Threat Hunting
About Me
- Hi! I’m Eduardo Robles. I work for the County of Hidalgo IT dept as a Cybersecurity Analyst IV.
- Founder of South Texas Linux Users Group.
- You can check out my skills on my blog or LinkedIn.
Agenda
- Learn the basics of Malware Analysis
- Learn some Threat Hunting skills
- Small look into Digital Forensics
Disclaimer
Everything in this talk is my own research and opinion.
Malware Investigations
Why do internal malware analysis?
- Existing tools: VirusTotal, JoeSandbox, etc.
- Protect sensitive information from 3rd parties.
- Freedom from reliance on one tool or platform. You can still use VirusTotal or Any.Run, but you can build workflows that don’t rely on them.
Malware is scary and dangerous, put in a box (container).
Malware is scary. Malware is dangerous. So it’s best to analyze it in a “contained” environment.
- Virtual Machines
- Containers (Docker, Podman, etc)
Working with Malware Samples
Safely moving malware around to later analyze can be daunting. Here are some pointers.
Defang
Take a normal hyperlink or file extension and defang it so it’s not active.
- Normal
https://eduardorobles.com or superbadmalware.exe
- Defanged
hxxps://eduardorobles[.]com or superbadmalware.malz
Encrypted Archive with a Password (7zip)
Use 7zip to password-encrypt an archive. This adds an extra layer of protection by not allowing someone to accidentally open the archive.
Disable network access
- You can disable network access to your malware analysis station.
- This stops malware from communicating with its C2 infrastructure.
- Or you can also simulate network traffic if you want to analyze what the malware might be trying to communicate with.
REMnux
If you want an easy button for malware analysis, use REMnux as a VM or a container! https://remnux.org
“REMnux: A Linux Toolkit for Malware Analysis”
Setup REMnux in a Container
- So I can have a container running on a Malware Analysis station and on my workstation. This gives me the flexibility to test on either machine or platform.
Run REMnux as a Transient container
podman run \
--rm \
-it \
--name malContainer \
-v /var/home/core/SAMPLES:/home/remnux/files \
--privileged \
--network none \
remnux/remnux-distro:focal bash
Digital Forensics
Phishing Email Analysis
ClamAV
ClamAV is great to scan for malware, but it can also scan .eml files including email attachments. Use the --debug flag for more info on the scan.
clamscan sample.eml
Continued
You can also use ClamAV to scan any suspicious file.
clamscan sample.zip
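Before handing an .eml to clamscan it often helps to know what attachments it carries and to record their hashes for later lookups. The following is an added example (not from the talk or from ClamAV) that parses a constructed sample message with Python’s standard email module, lists each attachment with its SHA-256, and writes attachments out with the .malz extension used on the Defang slide so nothing is accidentally double-clicked; the sample message and the file names in it are made up for the example.

```python
import email
import hashlib
import os
from email import policy

# Constructed sample message (not a real phishing email): one text part and one
# base64 attachment whose decoded content is the bytes b"hello world".
SAMPLE_EML = b"""From: sender@example.invalid
To: victim@example.invalid
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="utf-8"

Please see the attached invoice.
--BOUNDARY
Content-Type: application/octet-stream; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

aGVsbG8gd29ybGQ=
--BOUNDARY--
"""


def extract_attachments(raw):
    """Return [(filename, sha256_hex, payload_bytes), ...] for every attachment in raw .eml bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.iter_attachments():            # only parts marked as attachments
        payload = part.get_payload(decode=True) or b""  # decode base64 / quoted-printable
        name = part.get_filename() or "unnamed"
        found.append((name, hashlib.sha256(payload).hexdigest(), payload))
    return found


def write_for_scanning(raw, outdir):
    """Write each attachment to outdir as <name>.malz and return the paths written.
    The .malz suffix keeps the file from being opened by a double-click; clamscan
    does not care about the extension, so the files can be scanned as-is."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for name, digest, payload in extract_attachments(raw):
        safe_name = os.path.basename(name) + ".malz"   # drop any directory components
        path = os.path.join(outdir, safe_name)
        with open(path, "wb") as fh:
            fh.write(payload)
        paths.append(path)
        print(f"{safe_name}  sha256={digest}  size={len(payload)}")
    return paths


if __name__ == "__main__":
    write_for_scanning(SAMPLE_EML, "extracted_attachments")
```

Run it, then point clamscan at the output directory (for example `clamscan extracted_attachments/`); the printed SHA-256 values are what you would look up later without uploading the file anywhere.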
Demo
Investigating a suspicious PDF
Malicious content will be embedded. It’s best to extract the content in order to inspect it.
Strings
You can use the strings command to list the printable strings a file contains, such as URLs, object names and the names of library and system calls it references.
strings sus_invoice.pdf | grep http
You can also pipe the output to grep to single out things like http links or hashes.
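The Defang slide and the strings | grep http step above are two halves of one workflow: pull the links out of a sample, then neutralize them before they land in a ticket or a report. This added example (my own code, not part of the talk and not a wrapper around strings(1)) reproduces the default behaviour of strings on a constructed PDF-like byte string, picks out the http(s) links, and defangs both URLs and file names the way the slide shows (hxxps://, [.], .malz), with a refang function so an indicator can be restored when it needs to be fed to a tool. The sample bytes and the domain in them are constructed for the example.

```python
import re

# Constructed stand-in for sus_invoice.pdf: PDF-looking objects, some binary noise
# and one embedded URI action pointing at an executable (made-up example data).
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"\x00\x01\x02\xff\xfe"  # non-printable bytes break up string runs, as in a real PDF
    b"3 0 obj << /S /URI /URI (https://eduardorobles.com/invoice.exe) >> endobj\n"
    b"\x89PNG%%EOF\n"
)

URL_RE = re.compile(r"https?://[^\s)>\"']+")


def extract_strings(data, min_len=4):
    """Mirror strings(1) defaults: runs of at least min_len printable ASCII characters."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [run.decode("ascii") for run in re.findall(pattern, data)]


def find_urls(data):
    """The 'strings file | grep http' step: every http(s) URL found inside printable runs."""
    urls = []
    for run in extract_strings(data):
        urls.extend(URL_RE.findall(run))
    return urls


def defang_url(url):
    """https://host.tld/path -> hxxps://host[.]tld/path (dots are only replaced in the host)."""
    scheme, sep, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp", 1) + sep + host.replace(".", "[.]") + slash + path


def refang_url(url):
    """Undo defang_url so the indicator can be handed to a tool that needs the real value."""
    scheme, sep, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.replace("hxxp", "http", 1) + sep + host.replace("[.]", ".") + slash + path


def defang_filename(name):
    """superbadmalware.exe -> superbadmalware.malz, as on the slide (any extension is replaced)."""
    stem, dot, _ext = name.rpartition(".")
    return (stem if dot else name) + ".malz"


if __name__ == "__main__":
    for url in find_urls(SAMPLE_PDF):
        print(defang_url(url), "->", defang_filename(url.rsplit("/", 1)[-1]))
```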
Yara
https://github.com/airbnb/binaryalert/blob/master/rules/public/eicar.yara
rule eicar_av_test {
    /*
       Per standard, match only if entire file is EICAR string plus optional trailing whitespace.
       The raw EICAR string to be matched is:
       X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
    */
    meta:
        description = "This is a standard AV test, intended to verify that BinaryAlert is working correctly."
        author = "Austin Byers | Airbnb CSIRT"
        reference = "http://www.eicar.org/86-0-Intended-use.html"
    strings:
        $eicar_regex = /^X5O!P%@AP\[4\\PZX54\(P\^\)7CC\)7\}\$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!\$H\+H\*\s*$/
    condition:
        all of them
}

rule eicar_substring_test {
    /*
       More generic - match just the embedded EICAR string (e.g. in packed executables, PDFs, etc)
    */
    meta:
        description = "Standard AV test, checking for an EICAR substring"
        author = "Austin Byers | Airbnb CSIRT"
    strings:
        $eicar_substring = "$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!"
    condition:
        all of them
}
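The two rules differ only in how tightly they are anchored, and that difference decides which files light up. The script below is an added illustration (my own code, not the yara engine and not part of the binaryalert project) that re-implements the logic of both rules with Python’s re module and runs them over three constructed in-memory “files”: a plain EICAR test file, a PDF with the test string embedded in the middle, and a harmless text file. The real rules are run with `yara eicar.yara <file>`; this only shows why a PDF matches eicar_substring_test but not eicar_av_test. The EICAR string is assembled from two pieces so that this source file itself does not trip an AV scanner.

```python
import re

# The EICAR test string (the one quoted in the rule comment), split so the literal
# does not appear intact in this file; the runtime value is the standard string.
EICAR = ("X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*").encode("ascii")

# eicar_av_test: whole file must be the EICAR string plus optional trailing whitespace.
# YARA's ^ and $ anchor to the start and end of the file, so \Z is used here.
FULL_FILE_RE = re.compile(rb"^" + re.escape(EICAR) + rb"\s*\Z")

# eicar_substring_test: the marker may appear anywhere in the file.
SUBSTRING = b"$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!"

RULES = {
    "eicar_av_test": lambda data: FULL_FILE_RE.match(data) is not None,
    "eicar_substring_test": lambda data: SUBSTRING in data,
}

# Constructed sample "files" (bytes in memory, nothing is written to disk).
SAMPLES = {
    "eicar.com": EICAR + b"\n",
    "report.pdf": b"%PDF-1.4\n1 0 obj << /Length 68 >> stream\n" + EICAR + b"\nendstream\n%%EOF\n",
    "notes.txt": b"nothing to see here\n",
}


def scan(data):
    """Return the names of the rules that match, in rule order (like yara's per-file output)."""
    return [name for name, check in RULES.items() if check(data)]


def scan_all(samples):
    """Run every rule over every sample; {filename: [matching rule names]}."""
    return {name: scan(data) for name, data in samples.items()}


if __name__ == "__main__":
    for filename, hits in scan_all(SAMPLES).items():
        print(f"{filename}: {', '.join(hits) if hits else '(no match)'}")
```

The takeaway for writing your own rules is the same: an anchored, whole-file regex is precise but brittle, while a substring rule catches the indicator wherever a dropper, archive or document has wrapped it, at the cost of more false positives.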
Demo
Investigating a malicious link
To investigate a link, REMnux offers so many awesome tools. I will cover THUG and Automater.
THUG
THUG is a “honeyclient”. A honeyclient is a tool that mimics the behavior of a web browser. It is useful for analyzing what a link does when a user clicks on it.
thug -u win7chrome49 "https://eduardorobles.com"
Continued…
Once it begins to “load” the suspicious site, it executes any code that may be on the site. Once it is done running/loading the page, it dumps a report. The report contains a summary of what occurred, plus you get any malicious artifacts that the page may have downloaded.
In one exercise a suspicious page downloaded an executable and I was able to analyze the executable from the container and it was indeed a malicious executable. Yikes!
Demo
Threat Hunting
Velociraptor
“Velociraptor is an advanced digital forensic and incident response tool that enhances your visibility into your endpoints.” https://docs.velociraptor.app/
Velociraptor.exe gui
Tools
Cyberchef
A great tool!
GCHQ CyberChef in a container. CyberChef is the Cyber Swiss Army Knife web app for encryption, encoding, compression and data analysis.
Let’s run it in a container!
podman run \
-d \
--name cyberchef \
-p 8000:8000 \
mpepping/cyberchef
Conclusion
- Hope you learned some quick tools to add to your daily workflow.
- Automation?? A.I?? ¯\_(ツ)_/¯
- Analyzing malware can be tricky but it shouldn’t be intimidating.