
What is Active Countermeasures’ “Malware of the Day”?

The great crew at Active Countermeasures (https://www.activecountermeasures.com) publishes a series of blog posts (https://www.activecountermeasures.com/category/malware-of-the-day), each focused on a particular piece of malware, its characteristics, and analysis details. Alongside each post, Active Countermeasures offers PCAP file(s) and tools for download to use during analysis.

Malware of the Day’s PCAP file

A PCAP file is a capture of actual network traffic produced by packet capture tools such as Wireshark. The PCAP file normally does not include the actual ‘data’ payload but rather the connection details. “Malware of the Day” PCAP files are free of any actual malware or malicious payload and contain only the network packet characteristics, which makes analyzing them on your own system completely safe.

Active Countermeasures’ Rita

Most malware or malicious code requires network connectivity to a C2 (command and control) server on the public internet. Rita is a program that analyzes network connections to identify beacons: it reports which device is beaconing and the characteristics of the beacon, such as timing, duration, frequency, and various other traits. An EDR alone is not enough to identify the C2, and since Rita analyzes the actual network connections, additional agents on endpoints are simply not required to identify beacons (and such agents are, worse, sometimes forgotten and never installed).
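To make the timing idea concrete, here is a small, added example (not Rita’s own code) that scores connection records by how regular the gaps between a host’s connections to one destination are; the sample records, hosts, and the MAD/median threshold are all constructed assumptions for illustration.

```python
"""Toy beacon scorer over (timestamp, src, dst) connection records (constructed data)."""
from collections import defaultdict
from statistics import median

# Constructed sample: host 10.0.0.11 reaches 203.0.113.10 roughly every 60 s with a little
# jitter (timer-driven, beacon-like); host 10.0.0.12 reaches 198.51.100.5 at irregular,
# human-driven gaps. Both use documentation/test address ranges, not real infrastructure.
BEACON_JITTER = [0, 1, -1, 2, 0, -2, 1, 0, -1, 1, 0, 2, -1, 0, 1, -1, 0, 1, 0, -1]
HUMAN_GAPS = [5, 90, 3, 420, 17, 2, 1100, 35, 8, 600, 4, 250, 60, 9, 330, 2, 45, 900, 12, 70]


def build_sample():
    records, t_a, t_b = [], 1_700_000_000.0, 1_700_000_000.0
    for jitter, gap in zip(BEACON_JITTER, HUMAN_GAPS):
        t_a += 60 + jitter
        t_b += gap
        records.append((t_a, "10.0.0.11", "203.0.113.10"))
        records.append((t_b, "10.0.0.12", "198.51.100.5"))
    return records


def interval_regularity(timestamps):
    """Return (connection count, median gap, MAD/median ratio) for one src->dst pair.
    A small ratio means the gaps barely vary, which is what a timer-driven beacon
    looks like and what interactive browsing does not."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    med = median(gaps)
    mad = median(abs(g - med) for g in gaps)
    return len(ts), med, mad / med if med else float("inf")


def score_pairs(records, min_conns=10, max_ratio=0.1):
    """Group connections by (src, dst) and flag pairs with many, very regular connections."""
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(ts)
    flagged = {}
    for pair, stamps in by_pair.items():
        count, med, ratio = interval_regularity(stamps)
        if count >= min_conns and ratio <= max_ratio:
            flagged[pair] = {"connections": count, "median_gap_s": med, "mad_ratio": round(ratio, 3)}
    return flagged


if __name__ == "__main__":
    for pair, info in score_pairs(build_sample()).items():
        print(pair, info)
```

Real beaconing analysis also weighs connection counts, data sizes, and jitter that adversaries add deliberately; this score only shows why regular timing stands out in connection data.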

Well, Rita is free and easily downloadable at https://www.activecountermeasures.com/free-tools/rita. Rita is such a reliable tool for identifying beacons that it is essentially the core code of Active Countermeasures’ enterprise product, AC-Hunter. AC-Hunter is a graphical tool that presents Rita’s results in a graphical interface.

Hunting with AC’s Malware of the Day

The hunting exercise is simply a fantastic way to practice identifying beacons with Rita in a safe environment, without the need for a segmented lab network or a compromised system. Remember, they are only PCAP files, so no malware is actually installed during the process. Working through the hunt with Rita pushes an engineer to become more familiar with identifying beacons using the Rita program and its CLI commands.

What’s in the Hunt?

In many of Active Countermeasures’ blog posts, the exercise is to identify the beacon of the resident process or malicious payload that is communicating with the C2 (command and control). Each “Malware of the Day” post offers a description of the hunt, but it is recommended to perform the exercise without reading those details so that the engineer can practice the identification. If further assistance is needed, each blog post provides the details needed to complete the identification.

Who is Active Countermeasures?

I’m personally a big fan of all Black Hills Information Security (also known as BHIS) affiliated companies, mostly for their wealth of knowledge, but also for what they contribute to the cybersecurity community. Each of the BHIS entities steps out of the traditional ‘money-making’ style of business and focuses on educating the cybersecurity community, which is certainly a refreshing approach today. Active Countermeasures has invested a lot of resources and funds in tools such as Rita, Beaker, and Threat Simulator, and for that, I’m very grateful.

You can find Black Hills Information Security at https://www.blackhillsinfosec.com/, and a number of Rita resources, such as a CLI cheat sheet, at https://www.activecountermeasures.com/free-tools/rita.

If you found this post helpful, please consider buying a stranger a cup of coffee the next time you’re at a cafe.
