Identification and Classification of Crypto-Malware Using ThreatMapper

Identification and Classification of Crypto-Malware Using ThreatMapper
December 8, 2022

Authors: Devi Prasad and Shyam Krishnaswamy  

ThreatMapper, our open-source Cloud Native Application Protection Platform (CNAPP), now integrates natively with YaraHunter. YaraHunter is a powerful malware scanner for cloud-native - containers, images & hosts. In a previous post, we discussed scanning the cloud native assets for malware using YaraHunter - to identify and report possible indicators of malware across different cloud resources, pods, virtual machines, file systems, image registries, and build artifacts. In this post, we will discuss using ThreatMapper to classify various cloud-native malware, the enhancements to the Yara rulesets to identify crypto signature malware risks, and prioritize those risks using runtime context to build a better security posture.

Crypto malware attacks are becoming increasingly popular among cybercriminals due to the increase in value of the currency, and the widespread adoption. Once executed on the victim's device, crypto-malware can typically run independently and indefinitely. As estimated by Google, a vast majority of instances (around 86%), in Google Cloud are compromised due to crypto mining. While not assuming devastating proportions like ransomware, crypto-malware still causes severe losses in terms of computation resources, leading to direct and indirect damages.

ThreatMapper is supported by a wide variety of Yara rule sets to classify malware. The Yara rule sets are descriptions of malware families based on textual or binary patterns. In particular, ThreatMapper has hundreds of rules that cover a wide range of classifications - Crypto Mining, DDOS, Information Stealing, Spam Bot, RootKit, KeyLoggers among others. In addition, host-based indicators like filenames, exposed passwords, and secret keys also form an important part of the ruleset.

In our effort to keep ThreatMapper constantly abreast of the current set of challenges, we have recently included the rules for Cobalt strike malware. A brief background on Cobalt Strike - malicious actors leverage the vulnerability  CVE-2019-18935, a critical severity, that leads to remote code execution in the Telerik UI library and install Cobalt strike beacons. Once the beacons are installed, they are successful in mining Monero tokens by hijacking system resources. 

ThreatMapper, in addition to hundreds of existing rules that detect crypto miners, has also included the rules recently released by Google to detect Cobalt strike malware. This helps to detect the malware at all stages of the development and deployment lifecycle - as a part of CI/CD scans, from image repositories, or during the runtime of the containers, pods, and hosts in the infrastructure. 

The following is a sample result when scans are performed on images having Cobalt strike malware - 

 Cobalt strike malware

Further, when XmRig crypto miner malware is present in an image, scanning those images produces results of the form -

XmRig crypto miner malware

ThreatMapper is also able to classify various malware types -

ThreatMapper classifies various malware types

In addition to classifying malware, the sensors deployed as a part of ThreatMapper provide useful runtime context, which is used to automatically prioritize the malware that needs immediate attention. In the upcoming days, we will add additional malware scan controls, rules, and insights derived from the various malware classifications. If you are interested in taking a deeper look at the technical integration, take a look at our ThreatMapper repository. We welcome contributions of all forms, including documentation, feature requests, technical bugs, or source code patches.