How to Defend Against IRONGATE-like malware?

A lot of the recent buzz in the InfoSec community was about the IRONGATE malware. IRONGATE was recently discovered by FireEye while hunting for PyInstaller-crafted executables in VirusTotal.

PyInstaller is a program that converts Python scripts into stand-alone executables under Windows, Linux, and more. Due to the simplicity of Python development and the easy deployment of Python programs enabled by PyInstaller, malware authors are able to write sophisticated malware in no time.

But how can we defend against these kind of threats? We need to perform the following steps:

1. 1. Identify PyInstaller executables
2. 2. Analyze the PyInstaller executable by reviewing its original Python script code
3. 3. Remediate according to the specific threat found

1. Identifying PyInstaller Executables

There's a YARA signature created by Didier Stevens that can be used in either an automatic or a manual mode to detect PyInstaller files. This signature basically looks for a specific string which is unique to PyInstaller-crafted executables.

PyInstaller Yara Signature

2. Analyzing The PyInstaller Executable

To deal with PyInstaller files, we can extract the original Python source code from any PyInstaller file and then analyze the code to get an understanding about its purpose, maliciousness, and full threat potential.

Unlike other executable binaries, for which we need to perform disassembly and review hard-to-read assembly code in order to fully analyze them, the process of analysis using PyInstaller is usually simple and fast. It fully exposes the entire Python code, making it easy to read.

Extracting the Python source code can be done by using the excellent pyinstxtractor project

It is used by running the pyinstallerextractor script:

python pyinstxtractor.py PYINSTALLER_TEST_FILE.exe

Now, in the directory where you run pyinstxtractor, you should have the Python source code available to you. The only thing left is to rapidly read the code and analyze what it's doing in your system.

3. Remediation

Remediation for PyInstaller files is not especially different from any other cyber threats; it really depends on the security systems deployed in your organization, and the code of the threat itself.

If you need any assistance regarding a specific case, we would be happy to help -- just visit our website or contact us via email at contact@intezer.com

About Intezer

After years of experience and research, we are soon launching a game-changing cloud service for instant, deep analysis of unknown cyber threats. It will transform unknown files and memory dumps into an open book – as if an experienced reverse engineer has analyzed the whole assembly code.

Subscribe to get access to our exclusive beta through our website!