How to Defend Against IRONGATE-like malware?
Posted on Thu 16 June 2016 by Intezer Labs
A lot of the recent buzz in the InfoSec community was about the IRONGATE malware. IRONGATE was recently discovered by FireEye while hunting for PyInstaller-crafted executables in VirusTotal.
PyInstaller is a program that converts Python scripts into stand-alone executables under Windows, Linux, and more. Due to the simplicity of Python development and the easy deployment of Python programs enabled by PyInstaller, malware authors are able to write sophisticated malware in no time.
But how can we defend against these kind of threats? We need to perform the following steps:
- 1. Identify PyInstaller executables
- 2. Analyze the PyInstaller executable by reviewing its original Python script code
- 3. Remediate according to the specific threat found
1. Identifying PyInstaller Executables
There's a YARA signature created by Didier Stevens that can be used in either an automatic or a manual mode to detect PyInstaller files. This signature basically looks for a specific string which is unique to PyInstaller-crafted executables.
2. Analyzing The PyInstaller Executable
To deal with PyInstaller files, we can extract the original Python source code from any PyInstaller file and then analyze the code to get an understanding about its purpose, maliciousness, and full threat potential.
Unlike other executable binaries, for which we need to perform disassembly and review hard-to-read assembly code in order to fully analyze them, the process of analysis using PyInstaller is usually simple and fast. It fully exposes the entire Python code, making it easy to read.
Extracting the Python source code can be done by using the excellent pyinstxtractor project
It is used by running the pyinstallerextractor script:
python pyinstxtractor.py PYINSTALLER_TEST_FILE.exe
Now, in the directory where you run pyinstxtractor, you should have the Python source code available to you. The only thing left is to rapidly read the code and analyze what it's doing in your system.
3. Remediation
Remediation for PyInstaller files is not especially different from any other cyber threats; it really depends on the security systems deployed in your organization, and the code of the threat itself.
If you need any assistance regarding a specific case, we would be happy to help -- just visit our website or contact us via email at contact@intezer.com
About Intezer
After years of experience and research, we are soon launching a game-changing cloud service for instant, deep analysis of unknown cyber threats. It will transform unknown files and memory dumps into an open book – as if an experienced reverse engineer has analyzed the whole assembly code.
Subscribe to get access to our exclusive beta through our website!
How to Defend Against IRONGATE-like malware?
Thu 16 June 2016
After a recent buzz in the Infosec community about IRONGATE malware, we would like to provide you insight into detecting and defeating these IRONGATE-like types of malware.
Docker IDA
Thu 26 May 2016
Docker IDA is an open-source tool used to make reverse engineering on a large-scale simpler and faster. Many companies contend with hundreds or thousands of suspicious malware threats per day. Current popular solutions are insufficient most of the time.