
Set up your own malware analysis pipeline with Karton

Date of publication: 30/12/2020, Jarosław Jedynak


We proudly announce that today we open-source a large part of our analysis framework and pipeline!

If you want to try it – check out Karton project on GitHub.

What is karton?

Karton is a framework for building lightweight and flexible analysis backends. It connects malware analysis systems into a robust pipeline with very little effort.

We have been in the automation business for a long time. We deal with more and more threats, and we have to automate everything to keep up with incidents. As a result, we often end up with many scripts held together with duct tape and WD-40. Such scripts are written by analysts in the heat of the moment, fragile and ugly, but they work, and they produce intel that must be stored, processed further, sent to other systems or shared with other organisations.

We needed a way to take our PoC scripts and easily insert them into our analysis pipeline. We also wanted to monitor their execution, centralise logging, improve robustness, reduce development inertia… For this exact purpose, we created Karton.

Projects to check out

This is not a single system, but rather a collection of microservices. There are many small utilities that may not be groundbreaking on their own, but compose nicely. They include:

    • karton – The main repository. It contains the karton.system service, the main service responsible for dispatching tasks within the system. It also contains the karton.core module, which is used as a library by other systems.
    • karton-dashboard – A small Flask dashboard for task and queue management and monitoring.
    • karton-classifier – The “router”. It recognises samples/files and produces various task types depending on the file format. Thanks to this, other systems can listen only for tasks of a specific format (for example, only zip archives).
    • karton-archive-extractor – Generic archive unpacker. Archives uploaded into the system will be extracted, and every file will be processed individually.
    • karton-config-extractor – Malware extractor. It uses Yara rules and Python modules to extract static configuration from malware samples and analyses. It’s a fishing rod, not a fish – we don’t share the modules themselves. But it’s easy to write your own!
    • karton-mwdb-reporter – A very important part of the pipeline. Reporter submits all files, tags, comments and other intel produced during the analysis to MWDB. If you don’t use MWDB yet or just prefer other backends, it’s easy to write your own reporter.
    • karton-yaramatcher – Automatically runs Yara rules on all files in the pipeline, and tags samples appropriately. Rules not included ;).
    • karton-asciimagic – Karton system that decodes files encoded with common methods, like hex, base64, etc. (You wouldn’t believe how common it is).
    • karton-autoit-ripper – A small wrapper around AutoIt-Ripper that extracts embedded AutoIt scripts and resources from compiled AutoIt executables.
    • karton-drakvuf (coming soon) – Uploads incoming samples to drakvuf-sandbox for dynamic analysis.
    • karton-misp-pusher (coming soon) – A reporter, that submits observed events to MISP.
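To make the routing model behind this list concrete, here is an added example written for this page, not code taken from Karton or any of the services above: a small in-memory stand-in for karton.system that delivers tasks to consumers by header filters, with a classifier, an archive extractor and a reporter built on top of it. The consumers keep the shape of a karton.core.Karton subclass (a filters list and a process() method that emits follow-up tasks through send_task), but the Task and Bus classes, the magic-byte checks, the "kind" header values and the MAX_DEPTH nesting limit are assumptions for illustration; the real services exchange tasks through Redis and S3-compatible storage, not a Python list.

```python
import io
import zipfile

MAX_DEPTH = 2  # assumed nesting limit: a recursively nested archive must not keep a worker busy forever


class Task:
    def __init__(self, headers, payload):
        self.headers = dict(headers)  # used only for routing
        self.payload = dict(payload)  # the data itself

class Bus:
    """Stand-in for karton.system: hands every queued task to each consumer whose filters match it."""
    def __init__(self):
        self.consumers, self.queue = [], []

    def run(self):
        while self.queue:
            task = self.queue.pop(0)
            for consumer in self.consumers:
                if consumer.accepts(task):
                    consumer.process(task)

class Consumer:
    """Same shape as a karton.core.Karton subclass (which also names its queue via an identity attribute)."""
    filters = []  # a task matches if ANY filter dict agrees with ALL of its own keys

    def __init__(self, bus):
        self.bus = bus
        bus.consumers.append(self)

    def accepts(self, task):
        return any(all(task.headers.get(k) == v for k, v in flt.items()) for flt in self.filters)

    def send_task(self, task):
        self.bus.queue.append(task)

class Classifier(Consumer):
    """Like karton-classifier: turn an unrecognised sample into a typed task (magic bytes assumed)."""
    filters = [{"type": "sample", "stage": "unrecognized"}]

    def process(self, task):
        content, kind = task.payload["content"], "unknown"
        if content.startswith(b"PK\x03\x04"):
            kind = "archive:zip"
        elif content.startswith(b"MZ"):
            kind = "runnable:win32:exe"
        self.send_task(Task({"type": "sample", "stage": "recognized", "kind": kind}, task.payload))

class ArchiveExtractor(Consumer):
    """Like karton-archive-extractor: unpack a zip and feed each member back as a new sample."""
    filters = [{"type": "sample", "stage": "recognized", "kind": "archive:zip"}]

    def __init__(self, bus):
        super().__init__(bus)
        self.skipped = []  # archives refused because they were nested too deeply

    def process(self, task):
        depth = task.payload.get("depth", 0)
        if depth >= MAX_DEPTH:
            self.skipped.append(task.payload["name"])
            return
        with zipfile.ZipFile(io.BytesIO(task.payload["content"])) as archive:
            for name in archive.namelist():
                child = {"name": name, "content": archive.read(name),
                         "parent": task.payload["name"], "depth": depth + 1}
                self.send_task(Task({"type": "sample", "stage": "unrecognized"}, child))

class Reporter(Consumer):
    """Like karton-mwdb-reporter: record every recognised sample, whatever its kind."""
    filters = [{"type": "sample", "stage": "recognized"}]

    def __init__(self, bus):
        super().__init__(bus)
        self.seen = []  # (name, kind, parent) in reporting order

    def process(self, task):
        self.seen.append((task.payload["name"], task.headers["kind"], task.payload.get("parent")))

def build_zip(members):
    """Constructed test input: an in-memory zip holding the given {name: bytes} members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, data in members.items():
            archive.writestr(name, data)
    return buf.getvalue()

def run_pipeline(name, content):
    """Push one sample through classifier -> extractor -> reporter; return (seen, skipped)."""
    bus = Bus()
    Classifier(bus)
    extractor, reporter = ArchiveExtractor(bus), Reporter(bus)
    bus.queue.append(Task({"type": "sample", "stage": "unrecognized"}, {"name": name, "content": content}))
    bus.run()
    return reporter.seen, extractor.skipped

if __name__ == "__main__":
    # constructed input, three levels deep: outer.zip -> inner.zip -> deep.zip -> payload.exe
    deep = build_zip({"payload.exe": b"MZ\x90\x00 constructed stub, not a real PE"})
    inner = build_zip({"deep.zip": deep, "notes.txt": b"constructed text"})
    print(run_pipeline("outer.zip", build_zip({"inner.zip": inner})))
```

The depth counter is the caveat to take away: every extracted member is fed back into the pipeline as a brand-new unrecognised sample, so without a limit an archive that contains itself, or a long enough chain of nested archives, keeps the extractor and the classifier bouncing tasks between each other indefinitely. Running the block prints the (name, kind, parent) triples the reporter collected and the one archive the extractor refused.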


Set up your own malware repository with MWDB Core

Date of publication: 21/10/2020, Paweł Srokosz

    We proudly announce that the open-source version of MWDB Core has been released!

    If you want to try it – check out mwdb-core project on GitHub.

    What is MWDB Core?

    MWDB Core is a malware repository for automated malware collection and analysis systems, developed by CERT Polska. You can set it up as a part of a malware analysis lab or use it for collaborative malware analysis in your organization.

    Read more

    CFP Secure 2020

    Date of publication: 19/03/2020, piotrb

    The 24th edition of the iconic and oldest cybersecurity conference in Poland.

    Do you love being on stage (or at least you don’t faint) and have something interesting to say? Apply!

    Read more

    What’s up Emotet?

    Date of publication: 18/02/2020, Michał Praszmo

    What’s up, Emotet?

    Emotet is one of the most widespread and havoc-wreaking malware families currently out there. Due to its modular structure, it’s able to easily evolve over time and gain new features without having to modify the core.

    Its first version dates back to 2014. Back then it was primarily a banking trojan. These days Emotet is known mostly for its spamming capabilities and as a delivery mechanism of other malware strains.

    Read more

    Brushaloader gaining new layers like a pro

    Date of publication: 19/11/2019, Michał Praszmo

    Yo dawg, I heard you like droppers so I put a dropper in your dropper

    On 2019-11-18 we received a report that some Polish users had begun receiving malspam imitating DHL:

    In this short article, we’ll take a look at the XLS document that was used as a first-stage dropper distributing another well-known second-stage dropper, Brushaloader.

    Read more

    SECURE 2019 – Call for Speakers

    Date of publication: 25/04/2019, misza

    Call for Speakers for SECURE 2019 is now open. If you have an interesting topic and would like to share your ideas with a crowd of Polish and international IT security specialists, please consider submitting your proposal. You will find all applicable information below.

    SECURE 2019 will be held on October 22-23, 2019 in Warsaw, Poland. This annual conference is dedicated entirely to IT security and addressed to administrators, security team members and practitioners in this field. SECURE’s unique feature is the organisers’ commitment to providing participants with reliable information about everything that is current and meaningful in IT security. A high professional level of the talks is ensured by CERT Polska during the paper selection process. Particular emphasis is on practical solutions, analysis of the current threats, latest trends in countering threats as well as important legal issues. Participants have an opportunity to gain the latest knowledge, improve their qualifications and exchange experience with experts.

    Impersonating online payment service providers was the most popular attack scenario used for targeting e-banking users over the last year. The evolution of malware (increasingly affecting mobile devices and the Internet of Things) still remains a challenge for IT security professionals. Another observed trend is the usage of previously unknown 0-day vulnerabilities by APT groups. The VPNFilter case shows that advanced attacks can also affect an ordinary user. The question arises: how to take care of privacy and security in the face of the above? We will try to find the answer to these and many more questions during SECURE 2019.

    If you want to share your experience in these topics, or if you are an expert in one of the areas below, this Call for Speakers is for you.

    The conference topics will be roughly grouped in the following tracks:

      • technical – practical aspects of implementation and integration of security solutions
      • organisational – new trends in attacks, threats and their mitigation
      • legal

    Presentation topics

    We are looking for speakers willing to deliver a talk covering one or more of the following subjects:

      • malware evolution and analysis, including viruses, worms and botnets
      • network monitoring and intrusion detection
      • innovative honeypot and sandbox applications
      • APTs
      • security of SCADA/ICS
      • security of smartphones and other mobile systems
      • security event visualisation
      • early warning against network threats
      • incident handling
      • standards for security incident data exchange
      • DDoS attacks and their mitigation
      • efficiency of methods for mitigation of new attack vectors
      • open source security tools
      • protection of online identity
      • IoT security
      • hardware security
      • privacy, confidentiality and anonymity
      • supply-chain security
      • securing the human
      • Polish and European law with regard to computer and information security
      • law enforcement actions with regard to cybercrime mitigation
      • research projects in the area of computer and information security

    Important facts

      • proposals for presentations must be submitted only via EasyChair:
      • proposals should include at least a title, short abstract, name and bio of the speaker
      • any questions regarding the submission and selection process should be directed to [email protected]
      • time for presentation: 45 minutes, including Q&A
      • commercial presentations will not be accepted
      • all materials should be submitted in one of the following formats: OpenOffice, Microsoft Office, PDF
      • slides of presentations will be made available to all participants in an electronic version as well as video recordings where possible, unless strictly prohibited by the speaker
      • authors of accepted proposals will receive the full conference package (workshops not included), but they are responsible for their own travel and accommodation

    Important dates

      • proposals submission until: July 22, 2019
      • acceptance notice by: August 12, 2019
      • presentation submission by: October 14, 2019

    Lightning talks

    We encourage participants of SECURE to share their thoughts. One of the conference blocks will consist of lightning talks, allowing everyone to talk briefly about their projects, work, ideas or problems. Anything goes, as long as it touches on IT security.

    Important facts about lightning talks

      • maximum time for a talk is 5 minutes and total time for all talks will be limited
      • application for a lightning talk can be submitted at any time after you have registered for the conference or during the conference
      • the organisers reserve the right to accept or refuse any lightning talk application

    Strengthening our malware analysis capabilities

    Date of publication: 21/02/2019, piotrb

    Over the last year we have collaborated with on improving the open-source Cuckoo Sandbox. The main work focused on porting advanced memory analysis mechanisms that our team had developed internally in previous years. The public release of onemon marks the last stage of this collaboration. We are proud that the results of this work are now available to the security community.

    Read more

    Detricking TrickBot Loader

    Date of publication: 05/02/2019, Michał Praszmo

      TrickBot (TrickLoader) is a modular financial malware that first surfaced in October 2016. Almost immediately, researchers noticed similarities with a credential stealer called Dyre. It is still believed that those two families might have been developed by the same actor.

      But in this article we will not focus on the core itself, but rather on the loader, whose job is to decrypt the payload and execute it.

      Read more

      Recommendations on mitigation of man-in-the-middle phishing attacks (evilginx2/Modlishka)

      Date of publication: 31/01/2019, Michał Leszczyński

      CERT Polska has observed an interesting phishing technique used in attack against users of a popular Polish content aggregator. We have also noticed the emergence of a new tool called “Modlishka” whose purpose is to simplify and automate phishing attacks. In this article, we describe the way these highly-automated attacks work and present our recommendations for creators of websites for defending about them.Read more